Scope: Defining investigation boundaries

Phase 1 · piece 3 of 7

Where are the lines?

Scope decides what is inside the investigation and what is outside it. Without scope, investigations sprawl indefinitely. With it, every minute of analyst time goes to questions that are material to the case.


What you will get from this chapter

⚖️

Apply the relevant regulatory framework (GDPR, CCPA, HIPAA, PCI DSS, SOX) to the investigation at the right moment, before any regulated data is touched.

🕐

Set defensible time windows for historical review and real-time investigation, calibrated to the threat type.

🧭

Decide which entities are in scope and how to handle access modeling, dependency tracing, and relationship mapping.

πŸ—οΈ

Recognize the infrastructure boundaries that constrain what an investigation can actually see.


The four boundary types


Why Scope is its own phase

Without scope, investigations sprawl

Analysts who skip Scope tend to follow every interesting thread they find. Each thread feels productive in the moment. By the end of the shift, three threads are open, none is resolved, and the alert that started it all still has no triage decision.

Compliance lives at this step

Investigating an account that touched data subject to HIPAA carries different obligations than investigating a developer's sandbox: who may view the records, how they must be handled, and what must be reported if a breach is confirmed. Scope is where those obligations are recognized and written down, before Uncover starts querying data that has rules attached.

Time is a boundary, not a default

A typical alert is investigated against the last 24 hours. A slow-burn insider case may need six months of history. Choosing the window deliberately, and recording why it was chosen, is what makes the result defensible and keeps the work bounded; a window inherited from a tool's default setting is neither.

Visibility is finite

Scope is also honest about what the SOC cannot see: air-gapped systems, third-party SaaS without logging access, off-network mobile devices, and log sources whose retention is shorter than the chosen time window. Naming those gaps upfront keeps Uncover from spending time on queries that cannot return an answer, and records that the absence of evidence there is a visibility gap rather than a finding.

Next up: Regulatory boundaries

GDPR, CCPA, HIPAA, PCI DSS, SOX: the rules that constrain investigation.