Infrastructure boundaries
Four common boundary types
Infrastructure boundaries are guardrails, not obstacles. They prevent triage from expanding into irrelevant environments, reduce noise from unrelated telemetry, and preserve analyst focus on the systems most likely to yield actionable data.
Network segmentation
Subnets, VLANs, firewall zones, and DMZs define logical containment zones. If a host is restricted to a specific VLAN with no routing to external zones, adjacent systems can often be ruled out of scope unless evidence suggests segmentation failure.
System domains
Active Directory forests, Azure AD tenants, LDAP hierarchies. These create structural separation in authentication and policy enforcement. Recognizing domain boundaries prevents premature attribution of behavior across unrelated trust zones.
Deployment environments
Cloud workloads, on-premises systems, SaaS platforms. Each operates under distinct access, tooling, and forensic constraints. Recognizing which segments belong to which infrastructure class tailors the scope to environments with proper visibility and operational control.
Geographic and sovereignty
Data residency rules can prevent moving log data across regions. An investigation may need to be conducted in-region or by a regional team. Multinational organizations often face conflicting jurisdictions in the same case.
Access patterns
Access patterns define how identities interact with systems and resources across the environment. Within Scope, access patterns are not evaluated for anomalies. They are cataloged to understand the structural flow of authentication and authorization. This contextual map sets investigative boundaries, identifies choke points, and prevents drift into unrelated identity ecosystems.
Authentication frameworks
SSO platforms, federated identity brokers, Kerberos-based systems. These determine where authentication events originate and how access is validated. Scope identifies which authentication systems were active during the event window and what logging sources are available; without that mapping, investigations risk extending into environments that share no credential surface with the subject.
Authorization structures
RBAC, ABAC, MAC. These impose constraints on what authenticated identities can do and where. Scope accounts for these limitations so the investigation does not over-triage actions that policy would have denied. An authenticated account without write permissions can be excluded from an investigation concerned only with write actions.
Trust relationships
Domain trusts, delegated permissions, service principal access, token exchange. These bridge identity across boundaries. Documenting them distinguishes where access naturally extends from where escalation or impersonation would be required. Misinterpreting trust lines is the classic mis-scoping mistake.
An example of using access patterns to bound scope
An alert fires on an account in a Workday-federated SSO context. The implicated user normally authenticates against the corporate AD via SSO.
Without access-pattern mapping, an analyst might investigate every system the user could theoretically reach via SSO including downstream SaaS apps. That can be hundreds of systems.
With access-pattern mapping, Scope confirms:
- The user's SSO entitlements limit federation to four specific SaaS apps.
- Two of those apps had no activity in the relevant window per the IdP logs.
- The other two are in scope; the rest are out.
The investigation goes from "hundreds of possible targets" to "two confirmed accessed targets." That precision is what access patterns buy.
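The bounding step described above, as an added example that is not part of the original page: the entitlement map, IdP sign-in records, user name, app names and two-hour event window are all constructed for illustration.

```python
"""Bound investigative scope from an access-pattern map (added example)."""
from datetime import datetime, timezone

# Constructed entitlement map for the subject, as pulled from the IdP: the only
# SaaS apps this user's SSO entitlements can reach.
ENTITLEMENTS = {"user": "jdoe", "apps": ["Workday", "Salesforce", "Zendesk", "Box"]}

# Constructed IdP sign-in records: (user, application, UTC timestamp).
IDP_LOG = [
    ("jdoe", "Workday", "2024-03-04T08:55:12Z"),
    ("jdoe", "Salesforce", "2024-03-04T09:10:40Z"),
    ("jdoe", "Zendesk", "2024-03-02T14:03:00Z"),   # outside the event window
    ("asmith", "Box", "2024-03-04T09:20:00Z"),     # a different subject
    ("jdoe", "GitHub", "2024-03-04T09:30:00Z"),    # app missing from the map
]

def parse_ts(value):
    """Parse the IdP's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bound_scope(entitlements, idp_log, window_start, window_end):
    """Split the subject's entitled apps into in-scope and out-of-scope.

    in_scope: entitled apps with IdP activity for the subject in the window.
    out_of_scope: entitled apps with no such activity.
    unmapped_activity: apps the subject reached that the entitlement map does
    not list, a sign the map is stale or a trust relationship extends access
    beyond it; the map must be corrected before the scope is trusted.
    """
    start, end = parse_ts(window_start), parse_ts(window_end)
    user, mapped = entitlements["user"], set(entitlements["apps"])
    active, unmapped = set(), set()
    for who, app, ts in idp_log:
        if who != user or not (start <= parse_ts(ts) <= end):
            continue
        (active if app in mapped else unmapped).add(app)
    return {
        "in_scope": sorted(active),
        "out_of_scope": sorted(mapped - active),
        "unmapped_activity": sorted(unmapped),
    }

if __name__ == "__main__":
    print(bound_scope(ENTITLEMENTS, IDP_LOG,
                      "2024-03-04T08:00:00Z", "2024-03-04T10:00:00Z"))
```

Any entry under unmapped_activity means the entitlement map, not the alert, needs attention first: scope drawn from a stale map is drawn in the wrong place.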
Tools as boundaries
Tooling is part of the infrastructure picture. Before parsing a single log or reviewing alerts, analysts must inventory their tooling landscape to establish visibility coverage, identify data gaps, and recognize the fixed investigative boundaries each platform imposes. Tools define the mechanisms, not the actions.
When setting scope, consider each platform's observation and retrieval capabilities. SIEMs, EDRs, packet capture appliances, and threat intel offer distinct perspectives on activity, and recognizing each one's reach and blind spots shapes the investigation's breadth and depth.
SIEM
Brings: centralized log aggregation, cross-source correlation, retention. The nerve center.
Limits: retention is capacity-bounded; unsupported log sources create coverage gaps; rule maintenance is an ongoing cost.
EDR
Brings: process lineage, command-line capture, file activity, real-time response actions.
Limits: coverage gaps on non-standard endpoints (IoT, OT, certain Linux distros); tuning sensitivity affects false-positive load.
Network analysis
Brings: traffic inspection, protocol decoding, deep packet inspection, retrospective replay.
Limits: high-volume environments stress capture capacity; encrypted traffic remains opaque without decryption infrastructure.
Threat intelligence
Brings: external IOC enrichment, TTP mapping to MITRE ATT&CK, campaign attribution.
Limits: feed quality varies; integration friction with SIEM/EDR; over-reliance produces alert fatigue.
Deception
Brings: high-fidelity alerts with minimal false positives. Decoy interaction implies attacker presence.
Limits: coverage depth matters; sophisticated attackers can fingerprint decoys; maintenance overhead as production drifts.
Digital forensics
Brings: disk and memory analysis, artifact extraction, timeline reconstruction, chain-of-custody for legal/regulatory.
Limits: retrospective by nature; resource-intensive; environment-specific tooling for cross-OS coverage.
Vulnerability scanners
Brings: known-CVE detection, asset fingerprinting, exploitability scoring, remediation tracking.
Limits: signature-based, no zero-day detection; point-in-time snapshots; potential disruption from active scans.
SOAR
Brings: playbook automation, tool integration, case management, real-time response orchestration.
Limits: playbook maintenance burden; quality dependent on incoming alert fidelity; risk of analyst over-reliance.
CSPM
Brings: cloud misconfiguration detection, IAM analysis, compliance mapping, configuration drift alerts.
Limits: blind spots on proprietary/ephemeral services; finding-volume noise; cloud-specific tuning per provider.
Security data lake
Brings: scalable retention beyond SIEM, schema-on-read flexibility, ML-friendly cross-source analytics.
Limits: normalization engineering cost; query performance without proper indexing; data engineering skill requirement.
Naming what is invisible
A useful Scope output is an explicit list of what the SOC cannot see for this case.
Off-network mobile devices
Activity that happens when the device is off-corporate-network may be invisible until the device reconnects. MAM telemetry helps, but not all activity reaches it.
Personal devices in BYOD
Often only see authentication events, not deeper telemetry. App-level activity, file access, and clipboard behavior live outside corporate visibility.
Third-party SaaS without integrated logging
The SOC sees the authentication; the in-app activity is in the vendor's logs. Deeper investigation requires a vendor request and (usually) a contractual or legal channel.
Air-gapped systems
May produce no telemetry that reaches the SIEM at all. Investigation requires direct system access, often with physical or operational constraints.
Encrypted traffic without decryption
TLS metadata (timing, volume, JA3 fingerprint) is visible; payload content is not. C2 channels riding on legitimate TLS look like other TLS unless inspection is positioned upstream.
Legacy systems without modern agents
Mainframes, OT/ICS, embedded systems often cannot host EDR. Coverage is via network position or via the system's own audit features, which may be limited.
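Turning the six categories above into the explicit per-case "cannot see" list that Scope should produce, as an added example that is not part of the original page: the asset inventory, asset names and attribute fields (kind, edr, on_corp_net, tls_inspected, mam, siem_integrated) are constructed for illustration.

```python
"""Name what the SOC cannot see for a case (added example)."""

# Constructed asset inventory for the case; field names are illustrative.
ASSETS = [
    {"name": "ws-fin-12", "kind": "workstation", "edr": True,
     "on_corp_net": True, "tls_inspected": True},
    {"name": "ios-jdoe", "kind": "mobile", "edr": False,
     "on_corp_net": False, "mam": True},
    {"name": "byod-jdoe", "kind": "byod", "edr": False, "on_corp_net": True},
    {"name": "vendor-crm", "kind": "saas", "siem_integrated": False},
    {"name": "plc-line-3", "kind": "ot", "edr": False,
     "on_corp_net": True, "tls_inspected": False},
    {"name": "cert-signer", "kind": "air_gapped", "edr": False,
     "on_corp_net": False},
]

def visibility_gaps(asset):
    """Return the blind spots the SOC must name for one asset."""
    kind = asset["kind"]
    if kind == "air_gapped":
        return ["no telemetry reaches the SIEM; direct system access required"]
    if kind == "saas":
        return [] if asset.get("siem_integrated") else [
            "in-app activity only in vendor logs; vendor request required"]
    gaps = []
    if kind == "mobile" and not asset.get("on_corp_net"):
        note = " (partial MAM telemetry)" if asset.get("mam") else ""
        gaps.append("off-network activity invisible until reconnect" + note)
    if kind == "byod":
        gaps.append("authentication events only; app, file and clipboard activity unseen")
    if kind in ("ot", "mainframe", "embedded") and not asset.get("edr"):
        gaps.append("no EDR agent; coverage via network position or native audit only")
    # On-network traffic without upstream TLS inspection shows metadata only.
    if asset.get("on_corp_net") and not asset.get("tls_inspected", True):
        gaps.append("TLS payload opaque; only timing, volume and JA3 visible")
    return gaps

def invisible_list(assets):
    """Map each asset that has at least one blind spot to its named gaps."""
    result = {}
    for asset in assets:
        gaps = visibility_gaps(asset)
        if gaps:
            result[asset["name"]] = gaps
    return result

if __name__ == "__main__":
    for name, gaps in invisible_list(ASSETS).items():
        print(name, "->", "; ".join(gaps))
```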