Transition to Uncover

The puzzle metaphor

Triage assembles enough pieces of the puzzle to understand what is happening. Scope defined the puzzle’s boundaries: how big it is, what the frame looks like, what pieces are part of it. Uncover places enough pieces inside those bounds to reveal the picture, using the minimum number of pieces that clearly shows the attacker’s actions, motives, and impact. The Scope handoff is what tells Uncover where the frame is so it does not waste pieces fitting them outside it.


What Scope hands forward

A Scope deliverable answers five questions Uncover needs before opening a query window.

01. What threat type are we investigating?

Determines which playbooks Uncover should reach for and which data sources are most relevant. A phishing-driven intrusion and a slow-burn insider produce very different Uncover workflows.

02. What time window applies, and to which entities?

Primary entities may get one window, secondary entities another, extended-look entities a third. Uncover queries reference these windows directly so the work stays inside the boundary.

03. Which entities are in scope, at what depth?

Full depth for primary entities. Baseline comparison for secondary. Out-of-scope entities documented explicitly so Uncover does not investigate them by accident.

04. What regulatory and infrastructure constraints apply?

Regulatory triggers active, with parallel notification clocks running. Infrastructure gaps documented. Vendor or external-team requests in flight if needed.

05. What questions does Uncover need to answer?

Scope frames the investigative questions explicitly. How did the attacker gain initial access? What systems were touched? What data was accessed? Is persistence still active? These questions shape Uncover’s analytical effort.


Framing the Uncover questions

Uncover’s depth comes from working through specific investigative questions, not from running broad queries and hoping. Scope frames those questions before the data is even pulled.

🚪 Initial access

How did the attacker get in? Phishing, credential theft, vulnerability exploit, supply chain, social engineering. The answer drives where Uncover looks first.

🗺️ Scope of compromise

What systems were touched? What data was accessed? Uncover answers this by querying within the entity and time boundaries Scope set.

📌 Persistence

Are persistence mechanisms still active? Scheduled tasks, services, registry run keys, cloud automation, dormant accounts. The question shapes containment timing.

🔄 Lateral movement

Did the attacker move beyond the initial entry point? Across hosts, across identity boundaries, across cloud accounts. Drives the secondary-entity follow-up depth.

📤 Data movement

Was data exfiltrated? To where? Often the last question to surface in time-pressured triage, and the one with the largest impact on regulatory and business outcomes.

🎯 Intent indicators

What does the activity pattern suggest about the attacker’s goal? Ransomware staging looks different from espionage looks different from fraud. Intent shapes the response posture.


Common Scope-to-Uncover failure modes

A handoff can be done well in form and still fail in substance. Four patterns reduce the value of the work.

🪞 Repeating instead of bounding

The handoff document restates Subject’s entity map without making the in-scope vs. out-of-scope call. Uncover inherits ambiguity instead of a boundary and ends up redoing the scoping work.

📭 Missing the open questions

Scope hands forward a clean boundary but no framing of what Uncover should look for. Uncover starts with broad queries instead of focused ones, burning time on data exploration the methodology already specified.

🚧 Silent infrastructure gaps

Tools the SOC doesn’t have, retention that won’t reach back far enough, vendor data still pending. If those are not surfaced, Uncover finds out the hard way (often after writing the query that returns no data).

⏰ Regulatory clocks unmarked

Compliance triggers identified at Scope but not surfaced in the handoff. Uncover inherits a technical investigation without realizing a 72-hour clock is running in parallel. The investigation finishes; the notification window does not.

What 'good' looks like vs 'bad' in 30 seconds

Bad handoff: “Investigate everything around the workstation. PCI may apply.”

Good handoff:

Threat type: malware suspected; initial access likely email-driven.

Time: alert −24h through current, primary entities only. Extension requires evidence.

Primary: WS-MKT-042, user mjones (full depth).

Secondary: DC01 (mjones authenticated there 09:14), file server share \\fs01\marketing (mjones accessed 11:02). Both baseline-comparison only unless something surfaces.

Out of scope: other marketing workstations, BYOD phone (no telemetry), other VLANs.

Regulatory: none triggered. Revisit if scope expands to systems handling regulated data.

Tools: EDR primary, SIEM corroboration, network analysis for egress, TI passive only.

Open questions: (1) how did the binary land on WS-MKT-042; (2) did it persist; (3) any C2 callbacks observed; (4) any lateral movement attempts; (5) was any data staged or exfiltrated.

Time budget: 4 hours initial, reassess at 16:00.

The good handoff is what lets Uncover open the first query inside the rails and finish on time. The bad handoff is what guarantees the next four hours are spent reading instead of investigating.
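As an added example (not the page's own tooling or any product's code), the good handoff above encoded as data, with two checks Uncover can run before opening a query window: one reports which of the four failure modes a handoff exhibits, the other gates a proposed query against the entity tiers and the time window. Field names, tier labels and the BAD_HANDOFF encoding are this example's assumptions; entity names, offsets and open questions are the page's sample values.

```python
# The "good handoff" above as structured data. Added example, not the page's or any
# product's code; field names and tier labels are this example's own assumptions,
# while entity names, offsets and open questions are the page's sample values.
HANDOFF = {
    "threat_type": "malware suspected; initial access likely email-driven",
    "window_hours": 24,  # alert -24h through current; extension requires evidence
    "entities": {  # tier per entity: primary (full depth) | secondary (baseline only) | out
        "WS-MKT-042": "primary", "mjones": "primary",
        "DC01": "secondary", r"\\fs01\marketing": "secondary",
        "other marketing workstations": "out", "BYOD phone": "out", "other VLANs": "out",
    },
    "regulatory": "none triggered; revisit if scope expands to regulated data",
    "infrastructure_gaps": ["BYOD phone: no telemetry"],
    "open_questions": ["how did the binary land on WS-MKT-042", "did it persist",
                       "any C2 callbacks observed", "any lateral movement attempts",
                       "was any data staged or exfiltrated"],
}
# The "bad handoff" above, encoded as far as its two sentences allow.
BAD_HANDOFF = {"entities": {"workstation": "primary"}, "regulatory": "PCI may apply"}

def handoff_gaps(h):
    """Return which of the page's four failure modes a handoff exhibits (empty = usable)."""
    gaps = []
    if "out" not in set(h.get("entities", {}).values()):
        gaps.append("repeating instead of bounding")  # no explicit out-of-scope call
    if not h.get("open_questions"):
        gaps.append("missing the open questions")
    # An explicit empty list documents 'none found'; an absent key means nobody surfaced them.
    if "infrastructure_gaps" not in h:
        gaps.append("silent infrastructure gaps")
    if "regulatory" not in h:
        gaps.append("regulatory clocks unmarked")
    return gaps

def query_allowed(h, entity, hours_back, full_depth=True):
    """Gate a proposed Uncover query (entity, lookback from the alert, depth) against the rails."""
    tier = h["entities"].get(entity)
    if tier is None:
        return False, f"{entity}: not in the handoff, send it back to Scope"
    if tier == "out":
        return False, f"{entity}: explicitly out of scope"
    if tier == "secondary" and full_depth:
        return False, f"{entity}: baseline comparison only unless something surfaces"
    if hours_back > h["window_hours"]:
        return False, f"{entity}: {hours_back}h lookback exceeds the {h['window_hours']}h window"
    return True, f"{entity}: inside the rails"

if __name__ == "__main__":
    print("bad handoff gaps:", handoff_gaps(BAD_HANDOFF))
    print(query_allowed(HANDOFF, "DC01", 6), query_allowed(HANDOFF, "DC01", 6, full_depth=False))
```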