Fenwick

Breach Intelligence / Field Report

The anatomy of a breach.

Six minutes. Six decisions. This is the timeline most organizations never see until it is too late. Fenwick maps it so you can close it before it opens.

Breach timeline / Six acts

Step 1

Reconnaissance

A single automated scanner probes your public perimeter -- 14,000 ports in 38 seconds. No alert fires. The attacker catalogs three open vectors and moves on.

Step 2

Initial access

A phishing link -- sent at 7:42 AM, opened at 8:03 AM -- drops a loader onto a finance workstation. The endpoint agent classifies it as low-risk adware.

Step 3

Lateral movement

The loader beacons home, receives a reverse shell, and begins harvesting cached credentials. By minute 47, it has moved to 4 additional machines on the same VLAN.

Step 4

Privilege escalation

A Kerberoasting attack extracts a service account hash. Offline cracking resolves it in 94 seconds. The attacker now holds domain-admin credentials.

Step 5

Exfiltration

82 GB of IP and financial records are staged in a temp directory and exfiltrated over HTTPS to a cloud storage bucket. DLP does not flag the destination domain.

Step 6

Persistence

A scheduled task is created under the SYSTEM account. The attacker now has a durable re-entry point. The incident will not be discovered for another 19 days.

Fenwick Breach Intelligence

We map the six minutes so you never live them.

Fenwick embeds intelligence analysts inside your security function -- three to six months, no retainer markup, no tooling upsell. We leave with a closed gap and a documented playbook. Engagements by referral only.

Inquiries

Email: engage@fenwick.io
Signal: +1 (628) 555 0147
Office: San Francisco, CA

All engagements are confidential. NDAs signed at first contact.