Federal Agency (Classified Sector)

The Challenge

A federal agency discovered indicators of a nation-state threat actor dwelling in their network. Traditional AV tools had missed the intrusion for an estimated 8 months.

Pulsosec Response

Pulsosec executed a full threat hunt using our proprietary TTPs library aligned with MITRE ATT&CK. We identified and evicted the persistent access, hardened 47 attack vectors, and implemented a zero-trust network segmentation model.

Full Case Study

The agency's security team had observed anomalous outbound DNS traffic that their SIEM flagged as low-priority. A threat intelligence sharing partner subsequently provided an indicator that correlated with a known nation-state group's command-and-control infrastructure. Pulsosec was engaged under an emergency consulting agreement.

Threat Hunt

Our threat hunt team began with hypothesis-driven hunting: what TTPs would this specific group use given their known playbook? Using memory forensics across 200 high-value servers and analysis of 18 months of preserved NetFlow data, we identified the initial access vector — a compromised contractor VPN credential — and reconstructed the full 8-month attack timeline.
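The low-priority DNS alert that started this engagement is the kind of signal a hunter can surface with a small baseline check. The script below is an added example, not Pulsosec's tooling or anything from the case: it scans constructed resolver log lines and flags source hosts that send many unique, long subdomain labels to one registered domain, a pattern typical of DNS beaconing or tunnelling. The log format, thresholds and the naive registered-domain split are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (syslog-style; the format is an assumption).
# ws-117 queries five distinct 24-character labels under one domain in ~2 minutes.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z ws-117 query A login.microsoftonline.com
2024-03-01T02:14:09Z ws-117 query TXT 4f2a9c1e7b3d5a6f8c0e2b4d.update-cdn.example
2024-03-01T02:14:39Z ws-117 query TXT 9b1d3f5a7c2e4b6d8f0a1c3e.update-cdn.example
2024-03-01T02:15:09Z ws-117 query TXT a3c5e7f9b1d2f4a6c8e0b2d4.update-cdn.example
2024-03-01T02:15:39Z ws-117 query TXT e1f3a5c7d9b2f4a6c8e0d2b4.update-cdn.example
2024-03-01T02:16:09Z ws-117 query TXT 7d9f1b3a5c2e4f6a8c0e2b4d.update-cdn.example
2024-03-01T02:16:11Z srv-db-03 query A time.windows.com
2024-03-01T02:16:12Z srv-db-03 query A wsus.corp.example
2024-03-01T02:16:13Z srv-db-03 query A wsus.corp.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")


def registered_domain(qname):
    # Naive split on the last two labels; production hunts should use the
    # public suffix list so that e.g. "example.co.uk" is handled correctly.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(log_text):
    # Yield (timestamp, source host, query type, query name); skip malformed lines.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def hunt_dns_anomalies(log_text, min_unique=5, min_label_len=20):
    """Return {(host, domain): n} for hosts sending >= min_unique distinct
    leftmost labels of >= min_label_len characters to the same domain."""
    seen = defaultdict(set)
    for _, host, _, qname in parse(log_text):
        dom = registered_domain(qname)
        prefix = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        first_label = prefix.split(".")[0] if prefix else ""
        if len(first_label) >= min_label_len:
            seen[(host, dom)].add(first_label)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (host, dom), n in hunt_dns_anomalies(SAMPLE_LOG).items():
        print(f"{host} -> {dom}: {n} unique long subdomain labels")
```

Triage of a hit still needs the usual context (is the domain a known CDN or security product, does the host have a business reason for TXT lookups), which is why this sits in a hunt rather than an auto-block rule.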

Actor Eviction

The group had established three distinct persistence mechanisms: a scheduled task masquerading as a Windows update service, a modified legitimate binary with a backdoor, and a rogue LDAP service account. Each was identified and removed in a coordinated cutover operation designed to prevent the actor from receiving eviction alerts.

Hardening

Post-eviction, we hardened 47 attack vectors identified during the hunt: disabled legacy authentication protocols, implemented privileged access workstations for all administrator accounts, rotated all service account credentials, and deployed deception technology across sensitive network segments.

Zero-Trust Architecture

Working with the agency's network team over 60 days, we designed and implemented a zero-trust segmentation model that eliminated implicit trust between network zones. All east-west traffic now requires explicit authorisation, reducing the blast radius of any future intrusion.

Outcomes

8 months of dwell time closed
47 attack vectors hardened
Zero-trust architecture deployed

Sector

Government

Services Used

Threat Hunting
