Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q1 2026, a report built on frontline threat intelligence from our global incident response investigations across LevelBlue.

Google Cloud Platform (GCP) has unique security challenges compared to AWS and Azure, requiring specialized strategies for incident detection, response, and forensic analysis.

Over the past quarter, the Cado team has been hard at work bringing new features and enhancements to the Cado platform. Here's an overview of what we’ve been up to: 

To close out this blog series on the six phases of incident response, we will discuss the final phase: Lessons Learned. This phase takes cybersecurity incidents and turns them into opportunities for growth and improvement, and emphasizes analyzing the response, identifying successes and shortcomings, and implementing enhancements to bolster future incident handling.

In our recent blog posts, we’ve been covering the six phases of incident response. So far, we’ve already covered the preparation phase, identification phase, containment phase, and eradication phase. In this blog post, we move on to the recovery phase.

After successfully containing a cybersecurity incident, the next crucial step is eradication, the fourth phase in the incident response lifecycle. Eradication involves completely removing malicious components from the organization's systems and addressing vulnerabilities that attackers exploited. Achieving thorough eradication ensures that threats do not linger or reoccur, allowing systems to be safely restored and future incidents prevented.

Containment is the third stage in the incident response lifecycle and it directly influences how quickly and effectively an organization can mitigate the impact of a cybersecurity incident. This phase aims to halt the spread of threats, minimize damage, and maintain operational continuity. Successful containment requires rapid decision-making, careful planning, and execution of immediate and long-term actions.

Timely identification of incidents is critical. The identification phase, the second stage in the six-phase incident response lifecycle, focuses on detecting, analyzing, and verifying security incidents as quickly and accurately as possible. Early and precise identification reduces potential damage, shortens recovery time, and significantly enhances overall cybersecurity posture.

Google Cloud Platform (GCP) has unique security challenges compared to AWS and Azure, requiring specialized strategies for incident detection, response, and forensic analysis.

Threat investigations rely on context to provide security teams with a clear picture of potential risks. This context comes from various sources, including telemetry, alert data, business impact, and risk assessments. One critical aspect of risk assessment is identifying open vulnerabilities on affected systems. This can help security teams determine whether known vulnerabilities are relevant to an active incident and how best to mitigate them.

AWS remains a dominant force in cloud computing, but its complexity presents unique challenges for security teams. Incident response in AWS requires a deep understanding of log sources, service-specific strategies, and forensic techniques.

Microsoft Azure continues to be a key player in cloud computing, offering a vast array of services that organizations rely on for their operations. With this complexity comes the challenge of incident response—how do security teams efficiently detect, investigate, and remediate threats in Azure?

Security teams are facing an overwhelming volume of incidents. Manual processes can slow down response times, increasing damage and recovery costs. To counter this, organizations are adopting automation tools to:

As cloud environments grow more complex and attackers evolve their tactics, incident response strategies must continuously improve to remain effective. In a recent webinar, Cado experts Al Carchie and Shannon Lucas discussed key lessons from years of hands-on experience in incident response and shared best practices for organizations looking to strengthen their approach.

Threat actors are becoming more sophisticated, and organizations must be prepared to detect, contain, and remediate incidents swiftly. The incident response (IR) process ensures that security teams can minimize damage, recover systems, and strengthen defenses against future threats. 

Digital forensics is a critical field dedicated to the identification, preservation, analysis, and presentation of digital evidence. As cyber threats evolve, so do the tools and techniques employed by forensic professionals. This blog looks into some of the top free and open-source digital forensics tools and the methodologies that are key to modern investigations.

Endpoint Detection & Response (EDR) is frequently used by organizations as the first line of defense against cyber attacks. EDR platforms monitor organizations’ endpoints (servers, employee laptops, etc) and detect and contain malicious activity running where possible. In this blog, we will be exploring a ransomware attack in a lab environment, using payloads inspired from real attacks.

As organizations increasingly migrate workloads to the cloud, cybersecurity teams must adapt their digital forensics strategies. Investigating security incidents in a cloud environment presents challenges and opportunities distinct from traditional, on-premises forensics. The ability to efficiently collect, analyze, and respond to threats depends on understanding these key differences.

Cloud environments introduce new cybersecurity challenges, requiring security teams to rethink how they detect, investigate, and respond to threats. The recent Cado Security webinar, Defining the ‘R’ in CDR: A Realistic Approach to Responding to Cloud Detections, explored these challenges and provided insights into effective cloud detection and response (CDR) strategies. Here are the key takeaways from the discussion.