Command Zero
Incident Response

From alert to containment. With evidence, not assumptions.

Command Zero investigates across every connected system the moment an incident is declared, builds the full attack narrative, and ties containment actions to evidence.

The Problem

Incidents move faster than your tools.

When an incident breaks, response can't wait. Not for log migration. Not for a consultant on a flight. Not for a playbook that doesn't fit the situation. Scope gets lost between tools. Containment decisions get made on partial evidence. The audit trail comes together after the fact, if at all.

258 days
average time to identify and contain a data breach (IBM Cost of a Data Breach Report, 2024)
$4.88M
average cost of a data breach (IBM Cost of a Data Breach Report, 2024)
Hours to days
typical time to confirm scope on a multi-system incident
How It Works

Containment, tied to analysis.

Command Zero turns response into an evidence-driven workflow. The agent investigates across endpoint, identity, cloud, and SaaS in parallel. Containment options surface only when conclusions back them up.

Step 01

Scope Determination

The agent ingests the initial indicator and investigates across every connected system in parallel: endpoint, identity, cloud, email, SaaS. No waiting on a SIEM ingest queue.

Step 02

Cross-Ecosystem Narrative

Artifacts, timelines, and blast radius, built from real data instead of assumed from a playbook. Every step documents the data source queried and the conclusion drawn.

Step 03

Conclusion-Driven Action

Containment options surface tied to evidence: isolate host, disable account, revoke session, block IP. The analyst reviews and acts. No blind playbook execution.

Step 04

Audit-Ready Record

Every question asked, data source queried, artifact considered, and decision made. A forensic-grade trail for legal counsel, regulators, and post-incident review.

Key Benefits

Faster containment. Cleaner scope. Defensible record.

01

Hours to Minutes

Time-to-conclusion compressed from days to under 30 minutes for most cases. Surge capacity without a phone call to the retainer firm.

02

Full Blast Radius

Scope determined across every connected system. No tool stops at its own data plane. Endpoint, identity, cloud, and SaaS in one investigation with one narrative.

03

Action Tied to Evidence

Containment options grounded in conclusions. No playbook drift. No blind execution. The analyst reviews and decides.

04

Defensible Audit Trail

Every artifact, question, and decision recorded for legal, regulatory, and post-mortem review. Reconstruct the incident from the record, not from memory.

Spotlight Scenario

Compromised cloud admin.

Before

The identity team flags an Entra ID admin sign-in from an unusual location. The IR team starts pulling endpoint logs. Email and SharePoint activity get checked manually, in different consoles, by different people. Decisions on session revocation and host isolation wait until scope is “good enough.”

Elapsed time: 4–12 hours, plus follow-up.

After

Command Zero ingests the alert, pivots into endpoint, expands into Microsoft 365, checks SharePoint admin actions, traces lateral movement, and surfaces a verdict with containment options tied to evidence. The analyst reviews, approves, and acts.

Elapsed time: Under 30 minutes.

Incident Coverage

Every incident type. Across every connected system.

Account Compromise

Identity-driven scope. Session traces, MFA and conditional access correlation, blast radius across SaaS.

Endpoint Intrusions

From initial detection to lateral movement, persistence checks, and cross-system impact.

Cloud & SaaS Incidents

Misconfiguration, anomalous admin actions, and data access patterns across M365, AWS, Okta, GitHub.

Insider Activity

Activity correlation across HR-flagged users, departures, and watchlist scenarios.

Glass-box AI: Every conclusion is backed by the questions asked, the data sources queried, and the artifacts considered. Containment actions are options, not autonomous outcomes.

IR Question Library

The questions an IR lead asks, ready to run.

Every IR investigation starts with a question. Command Zero ships with thousands, built from real SOC and IR workflows and mapped to your tools. Every analyst and every agent uses the same library.

What sign-in activity originated from this user in Microsoft Entra ID?

Microsoft Entra ID

What IP addresses accessed this Microsoft 365 Exchange mailbox?

M365 Exchange

What email forwarding rules were created for mailboxes in Microsoft 365 Exchange?

M365 Exchange

What service principals were added in Microsoft Entra ID?

Microsoft Entra ID

What files were downloaded from Microsoft 365 SharePoint or OneDrive by this user?

SharePoint

What groups was this user added to in Microsoft Entra ID?

Microsoft Entra ID
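The sign-in question in this list (it appears again in the full library) is the usual first pivot on a suspected account compromise, and the spotlight scenario above starts from exactly that signal. The following is an added example, not Command Zero's code, showing one way to answer it over exported Entra ID sign-in records: it uses the field names of the Microsoft Graph signIn resource, treats countries seen in the user's earlier successful sign-ins as the baseline, and flags in-window successes that come from a new country, were established without MFA, had no successful Conditional Access evaluation, followed a sign-in from another country within a few hours, or followed failed attempts from the same IP. The sample sign-ins, the error code used for failures and the thresholds are constructed for the example.

```python
"""Triage one user's Microsoft Entra ID sign-ins during an incident window.

Added example for illustration; not Command Zero's code. Record fields follow
the Microsoft Graph `signIn` resource (userPrincipalName, createdDateTime,
ipAddress, location.countryOrRegion, status.errorCode,
authenticationRequirement, conditionalAccessStatus, appDisplayName).
The sample sign-ins and thresholds below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class FlaggedSignIn:
    when: str
    ip: str
    country: str
    app: str
    reasons: list


def triage_signins(records, user, window_start, travel_hours=4, failure_lookback_hours=1):
    """Flag successful sign-ins for `user` at or after `window_start`.

    Baseline = countries seen in the user's successful sign-ins before the
    window. Reasons accumulate so the analyst sees every signal at once.
    """
    cutoff = _ts(window_start)
    mine = sorted((r for r in records if r["userPrincipalName"].lower() == user.lower()),
                  key=lambda r: _ts(r["createdDateTime"]))
    successes = [r for r in mine if r["status"]["errorCode"] == 0]
    failures = [r for r in mine if r["status"]["errorCode"] != 0]
    baseline = {r["location"]["countryOrRegion"]
                for r in successes if _ts(r["createdDateTime"]) < cutoff}

    flagged, prev = [], None
    for r in successes:
        t = _ts(r["createdDateTime"])
        country, ip = r["location"]["countryOrRegion"], r["ipAddress"]
        if t >= cutoff:
            reasons = []
            if country not in baseline:
                reasons.append(f"first successful sign-in from {country}")
            if r.get("authenticationRequirement") != "multiFactorAuthentication":
                reasons.append("session established without MFA")
            if r.get("conditionalAccessStatus") != "success":
                reasons.append(f"Conditional Access status {r.get('conditionalAccessStatus')}")
            if prev is not None:
                prev_country, prev_t = prev["location"]["countryOrRegion"], _ts(prev["createdDateTime"])
                if prev_country != country and t - prev_t <= timedelta(hours=travel_hours):
                    minutes = int((t - prev_t).total_seconds() // 60)
                    reasons.append(f"{prev_country} -> {country} within {minutes} min")
            # Failed attempts from the same IP shortly before the success point at guessing.
            lookback = timedelta(hours=failure_lookback_hours)
            prior_failures = sum(
                1 for f in failures
                if f["ipAddress"] == ip and timedelta(0) <= t - _ts(f["createdDateTime"]) <= lookback)
            if prior_failures:
                reasons.append(f"{prior_failures} failed attempts from {ip} in the prior {failure_lookback_hours}h")
            if reasons:
                flagged.append(FlaggedSignIn(r["createdDateTime"], ip, country,
                                             r.get("appDisplayName", ""), reasons))
        prev = r
    return flagged


def _signin(upn, when, ip, country, error_code, auth_req, ca_status, app):
    """Build a record in the Graph signIn shape (constructed sample data)."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": error_code,
                       "failureReason": "" if error_code == 0 else "Invalid username or password."},
            "authenticationRequirement": auth_req,
            "conditionalAccessStatus": ca_status, "appDisplayName": app}


MFA, SINGLE = "multiFactorAuthentication", "singleFactorAuthentication"
# Constructed: alice's normal US sign-ins, then three failures and a single-factor
# success from a new country against the Azure Portal; bob is an unaffected control.
SAMPLE_SIGNINS = [
    _signin("alice@contoso.example", "2024-05-01T09:00:00Z", "198.51.100.10", "US", 0, MFA, "success", "Office 365 Exchange Online"),
    _signin("alice@contoso.example", "2024-05-02T09:05:00Z", "198.51.100.10", "US", 0, MFA, "success", "Microsoft Teams"),
    _signin("bob@contoso.example", "2024-05-02T10:00:00Z", "198.51.100.11", "US", 0, MFA, "success", "Microsoft Teams"),
    _signin("alice@contoso.example", "2024-05-10T08:00:00Z", "198.51.100.10", "US", 0, MFA, "success", "Microsoft Teams"),
    _signin("alice@contoso.example", "2024-05-10T08:30:00Z", "203.0.113.7", "NL", 50126, SINGLE, "notApplied", "Azure Portal"),
    _signin("alice@contoso.example", "2024-05-10T08:32:00Z", "203.0.113.7", "NL", 50126, SINGLE, "notApplied", "Azure Portal"),
    _signin("alice@contoso.example", "2024-05-10T08:35:00Z", "203.0.113.7", "NL", 50126, SINGLE, "notApplied", "Azure Portal"),
    _signin("alice@contoso.example", "2024-05-10T08:45:00Z", "203.0.113.7", "NL", 0, SINGLE, "notApplied", "Azure Portal"),
    _signin("bob@contoso.example", "2024-05-10T09:00:00Z", "198.51.100.11", "US", 0, MFA, "success", "Microsoft Teams"),
]

if __name__ == "__main__":
    for hit in triage_signins(SAMPLE_SIGNINS, "alice@contoso.example", "2024-05-10T00:00:00Z"):
        print(hit.when, hit.ip, hit.country, hit.app)
        for reason in hit.reasons:
            print("  -", reason)
```

Each reason is a separate signal rather than a score, because an analyst deciding on session revocation wants to see which evidence supports it. A "notApplied" Conditional Access status is common for legitimate sign-ins that no policy targets, so on its own it is context, not a verdict; combined with a new country and a single-factor success it is the pattern the spotlight scenario describes.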

Encoded Expertise

Questions are the unit of expertise.

Every investigation starts with a question. Command Zero ships with thousands. All built from real SOC workflows, mapped to your tools.

What site access requests were approved in Microsoft 365 SharePoint or OneDrive?
Lists approved site access requests and who approved them, so that grants made outside policy or by a compromised approver can be spotted.
SharePoint
What secure sharing links were created in Microsoft 365 SharePoint or OneDrive by this user?
Lists the secure (authenticated) sharing links this user created, a common way to stage data for collection from a compromised account.
SharePoint
What files were copied by this user in Microsoft 365 SharePoint or OneDrive?
Lists files this user copied within SharePoint or OneDrive, which can indicate staging before exfiltration.
SharePoint
What users had full access delegate permissions for their mailbox removed in Microsoft 365 Exchange?
Lists mailboxes whose Full Access delegate permissions were removed and who removed them; attackers clean up delegate access as readily as they add it.
M365 Exchange
What users had full access delegate permissions for their mailbox added in Microsoft 365 Exchange?
Lists mailboxes that gained a Full Access delegate, so each grant can be checked as legitimate or as a persistence mechanism on the mailbox.
M365 Exchange
What files were accessed in Microsoft 365 SharePoint or OneDrive by this user?
Lists the files this user opened or read, to establish what an attacker operating the account could have seen.
SharePoint
What secure sharing links were deleted in Microsoft 365 SharePoint or OneDrive by this user?
Lists secure sharing links this user deleted, which can be cleanup after data was collected.
SharePoint
What IP addresses accessed this Microsoft 365 Exchange mailbox?
Lists the source IP addresses that accessed the mailbox, to separate the owner's usual clients from an attacker's.
M365 Exchange
What Microsoft 365 SharePoint sites were visited by this user?
Lists the SharePoint sites this user visited, to detect browsing outside the user's normal scope.
SharePoint
What resource access requests were updated in Microsoft 365 SharePoint or OneDrive by this user?
Lists access requests this user changed, which can reveal self-approval or other unauthorized grants.
SharePoint
What groups were added in Microsoft Entra ID?
Lists newly created groups in Entra ID, since a new group is a common way to carry privileges or hide membership changes.
Microsoft Entra ID
What groups were created by this user in Microsoft Entra ID?
Lists the groups this user created, to check whether a compromised or rogue account is building new access paths.
Microsoft Entra ID
What files were downloaded from Microsoft 365 SharePoint or OneDrive by this user?
Lists files this user downloaded, the most direct measure of what left the tenant through a compromised account.
SharePoint
What sign-in activity originated from this user in Microsoft Entra ID?
Lists this user's sign-ins with source IP, location, client and authentication outcome, the starting point for any account-compromise investigation.
Microsoft Entra ID
What transport forwarding rules were created or enabled in Microsoft 365 Exchange?
Lists tenant-wide mail flow rules that were created or enabled and redirect or copy mail, a forwarding path that survives cleanup of a single mailbox.
M365 Exchange
What transport forwarding rules were created or enabled by this user in Microsoft 365 Exchange?
Lists mail flow rules this user created or enabled that redirect or copy mail; an administrator doing this unexpectedly is a strong compromise signal.
M365 Exchange
What secure links were used to access this resource in Microsoft 365 SharePoint or OneDrive?
Lists the secure links through which the resource was accessed, and by whom, to trace how a file reached an outside party.
SharePoint
What email forwarding rules were created for mailboxes in Microsoft 365 Exchange?
Lists inbox rules and mailbox-level forwarding created across the tenant, so each can be judged legitimate or part of a business email compromise.
M365 Exchange
What anonymous sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
Lists changes this user made to anonymous (anyone) sharing links, including expiry and permission changes that widen access.
SharePoint
What secure sharing links were updated in Microsoft 365 SharePoint or OneDrive by this user?
Lists changes this user made to secure sharing links, which can widen who can reach the shared data.
SharePoint
What files were moved in Microsoft 365 SharePoint or OneDrive by this user?
Lists files this user moved within SharePoint or OneDrive, which can be staging for collection or an attempt to hide data.
SharePoint
What IP addresses accessed this user's Microsoft 365 Exchange mailbox?
Lists the source IP addresses that accessed this user's mailbox, to separate the user's usual clients from an attacker's.
M365 Exchange
What folders were moved to the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
Lists folders this user moved to the recycle bin, to judge whether the deletions were routine or destructive.
SharePoint
What files were renamed in Microsoft 365 SharePoint or OneDrive by this user?
Lists files this user renamed, which can indicate tampering or an attempt to evade detection.
SharePoint
What transport forwarding rules were deleted or disabled in Microsoft 365 Exchange?
Lists mail flow rules that were deleted or disabled, which may be an attacker removing a forwarding path after use or a defender's containment step.
M365 Exchange
What transport forwarding rules were deleted or disabled by this user in Microsoft 365 Exchange?
Lists the mail flow rules this user deleted or disabled.
M365 Exchange
What search queries were performed against Microsoft 365 SharePoint or OneDrive by this user?
Lists the search queries this user ran against SharePoint or OneDrive, which show what an attacker was looking for.
SharePoint
What groups were updated in Microsoft Entra ID?
Lists the groups whose settings or membership changed during the investigation window.
Microsoft Entra ID
What properties of this group were updated in Microsoft Entra ID?
Lists the specific properties of the group that changed, to judge the security impact of each change.
Microsoft Entra ID
What previously deleted users were restored in Microsoft Entra ID?
Lists user accounts restored from the deleted state, a way to revive a dormant account for access without creating a new one.
Microsoft Entra ID
What resource access requests were denied in Microsoft 365 SharePoint or OneDrive?
Lists denied access requests, which can show an account probing for data it cannot reach.
SharePoint
What users were added in Microsoft Entra ID?
Lists newly created users in Entra ID, since a new account is a common persistence mechanism.
Microsoft Entra ID
What users were created by this user in Microsoft Entra ID?
Lists the user accounts this user created, to check for attacker-created persistence accounts.
Microsoft Entra ID
What users were removed from a group in Microsoft Entra ID?
Lists removals from groups across the tenant, which can signal unauthorized privilege changes.
Microsoft Entra ID
What members were removed from this group in Microsoft Entra ID?
Lists the members recently removed from the specified group.
Microsoft Entra ID
What groups was this user removed from in Microsoft Entra ID?
Lists the groups this user was removed from, which can indicate an attacker altering the account's privileges.
Microsoft Entra ID
What files were emptied from the recycle bin in Microsoft 365 SharePoint or OneDrive by this user?
Lists files this user permanently deleted from the recycle bin, which destroys both data and evidence.
SharePoint
What emails were sent by a delegate from this user's Microsoft 365 Exchange mailbox?
Lists messages sent from this user's mailbox by a delegate, to catch mail sent under the user's name by someone else.
M365 Exchange
What service principals were added in Microsoft Entra ID?
Lists newly added service principals in Entra ID, so that attacker-registered applications used for persistent API access can be identified.
Microsoft Entra ID
What files were uploaded to Microsoft 365 SharePoint or OneDrive by this user?
Lists files this user uploaded to SharePoint or OneDrive, to identify malicious content or tooling placed in the tenant.
SharePoint
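The forwarding questions in the library (inbox rules and mailbox-level forwarding for BEC, transport rules created or enabled, and their deleted or disabled counterparts) all reduce to reading Exchange admin records out of the Microsoft 365 Unified Audit Log. The following is an added example, not Command Zero's code, showing that logic over constructed AuditData records: it maps each operation to the parameters that carry a forwarding destination, separates mailbox-scope from tenant-scope forwarding, marks destinations outside the tenant's own domains, and notes when a rule also deletes or files away the forwarded mail, which is how an attacker hides the forward from the mailbox owner. The tenant domains, the sample records and the destination parsing (any e-mail address found in the parameter value) are assumptions made for the example.

```python
"""Find mail-forwarding changes in Microsoft 365 Unified Audit Log records.

Added example for illustration; not Command Zero's code. Records follow the
Exchange admin-audit layout of the AuditData JSON (Operation, UserId,
ClientIP, CreationTime, Parameters as a list of Name/Value pairs). The
sample records below are constructed for this example; destination parsing
is simplified to "any e-mail address in the parameter value" (an assumption).
"""
import json
import re
from dataclasses import dataclass

# Operation -> (scope, parameters whose value names a forwarding destination).
FORWARDING_OPS = {
    "New-InboxRule":     ("mailbox", ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")),
    "Set-InboxRule":     ("mailbox", ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")),
    "Set-Mailbox":       ("mailbox", ("ForwardingSmtpAddress", "ForwardingAddress")),
    "New-TransportRule": ("tenant",  ("RedirectMessageTo", "BlindCopyTo", "CopyTo")),
    "Set-TransportRule": ("tenant",  ("RedirectMessageTo", "BlindCopyTo", "CopyTo")),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class ForwardingFinding:
    when: str
    actor: str
    client_ip: str
    operation: str
    scope: str            # "mailbox" (one user's mail) or "tenant" (mail flow rule)
    destinations: tuple
    external: bool        # any destination outside the tenant's own domains
    hides_evidence: bool  # rule also deletes, files away or marks read the forwarded mail


def parse_audit_lines(lines):
    """One AuditData JSON document per line, as exported from the audit log."""
    return [json.loads(line) for line in lines if line.strip()]


def _params(record):
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def find_forwarding(records, internal_domains, actor=None):
    """Return findings for records that set a forwarding destination.

    `internal_domains` are the tenant's accepted domains; `actor` restricts
    to one UserId for the "by this user" form of the question.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        if op not in FORWARDING_OPS:
            continue
        who = rec.get("UserId", "")
        if actor and who.lower() != actor.lower():
            continue
        scope, keys = FORWARDING_OPS[op]
        params = _params(rec)
        dests = tuple(a.lower() for k in keys for a in EMAIL_RE.findall(params.get(k, "")))
        if not dests:
            continue  # e.g. a Set-InboxRule that only renamed the rule
        hides = (params.get("DeleteMessage", "").lower() == "true"
                 or bool(params.get("MoveToFolder"))
                 or params.get("MarkAsRead", "").lower() == "true")
        findings.append(ForwardingFinding(
            when=rec.get("CreationTime", ""), actor=who, client_ip=rec.get("ClientIP", ""),
            operation=op, scope=scope, destinations=dests,
            external=any(d.rsplit("@", 1)[-1] not in internal for d in dests),
            hides_evidence=hides))
    return findings


def _record(op, user, ip, when, params):
    """Serialise one constructed AuditData document the way the log exports it."""
    return json.dumps({"CreationTime": when, "RecordType": 1, "Workload": "Exchange",
                       "Operation": op, "UserId": user, "ClientIP": ip,
                       "Parameters": [{"Name": k, "Value": v} for k, v in params]})


# Constructed sample: a BEC-style inbox rule, an internal mailbox forward set by an
# admin, a tenant-wide redirect, a harmless rename, and a rule removal.
SAMPLE_AUDIT_LINES = [
    _record("New-InboxRule", "alice@contoso.example", "203.0.113.7", "2024-05-10T08:52:11",
            [("Name", "Invoices"), ("SubjectContainsWords", "invoice;payment"),
             ("ForwardTo", "finance.archive@evil.example"), ("DeleteMessage", "True")]),
    _record("Set-Mailbox", "admin@contoso.example", "198.51.100.20", "2024-05-10T09:10:03",
            [("Identity", "alice@contoso.example"),
             ("ForwardingSmtpAddress", "smtp:alice.archive@contoso.example"),
             ("DeliverToMailboxAndForward", "True")]),
    _record("New-TransportRule", "alice@contoso.example", "203.0.113.7", "2024-05-10T09:15:40",
            [("Name", "Spam filter"), ("RedirectMessageTo", "collector@evil.example")]),
    _record("Set-InboxRule", "alice@contoso.example", "203.0.113.7", "2024-05-10T09:20:00",
            [("Identity", "Invoices"), ("Name", "Receipts")]),
    _record("Remove-InboxRule", "alice@contoso.example", "203.0.113.7", "2024-05-10T09:25:00",
            [("Identity", "Receipts")]),
]

if __name__ == "__main__":
    for f in find_forwarding(parse_audit_lines(SAMPLE_AUDIT_LINES), {"contoso.example"}):
        print(f.when, f.operation, f.actor, f.client_ip, f.scope,
              ",".join(f.destinations), "EXTERNAL" if f.external else "internal",
              "hides-evidence" if f.hides_evidence else "")
```

Two caveats a practitioner would apply before trusting the output. An Enable-TransportRule or Disable-TransportRule record carries only the rule identity, not its actions, so answering the "enabled" form of the question means fetching the rule definition separately and is deliberately left out of the operation map here. And in real records ForwardTo and ForwardingAddress can hold a recipient display name or directory object rather than an SMTP address; those must be resolved before the external flag means anything, which is also why the example keeps the actor and ClientIP on every finding rather than reporting destinations alone.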
See the Business Impact

Schedule a consultation with our team.

See how evidence-driven response transforms your IR program.

Schedule a Consultation
Minutes to scope. Audit-ready trail. No data migration.