Has your organization suffered a data breach within the past 24 months? If so—and we believe many have—what process did your team use to respond to that breach? What data types were involved in the response process, and how long did the attacker have the advantage in your environment? In the 2020 SANS Enterprise Cloud Incident Response (IR) Survey, approximately 58% of survey respondents indicated that an attacker had at least two days of undetected time within the environment, with a quarter of those respondents admitting their dwell time was at least one month! [1] While these numbers have come down from years past, the fact that we are still measuring dwell time in days and months is an indication that something needs to improve. Furthermore, this is only one metric—and only half the battle. Response teams must be able to effectively remove the attacker from the environment to make a difference.