Proof packet
Recovery is not done until the story is explainable.
Executives, insurers, counsel, customers, and vendors need the same thing: a defensible record. Not screenshots thrown into a folder. A timeline, decisions, evidence, and remaining risk.
Timeline: When it started, how it moved, and when it was contained.
Scope: Users, hosts, servers, cloud apps, backups, and third parties touched.
Actions: Accounts revoked, hosts isolated, indicators blocked, restores validated.
Root cause: Likely entry point, contributing gaps, and what still needs confirmation.
Next controls: Monthly monitoring, restore testing, stack management, and runbooks.