Welcome to Cyberange Insights
The publishing home for our practice notes, engagement debriefs, and threat-landscape reads — now open for contributions from student alumni, cohorts, and the wider community.
Tactical blueprints, real-world DFIR case studies, and practical security lessons learned from the field.
A case study on designing and building a realistic, closed-loop smart-grid cybersecurity testbed for a research institute — the requirement, the design approach, what was delivered, and why it matters for the people who keep the grid running. Implementation specifics are deliberately withheld.
By Cyberange Phygital Labs
A redacted case study mapping a 13-week journey from an external foothold to full Active Directory compromise. Discover how the operator adapted tactics on the fly and what forensic artifacts survived a rigorous CERT-In post-incident review.
By Cyberange Adaptive Red Team
A short practice note on the difference between a simulator and a range, and why the difference compounds in operator training, regulator-grade demonstrations, and live red-team engagements.
By Cyberange Phygital Labs
A new analyst, a trusted client, and an email that arrived at 5:45 on a Monday morning. The story of a business email compromise that turned on a single swapped character — and the forensic trail that survived a year of silence and a lawyer's denial.
By Cyberange DFIR Team
A sanitized DFIR debrief of a ransomware intrusion at a large Indian manufacturer. We reconstruct the timeline from a misconfigured firewall rule and a brute-forced RDP login through Mimikatz, AV removal, PsExec lateral movement, and full-estate encryption — and the anti-forensics that nearly erased the trail.
By Cyberange DFIR Team
It came in as a spam complaint. It ended at a forgotten brochure website wired into the company's domain controller, with the Domain Admin password sitting in a script on someone's desktop. A story about the assets nobody thinks are worth attacking.
By Cyberange DFIR Team
CERT-In's Direction under Section 70B (28 April 2022) requires mandatory reporting of listed categories of cyber incidents within six hours of noticing them or being brought to notice of them. A practical breakdown of what the clock actually measures, what your runbook needs to include, and where most organisations get the timeline wrong.
By Cyberange DFIR Consulting
The fastest-growing initial-access surface in the engagement data is the browser session, not the credential. Reverse-proxy phishing kits, OAuth consent abuse, extension supply-chain hijacks, and infostealer-fed cookie marketplaces — what changed, why MFA and password rotation no longer cover the dominant case, and which controls actually move the curve.
By Cyberange Threat Intel