Case Study

Mitiga’s Threat Hunting Provides Clarity and Confidence to a Cyber Software Enterprise

When past exfiltration activities bring an attacker’s current AWS (Amazon Web Services) access into question, Mitiga is brought in to investigate.

Situation

Hunting for a persistent threat in AWS.

A worldwide cybersecurity software company that maintained extensive amounts of innovation and operational intellectual property (IP) in their cloud environments had experienced several past breaches in which sensitive data was exfiltrated (describe impact of this). They believed that the attacker may have gained persistency within their AWS environment and looked to investigate further to be sure that the problem was behind them.-

Requirements

Seeking an expert in AWS threat hunting

The customers were a CISO (Chief Information Security Officer) and Deputy CISO who needed a partner with proven strength in cloud threat hunting that also had deep knowledge of the AWS environment and opportunities a threat actor may exploit, to root out any damaging exfiltration activity that might still be under way.

Solutions

Mitiga leverages IR2 to conduct the hunts

Mitiga’s investigation centered on identifying both old and new tactics, techniques, and procedures (TTPs) that a threat actor could have used to gain persistency, developing attack scenario variants based on the attacker’s previous TTPs, and performing a series of attacks specifically geared towards the enterprise’s AWS environment. The IR2 platform’s Managed Threat Hunting was used for the task. Specifically, Mitiga’s research team leveraged IR2’s Cloud Attack Scenario Library (CASL) reflecting Mitiga’s growing body of cloud threat intelligence, as well as enriching CASL further and informing the hunt by querying industry intelligence sources, dark web forums, and underground markets. We term this approach to hunting “forensics as code.”

What SecOps

leaders are saying

"When something bad happens and you need to activate Mitiga, within an hour they already have people looking at your logs for the past year or even more."

Jonathan Jaffe, CISO, Lemonade

“We know how important it is to be prepared before an incident occurs, especially in cloud infrastructure.”

Adam Fletcher, Chief Security Officer, Blackstone

"Mitiga has a very elegant solution that enables companies to respond to sophisticated attacks in their SaaS and Cloud environments immediately."

John Watters, Former COO and President, Mandiant

"When something bad happens and you need to activate Mitiga, within an hour they already have people looking at your logs for the past year or even more."

Jonathan Jaffe, CISO, Lemonade

“We know how important it is to be prepared before an incident occurs, especially in cloud infrastructure.”

Adam Fletcher, Chief Security Officer, Blackstone

"Mitiga has a very elegant solution that enables companies to respond to sophisticated attacks in their SaaS and Cloud environments immediately."

John Watters, Former COO and President, Mandiant

Recommended Resources

Google Workspace - Log Insights to Your Threat Hunt

Google Workspace is a popular service for document collaboration for organizations and for individual users. Threat actors note that the popularity of this service is increased, and search for ways to exploit vulnerabilities and misconfigurations, so it is important to know how to hunt for threats in Google Workspace.

September 2, 2025

Breaking Down the Microsoft Entra ID Actor Token Vulnerability: The Perfect Crime in the Cloud

When we think about catastrophic vulnerabilities in the cloud, we usually imagine complex exploits that require advanced techniques, persistence, or luck. Sometimes a single flaw breaks the trust we put in our identity providers.

October 28, 2025

Inside Mitiga’s Forensic Data Lake: Built for Real-World Cloud Investigations

Most security tools weren’t designed for the scale or complexity of cloud investigations. Mitiga’s Forensic Data Lake was.