

Cold-Case Reconstruction vs. Live Incident Response: When Each Applies

The original IR vendor demobilized 90 days ago. Systems were rebuilt within the first two weeks. EDR retention rolled at 30. The carrier is now asking why the notification population grew from 80,000 to 340,000 between the preliminary report and the final, and panel counsel needs an answer that will survive a DPA technical review.

This is not a live incident response problem. It is a post-incident forensic reconstruction problem, and the methodologies diverge sharply.

What Live IR Is Built to Do

Live incident response operates under operational pressure. The objectives are containment, eradication, and restoration of business function — typically inside a 14-to-30-day window with a war room, executive briefings, and a regulator clock running. Evidence collection is necessarily a secondary priority to stopping the bleeding.

The deliverable is an incident report optimized for the questions the business and the carrier need answered fast: was the threat contained, what is the immediate exposure, what remediation is required. It is operationally indispensable. It is also, by design, written before the full evidentiary picture is available.

What Cold-Case Reconstruction Is Built to Do

Post-incident forensic reconstruction operates 30 to 365 days after the fact, with no operational clock and no responsibility for containment. The objective is evidentiary: rebuild what executed, what was accessed, and what left the network from the artifacts that survived demobilization, patching, and rebuild.

The input set is different. Live IR works from EDR telemetry streaming in real time, fresh memory captures, and unrotated logs. Cold-case work operates on what remains: triage memory snapshots collected during the original response, restored backups, cloud audit trails (which often outlast on-prem retention), partial proxy and netflow records, and the original IR vendor’s collected artifact set.

The deliverable is different too. A Hexmortem Cold-Case Reconstruction is built for the deposition transcript and the DPA technical review — every finding bound to its artifact, every assertion published with a stated confidence interval, every gap in the record disclosed rather than papered over.
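As an added illustration of what "operates on what remains" means in practice (example code, not Hexmortem's tooling or method): a small Python ledger that, given the retention each surviving source had, reports which days of the incident window any artifact can still attest to and which days must be disclosed as gaps. The source names, dates and retention figures are constructed, and the support labels are an illustrative scale rather than the lab's confidence-interval method.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Source:
    name: str
    first: date  # earliest day the surviving artifact can attest to
    last: date   # latest day it can attest to

def rolling(name: str, retention_days: int, today: date) -> Source:
    """A log that is still rotating: it only reaches back `retention_days` from today."""
    return Source(name, today - timedelta(days=retention_days), today)

def frozen(name: str, collected_on: date, retention_days: int = 0) -> Source:
    """An artifact preserved on `collected_on`; it reaches back over the retention it had then."""
    return Source(name, collected_on - timedelta(days=retention_days), collected_on)

def attesting(sources, day: date) -> list:
    """Names of sources that can still speak to `day`."""
    return [s.name for s in sources if s.first <= day <= s.last]

def coverage_gaps(sources, start: date, end: date) -> list:
    """Maximal runs of days inside [start, end] with no surviving source at all."""
    gaps, gap_start, day = [], None, start
    while day <= end:
        if not attesting(sources, day):
            gap_start = gap_start or day
        elif gap_start:
            gaps.append((gap_start, day - timedelta(days=1)))
            gap_start = None
        day += timedelta(days=1)
    if gap_start:
        gaps.append((gap_start, end))
    return gaps

def support_level(sources, day: date) -> str:
    """Illustrative label by number of independent sources (constructed scale, not a lab standard)."""
    n = len(attesting(sources, day))
    return "unsupported" if n == 0 else "single-source" if n == 1 else "corroborated"

# Constructed scenario: intake opens about 90 days after the original responder demobilized.
TODAY = date(2026, 5, 15)
WINDOW = (date(2026, 1, 5), date(2026, 2, 14))  # initial access .. containment, per the original report
SOURCES = [
    rolling("edr-telemetry", 30, TODAY),             # rolled long ago: attests to nothing in WINDOW
    rolling("cloud-audit", 90, TODAY),               # outlasts on-prem retention, still short of the window
    frozen("proxy-export", date(2026, 1, 20), 14),   # vendor's export of a 14-day proxy buffer
    frozen("triage-mem-host17", date(2026, 1, 18)),  # memory capture: attests to its collection day only
]
```

Running `coverage_gaps(SOURCES, *WINDOW)` on this scenario yields two disclosed gaps (the first day of the window, and 2026-01-21 through 2026-02-13), which is exactly the kind of hole a reconstruction report has to state rather than paper over.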

When the Original IR Report Stops Being Sufficient

Three triggers usually convert an operational IR engagement into a reconstruction engagement.

First, the exfiltration scope shifts. The preliminary scope was “limited”; the final notification population suggests otherwise; the carrier wants the discrepancy reconciled with artifacts. Second, a subrogation theory emerges. The insurer needs to establish that a third-party vendor’s failure caused the loss, and the original report — written for remediation, not causation — does not meet the standard subrogation counsel needs. Third, the original responder is structurally conflicted: they sold the EDR that missed the intrusion, sit on the carrier’s retainer, or have an operational interest in how the timeline reads.

Where the Two Engagements Should Coexist

Cold-case reconstruction is not a replacement for live IR. The original responder did the work that needed doing in the first 30 days. The reconstruction engagement does the work the original timeline did not have room for: artifact-by-artifact rebuild, confidence-interval discipline, and an evidentiary record engineered for adversarial venues.

In most matters Hexmortem takes, the original IR report stays in the file. The reconstruction sits alongside it, addressing the questions the operational report was never scoped to answer.

Choosing the Right Engagement

If the matter is active, the threat is live, and the priority is containment, the engagement is live IR and the reconstruction question is premature. If the matter is 60-plus days old, the operational report is in hand, and the questions now driving claim economics or litigation exposure require artifact-grade answers, the engagement is reconstruction.

Hexmortem operates exclusively in the second category. The lab runs no live IR practice, which is the structural reason it can be engaged when the original responder is conflicted, demobilized, or simply scoped for a different question than the one now on the table. If the report on your matter is being tested against questions it was not built to answer, that is the conversation to have.
