04 · /opt/research

writing from the lab

artefact-first · evidence-led 5 notes

0x01 · research note

When Not to Engage Subrogation Forensics: An Honest Threshold for Cyber Insurers

Subrogation forensics for cyber insurers is not always the right engagement. An honest threshold for when recovery work product is — and isn't — warranted.

26 APR 2026 ~3 min · read →

0x02 · research note

Commissioning an Independent IR Second Opinion: A Buyer’s Evaluation Guide

What carriers, breach coaches, and panel counsel should ask before commissioning an independent IR second opinion — independence, methodology,...

26 APR 2026 ~3 min · read →

0x03 · research note

How to Prove Data Was Exfiltrated: An Evidentiary Standard for Breach Claims

How to prove data was exfiltrated to a standard that survives DPA review and deposition — artifacts, confidence intervals, and bytes-on-wire...

26 APR 2026 ~3 min · read →

0x04 · research note

Inside an Exfiltration Scoping Audit: Methodology and Evidentiary Output

What an exfiltration scoping audit includes — bytes-on-wire reconstruction, artifact attribution, and confidence intervals on egress scope.

26 APR 2026 ~3 min · read →

0x05 · research note

Cold-Case Reconstruction vs. Live Incident Response: When Each Applies

Cold-case reconstruction and live IR solve different problems. A comparison of when post-incident forensic reconstruction is the right engagement.

26 APR 2026 ~3 min · read →