Connecticut Based · DFIR & Cloud Response

Practical Cybersecurity for Businesses That Can't Afford a Breach.

DFIR, account takeover response, Microsoft 365 investigations, tenant cleanup, and security readiness — with a clean handoff into managed SOC monitoring when ongoing protection is needed.

Trusted by Connecticut Law Firms,
CPA Practices, & Insurance Agencies.

BTC-IR-CONSOLE
btc@ir:~$ btc triage --tenant lawfirm-ct --scope full
[ ✓ ] Entra ID sign-in logs pulled — 72hr window
[ ! ] Anomalous login detected: Lagos, NG
[ ! ] Inbox rule created: "del:* → Deleted"
[ ✗ ] BEC confirmed — WIRE FRAUD RISK ACTIVE
btc@ir:~$ btc contain --force-signout --revoke-tokens
[ ✓ ] All sessions revoked — 1 account
[ ✓ ] Malicious inbox rules deleted
[ ✓ ] Conditional Access enforced
[ ✓ ] Wire transfer blocked — $7M protected
btc@ir:~$
IR ENGAGEMENT ACTIVE $7,000,000 PROTECTED
Incident Response & DFIR ATO & BEC Investigations Microsoft 365 & Cloud Forensics Tenant Cleanup & Hardening IR Readiness & Insurance Support SOCaaS Handoff Incident Response & DFIR ATO & BEC Investigations Microsoft 365 & Cloud Forensics Tenant Cleanup & Hardening IR Readiness & Insurance Support SOCaaS Handoff

Black Tower Cyber Services

DFIR First. Monitoring When It Makes Sense.

Black Tower Cyber focuses on incident response, cloud forensics, Microsoft 365 investigations, tenant hardening, and readiness projects. Ongoing monitoring is available as a SOC-as-a-Service handoff instead of forcing every client into a full MSSP model.

Incident Response & DFIR

For active incidents, suspicious activity, malware alerts, cloud compromise, and situations where you need answers fast.

  • Triage, containment & recovery guidance
  • Evidence collection & investigation timeline
  • Endpoint, cloud, email & identity review
  • Written incident report & recovery plan
View Service

ATO / BEC Investigation

Focused response for compromised Microsoft 365 accounts, suspicious mailbox activity, fraudulent invoices, and wire fraud attempts.

  • Session revocation & account containment
  • Inbox rule, forwarding & delegation review
  • Sign-in, audit log & message trace analysis
  • Impact review & remediation steps
View Service

Microsoft 365 Security Assessment

A structured review of the Microsoft 365 tenant before monitoring, cleanup, insurance renewal, or post-incident hardening.

  • MFA, Conditional Access & legacy auth review
  • Admin roles, guest users & stale accounts
  • Enterprise apps, OAuth & risky consent
  • Written findings & remediation roadmap
View Service

Tenant Cleanup & Hardening

We clean up risky Microsoft 365 settings before they become incidents or before the client moves into SOC monitoring.

  • Restrict enterprise app consent & OAuth risk
  • Enforce MFA & Conditional Access baseline
  • Remove stale users, ghost admins & risky guests
  • Before/after configuration report
View Service

IR Readiness & Insurance Support

Preparedness projects for businesses that need incident plans, evidence folders, tabletop exercises, and insurance control validation.

  • ATO, BEC & ransomware playbooks
  • Contact tree & evidence procedures
  • Cyber insurance evidence folder
  • Tabletop exercise & after-action report
View Service

SOCaaS Handoff

After an incident, assessment, or cleanup, clients can move into managed monitoring instead of staying exposed.

  • Huntress MDR / EDR
  • Huntress ITDR, SIEM & SAT
  • Monthly threat reporting
  • Direct escalation back to Black Tower IR
View Service

How the model works

Black Tower Cyber handles the incident, investigation, assessment, and cleanup. If the client needs ongoing protection, we transition them into SOC-as-a-Service monitoring powered by Huntress, with serious incidents escalating back to Black Tower Cyber.

01
Investigate

IR, DFIR, ATO, BEC, cloud review.

02
Harden

Clean the tenant and reduce attack paths.

03
Monitor

SOCaaS handoff for ongoing coverage.

Not a full MSP.

We do not replace your IT provider. We focus on security incidents, identity risk, Microsoft 365 hardening, and the escalation path your business needs when something goes wrong.

Contact Us
Operator Led
BTC-DFIR-MODEL
Step 01

Investigate the incident, identity activity, mailbox changes, cloud logs, and attacker path.

Step 02

Contain the threat, revoke sessions, remove malicious rules, clean apps, and harden access.

Step 03

Document what happened, what was affected, and what needs to change next.

Step 04

When monitoring is needed, transition the client into SOCaaS through Huntress MDR, ITDR, SIEM, and SAT.

Leadership & Methodology

DFIR first. Monitoring when it makes sense.

Black Tower Cyber is built for companies that need answers during a security event, not another vague technology bundle. The focus is incident response, account takeover investigation, Microsoft 365 forensics, tenant cleanup, and practical security readiness.

Instead of presenting as a full MSP or broad MSSP, BTC operates as the investigation and hardening side of the business. When a client needs ongoing monitoring after an assessment or incident, the handoff is made into a SOCaaS model powered by Huntress.

This keeps the service realistic, professional, and aligned with what clients actually need: find out what happened, contain the issue, clean up the environment, document the outcome, and monitor what matters going forward.

Evidence-Based Investigations
Microsoft 365 & Cloud Focus
Written Reports & Roadmaps
SOCaaS Escalation Path

Who We Protect

Built for high-risk SMBs without an internal security team.

The best fit is a 10 to 50 employee organization that relies on Microsoft 365, handles sensitive data, and needs incident response or security readiness without hiring a full-time security department.

Law Firms

Privileged email, wire instructions, client files, and high-impact business email compromise risk.

CPA Firms

Tax records, payroll access, sensitive PII, and seasonal spikes in phishing and credential theft.

Real Estate

Closing documents, escrow communication, and wire fraud scenarios where one inbox can change everything.

Professional Services

Consultants, insurance agencies, finance teams, and SMBs that need practical cyber response.

How BTC Fits With SOCaaS

Project work first. Recurring monitoring second.

Black Tower Cyber handles the high-skill work: investigations, tenant assessments, hardening, reports, and readiness. If the client needs ongoing monitoring, they are moved into a managed security monitoring model with direct escalation back to BTC when something serious happens.

Clean Business Flow

Assessment or incident response creates the trust. Tenant cleanup reduces risk. SOCaaS keeps watching after the project. BTC stays positioned as the expert response team, not a generic MSP.

1

Investigate or Assess

ATO, BEC, phishing, M365 audit review, or a security readiness assessment.

2

Contain and Harden

Revoke sessions, enforce MFA, clean inbox rules, remove risky apps, improve Conditional Access, and document changes.

3

Report and Recommend

Deliver a written summary, timeline, findings, risk explanation, and practical remediation roadmap.

4

Move to Monitoring

Ongoing Huntress MDR, ITDR, SIEM, SAT, reporting, and alert escalation through SOCaaS when the client needs recurring protection.

Realistic Incident Scenarios

What BTC is built to handle.

The focus is not generic IT support. BTC is designed for high-impact security events involving identity, email, Microsoft 365, cloud evidence, and business risk.

ATO / BEC

Compromised mailbox with suspicious rules

A user reports odd emails and a vendor asks about changed payment instructions. BTC reviews sign-ins, sessions, inbox rules, forwarding, OAuth apps, message trace, and impact.

  • Session revocation
  • Mailbox forensics
  • Written incident summary
Tenant Risk

Messy Microsoft 365 tenant before monitoring

A company wants monitoring, but the tenant has weak MFA, risky app consent, stale admins, forwarding exposure, and no clear response process. BTC assesses and cleans first.

  • MFA and admin review
  • Enterprise app cleanup
  • Before and after report
Readiness

Cyber insurance renewal with missing evidence

A business needs to prove MFA, EDR, backups, awareness training, and response procedures. BTC validates controls and builds the evidence folder.

  • Control validation
  • IR plan and checklist
  • Carrier-ready evidence

Engagement Process

Clear scope. Clean execution. No mystery retainers.

BTC engagements are structured so the client knows what is being reviewed, what will be delivered, and what the next recommended step is.

01

Scope

Identify the incident, tenant, business risk, affected users, reporting needs, and urgency.

02

Collect

Preserve logs, export evidence, review identity activity, and capture relevant configuration data.

03

Contain

Remove attacker access, revoke tokens, reset credentials, clean malicious rules, and reduce immediate exposure.

04

Report

Deliver findings, timeline, remediation plan, and a SOCaaS or hardening recommendation if ongoing risk remains.

Confidential Intake

Need answers after a
security event?

Use BTC for active incident response, M365 account compromise, tenant assessments, hardening projects, insurance readiness, or a SOCaaS monitoring handoff.

Active Incident

Account takeover, BEC, phishing, malware, or suspicious access.

Planned Project

Assessment, cleanup, hardening, tabletop, or insurance readiness.

Request a Confidential Consultation

Tell us what happened or what you want reviewed.