DFIR · Microsoft 365 · Readiness · SOCaaS Handoff

Investigate the Incident.
Harden the Tenant.

Black Tower Cyber is built for active incidents, Microsoft 365 account compromise, business email compromise, cloud forensics, tenant cleanup, and incident readiness. When monitoring is needed, we hand clients into a SOC-as-a-Service model instead of pretending to be a full MSP.

BTC Engagement Flow
Project first. Monitoring second.
1. Investigate or Assess: ATO, BEC, phishing, suspicious access, or a security readiness review.

2. Clean Up & Harden: MFA, Conditional Access, enterprise apps, mailbox rules, admin roles, and email controls.

3. Handoff to SOCaaS: ongoing MDR, ITDR, SIEM, SAT, reporting, and escalation back to BTC IR.

This keeps Black Tower Cyber focused on high-value DFIR and hardening work while giving clients a path to ongoing protection.

Emergency response is BTC’s flagship service: active incident triage, containment guidance, evidence preservation, forensic review, timeline development, and a written incident report.

Active Incident Triage

Scope, severity, priority, and immediate containment path

Account Compromise Review

Sign-ins, sessions, tokens, MFA, mailbox activity

Phishing & BEC Investigation

Header analysis, message trace, IOC extraction, impact

Evidence Preservation

Exports, screenshots, logs, chain-of-custody notes

Endpoint Alert Review

Available EDR/MDR alerts, suspicious process activity

Incident Report

Timeline, root cause, impact, remediation steps

Packaged Engagement

Emergency Response

For active incidents involving suspicious access, malware alerts, phishing, account takeover, wire fraud, or cloud compromise.

Written Summary · Recovery Guidance
Engage IR Now

ATO and BEC work is fast, focused, and high-value: revoke active sessions, reset credentials, review mailbox abuse, preserve logs, identify attacker actions, and document the business impact.

Session Revocation

Force sign-out, revoke refresh tokens, reset password

MFA Review

Re-registration, suspicious MFA methods, bypass review

Inbox Rule Forensics

Hidden rules, deleted folders, RSS, archive abuse

Message Trace

Identify impacted messages, recipients, and fraud attempts

OAuth App Review

Rogue apps, risky consents, suspicious permissions

Impact Summary

Who was affected, what was accessed, what changed

Packaged Engagement

ATO / BEC Investigation

For compromised Microsoft 365 accounts, suspicious mailbox activity, fraudulent invoices, wire fraud attempts, or client-reported suspicious email activity.

Start Investigation
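The containment and inbox-rule steps listed above (session revocation, forwarding and hidden-rule review, MFA method review, log preservation) can be run as one scripted first hour. The script below is an added example written for this page, not Black Tower Cyber's own tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds Exchange and user-administration rights in the tenant, and that the -UserPrincipalName and -EvidencePath parameters, the evidence folder layout and the "suspicious folder" name list are choices made for this example. It preserves evidence before it changes anything, and disables rather than deletes flagged rules so they survive for the report.

```powershell
<#
  Added example (not Black Tower Cyber's own tooling): first-hour containment
  and inbox-rule triage for one compromised Microsoft 365 account.
  Assumptions: Microsoft.Graph and ExchangeOnlineManagement are installed, the
  operator has the rights these cmdlets need, and the two parameters below
  are hypothetical names chosen for this example.
#>
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$EvidencePath = ".\evidence"
)

Connect-MgGraph -Scopes "User.ReadWrite.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
function Save-Evidence($Object, $Name) {
    # Export-Clixml keeps the whole object graph for the report and chain-of-custody notes
    $Object | Export-Clixml -Path (Join-Path $EvidencePath "$stamp-$Name.xml")
}

# 1. Preserve first, change nothing yet: rules, forwarding, MFA methods, 30 days of audit log.
$rules   = Get-InboxRule -Mailbox $UserPrincipalName
$mailbox = Get-Mailbox -Identity $UserPrincipalName
$methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
$audit   = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
               -UserIds $UserPrincipalName -ResultSize 5000
Save-Evidence $rules   "inboxrules"
Save-Evidence ($mailbox | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward) "forwarding"
Save-Evidence $methods "mfa-methods"
Save-Evidence $audit   "unifiedauditlog"

# 2. Flag the rule patterns used to hide replies from the real user:
#    forward/redirect out, delete, bury in RSS/Archive/Junk, or a near-empty name.
#    The folder-name list is this example's choice; extend it to match your tenant.
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or
    ([string]$_.MoveToFolder -match 'RSS|Archive|Junk|Deleted|Conversation History') -or
    ($_.Name.Trim().Length -le 2)
}
$suspicious | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

# 3. Contain: disable (not delete) flagged rules so they remain as evidence,
#    clear mailbox-level forwarding, revoke refresh tokens, force a password reset.
foreach ($rule in $suspicious) {
    Disable-InboxRule -Identity $rule.Identity -Mailbox $UserPrincipalName -Confirm:$false
}
Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $null -ForwardingSmtpAddress $null `
            -DeliverToMailboxAndForward $false

Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null   # invalidates refresh tokens
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)                   # one-time value, changed at next sign-in
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 4. Leave a record of what was done for the incident report.
[pscustomobject]@{
    User              = $UserPrincipalName
    Timestamp         = (Get-Date).ToString("o")
    RulesDisabled     = @($suspicious).Count
    MethodsRegistered = @($methods).Count
    AuditEvents       = @($audit).Count
} | Export-Csv -Path (Join-Path $EvidencePath "$stamp-containment-actions.csv") -NoTypeInformation
```

Run it once per affected account, then review the exported MFA methods by hand: a method registered during the attacker's access window is the item to remove, and that decision belongs to the analyst, not the script. Revoking sign-in sessions invalidates refresh tokens but existing access tokens live out their lifetime, so a short window of continued access is expected and should be noted in the timeline.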

Cloud forensics focuses on audit logs, identities, mailboxes, files, applications, and administrative changes that show how an attacker gained access and what they touched.

Microsoft 365 Audit Logs

Unified audit log, Exchange, SharePoint, OneDrive

Entra ID Investigation

Sign-ins, risk, conditional access, admin actions

Exchange Online Review

Mailbox audit, delegation, forwarding, transport rules

SharePoint / OneDrive Exposure

External sharing, suspicious downloads, permissions

Google Workspace / AWS Review

When needed, scoped cloud review and evidence export

Timeline Development

First access, attacker actions, containment, recovery
This is the pre-SOCaaS entry point. It gives the client a practical risk picture and gives BTC a clean path to recommend hardening, cleanup, or monitoring.

MFA Review

Coverage, admin enforcement, weak methods

Conditional Access Review

Baseline policies, gaps, legacy auth, named locations

Enterprise App Review

User consent, risky apps, stale integrations

Mailbox Risk Review

Forwarding, inbox rules, delegation, external access

Email Authentication

SPF, DKIM, DMARC, spoofing controls

Findings Report

Priority matrix and SOCaaS readiness recommendation

Microsoft 365 Security Assessment

A practical review for companies that need to know where they are exposed before an incident, insurance renewal, or managed monitoring onboarding.
Hardening is project-based and high-value. This is where you remove stale accounts, enforce MFA, restrict app consent, clean risky rules, and document the before/after state.

Restrict App Consent

Disable risky user consent and review existing apps

Remove Suspicious OAuth Apps

Clean stale, risky, or over-permissioned apps

Enforce MFA

Users, admins, break-glass planning, method cleanup

Conditional Access Baseline

Policy recommendations and safe rollout approach

Admin Role Cleanup

Least privilege review and stale admin cleanup

Before / After Report

Documented changes and risk reduction summary

Tenant Cleanup & Hardening Project

For companies that need hands-on remediation after an assessment, incident, insurance questionnaire, or before moving into managed monitoring.
This service gives companies the documents, playbooks, and evidence they need before an incident or insurance renewal exposes gaps.

IR Plan

Roles, responsibilities, escalation path, contact tree

ATO / BEC Playbook

Containment, evidence, client notifications, recovery

Ransomware Checklist

Isolation, backups, legal, insurance, restoration

Evidence Folder

MFA, EDR, SAT, backups, policies, diagrams

Questionnaire Support

Cyber insurance and client security questionnaires

Tabletop Exercise

Guided incident drill with after-action notes

IR Readiness Package

For companies that need playbooks, tabletop preparation, control evidence, and insurance-ready documentation before something happens.

SOCaaS Handoff

After we investigate and harden, monitoring can take over.

Black Tower Cyber should not look like a broad MSSP. The cleaner model is: BTC investigates and hardens, then hands clients into a managed monitoring service when they need ongoing MDR, identity monitoring, SIEM visibility, phishing training, and alert escalation.

Website positioning: Need ongoing monitoring after the incident? After an investigation or security assessment, BTC can help transition your business into managed security monitoring through a SOC-as-a-Service model with direct escalation back to our IR team.

Huntress MDR

Endpoint monitoring and managed response.

Huntress ITDR

Microsoft 365 identity threat detection.

Huntress SIEM

Log visibility and security event correlation.

Huntress SAT

Security awareness and phishing training.

Need answers, cleanup, or a path to monitoring?

Start with a short scoping call. We will determine whether you need emergency response, an ATO/BEC investigation, a Microsoft 365 assessment, tenant cleanup, readiness work, or SOCaaS handoff.