The Distance Problem: the compromised endpoint is in a home office 200 miles away. Or it is one of 500 workstations that might be affected and you need to know which ones within the hour. Or it is a server in a data center you cannot physically access until tomorrow morning. KAPE requires local execution — someone must run it on or from the target machine. Velociraptor solves this: deploy an agent once, collect forensic artifacts remotely from any endpoint on the network, hunt across the entire fleet from a single console, perform live response without physically touching the system, and quarantine compromised endpoints with a single click. Where KAPE is the single-system collection tool, Velociraptor is the enterprise-scale investigation platform.
Deliverable: Velociraptor deployed in one of three configurations (standalone collector, single-server lab, or cloud production), validated with a test collection, and understood at operational depth — the architecture that enables remote forensics, VQL as the query language for endpoints, the artifact system that makes Velociraptor extensible, hunting across the fleet for scope determination, and the decision framework for when to use Velociraptor versus KAPE versus Defender XDR Live Response.
⏱ Estimated completion: 30 minutes
Velociraptor — Remote Response at Scale
Collecting evidence from 500 endpoints without leaving your desk
The compromised user works from home, 200 miles away. You need triage artifacts from their workstation. You also need to hunt across every endpoint in the organization to determine whether the attacker touched other systems. You cannot physically visit 500 workstations. You cannot ask 500 users to run KAPE manually. Velociraptor solves both problems — remote evidence collection from a single endpoint and fleet-wide hunting across thousands, from your forensic workstation.
Velociraptor is an advanced open-source endpoint monitoring, digital forensic, and incident response platform created by Mike Cohen, a security researcher who previously worked at Google and Rapid7. It was purpose-built for the reality of modern incident response: geographically distributed endpoints, remote workers, cloud-hosted virtual machines, and investigations that span hundreds or thousands of systems simultaneously. Rapid7 acquired Velociraptor and continues its active development, with the project maintaining its open-source license and community-driven artifact ecosystem.
```powershell
# Create a standalone offline collector
Set-Location "C:\IR\Tools\Velociraptor"
# Download the latest release from:
# https://github.com/Velocidex/velociraptor/releases
# Save the Windows executable to C:\IR\Tools\Velociraptor\

# Option A: Create a preconfigured collector using the GUI wizard
.\velociraptor.exe gui
# In the GUI: Server Artifacts → Build Offline Collector
# Select the artifacts to collect (e.g., Windows.KapeFiles.Targets)
# Configure parameters (e.g., _SANS_Triage = Y)
# Build → produces a standalone .exe collector

# Option B: Create a collector from the command line
.\velociraptor.exe collector create --os windows --output "C:\IR\Tools\Velociraptor\collector_triage.exe" --format zip

# Run the collector on a target system (or your workstation for testing)
.\collector_triage.exe
# Output: a ZIP file containing collected artifacts
# Transfer the ZIP to the forensic workstation for analysis
```
```powershell
# Start Velociraptor in instant/GUI mode
# This launches server + client + browser automatically
Set-Location "C:\IR\Tools\Velociraptor"
.\velociraptor.exe gui

# What this does:
# 1. Starts the Velociraptor server (listening on localhost:8889)
# 2. Starts a single client connected to the server
# 3. Opens your browser to https://127.0.0.1:8889
# 4. Logs in with default credentials (admin / password)
# 5. The client auto-enrolls — you see it in the client list
#
# Datastore: stored in a temp directory by default
# To persist data: --datastore "C:\IR\Tools\Velociraptor\datastore"
#
# This is NOT a production deployment — it uses self-signed certs,
# default credentials, and runs on localhost. Use it for the course lab.
```
```powershell
# Production deployment — generate server and client configuration
.\velociraptor.exe config generate -i

# Interactive wizard prompts:
# What OS will the server be deployed on? [linux/windows/darwin]
# Path to the datastore directory: /opt/velociraptor/datastore
# Frontend hostname or IP: velociraptor.northgateeng.com
# Frontend port: 8000
# GUI port: 8889 (or same as frontend with path-based routing)
# GUI username: admin
# GUI password: [strong password]
#
# Output:
# server.config.yaml — server configuration
# client.config.yaml — client configuration (deploy to all endpoints)

# Start the server
.\velociraptor.exe --config server.config.yaml frontend -v

# Deploy the client to endpoints (via SCCM, GPO, Intune, or manual)
# The client config embeds the server URL and certificates.
# For fleet deployment, package the client binary and client.config.yaml as an MSI;
# on a single endpoint, install the client directly as a Windows service:
.\velociraptor.exe --config client.config.yaml service install
```
```vql
// VQL fundamentals: the SELECT-FROM-WHERE pattern
// This is the same pattern as SQL and KQL

// List all running processes
SELECT Pid, Name, Exe, CommandLine, CreateTime
FROM pslist()

// Filter to suspicious parent-child relationships
// Outlook spawning PowerShell = likely phishing payload execution
SELECT Pid, Ppid, Name, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell|cmd|wscript|cscript|mshta"
  AND Ppid IN (
    SELECT Pid FROM pslist() WHERE Name =~ "outlook|winword|excel"
  )

// Find files created in the last 7 days in suspicious locations
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs="C:\\Users\\*\\AppData\\Local\\Temp\\*.exe")
WHERE Ctime > timestamp(epoch=now() - 86400 * 7)

// Check for persistence via scheduled tasks with suspicious actions
SELECT Name, Actions, Triggers, State,
       parse_string_with_regex(string=Actions, regex="<Command>(?P<Command>[^<]+)") AS Command
FROM Artifact.Windows.System.TaskScheduler()
WHERE Command.Command =~ "powershell|cmd|wscript|mshta|rundll32"
   OR Command.Command =~ "AppData|Temp|ProgramData|Public"
```
```vql
// Alternative: run the collection as a VQL query from the notebook
// This demonstrates the VQL equivalent of the GUI collection
SELECT * FROM Artifact.Windows.KapeFiles.Targets(
    Device="C:",
    _SANS_Triage="Y"
)

// The notebook interface allows you to write and execute VQL
// directly — useful for custom collections not covered by
// built-in artifact parameters
```
```vql
// Hunt example 1: Find a specific persistence mechanism across the fleet
// Scenario: initial investigation found a suspicious scheduled task
// named "ChromeUpdate" that runs a PowerShell encoded command.
// How many other endpoints have this task?
SELECT Name, Enabled, Actions, LastRunTime, NextRunTime
FROM Artifact.Windows.System.TaskScheduler()
WHERE Name =~ "(?i)ChromeUpdate"
// Results: each row is a client where the task exists
// If 12 of 500 endpoints have this task, you have 12 compromised systems

// Hunt example 2: Find endpoints that communicated with a C2 IP
// Scenario: threat intel provides a known C2 address
SELECT Pid, Name, ForeignAddr, ForeignPort, State
FROM connections()
WHERE ForeignAddr = "203.0.113.47"
// Results: every endpoint with an active connection to the C2 IP

// Hunt example 3: Find endpoints with a specific file hash
// Scenario: malware analysis reveals a SHA256 hash for the payload
// Calculate_Hash must be enabled: the Hash column is only populated
// when the artifact is asked to hash each matched file.
SELECT FullPath, Size, Hash.SHA256 AS SHA256
FROM Artifact.Windows.Search.FileFinder(
    SearchFilesGlob="C:\\Users\\**\\*.exe",
    Calculate_Hash=true,
    Upload_File=false
)
WHERE SHA256 = "a1b2c3d4e5f6...the known malicious hash..."
// Results: every endpoint where the payload exists on disk
```
In the developer's own words, "Velociraptor is simply a VQL engine." This statement captures the tool's design philosophy: at its core, Velociraptor executes VQL (Velociraptor Query Language) queries against endpoints and returns structured results. Everything else — the web GUI, the client-server architecture, the hunt management, the artifact exchange — is infrastructure built around that core capability. This design makes Velociraptor infinitely extensible: if you can express an investigation question as a VQL query, Velociraptor can answer it across any number of endpoints simultaneously.
A single Velociraptor server can handle 10,000-15,000 connected endpoints. For larger deployments, a multi-frontend architecture scales to over 100,000 endpoints. The client agent runs on Windows, Linux, and macOS, consuming minimal resources (10-20 MB RAM, negligible CPU when idle). Communication between client and server uses mutually authenticated TLS — the client authenticates the server and the server authenticates the client, preventing both MITM attacks and unauthorized client connections.
The capabilities that make Velociraptor essential for IR fall into four categories:
Remote forensic collection. Collect KAPE-equivalent triage artifacts from any endpoint with the agent installed — without physically touching the machine, without requiring the user to do anything, without deploying additional tools. The investigator selects an artifact (for example, Windows.KapeFiles.Targets with the _SANS_Triage parameter), clicks Collect, and the agent executes the collection on the endpoint. Results upload to the server automatically. For a remote worker on a home network, this is the only practical way to collect forensic evidence without shipping a USB drive or talking a non-technical user through a command-line process.
Enterprise-wide hunting. Run a VQL query against every connected endpoint simultaneously and receive aggregated results in minutes. "Show me every endpoint where a scheduled task named 'ChromeUpdate' exists and the task action contains powershell.exe" returns results from 5,000 endpoints in under 10 minutes. This is how you determine the scope of an incident: from one known compromised endpoint to every affected system in the fleet. Without this capability, scoping requires logging into each system individually or relying on EDR telemetry that may not capture the specific artifact you need.
Live response. Open a remote shell on any connected endpoint through the Velociraptor GUI. Execute commands, browse the filesystem, download specific files, and perform triage — all from the investigation console. This provides the same capability as Defender XDR Live Response but works on endpoints that are not enrolled in Defender, runs on Linux and macOS (not just Windows), and is not limited to the commands that Microsoft exposes through their API.
Endpoint quarantine. Isolate a compromised endpoint from the network with a single action in the GUI. Velociraptor modifies the local firewall rules to deny all connections except communication to the Velociraptor server — meaning the endpoint is cut off from the attacker's C2 channel and from lateral movement paths, but remains accessible for remote investigation and evidence collection. This is containment without losing investigation access.
Figure IR1.4a: Velociraptor's four IR capabilities. Remote collection eliminates the distance problem. Enterprise hunting determines scope. Live response enables real-time investigation. Quarantine provides containment without losing access.
---
Architecture: how Velociraptor works
Velociraptor operates on a client-server model. The server component provides the web GUI (management console), stores collected data, manages hunts, and distributes VQL queries to clients. The client component (agent) runs on each endpoint as a lightweight service, maintains a persistent connection to the server, executes VQL queries when instructed, and uploads results.
The communication flow is unidirectional from the client's perspective: the client initiates an outbound TLS connection to the server. The server never initiates connections to clients. This means the client works through firewalls and NAT without inbound port configuration — the same connectivity model used by cloud-managed EDR agents. The client polls the server for work (new artifact collections, hunt queries), executes any assigned work locally, and uploads results through the existing connection.
When you initiate an artifact collection through the GUI, the server queues the VQL artifact for the specified client. The next time the client polls (typically within seconds), it receives the artifact, executes it locally on the endpoint with full system privileges, and uploads the results (structured data and optionally collected files) to the server. The investigator views the results through the web GUI or downloads them for analysis in Timeline Explorer.
For hunts (enterprise-wide queries), the process scales: the server distributes the same VQL query to all connected clients simultaneously. Each client executes the query locally and returns results. The server aggregates all results into a single view. A hunt across 5,000 endpoints that checks for a specific scheduled task completes in minutes — each client processes the query in seconds, and the results flow back as each client responds.
---
Deployment: three modes for different contexts
Velociraptor supports three deployment modes, each suited to a different operational context. For this course, the standalone collector or single-server lab mode is sufficient. Production environments use the cloud/production mode.
Mode 1: Standalone collector (no server required). The simplest deployment — a single executable that collects specified artifacts when run on a target system and produces a ZIP file of results. No server, no agent installation, no network configuration. This mode is equivalent to running KAPE from a USB drive, but with VQL flexibility for custom collection. Use this when you need to collect from a single system, when the target cannot connect to a server, or when you need a tool that runs from USB on an isolated/offline endpoint.
The standalone collector is included in the jump bag (IR1.8). It provides a VQL-based collection option alongside KAPE for situations where KAPE is not available or where a specific VQL artifact is needed that KAPE targets do not cover.
Mode 2: Single-server lab (recommended for this course). A full Velociraptor deployment running on your forensic workstation. The server and a single client run on the same machine, giving you the complete GUI experience: artifact collection, hunt management, VFS browser, notebooks, and live response. This mode is designed for testing, training, and artifact development.
The gui mode is the fastest way to experience Velociraptor's full capability. Within 30 seconds of running the command, you have a working server with a connected client and a web GUI where you can run artifact collections, create hunts, browse the endpoint's filesystem, and test VQL queries.
Mode 3: Cloud/production deployment. For organizations deploying Velociraptor as their IR platform, the server runs on a dedicated cloud VM (Azure, AWS, GCP) or on-premises server, with client agents deployed to all managed endpoints via SCCM, Intune, GPO, or manual installation. This requires proper TLS configuration, multi-user authentication, role-based access control, and storage planning.
Production deployment planning — server hardening, agent deployment, storage sizing, multi-user configuration, and integration with SIEM platforms — is covered in the course's operational context within IR15-IR16 (enterprise investigation scenarios). For the course lab, Mode 2 (single-server) provides the full capability needed for all exercises.
---
VQL: the query language for endpoints
VQL is to Velociraptor what KQL is to Microsoft Sentinel — the native language for asking investigation questions. VQL is syntactically similar to SQL but operates against endpoint data sources rather than databases. Understanding VQL fundamentals is essential for effective use of Velociraptor, because VQL is what powers every artifact collection, every hunt, and every live response query.
VQL provides access to forensic data sources that are not available through standard Windows APIs: raw NTFS parsing (reading the $MFT directly), raw registry hive parsing (reading offline hives), memory scanning (YARA rules against process memory), ETW (Event Tracing for Windows) for real-time monitoring, and raw disk access for collecting locked files. This makes Velociraptor not just a remote access tool but a remote forensic analysis platform — the VQL query runs on the endpoint with the same level of access as a locally executed forensic tool.
---
Artifacts: the reusable investigation library
VQL queries are packaged as "artifacts" — reusable, parameterized collection definitions that can be shared, versioned, and deployed across the community. An artifact defines what VQL to run, what parameters the investigator can configure, what columns the output contains, and how to present the results. Artifacts are the building blocks of every Velociraptor operation.
Velociraptor ships with hundreds of built-in artifacts covering the most common forensic and IR tasks. The Velociraptor Artifact Exchange (docs.velociraptor.app/exchange/) provides hundreds more contributed by the DFIR community. When a new threat emerges — a supply chain attack like the 3CX incident, a new zero-day, a novel persistence mechanism — the community publishes detection artifacts within hours that any Velociraptor deployment can immediately use.
Key built-in artifacts for IR:
Windows.KapeFiles.Targets — collects the same artifacts as KAPE targets. The _SANS_Triage parameter replicates KAPE's !SANS_Triage compound target. This is the standard triage collection artifact for Velociraptor, producing output equivalent to a KAPE collection but executed remotely through the agent.
Windows.System.TaskScheduler — enumerates all scheduled tasks on the endpoint. Used for persistence detection (T1053.005). The output includes task name, actions (executable path and arguments), triggers, last run time, and next run time.
Windows.Sys.StartupItems — enumerates all autostart locations: registry Run/RunOnce keys, Startup folders, services, scheduled tasks, WMI subscriptions. A comprehensive persistence audit in a single artifact.
Windows.EventLogs.Evtx — queries specific event logs with filtering. Instead of collecting all event logs (which can be large), this artifact queries specific event IDs within a time range — collecting only the evidence relevant to the investigation question.
Windows.Detection.Yara.Process — runs YARA rules against the memory of running processes. Used for detecting in-memory malware (Cobalt Strike beacons, fileless implants) that Volatility 3 would detect in a memory dump but that disk-based tools cannot see.
Windows.Network.Netstat — enumerates active network connections with owning process. The equivalent of netstat -anob but returned as structured data that can be filtered and correlated.
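The artifact format described above, as an added example written for this page rather than one of Velociraptor's built-in artifacts: a parameterized client artifact that packages the Office-spawns-interpreter query from the VQL fundamentals block. The artifact name, parameter names, and default regexes are the author's own choices; pslist(), info(), foreach() and the YAML fields (name, description, type, parameters, sources, precondition, query) are standard Velociraptor constructs.

```yaml
# Example artifact for this page (not a built-in Velociraptor artifact).
# Load it through the GUI's artifact editor, then collect it from one client
# or use it as a hunt across the fleet.
name: Custom.Windows.Detection.OfficeSpawn
description: |
  Lists interpreter processes (PowerShell, cmd, script hosts, etc.) whose
  parent is a document or mail client. Both process-name patterns are
  parameters, so an investigator can widen or narrow the check per hunt.
type: CLIENT
parameters:
  - name: ParentRegex
    description: Process names treated as document/mail handlers.
    default: "(?i)^(outlook|winword|excel|powerpnt)\\.exe$"
  - name: ChildRegex
    description: Child process names treated as suspicious interpreters.
    default: "(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\\.exe$"
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Candidate parents: one row per running Office/mail process
      LET parents = SELECT Pid AS ParentPid,
                           Name AS ParentName,
                           CommandLine AS ParentCommandLine
        FROM pslist()
        WHERE Name =~ ParentRegex

      -- For each parent, emit its children that match ChildRegex.
      -- ParentPid/ParentName come from the foreach row scope.
      SELECT * FROM foreach(row=parents,
        query={
          SELECT ParentName, ParentPid, ParentCommandLine,
                 Pid, Name, CommandLine, CreateTime
          FROM pslist()
          WHERE Ppid = ParentPid AND Name =~ ChildRegex
        })
```

The output columns are whatever the final SELECT names, so the hunt table shows the parent and child side by side for every client that returns rows; clients with no matching parent process return nothing, which keeps hunt results sparse.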
---
Your first remote collection
With Velociraptor running in GUI mode and a client connected, run a collection to validate the deployment and understand the output workflow.
Navigate to the client list → select the connected client → click the "New Collection" button (+ icon) → search for Windows.KapeFiles.Targets → select it → in Configure Parameters, set _SANS_Triage to Y → click Launch.
The collection runs on the endpoint. Progress displays in the GUI. When complete, the results appear in the Collected Artifacts tab. You can browse the collected files through the GUI or download the entire collection as a ZIP for analysis on the forensic workstation with EZTools.
---
Enterprise hunting: determining incident scope
Hunting is the capability that most distinguishes Velociraptor from single-system tools like KAPE. When the investigation identifies an indicator of compromise (IOC) on one endpoint — a specific scheduled task, a particular file hash, a suspicious registry key — the immediate question is: "How many other endpoints are affected?" Without hunting, the investigator must check each endpoint individually. With Velociraptor, the question is answered across the entire fleet in a single hunt.
Navigate to the Hunt Manager → click "New Hunt" → select the artifact → configure parameters with the IOC → select target endpoints (all, specific labels, or specific OS) → Review → Launch.
Each hunt produces aggregated results across all responding clients. The Hunt Manager shows how many clients have been queried, how many responded, and how many returned positive results. The investigator can then drill into individual client results for detailed analysis. The hunt results can be downloaded as CSV for analysis in Timeline Explorer, imported into a SIEM, or used to create Velociraptor labels that group the affected endpoints for subsequent targeted collections.
Worked investigation finding — fleet-wide scope determination:
Finding: Velociraptor hunt using Windows.System.TaskScheduler with filter Name =~ "ChromeUpdate" executed across 487 connected endpoints. Results: 12 endpoints returned positive hits — the "ChromeUpdate" scheduled task exists on 12 of 487 systems (2.5%). All 12 systems are in the same organizational unit (Engineering) and the task was created within a 4-hour window on March 14, suggesting automated deployment by the attacker rather than manual installation.
Proves: The compromise extends beyond the single endpoint identified in the initial alert. 12 endpoints have the same persistence mechanism, all created within the same timeframe, indicating systematic attacker deployment across the Engineering OU.
Does not prove: Whether the attacker has additional persistence mechanisms on these or other endpoints. Whether endpoints without the scheduled task were not compromised (the attacker may have used different persistence on other systems).
Next step: Label all 12 affected endpoints in Velociraptor. Run a targeted KAPE-equivalent collection (Windows.KapeFiles.Targets) on all 12 for deep forensic analysis. Run additional hunts for other known IOCs (registry Run keys, service installations, WMI subscriptions) to determine if the attacker used multiple persistence mechanisms.
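The "label the affected endpoints" step, as an added example for this page (not a built-in artifact): a server artifact that reads a finished hunt's results and sets a label on every client that returned at least one row, so the follow-up Windows.KapeFiles.Targets collection can be targeted at that label. hunt_results() and label() are Velociraptor's server-side VQL functions; the artifact name, parameter names, the hunt ID placeholder and the label value are assumptions chosen for the example.

```yaml
# Example server artifact for this page (not a built-in Velociraptor artifact).
# Run it from the server after a hunt has completed.
name: Custom.Server.Hunt.LabelHits
description: |
  Applies a label to every client that returned rows in a hunt, turning a
  hunt's positive hits into a targetable group for follow-up collections.
type: SERVER
parameters:
  - name: HuntId
    description: The hunt whose positive hits should be labelled (placeholder shown).
    default: "H.PLACEHOLDER"
  - name: ArtifactName
    description: The artifact the hunt collected.
    default: "Windows.System.TaskScheduler"
  - name: Label
    description: Label to apply to each client with at least one hit.
    default: "Incident-ChromeUpdate"
sources:
  - query: |
      -- One row per client, counting how many result rows it returned
      LET hits = SELECT ClientId, count() AS Hits
        FROM hunt_results(hunt_id=HuntId, artifact=ArtifactName)
        GROUP BY ClientId

      -- Set the label on each client; the table returned is the audit record
      -- of which clients were labelled and how many hits each had.
      SELECT ClientId, Hits,
             label(client_id=ClientId, labels=[Label], op="set") AS Labelled
      FROM hits
```

With the label in place, the next collection or hunt is launched against "label:Incident-ChromeUpdate" rather than the whole fleet, which is how the scope determined by one hunt drives the deeper collections that follow it.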
---
Velociraptor vs KAPE vs Defender XDR Live Response: decision framework
All three tools collect forensic evidence from endpoints. The choice depends on the investigation context, the infrastructure available, and the scale of the incident.
Use KAPE when: you have physical or direct access to the target (onsite, USB, local network). You need the structured KAPE output format that integrates directly with EZTools and the !EZParser module pipeline. You are collecting from a single system or a small number of systems. The target is offline, isolated, or cannot connect to a Velociraptor server. KAPE is the fastest single-system collection tool — 2-5 minutes with no infrastructure overhead.
Use Velociraptor when: the target is remote (home worker, branch office, cloud VM). You need to collect from multiple systems simultaneously or hunt across the fleet for scope determination. You need live response capability (remote shell, file browsing, memory scanning). You need to quarantine an endpoint while maintaining investigation access. Velociraptor is the remote investigation platform — it does what KAPE does but adds distance, scale, and live interaction.
Use Defender XDR Live Response when: the target endpoint is already managed by Defender for Endpoint P2. You need to perform live response on a Windows endpoint that is enrolled in Defender but does not have the Velociraptor agent. Your organization standardizes on Microsoft security tools and prefers portal-based operations. Live Response is limited to the commands Microsoft exposes (file collection, script execution, process listing) but requires no additional agent deployment — it leverages the existing Defender agent.
Use all three when: the investigation warrants maximum coverage. Start with Velociraptor for rapid remote triage across the fleet (scope determination). Use KAPE on the highest-priority endpoints for deep triage collection optimized for EZTools processing. Use Defender XDR Live Response for quick evidence pulls from endpoints that have Defender but not Velociraptor. The tools are complementary, not competing.
---
Troubleshooting common issues
Client does not appear in the GUI after starting. In gui mode, the client auto-enrolls within seconds. If it does not appear: check that the process is running (look for two velociraptor processes — server and client). In separate server/client mode: verify the frontend URL in client.config.yaml matches the server's actual listening address. Check that the server's firewall allows the frontend port. Verify that client and server configs were generated from the same config generate run (they share cryptographic keys).
Collection times out or is very slow. Large collections (full SANS_Triage equivalent) produce 200 MB-2 GB of data that must upload from the client to the server. Over slow connections (VPN, home broadband), this can take 10-30 minutes. For bandwidth-constrained environments, use targeted collections instead of the full triage — collect only the specific artifact type needed for the current investigation question, then expand if needed.
VQL query returns no results. Verify the artifact name (case-sensitive, exact match). Verify the client has Administrator privileges — most system artifacts require elevation. Some artifacts require specific Windows features (Sysmon artifacts require Sysmon to be installed; PowerShell ScriptBlock artifacts require ScriptBlock logging to be enabled). Test the VQL query in the notebook against the local client before deploying it as a hunt across the fleet.
Hunt affects endpoint performance. Heavy VQL queries (full filesystem scans, YARA memory scanning across all processes) consume CPU and disk I/O on the client. For production hunts across critical infrastructure, use throttling parameters to limit the resource impact: --ops_per_second limits the query execution rate. Schedule resource-intensive hunts during maintenance windows or limit them to non-critical endpoints first, expanding to production systems after validating the impact.
Compliance Myth
"You need a commercial EDR to perform remote evidence collection and endpoint isolation."
Production reality: Commercial EDR products (CrowdStrike Falcon, SentinelOne, Defender for Endpoint) provide telemetry, detection, and response capabilities. But their live response and evidence collection features are limited to the commands the vendor exposes through their API — and their forensic depth is optimized for alert investigation, not comprehensive evidence preservation. Velociraptor provides full forensic collection capability (equivalent to running KAPE locally) with the addition of enterprise-scale hunting, VQL customization, endpoint quarantine, and memory scanning — all for $0 in licensing. If you have a commercial EDR deployed, Velociraptor complements it by providing deeper forensic collection and custom hunting. If you do not have an EDR, Velociraptor provides the remote investigation capability your IR team needs. The choice between Velociraptor and a commercial EDR is not either/or — many IR teams deploy both, using the EDR for detection and Velociraptor for investigation.
Compliance Myth
"Velociraptor is free, so it must lack the enterprise features needed for production deployment."
Production reality: Velociraptor includes: mutually authenticated TLS communication, multi-user authentication with role-based access control, comprehensive audit logging of all server and investigator actions, multi-tenancy support for service providers managing multiple clients, API access for automation and SIEM integration, and a multi-frontend architecture that scales to 100,000+ endpoints. These are the same enterprise features that commercial tools charge per-endpoint licensing for. The "cost" of Velociraptor is not licensing — it is the engineering time to deploy, maintain, and develop custom VQL artifacts. For organizations with DFIR engineers who can write VQL, Velociraptor is the most capable IR platform available at any price. For organizations without that expertise, Velociraptor still functions with built-in and community artifacts — and this course teaches the VQL fundamentals needed to customize it.
Build it: Deploy Velociraptor and run your first collection
Download Velociraptor from the GitHub releases page. Run velociraptor.exe gui to start the instant lab deployment. When the browser opens, navigate to the client list and select the auto-enrolled client. Run a new collection using the Windows.KapeFiles.Targets artifact with _SANS_Triage enabled. While the collection runs, explore the GUI: browse the VFS (Virtual File System) tab to see the endpoint's filesystem remotely. Open a notebook and run SELECT * FROM pslist() to list running processes via VQL. Download the collection results as a ZIP and examine the contents on your forensic workstation — the structure should mirror a KAPE collection. If all of this works, Velociraptor is operational and ready for IR2.
Investigate: Create and run your first hunt
In the Hunt Manager, create a new hunt using the Windows.System.TaskScheduler artifact. Leave the default parameters (no filter — collect all scheduled tasks). Launch the hunt. After the client responds, examine the results: every scheduled task on the endpoint, with names, actions, triggers, and timing. Now create a second hunt that filters for suspicious task names: set the TaskNameRegex parameter to Update|Sync|Helper. Compare the results to the unfiltered hunt. This filtering workflow is exactly how you scope an incident — start broad, then narrow to the specific IOC.
Beyond this investigation
The techniques taught in this subsection apply beyond the specific scenario presented here. The same evidence sources, tools, and analytical methods are used across ransomware, BEC, insider threat, and APT investigations — the context changes but the methodology is consistent.
Decision point
You discover evidence that the attacker has been in the environment for 90 days. The CISO asks: 'Why did our SOC not detect this sooner?' How do you answer constructively?
Answer with facts, not defensiveness. 'The attacker used [specific techniques] that our current detection rules do not cover. The investigation identified [N] detection gaps — [list the specific ATT&CK techniques that were not detected]. The IR-to-DE handoff includes these gaps as detection engineering sprint items. Estimated time to close: [N weeks].' This answer is honest (we missed it), specific (here is what we missed and why), and forward-looking (here is how we fix it). The PIR action items transform the detection failure into a measurable improvement program.