DFIR Services in Bengaluru · Cloud & SaaS Incident Response

A Bengaluru breach is usually a cloud breach. The product and SaaS estates along the Outer Ring Road, the GCC environments in Whitefield, and the startup stacks around Koramangala live in AWS, Azure and GCP, behind CI/CD, SSO and a hundred SaaS integrations — so the incident response that matters here is cloud-native forensics, not just endpoint imaging. Macksofy's DFIR practice responds to the incidents Bengaluru actually has: cloud-account compromise, CI/CD and supply-chain intrusions, SaaS/identity token theft, ransomware, and business email compromise — with the cloud-forensics depth a product environment demands.

Cloud incidents leave a different evidence trail, and we collect it correctly. CloudTrail / Azure Activity / GCP Audit logs, IAM and role-assumption chains, key and token usage, snapshot and image acquisition of affected workloads, container and Kubernetes forensics, and the SaaS audit logs (Google Workspace, M365, Okta, GitHub) that often hold the real story. We reconstruct the identity timeline — which token, assumed which role, touched which resource — because in a cloud breach the attacker rarely 'lands' on a host the old way; they assume a role, mint a key, and move through the control plane. Acquisition is forensically sound with hashes and chain-of-custody, preserved before auto-scaling or a redeploy destroys the evidence.

Supply-chain and CI/CD incidents are a Bengaluru specialty because Bengaluru builds software. We investigate compromised build pipelines, leaked or abused CI secrets, malicious dependencies and poisoned artifacts, and the blast radius of a stolen deploy credential across environments and customers. For multi-tenant SaaS we scope the hardest question fast: was this a single-tenant compromise or did the attacker cross the tenant boundary — because the answer drives both the customer-notification and the DPDP-notification decision. BEC and identity-token theft round out the common set: OAuth-grant abuse, session-token replay and mailbox-rule persistence in M365/Workspace.

The deliverable is shaped for a product company's three audiences. Engineering gets a precise timeline, root cause, and the exact misconfiguration or credential path to fix — written for people who'll remediate in a sprint. Customers and their security teams get the assessment they'll demand: what was accessed, whether their tenant was affected, and the evidence behind the answer. Compliance gets the DPDP breach-notification trail (Data Protection Board plus affected principals), and where the product carries health or financial data, the HIPAA/PCI-adjacent notification framing — plus the CERT-In six-hour report. We map TTPs to MITRE ATT&CK (and ATT&CK Cloud) throughout.

Eradication in the cloud means closing the identity and control-plane paths, not just rebuilding a box: rotating keys and tokens, fixing the IAM trust and role-assumption gaps, removing persistence in SaaS and CI/CD, and verifying through the logs that the attacker is gone. We pair recovery with hardening — least-privilege IAM, secrets-management, pipeline integrity, and detection-engineering that turns the incident's indicators into permanent cloud-SIEM and CSPM coverage. For retainer clients we run a post-incident tabletop against the product's real architecture.

Bengaluru engagements run remote-first by nature — cloud forensics is remote work — with a guaranteed retainer SLA and named responders who learn your architecture before the incident. We are vendor-neutral across the cloud and tooling stack and CERT-In empanelled. Onsite is available across ORR, Whitefield, Electronic City and Manyata when an engagement needs hands on a device, but the response starts the moment you call, wherever your team is.