IR Analysis

The Challenge with Existing Solutions & Processes

Time Consuming

Experienced IR responders typically have a diverse set of tools they like to use to investigate threats. The trouble is that these tools aren’t connected so responders have to be the glue that guides the analysis and transfers data between various systems.

Experience Required

The tools used by IR responders can be finicky and complex to setup and operate. This increases the skillset required to perform even basic analysis. It can take years to become proficient in setting up and using these tools and the ongoing updating and maintenance can be time consuming.

Lack of Consistency

Since each responder typically has their own preferred tools and investigation process this means that two analysts investigating the same threat will often get different results and may generate different intelligence to act on.

How TwinWave Helps

IR responders can directly submit a suspected threat to the TwinWave platform, or they can review a threat that has already been submitted by a SOC analyst who is escalating the threat to the IR team for additional review.

With TwinWave, IR responders get the benefit of automated attack chain following along with the rich forensics generated for every resource that was part of the attack chain.

Forensics across multiple systems, including 3rd party analysis systems like sandboxes, are all normalized into a common forensics format making it easier for IR responders to find key information.

Because the system combines data generated across multiple systems, IR responders can also see “hot spots” in the forensics data where multiple systems have seen the same artifact (IP address, domain, mutex, file hash, process, etc.).

With TwinWave, IR responders can spend their time reviewing and analyzing the data, not generating it.

Example Forensics – IR Analysis

The TwinWave platform is designed to provide maximum data extraction as part of the analysis process. This includes extracting many different types of file data including meta-data, macro content, embedded content like executables, malware payload download locations and much more.

In this example from an Emotet analysis, the powershell command used by Emotet for payload download has been decoded and deobfuscated to identify the payload URLs.

Benefits of Using TwinWave


TwinWave’s automation replaces the tedious manual activities that IR responders normally have to perform in order to generate the data they need for deeper analysis and investigation. By integrating many of the tools that responders like to use and running them in an automated fashion IR responders can focus on analyzing the data rather than generating it.



TwinWave has multiple layers of analysis engines each of which generates its own rich data. This data extraction is run at each level of the attack chain and the results of all the analysis are aggregated for the entire attack chain resulting in extremely rich data.



After analyzing the threat the TwinWave UI includes critical data like credential phishing form URLs, malware payload download links, C2 IP addresses and more that IR analysts can use for response activities including threat hunting for additional impacted users.