Compromise Assessment

Identify current or past attacker activity in your environment

The Mandiant Compromise Assessment service allows organizations to evaluate their environments for the presence of targeted attacker activity. The Compromise Assessment has helped many organizations identify or confirm security breaches that had existed for years and resulted in theft of valuable intellectual property, personally identifiable information, payment card information, or other sensitive information.



Attackers develop custom malware and use advanced tactics that are difficult or even impossible to detect using conventional detection mechanisms. The Compromise Assessment service applies our intelligence on how threat actors operate and our experience gained from hundreds of investigations. We apply the same leading technologies we use to respond to incidents to identify indications of present or historical attacker activity.

Compromise Assessment will provide you with:



Compromise Assessment will tell you if you are currently compromised or if there has been past attacker activity. You will also clearly understand the extent and the severity of the compromise. Alerts are confirmed before reporting to minimize false positives.

Preliminary summary of attacker activity

Preliminary summary of attacker activity

Though not designed to replace an incident investigation, the Compromise Assessment will provide you with concrete findings and recommendations related to compromised systems. This may include the preliminary attack timeline and malware information.



Besides answering the critical question "Are we compromised?", Mandiant will also provide recommendations based on the assessment's findings. Based on the findings, we recommend immediate investigative and containment next steps, and longer-term enhancements.

What you get

  • Analysis of network, endpoint and log data
  • Identification of compromised systems
  • Report of attacker activity
  • Summary of findings

M-Trends 2017 Infographic

Explore the trends and get statistics based on Mandiant’s investigation of the year’s successful breaches and cyber attacks across the globe.

Learn more

SYNful Knock: A Cisco Implant

Insight into how attackers use a new threat vector, Cisco routers, to establish a foothold and compromise data.

Download report


“A compromise assessment answers the all important question: Have you been breached?”

- Benefits of Compromise Assessments

Benefits of Compromise Assessments and Why Security-Conscious Firms Use Them
Download white paper

Our Approach

The major activities our consultants perform during a Compromise Assessment include:

Deploy proprietary network, host, and log inspection technology

We place investigative technology at Internet egress points and on host systems such as servers, workstations, and laptops.

Assess your environment using intelligence from prior investigations

We apply our comprehensive library of indicators of compromise to evaluate network traffic, servers, workstations, laptops, and critical log data for evidence of current and past attacker activity.

Analyze evidence

Our consultants perform host and network forensic analyses as well as malware and log analyses to conduct the assessment. We confirm initial findings to minimize false positives prior to reporting them.

Summarize findings

We provide a detailed report that summarizes the steps taken during the assessment, the major findings, and any appropriate recommendations for next steps.

Professional affiliations and certifications