What is a Compromise Assessment?
A compromise assessment is a point-in-time investigation to determine whether your environment is currently compromised. Why it matters and when to do one.
What a Compromise Assessment Actually Covers
Endpoint Forensics
The endpoint forensic component of a compromise assessment examines a sample of representative endpoints — typically servers and high-privilege workstations — for evidence of attacker presence. The work includes memory analysis (running processes, injected code, suspicious modules), persistence mechanism review (scheduled tasks, registry run keys, WMI subscriptions, services), execution artifact analysis (PowerShell history, prefetch files, shimcache, AmCache), and lateral movement evidence (RDP and SMB activity logs, credential access artifacts). Coverage is sample-based for cost reasons; the sample is selected to maximize the probability of detecting compromise if it exists.
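The persistence review above is, in practice, a triage pass over an inventory of scheduled tasks, run keys, WMI subscriptions and services. The script below is an added illustration, not Cloudskope's tooling: it scores a constructed inventory (the entries, rule weights and the review threshold are all assumptions) so the handful of entries worth a forensic look rise to the top.

```python
import re

# Constructed persistence inventory (not collected from any real host): one
# (mechanism, name, command_line) tuple per entry, as a collection tool might export.
PERSISTENCE_ENTRIES = [
    ("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("run_key", "OneDrive", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("scheduled_task", "SystemHealthCheck", r"powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"),
    ("wmi_subscription", "UpdaterFilter", r"CommandLineEventConsumer: cmd.exe /c C:\Users\Public\svc.exe"),
    ("run_key", "Adobe Updater", r"C:\Program Files\Adobe\Updater.exe"),
]

# Each rule: (weight, reason, regex applied to the lower-cased command line).
# Weights are illustrative assumptions; tune them to the environment under review.
RULES = [
    (1, "binary in user-writable path",
     re.compile(r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\temp\\|\\programdata\\")),
    (3, "encoded or hidden PowerShell",
     re.compile(r"powershell(\.exe)?\s.*(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)")),
    (3, "WMI command-line event consumer", re.compile(r"commandlineeventconsumer")),
    (2, "script host launching a remote object",
     re.compile(r"(mshta|regsvr32|rundll32|wscript|cscript)(\.exe)?\s.*(https?://|\\\\)")),
]


def score_entry(command_line):
    """Return (score, reasons) for one persistence entry; a rule counts once."""
    text = command_line.lower()
    score, reasons = 0, []
    for weight, reason, pattern in RULES:
        if pattern.search(text):
            score += weight
            reasons.append(reason)
    return score, reasons


def triage(entries, threshold=3):
    """Return entries at or above the review threshold, highest score first."""
    ranked = []
    for mechanism, name, command_line in entries:
        score, reasons = score_entry(command_line)
        if score >= threshold:
            ranked.append((name, mechanism, score, reasons))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, mechanism, score, reasons in triage(PERSISTENCE_ENTRIES):
        print(f"{score:>2}  {mechanism:<17} {name:<18} {'; '.join(reasons)}")
```

A low-scoring entry such as a legitimate updater in AppData is not cleared by this pass; it is simply deprioritized behind entries that combine several indicators.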
Network and Identity Telemetry
The network and identity telemetry components examine logs and detection data for indicators of compromise. This includes authentication logs (suspicious logins, impossible-travel patterns, abnormal MFA failures), identity provider audit logs (OAuth grants, application consents, privilege changes), network DNS and proxy logs (beaconing patterns, traffic to known-bad infrastructure), and email security logs (BEC indicators, suspicious external forwards, sent-folder anomalies that suggest account takeover).
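One of the authentication-log checks named above, impossible travel, is worked through below as an added example (not code from the page or from Cloudskope): consecutive logins by the same account are compared by great-circle distance and elapsed time, and any pair that would require faster-than-airliner travel is flagged. The log lines, the CSV layout and the 900 km/h ceiling are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed authentication log (not from any real identity provider):
# timestamp,user,src_ip,geo_lat,geo_lon as an IP-geolocation enrichment might emit.
AUTH_LOG = """\
2024-03-04T08:02:11Z,jdoe,203.0.113.10,40.71,-74.01
2024-03-04T08:41:53Z,jdoe,198.51.100.7,51.51,-0.13
2024-03-04T09:15:00Z,asmith,192.0.2.44,40.71,-74.01
2024-03-04T17:30:00Z,asmith,192.0.2.44,40.71,-74.01
"""

# Assumed ceiling: roughly airliner cruising speed; anything faster is not travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_auth_log(text):
    """Group (timestamp, ip, lat, lon) tuples per user."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, ip, lat, lon = line.split(",")
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, float(lat), float(lon)))
    return events


def impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ip, to_ip, km, kmh) for login pairs that exceed max_kmh."""
    flagged = []
    for user, evs in parse_auth_log(text).items():
        evs.sort()
        for prev, cur in zip(evs, evs[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if hours > 0 and km / hours > max_kmh:
                flagged.append((user, prev[1], cur[1], round(km), round(km / hours)))
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(AUTH_LOG):
        print("impossible travel:", hit)
```

Two logins from the same location, however far apart in time, never trigger this rule, so it complements rather than replaces the MFA-failure and sign-in-pattern checks listed above.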
Cloud Platform Audit Logs
For organizations with material cloud presence, compromise assessment work extends into cloud platform audit logs. Microsoft 365, Google Workspace, AWS, Azure, and GCP each produce extensive audit telemetry that can surface attacker activity invisible at the endpoint or network layer. Cloud-resident attacks frequently leave no endpoint forensic evidence at all because the attack operates entirely through API calls authenticated with stolen credentials or OAuth grants.
When Compromise Assessments Are Warranted
M&A Due Diligence
Pre-close compromise assessment has become standard practice for mid-market and larger PE deals. The diligence question is whether the target organization is currently compromised — because acquiring a compromised target means inheriting the breach and all of its consequences (regulatory notification, customer disclosure, representations and warranties (R&W) exclusions, remediation cost). The 2018 Marriott / Starwood case is the canonical example: Marriott's M&A diligence did not include compromise assessment, the inherited Starwood environment had been compromised since 2014, and Marriott absorbed the regulatory and customer-impact consequences post-close.
Post-Incident Validation
After incident response activity concludes, compromise assessment validates that the response was complete — that no attacker presence remains in the environment. The work is particularly important for incidents involving sophisticated threat actors who may have established multiple persistence mechanisms; the incident response team may have remediated the obvious indicators while missing the secondary persistence. Compromise assessment as the closeout phase of incident response is increasingly standard practice.
Threat Intelligence Triggers
When threat intelligence indicates active campaigns against the organization's industry, geography, or supply chain, compromise assessment determines whether the campaign has already succeeded against your specific environment. Recent examples include the assessments triggered by SolarWinds disclosure in 2020, the MOVEit campaign in 2023, and the various supply chain incidents that produce broad downstream exposure. Acting on threat intelligence without verifying current exposure leaves the worst-case outcome (active compromise from the named campaign) undetected.
Unexplained Anomalies
Operational anomalies that cannot be explained through normal troubleshooting sometimes warrant compromise assessment to rule out attacker activity. Examples include unexpected outbound network traffic, unexplained changes to security configurations, anomalous account behavior, and customer reports of suspicious activity. Compromise assessment in these cases is the structured investigation that either rules out compromise or confirms it — both outcomes producing actionable information.
How Compromise Assessments Differ From Adjacent Disciplines
Compromise Assessment vs. Penetration Testing
Penetration testing simulates attacks to identify exploitable vulnerabilities. Compromise assessment looks for evidence that an actual attack has already succeeded. The two disciplines are complementary but not interchangeable: a clean penetration test does not mean the environment is not currently compromised (because the compromise may have used techniques the pen test did not simulate), and a positive compromise assessment finding does not mean the environment is broadly vulnerable (the attacker may have exploited a specific path that is now closed).
Compromise Assessment vs. Vulnerability Assessment
Vulnerability assessment enumerates exploitable weaknesses in the environment. Compromise assessment looks for evidence that weaknesses have been exploited. Organizations with mature vulnerability management programs still benefit from compromise assessment because the discipline addresses a different question: 'are we currently compromised' rather than 'where are we exposed to future compromise.'
Compromise Assessment vs. Continuous Threat Hunting
Threat hunting is the ongoing operational discipline of proactively searching for attacker presence using hypothesis-driven investigation. Compromise assessment is a point-in-time engagement with defined scope and deliverables. Organizations with mature MDR services typically receive continuous threat hunting as part of the service; compromise assessment is the supplemental engagement that provides deeper, broader investigation than continuous hunting can deliver within ongoing service economics.
Compromise Assessment vs. Incident Response
Incident response is reactive — initiated when a security event has been identified. Compromise assessment is proactive — initiated to determine whether security events exist that have not yet been identified. The work shares forensic methodology; the engagement context and deliverables differ. A compromise assessment that finds active compromise typically transitions into incident response engagement.
Related Reading
- What is Incident Response? — the reactive counterpart
- What is Threat Hunting? — the continuous version of the same investigative discipline
- What is Cyber Due Diligence? — the M&A framework that frequently incorporates compromise assessment
- What is MDR? — the operational service that includes continuous threat hunting
Real-World Example: The Pre-Close Compromise Assessment That Found Nine-Month Dwell
A Cloudskope compromise assessment conducted during pre-close diligence on a mid-market healthcare services acquisition illustrates how the discipline can fundamentally change a deal trajectory. The target was a $95M revenue specialty services company; the sponsor's diligence team had completed financial and legal workstreams without significant findings, and the cyber due diligence baseline assessment had not surfaced material concerns. The compromise assessment was scoped as standard pre-close protocol rather than triggered by specific suspicion.
The endpoint forensic work surfaced anomalous PowerShell execution patterns on three servers in the engineering environment. Deeper investigation identified evidence of credential dumping activity dating to nine months prior, the establishment of multiple persistence mechanisms (scheduled tasks, registry run keys, WMI event subscriptions), and ongoing low-volume data exfiltration to attacker-controlled infrastructure. The target's IT team had no awareness of the compromise — the attacker had operated below the threshold that would have triggered the target's endpoint protection alerting.
The findings reshaped the deal. The sponsor paused close to allow incident response engagement to complete environment remediation, validate scope, and confirm no patient data had been exfiltrated. The R&W binder was rewritten to exclude consequences flowing from the discovered compromise. Purchase price was reduced by $6M to reflect the remediation cost and regulatory exposure. The deal closed eight weeks later than originally planned with substantially modified economics.
The structural lesson: the compromise existed before the diligence; cyber due diligence's baseline assessment did not surface it (because compromise assessment work was not in the original diligence scope); compromise assessment found it; the sponsor's economic outcome was materially better than acquiring the target without that finding. The cost of the compromise assessment was a fraction of the deal-economic adjustment it produced.
Frequently Asked Questions
How long does a compromise assessment take?
Typical mid-market engagements run 4-8 weeks depending on environment complexity, scope of endpoint sampling, and depth of cloud platform analysis. Pre-close M&A engagements may run faster (2-4 weeks) when scope is constrained to material findings only. The timeline includes data collection, analysis, and findings report production.
Is a compromise assessment the same as incident response?
No. Compromise assessment is proactive — initiated to determine whether compromise exists without knowing in advance. Incident response is reactive — initiated when a security event has been identified. Both use overlapping forensic methodology but differ in trigger, scope, and deliverable. A compromise assessment that finds active compromise typically transitions into incident response.
How much does a compromise assessment cost?
Typical mid-market engagements run $50,000-$250,000 depending on environment size, depth of investigation, and timeline pressure. Pre-close engagements tied to deal timelines run higher per-week rates because of the timeline constraints. The cost is small relative to the consequences of undetected compromise.
What if the assessment finds evidence of compromise?
Standard response is to scope the finding through incident response engagement — determining the full extent of attacker presence, validating containment, and producing the remediation roadmap. Findings frequently surface partway through the engagement; mature providers transition smoothly from assessment into response work.
Should we conduct a compromise assessment as part of every M&A deal?
For material acquisitions in industries with significant cyber risk exposure (healthcare, financial services, technology, regulated manufacturing), yes — particularly when the target has not maintained mature security operations capability. The Marriott / Starwood case is the standard example of why this discipline matters. Smaller acquisitions may use lighter-weight scope appropriate to deal economics.
Average time to identify and contain a data breach in 2024, according to IBM's Cost of a Data Breach Report. A compromise assessment is the proactive discipline that compresses this dwell time — finding adversary presence in your environment before the breach surfaces through ransomware, data exfiltration, or regulatory notification.
How Cloudskope Can Help
Cloudskope delivers compromise assessment engagements as standalone investigations and as components of M&A cyber due diligence. Our methodology integrates endpoint forensics, network telemetry analysis, identity audit, and cloud platform log analysis into structured findings deliverables that support deal economics, regulatory disclosure decisions, and remediation planning. For PE sponsors, we provide pre-close compromise assessment as a standard option within the broader diligence framework.