
STORIES FROM THE SOC: Pentest or a real threat?

Jul 7, 2025
By: Eye Security

A Monday afternoon. Our SOC is alerted by Defender for Endpoint: suspicious PowerShell activity, lateral movement with hands-on keyboard activity, and credential access attempts across endpoints. All signs of a serious attack.

Our actions in minutes

  • Detection. The attacker manually attempts to extract Windows SAM and SECURITY hives and run CrackMapExec. These are classic steps for credential dumping and privilege escalation.
  • Rapid human triage. Before isolating systems, which would disrupt business operations if the activity turns out to be legitimate, we call the customer to verify.

The outcome

  • Confirmed scheduled penetration test targeting AD servers. No real compromise, just strong detection at work!

This is why a human-in-the-loop approach matters

  • Automatic isolation could have interrupted business during legitimate activities like pentests or IT maintenance.
  • If the customer could not be reached, or could not verify this behaviour, our IR team would have engaged right away, within minutes of detection.
  • Rapid escalation: Our team is always ready to respond, verifying and containing before any real damage is done.
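The two halves of this story, the detection of hive extraction plus CrackMapExec execution and the verify-before-isolate decision, can be shown together in code. The following is an added example written for this page, not Eye Security's tooling and not tied to any EDR product's event schema: the event fields, rule names, host and user names and all sample process-creation events are constructed. It matches command lines against two rules, groups hits by account, rates the combined pattern highest when it spans more than one host, and then routes the alert through a customer-confirmation step rather than isolating automatically.

```python
"""Detect credential-dump indicators in process-creation events and route
them through a human-verification step instead of auto-isolating the host.

Added example: the event fields, rule names and all sample data below are
constructed and do not correspond to any specific EDR product's schema.
"""
import re
from collections import defaultdict
from typing import Optional

# Rule table: rule name -> compiled regex over the process command line.
# SAM and SECURITY are the hives named in the post; SYSTEM is included
# because it holds the boot key needed to decrypt the other two, so dumps
# of all three commonly appear together.
RULES = {
    "hive_dump": re.compile(
        r"\breg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SECURITY|SYSTEM)\b", re.I),
    "cme_execution": re.compile(r"\b(?:crackmapexec|cme)(?:\.exe)?\b", re.I),
}

# Constructed sample events (not real telemetry). Hosts and users are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-07-07T14:02:11Z", "host": "WS01", "user": "CORP\\alice",
     "parent": "explorer.exe", "cmdline": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2025-07-07T14:05:43Z", "host": "DC01", "user": "CORP\\svc-audit",
     "parent": "powershell.exe", "cmdline": "reg.exe save HKLM\\SAM C:\\Temp\\sam.hiv"},
    {"ts": "2025-07-07T14:05:50Z", "host": "DC01", "user": "CORP\\svc-audit",
     "parent": "powershell.exe", "cmdline": "reg save HKLM\\SECURITY C:\\Temp\\sec.hiv"},
    {"ts": "2025-07-07T14:09:02Z", "host": "WS02", "user": "CORP\\svc-audit",
     "parent": "cmd.exe", "cmdline": "C:\\Tools\\crackmapexec.exe smb 10.0.0.5"},
    {"ts": "2025-07-07T14:10:00Z", "host": "WS03", "user": "CORP\\bob",
     "parent": "explorer.exe", "cmdline": "reg.exe query HKLM\\SOFTWARE\\Contoso"},
]


def match_rules(event):
    """Return the names of all rules whose regex matches the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def detect(events):
    """Evaluate every event and group the hits by account.

    Returns {user: {"rules": set of rule names, "hosts": set of hosts, "events": [...]}}.
    Accounts with no hits are not included.
    """
    hits = defaultdict(lambda: {"rules": set(), "hosts": set(), "events": []})
    for ev in events:
        names = match_rules(ev)
        if not names:
            continue
        entry = hits[ev["user"]]
        entry["rules"].update(names)
        entry["hosts"].add(ev["host"])
        entry["events"].append(ev)
    return dict(hits)


def severity(entry):
    """Hive dumping plus a lateral-movement tool from the same account across
    more than one host is the pattern the post describes; rate it highest."""
    if {"hive_dump", "cme_execution"} <= entry["rules"] and len(entry["hosts"]) > 1:
        return "high"
    if "hive_dump" in entry["rules"]:
        return "medium"
    return "low"


def triage(user, entry, customer_confirmed: Optional[bool]):
    """Human-in-the-loop decision for one account's hits.

    customer_confirmed: True  -> customer vouched for the activity (e.g. scheduled pentest)
                        False -> customer denies the activity
                        None  -> customer could not be reached
    Isolation is never the automatic first step; unverified or denied
    high-severity activity is handed to IR for containment.
    """
    sev = severity(entry)
    if customer_confirmed is True:
        return {"user": user, "severity": sev, "action": "close_as_authorized", "isolate": False}
    if sev == "high":
        return {"user": user, "severity": sev, "action": "engage_ir_and_contain", "isolate": True}
    return {"user": user, "severity": sev, "action": "investigate", "isolate": False}


if __name__ == "__main__":
    for user, entry in detect(SAMPLE_EVENTS).items():
        print(user, severity(entry), sorted(entry["rules"]), sorted(entry["hosts"]))
        print("  confirmed pentest:", triage(user, entry, True)["action"])
        print("  unreachable:      ", triage(user, entry, None)["action"])
```

Run as written, the only account that trips a rule is the constructed `CORP\svc-audit`, which dumped two hives on DC01 and ran CrackMapExec on WS02; that combination rates "high", closes cleanly when the customer confirms a scheduled pentest, and goes to IR with isolation when nobody can be reached, which is the sequence the post describes. In a real deployment the rule table would be far longer and the confirmation would come from a ticketing or phone workflow rather than a boolean, but the ordering (detect, rate, verify with a human, then contain) is the point.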

Did you know we regularly detect unannounced pentests? We are confident our SOC will catch them, just like we do with the real thing.

Stay vigilant!

Figure: Diagram illustrating a hands-on keyboard attack launched from a compromised account, displaying various alerts and incident details in a security operations center interface.