Cayosoft Identity Forensics & Incident Response
Annual Subscription Product — Service Offering Description
C-SUPIR-1YA-00
Governing Terms
This Service Offering Description is incorporated into and governed by Cayosoft’s Professional Services Addendum and the Cayosoft Subscription Agreement (CSA), as referenced therein. In the event of any ambiguity or conflict, the Professional Services Addendum controls unless an Order expressly amends a specific provision.
Product Overview
Cayosoft Identity Forensics & Incident Response (the “Product”) is an annual subscription offering that combines continuous identity security posture management with incident response assistance, forensic guidance, and recovery support for Microsoft Active Directory (AD) and Microsoft Entra ID environments. The Product focuses specifically on the identity layer, such as accounts, privileges, roles/groups, delegated access, identity configuration, and high-impact administrative change activity. The Product helps customers reduce identity risk over time and respond confidently when identity conditions are suspected to be part of an incident.
The Product is designed to establish a clear baseline of identity security posture, maintain ongoing improvement through a consistent monthly review cadence, and validate recoverability through annual identity disaster recovery (DR) testing participation. When urgent events occur, the Product provides identity-focused assistance to help accelerate triage, narrow scope, prioritize containment actions, and support recovery planning and verification.
The Product is intended to complement, not replace, the customer's broader security operations and incident response capabilities, by addressing the identity control plane where attackers frequently seek persistence and impact. Customer shall not rely on the Product as its sole source of security monitoring or incident detection.
What’s Included
Program delivery cadence: Baseline → Monthly → Annual, with incident response assistance available throughout the subscription term. The specific services delivered may vary based on customer environment, scope, and circumstances, and the lists below are illustrative, not exhaustive or guaranteed.
Baseline Identity Security Assessment and Readiness Setup
At the beginning of the subscription term, Cayosoft performs a structured baseline to establish the customer’s starting identity security posture. This baseline is designed to (i) surface identity-layer exposures that increase blast radius (the scope of systems, accounts, and configurations potentially affected by a security event), (ii) highlight priority control gaps, (iii) reduce friction during real-world incidents, and (iv) create an actionable roadmap for improvement that can be refined over time.
Baseline services typically include:
- Baseline Identity Security Assessment
  - Review privileged identities and privileged pathways (e.g., high-risk groups/roles and delegated access patterns)
  - Identify high-impact identity configuration risks and common attack leverage points
  - Define priority “watch areas” used to accelerate triage during suspected compromise
  - Provide a prioritized posture improvement backlog (hardening and operational recommendations)
- Readiness setup
  - Confirm operating model (contacts, escalation path, communications cadence)
  - Establish access and evidence-handling workflow aligned to customer policy
- Response and recovery runbook alignment
  - Create or refine an identity-focused response and recovery approach, including sequencing and verification steps appropriate to the environment
Monthly Identity Security Posture Review and Guidance
On a monthly basis during the subscription term, Cayosoft conducts a posture review cycle that helps customers sustain forward progress, reduces configuration drift, and continuously strengthens identity resilience. The monthly review is designed to keep identity security operational and measurable to ensure that improvements are not limited to post-incident activity and that identity recovery readiness remains aligned with how the environment evolves over time.
Monthly services typically include:
- Monthly posture review
  - Review notable identity changes, posture signals, and material risk shifts from the prior month
  - Reassess privileged access exposure and high-risk patterns
  - Identify drift from the baseline and recommend corrective actions
- Monthly guidance and recommendations
  - Provide practical hardening guidance and monitoring improvements
  - Recommend operational controls and recovery readiness improvements (e.g., privileged change discipline, verification steps, recovery prerequisites)
- Progress tracking
  - Track and update priority recommendations and outcomes from prior guidance (as applicable)
Annual Identity DR Participation and Product Refresh
At least once per subscription year, Cayosoft will participate in the customer’s identity disaster recovery (DR) testing to validate that identity recovery procedures can be executed under realistic conditions. This annual review is intended to reduce uncertainty during a real incident by ensuring the recovery sequence is understood, prerequisites are known, and verification steps are practical and repeatable.
Annual Identity DR participation includes one (1) identity DR exercise per subscription year, consisting of:
- Pre-test preparation: review scope, success criteria, roles/contacts, recovery approach, prerequisites, and environment assumptions; confirm runbooks and the planned recovery sequence.
- Live exercise participation: participate during the scheduled DR window to guide identity-layer recovery sequencing and verification steps, aligned to the agreed scenario and customer policies.
- After-action review: provide observations, gaps, and prioritized improvement recommendations, including updates to identity recovery runbooks and readiness assumptions as needed.
The customer shall be responsible for scheduling the annual DR exercise, defining the test scope and success criteria in coordination with Cayosoft, providing the test environment and necessary infrastructure, and ensuring appropriate customer personnel are available to participate in the exercise.
Incident Response Assistance
What Qualifies as an Incident for Product Usage
Incident response assistance may be initiated when the customer is actively experiencing identity-driven security events or identity service disruptions that impact AD and/or Entra ID, including:
- Suspected or confirmed identity compromise (unauthorized access, privilege escalation, or identity-enabled lateral movement)
- Ransomware or extortion events with identity involvement (privileged accounts, authentication/authorization pathways, or identity systems implicated)
- Unauthorized or anomalous identity changes (unexpected changes to privileged groups/roles, delegated rights, authentication policies, conditional access, synchronization settings, or other high-impact identity configurations)
- Domain/forest identity outage or instability (replication/availability issues, trust/authentication failures, or conditions requiring identity-layer recovery planning and sequencing)
- Tenant-level identity disruption (Entra ID conditions affecting authentication, authorization, or administrative control paths)
Incident Response Assistance Scope
When incident response assistance is initiated, Cayosoft provides identity-focused support intended to accelerate triage and decision-making and to support safe recovery. Support is typically delivered in close coordination with the customer’s incident commander, security stakeholders, and operational teams.
- 24x7 Incident Response with 1 hour initial response time
- Scope is limited to 1 incident per year and up to 160 hours of consulting services
Incident response assistance may include:
- Triage and scoping of identity-layer impact and likely blast radius
- Evidence review and development of an identity activity timeline using available identity sources provided/accessible
- Containment and remediation guidance aligned to customer policy (with customer executing such containment and remediation efforts)
- Recovery planning support, including sequencing and validation guidance
- Post-incident recommendations to reduce recurrence and improve readiness
Roles and Responsibilities
Cayosoft shall deliver the baseline, monthly, annual, and incident response assistance components described above during the subscription term and provide guidance, recommendations, and documented outputs aligned to this Service Offering Description.
The customer shall provide Cayosoft with timely, sufficient, and secure access to the customer's AD and Entra ID environments, tooling, logs, and other identity-related data sources reasonably necessary for Cayosoft to perform the baseline assessment, monthly posture reviews, annual DR participation, and incident response assistance described herein. The customer shall ensure that all access is granted in accordance with the customer's own security policies and access-management procedures and shall promptly notify Cayosoft of any changes to access arrangements that may affect service delivery.
When the customer initiates incident response assistance under this Product, the customer shall provide Cayosoft with a reasonable description of the suspected event, the identity systems and accounts believed to be affected, and any available preliminary evidence or indicators of compromise. The customer shall promptly communicate material developments during the course of any incident, including the involvement of law enforcement, regulators, external forensic firms, or legal counsel, to the extent such disclosure does not conflict with applicable legal obligations. During an active incident, the customer shall use commercially reasonable efforts to make its designated contacts and relevant security, IT, and operational personnel available to participate in triage, scoping, and coordination activities within a timeframe consistent with the severity of the event.
The customer acknowledges that Cayosoft's role under this Product is advisory and supportive in nature and that Cayosoft does not execute changes directly in the customer's environment. The customer shall be solely responsible for executing all administrative actions, containment measures, remediation steps, configuration changes, and change controls recommended by Cayosoft or otherwise required in connection with the services, in each case in accordance with the customer's own policies and procedures.
Additional responsibilities, cooperation, expectations, acceptance, and warranty-related terms are governed by the Professional Services Addendum and the CSA. Cayosoft shall not be liable for any degradation, delay, or failure in the performance of services under this Product to the extent caused by or resulting from the customer's failure to fulfill its responsibilities under this section or under the Professional Services Addendum or the CSA.
Deliverables
Deliverables vary by customer environment and selected scope, and may include:
- Baseline Identity Security Assessment summary and prioritized recommendations
- Monthly posture review notes and guidance summary
- Annual identity DR participation after-action summary and improvement recommendations
- Identity response and recovery runbook inputs and updates
- Incident support notes, timelines, and prioritized next actions (as applicable)