DTEX for Incident Response & Forensics

DTEX collects dedicated user activity metadata from the endpoint, creating a high-fidelity audit trail in human-readable data. This audit trail makes forensic investigations simple and seamless.

Unmatched Endpoint Data

User activity data directly from the endpoint, both on and off the corporate network, gives investigators the full audit trail that solutions like SIEM, EDR, DLP, or CASB tools can’t produce. This includes obfuscated or hidden activity, printing activity, privilege escalation, and other data that is historically difficult to see.

Understand Context and Intent

Investigation tools that focus on malware and other external attacks simply do not provide the data investigators need to understand the context around a human-based incident. DTEX provides contextual information you need to answer the big questions -- who, what, where, when, and why -- within minutes, including visibility into every step of the kill chain.

Rapid In-House Investigations

With this real-time, unbroken audit trail, security teams can quickly conduct investigations in-house or, if desired, with the help of DTEX’s specialized analyst team. Calling in expensive contractors isn’t necessary, nor do investigators need to gain physical access to the device in question.


Global organizations use DTEX to quickly understand the chain of custody of a breached or sensitive document, without requiring physical access to endpoints. Not only is this crucial for investigations, but it also helps companies proactively understand their greatest areas of weakness.

The Audit Trail in Action, Revealing the Full Kill Chain

No other solution offers an audit trail as complete, including detailed visibility into every step of the insider threat kill chain. Take, for example, the audit trail below, from a data theft incident:

  • User accesses confidential server.
    > Reconnaissance

  • User switches from corporate wifi to mobile hotspot network.
    > Circumvention

  • User escalates privileges.
    > Weaponization

  • User copies 121 files to their local desktop.
    > Aggregation

  • User compresses those files into "ClientList.zip" and encrypts it.
    > Aggregation

  • User renames "ClientList.zip" to "MomsPieRecipe.pdf".
    > Obfuscation

  • User uploads "MomsPieRecipe.pdf" to Dropbox.
    > Exfiltration

With this timeline of user behavior, analysts can quickly understand the full context of this incident:

Malicious Intent

The intentional obfuscation of the file name and the switch away from the corporate network show analysts that this was an intentional, malicious incident.

Affected Files

The audit trail reveals exactly which files the user downloaded and stole.

Definitive Timeline

DTEX maps the entire incident, step by step, to a definitive timeline.

Prosecutable Evidence

Should the company decide to pursue legal action, DTEX provides a record of the user's data theft, including the evasive action taken before the event.

Investigating Malware with DTEX

While DTEX's metadata collection focuses on user behavior, its extensive high-fidelity endpoint data has also proven to be very useful when it comes to investigating external incidents, including malware, ransomware and hacking attacks. Customers have used DTEX to quickly identify which endpoints organization-wide have used a dangerous application, for instance, or to determine the exact root phishing email that led to an infection.

Prosecution-Ready Evidence

DTEX's user behavior records have been used to support legal proceedings and prosecution. Recently, DTEX's data was used in the prosecution of a data theft incident at a large financial institution, which resulted in a guilty plea.
