Deconfliction Tracking

Tracking deconfliction events during assessments

When performing offensive assessment work, you will likely trigger an alert or generate anomalous logs that draw someone’s attention. If the system owner cannot identify you as the source, they will likely contact you to deconflict the event.

You can record deconfliction events under a project’s Deconflictions tab. Each recorded event appears as a card.

Deconflictions are time-sensitive. Delayed or inconclusive responses can mean wasted effort and frustration for defenders. Events like these are why activity logging is critical. Each deconfliction card tracks a few key pieces of information and light metrics.

Once you have responded, you can update the status to reflect whether the event was related to your work, and the card will show how much time passed between receiving the deconfliction request and the final response.

This data helps you and your client keep track of these events, but it can also reveal potential gaps and weaknesses in monitoring strategies. For example, if several hours passed between the alert timestamp and the client contacting you, that could indicate that defenders are not receiving timely notifications or are dealing with a lot of noise and a backlog of notifications.

A careful review of deconfliction events before a post-assessment debrief call can offer interesting insights and topics of discussion.
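The review described above can be scripted when the events are exported. The following is an added example, not part of the original page or the tool's own code; the record layout, field names, status values, and the two-hour threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records; field names and statuses are assumptions.
EVENTS = [
    {"title": "EDR alert on WS-114", "status": "Confirmed",
     "alert": "2024-03-04T09:12:00", "reported": "2024-03-04T09:40:00",
     "responded": "2024-03-04T09:55:00"},
    {"title": "Unusual LDAP queries", "status": "Unrelated",
     "alert": "2024-03-05T02:30:00", "reported": "2024-03-05T08:45:00",
     "responded": "2024-03-05T09:05:00"},
    {"title": "Suspicious login from VPN pool", "status": "Undetermined",
     "alert": "2024-03-06T14:00:00", "reported": "2024-03-06T14:20:00",
     "responded": None},
]

def _ts(value):
    """Parse an ISO 8601 timestamp, passing missing values through as None."""
    return datetime.fromisoformat(value) if value else None

def summarize(events, slow_notify=timedelta(hours=2)):
    """Return per-event delays plus talking points for a debrief."""
    rows, slow, unanswered = [], [], []
    for ev in events:
        alert, reported, responded = (_ts(ev[k]) for k in ("alert", "reported", "responded"))
        # Alert fired -> client contacted the assessment team.
        notify = reported - alert if alert and reported else None
        # Client contacted the team -> team gave its final response.
        response = responded - reported if reported and responded else None
        rows.append({"title": ev["title"], "status": ev["status"],
                     "notify_delay": notify, "response_delay": response})
        if notify is not None and notify >= slow_notify:
            slow.append(ev["title"])  # possible notification gap or alert backlog
        if responded is None:
            unanswered.append(ev["title"])  # still waiting on the assessment team
    notify_all = [r["notify_delay"] for r in rows if r["notify_delay"] is not None]
    response_all = [r["response_delay"] for r in rows if r["response_delay"] is not None]
    return {"rows": rows,
            "median_notify_delay": median(notify_all) if notify_all else None,
            "median_response_delay": median(response_all) if response_all else None,
            "slow_notifications": slow,
            "awaiting_response": unanswered}

if __name__ == "__main__":
    report = summarize(EVENTS)
    for key in ("median_notify_delay", "median_response_delay",
                "slow_notifications", "awaiting_response"):
        print(f"{key}: {report[key]}")
```
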
