The Investigation Gap in Traditional MDR
June 25, 2026 | 5 min read
BlueVoyant


Most MDR providers stop at detection and escalation. Two new capabilities in BlueVoyant AI (BlueVoyant's MDR platform), Cloud Forensics and Device Forensics, extend the service into active investigation, giving analysts the tools to determine what happened during an incident rather than simply flagging that one occurred. When an incident requires traditional forensic investigation, these same tools provide a direct transition into that process.
Detection is a mature capability. Every major MDR provider ingests logs, correlates alerts, and escalates incidents, but the bottleneck has never been detection. It's the investigation that follows. When a serious incident occurs, most organizations follow the same sequence: the product fires an alert, the customer escalates internally, an IR firm is called, and evidence collection begins days later, after the IR firm finishes scoping and contracts are signed. By that point, relevant log data may have rolled, attacker activity may have been partially overwritten, and the cost of the investigation has grown significantly.
BlueVoyant's approach is to start the investigation at the same time as the detection, using tooling built directly into the platform.
Cloud Forensics
The challenge for analysts is volume: M365 generates many audit events across email, file access, sign-ins, and admin activity, and those events are spread across separate interfaces in the native tooling. Building a coherent incident timeline manually takes hours and requires an analyst who knows exactly which event types to look for.
Cloud Forensics addresses this by providing a single investigative workspace for M365 audit data. An analyst enters a query, consisting of a date range, a set of users, an IP address, or a keyword, and the platform retrieves the relevant audit records in real time. It then applies curated risk filters to automatically surface high-priority events: operations associated with attacker behavior like mail-forwarding rule creation, sign-ins from high-risk geographies, and activity linked to known attacker tooling.
From there, analysts work interactively: tagging events, adding notes, and pivoting on indicators like IP addresses, file hashes, or URLs to pull threat intelligence enrichment without leaving the interface. An AI layer handles batch analysis across all retrieved records, extracting indicators of compromise, building a chronological timeline, and mapping activity to MITRE ATT&CK. A copilot interface allows the analyst to query the data directly and generate structured output, including client-ready summaries of incidents like business email compromise.
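As an added illustration of the investigative workflow described above (not BlueVoyant code, and not the platform's actual query or filter implementation), the following Python sketch runs a handful of constructed M365-style audit records through a query step, curated risk filters, a chronological timeline, and indicator extraction. Field names follow the common Unified Audit Log shape (CreationTime, Operation, UserId, ClientIP, Workload, Parameters); the geolocation map, the high-risk country list, and every record value are constructed placeholders, and the ATT&CK mappings are assumptions chosen for the two filters shown.

```python
import json
from datetime import datetime

# Constructed sample records in the shape of M365 Unified Audit Log entries.
# Every value is invented for illustration; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-06-20T08:12:03", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Workload": "AzureActiveDirectory", "ResultStatus": "Succeeded"},
    {"CreationTime": "2026-06-20T08:14:40", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Workload": "Exchange",
     "Parameters": [{"Name": "ForwardTo", "Value": "ext@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-06-20T07:55:12", "Operation": "FileAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Workload": "SharePoint"},
    {"CreationTime": "2026-06-20T08:20:01", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Workload": "Exchange",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:ext@example.net"}]},
]

# Constructed stand-in for a real IP geolocation lookup (assumption).
GEO_LOOKUP = {"203.0.113.10": "ZZ", "198.51.100.7": "US"}
HIGH_RISK_COUNTRIES = {"ZZ"}  # placeholder; a real deployment curates this list

FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress")


def _param(record, name):
    """Return the value of a named cmdlet parameter, or None if absent."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def query(records, start=None, end=None, users=None, ip=None, keyword=None):
    """Narrow the audit set by date range, user set, source IP, or keyword."""
    out = []
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        if start and ts < start:
            continue
        if end and ts > end:
            continue
        if users and r["UserId"] not in users:
            continue
        if ip and r.get("ClientIP") != ip:
            continue
        if keyword and keyword.lower() not in json.dumps(r).lower():
            continue
        out.append(r)
    return out


# Curated risk filters: (label, assumed ATT&CK technique, predicate).
RISK_FILTERS = [
    ("mail-forwarding inbox rule", "T1114.003",
     lambda r: r["Operation"] == "New-InboxRule"
     and any(_param(r, n) for n in FORWARDING_PARAMS)),
    ("mailbox-level forwarding", "T1114.003",
     lambda r: r["Operation"] == "Set-Mailbox"
     and _param(r, "ForwardingSmtpAddress") is not None),
    ("sign-in from high-risk geography", "T1078.004",
     lambda r: r["Operation"] == "UserLoggedIn"
     and GEO_LOOKUP.get(r.get("ClientIP")) in HIGH_RISK_COUNTRIES),
]


def apply_risk_filters(records):
    """Surface records matching any curated filter, tagged with the label and technique."""
    hits = []
    for r in records:
        for label, technique, pred in RISK_FILTERS:
            if pred(r):
                hits.append({"time": r["CreationTime"], "user": r["UserId"],
                             "operation": r["Operation"], "filter": label,
                             "attack": technique})
    return hits


def build_timeline(records):
    """Order records chronologically; ISO-8601 strings sort correctly as text."""
    return sorted(records, key=lambda r: r["CreationTime"])


def extract_iocs(records):
    """Collect source IPs and any forwarding destinations as pivotable indicators."""
    iocs = {"ips": set(), "forwarding_targets": set()}
    for r in records:
        if r.get("ClientIP"):
            iocs["ips"].add(r["ClientIP"])
        for name in FORWARDING_PARAMS:
            v = _param(r, name)
            if v:
                iocs["forwarding_targets"].add(v.removeprefix("smtp:").lower())
    return iocs


if __name__ == "__main__":
    scope = query(SAMPLE_RECORDS, users={"alice@example.com"})
    for hit in apply_risk_filters(scope):
        print(hit)
    print(extract_iocs(scope))
```

The point of the structure is that the filters are data, not code paths: adding a new attacker behaviour is one more tuple, and each hit carries its technique label so the timeline and summary steps can group by tactic without re-parsing records.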
The practical result is that an investigation which would previously require a full SOC analyst workday can typically be completed in under an hour.
Device Forensics
When an endpoint is implicated in a serious incident, collecting the forensic evidence from that machine has traditionally been one of the slowest steps in any investigation. Manual collection by a forensic specialist takes hours and sometimes requires physical access to the device. In a live incident, that delay creates real risk: attackers have time to remove tools, delete logs, or pivot to additional systems before investigators have a baseline of what happened.
Device Forensics automates evidence collection from suspect endpoints. When a high-severity incident involves a specific machine, a collection workflow triggers automatically or can be kicked off manually by an analyst. A signed, trusted collection routine runs on the endpoint and gathers artifacts across more than 20 categories, including program execution history, scheduled tasks, registry entries, event logs, browser history, and network connections. The collected evidence is written to protected storage using time-limited, write-only access credentials, with full chain-of-custody logging and no persistent secrets stored on the device.
An AI forensics agent then processes the collected files, extracts indicators of compromise, constructs an event timeline, and maps the attacker's activity to MITRE ATT&CK. Analysts review the results in the portal alongside the raw artifacts, with the AI-generated summary attached directly to the incident record. From trigger to analyst-ready findings, the process typically takes about 30 minutes and functions regardless of which EDR is running on the endpoint.
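The evidentiary property that matters in the collection step above is that what the analyst reviews is provably what was collected. As an added example (not BlueVoyant's collector, and not its storage or credential scheme), the following Python builds a hashed artifact manifest for a few constructed artifact files, verifies them on receipt, and keeps a hash-chained custody log in which every entry commits to the one before it, so a later edit to any entry is detectable. Host names, collector identifiers and artifact contents are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed artifacts standing in for a few of the collected categories.
CONSTRUCTED_ARTIFACTS = {
    "scheduled_tasks/tasks.xml": b"<Tasks><Task name='updater'/></Tasks>",
    "event_logs/Security.evtx": b"ElfFile" + b"\x00" * 32,
    "network/connections.txt": b"TCP 10.0.0.5:51234 -> 203.0.113.10:443 ESTABLISHED\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(host: str, collector_id: str, artifacts: dict) -> dict:
    """Hash each artifact at collection time so the receiver can verify integrity."""
    return {
        "host": host,
        "collector": collector_id,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": {path: {"sha256": sha256_hex(data), "size": len(data)}
                      for path, data in artifacts.items()},
    }


def verify_manifest(manifest: dict, artifacts: dict) -> list:
    """Return the paths that are missing or whose content no longer matches."""
    bad = []
    for path, meta in manifest["artifacts"].items():
        data = artifacts.get(path)
        if data is None or sha256_hex(data) != meta["sha256"]:
            bad.append(path)
    return sorted(bad)


class CustodyLog:
    """Append-only custody log: each entry's hash covers its content and the previous hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the same content always yields the same hash.
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def append(self, actor: str, action: str, detail: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "detail": detail, "prev_hash": prev,
                "at": datetime.now(timezone.utc).isoformat()}
        body["entry_hash"] = self._digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self) -> bool:
        """True only if every entry hashes correctly and the chain is unbroken."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    manifest = build_manifest("host-01", "collector-v1", CONSTRUCTED_ARTIFACTS)
    log = CustodyLog()
    log.append("collector-v1", "collected", "host-01")
    log.append("analyst-a", "reviewed", manifest["collected_at"])
    print("mismatches:", verify_manifest(manifest, CONSTRUCTED_ARTIFACTS))
    print("custody chain intact:", log.verify())
```

A manifest like this is what makes "write-only, time-limited" upload credentials sufficient: the collector never needs read access to storage, because integrity is established by the hashes it recorded at collection time rather than by re-reading what it wrote.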
Cloud and Device Forensics can reduce DFIR triage time by 90%.
Why Digital Forensics and Incident Response (DFIR) Capability Is a Separate and Significant Differentiator
SOCs can act only on devices they monitor. Cloud Forensics and Device Forensics support investigations within the MDR workflow for those monitored devices. Unmanaged devices are where retaining a DFIR team becomes critical to securing the organization's full stack. In addition, significant incidents, such as large-scale ransomware attacks, nation-state intrusions, insider threats, or data breaches requiring litigation-ready evidence, demand hands-on response capabilities beyond what any automated platform can provide on its own. DFIR teams provide the crisis management that most providers lack.
The standard model in the MDR industry is to handle detection and containment, then refer the customer to a third-party IR firm for the deeper investigation. That referral introduces a handoff cost: the IR firm lacks context from the detection, needs time to understand the environment, and operates as a separate engagement with separate reporting. The customer manages two vendor relationships simultaneously during the period when their attention is most constrained.
For BlueVoyant MDR clients with a DFIR retainer, BlueVoyant eliminates that handoff, covering the full scope of incident response: compromise assessment, active threat containment, forensic investigation, malware analysis, legal-hold evidence preservation, crisis management, and post-incident reporting. The handoff from the SOC to the DFIR team is transparent. All team members have context from the detection and ongoing familiarity with the customer's environment, which reduces ramp-up time and eliminates the re-explanation of findings across vendor boundaries.
Three areas where this integration has measurable impact:
- Response time: when a critical incident escalates to the DFIR team, context and details are already available rather than having to brief in a separate vendor, and time-to-investigation compresses accordingly.
- Evidence continuity: artifacts collected through Device Forensics or Cloud Forensics carry forward into the DFIR investigation, which matters both for speed and for evidentiary integrity.
- Accountability: a single team owns the full outcome from first alert through final report, which simplifies coordination and creates a clear chain of responsibility for organizations under regulatory scrutiny or facing litigation.
BlueVoyant AI's Cloud Forensics and Device Forensics capabilities allow rapid advancement from detection to investigation, reducing the time required to understand an incident from hours to minutes. Combined with a retained full-time DFIR team, this means that when an incident exceeds the scope of automated tooling, BlueVoyant can respond without a vendor handoff, with the context and continuity of a "one team" approach that is transparent to our clients.