Use Case


Malware is a common attack vector used by adversaries to harvest user credentials, exfiltrate data and extort money. Kroll Responder harnesses signature and behaviour-based threat detection techniques to identify the latest malware threats, including ransomware and cryptomalware, as well as fileless and polymorphic variants. Automated incident response actions enable threats to be contained and eliminated before they spread.

A laptop that has been locked due to ransomware

Use Case

Privilege escalation

System vulnerabilities and misconfigurations can allow attackers to gain elevated access to systems and assets that are normally restricted. Kroll Responder uses the latest behavioural monitoring technology to closely monitor the activities of privileged users, identify privilege escalation techniques and detect attempts to exfiltrate data.

An attacker escalating privileges to obtain admin access

Use Case

Lateral movement

Upon establishing a foothold on a network, attackers will attempt to pivot through systems and accounts to reach their end goal. Kroll Responder helps detect lateral movement by identifying privilege escalation, efforts attempts to install remote access tools, and changes to access controls.

Lateral movement across servers to access the crown jewels

Use Case

Compromise of trusted hosts

A large proportion of attacks target endpoint devices such as servers, workstations and laptops. Kroll Responder baselines the activity of hosts to help detect unusual behaviour such as spikes in network traffic, unknown communication sources, and the deactivation of security controls.

Host devices being compromised by an attacker

Use Case

Data exfiltration

To achieve a high level of data security, it’s important to know when sensitive data is modified, copied and erased. Kroll Responder continuously monitors the integrity of files, protocols and applications that facilitate the transfer of data, and for evidence for command and control (C2) activity.

Data being exfiltrated to a command and control server

Use Case

Policy violation

Tracking adherence to information security policies and standards is a good way to uncover suspicious activity. Kroll Responder helps to detect threats by monitoring employee and system attempts to access restricted resources, including unusual out-of-hours requests.

An employee attempting to access data from an unknown location

Use Case

Credential access

To steal account names and passwords, adversaries deploy credential harvesting malware, and use brute-force and credential dumping techniques. Kroll Responder can help detect credential access attempts by monitoring for use of weak passwords, account lock outs and login attempts from unknown locations.

A password being crunched by a bruteforce attack

Use Case

Cloud-focused threats

Many cyber security threats now specifically target cloud environments. Kroll Responder can help to achieve cloud visibility by monitoring public, private, hybrid and virtualised cloud environments for suspicious user, system and application activity.

Aan attacker attempting to steal data from a cloud environment

Use Case

Supply chain compromise

If your organisation is dependent on a growing ecosystem of partners and suppliers, there is an increased risk of a supply chain compromise. Kroll Responder helps prevent third party compromises by closely monitoring user accounts, applications and web sites for suspicious activity.

A supply chain compromise

Use Case


Despite the adoption of more intelligent prevention technologies, there is always a risk of employees receiving and falling victim to phishing emails. Kroll Responder provides an extra layer of protection against phishing attacks by integrating with secure email gateways and popular email tools such as Office 365 and Gmail to improve detection of suspicious activity.

A series of spear phishing emails

Use Case

Insider threats

People, whether acting out of negligence or malice, are one of the top causes of data breaches. Kroll Responder leverages advanced User and Entity Behaviour Analytics (UEBA) to help better identify compromised accounts, privilege abuse and other suspicious user activity that could suggest an insider threat.

An inside attacker exfiltrating sensitive data

Use Case

Zero-day attacks

Detecting previously unknown threats is challenging but achievable with the right tools and data. Kroll Responder integrates the latest cyberoffensive intelligence, high fidelity telemetry and a range of analytics-based technologies to hunt for evidence of new adversarial tactics, techniques and procedures.

A zero day security threat marked on a calendar