From the cable to the finding in 25 minutes.
Enterprise forensic triage over an isolated VLAN with network boot. It turns any suspect laptop or desktop into a parsed, correlated case reviewable in the browser, without writing a single byte to the client disk, without agents and without booting Windows.
~25 min per disk · isolated forensic VLAN · read-only disk · multi-host in parallel
The problem we solve
When an organization detects a possible compromise, the first question is always the same: what did that host do, when, and how serious is it? Answering it with traditional methods takes hours or days, and every hour of delay is time for the attacker, exposure for the business and decay of volatile evidence.
Slow bit-by-bit imaging
Powering off and imaging the disk takes 4 to 8 hours before analysis can even begin.
Scattered tooling
Mounting, parsing and manually cross-referencing logs, registry, journals and OS artifacts with separate utilities.
A report that arrives too late
Producing something readable by management, legal or an expert becomes one more bottleneck.
The architecture: forensic VLAN + network boot
The investigated client boots from the server on a dedicated VLAN, with no internet and no visibility of the corporate network. Windows never boots; the disk is opened in read-only mode.
Total isolation
The host boots on a VLAN with no internet access and no view of the corporate network. If it was compromised, the attacker goes blind from the first second: no C2, no exfiltration.
Chain of custody preserved
The Windows disk is never mounted for writing. The analysis system runs entirely in memory and opens the disk read-only, so the analysis itself cannot alter the evidence; the hash taken at acquisition verifies it.
Hardened server
The forensic server is the only authorized system on the VLAN: a clean, reproducible, audited environment, with no corporate policies an attacker could have touched.
Aligned with standards
It respects the spirit of NIST SP 800-86, ISO/IEC 27037 and RFC 3227: preserve before analyzing, isolate before inspecting, do not alter what is investigated.
Scales horizontally
Several clients work at once on the VLAN; the server handles N triages in parallel. It enables fleet triage: 30, 50 or more endpoints in an afternoon.
Zero physical impact
No need to remove the disk or break seals: just connect a network cable and boot from the network (F12 on most machines; the one-time boot key varies by vendor). Note that rebooting into the network-booted analysis system discards the host's RAM, so if the machine is still running and memory evidence matters, capture it before rebooting.
The operational workflow
Five steps, ~30 minutes from “I plug in the cable” to “I have the report”.
Connect to the forensic VLAN
The analyst plugs the suspect machine into the dedicated switch port.
Boot from network (F12)
The machine loads the analysis system from the server. Windows never boots; the disk is visible only as evidence, read-only.
Triage runs automatically
Dozens of forensic analyzers run in parallel over the disk. Each finding streams to the server over the isolated VLAN in real time. ~25 minutes for a typical disk.
The rules engine correlates
More than 130 rules run over the artifacts: severity (critical / warning / informational), MITRE ATT&CK techniques and descriptions in Spanish or English. The cross-case exclusion list suppresses known false positives.
The analyst reviews in the browser
Executive dashboard with KPIs, severity charts, MITRE heatmap and prioritized findings. Drill-down to each artifact, tags, false-positive suppression and case closing.
Product capabilities
Exhaustive forensic capture
Coverage of the main Windows artifacts: MFT, journals, registry hives, event logs (security, system, PowerShell, RDP, defense, tasks), prefetch, jump lists, browsers, USB, devices, network, sessions, persistence and recent execution.
Structural custody
Client disk never written; a dedicated insert-only account per client on the server (the client can add its own evidence but cannot read or alter other cases' evidence); full audit of every suppression, tag and annotation with user, reason and timestamp.
Correlation engine with 130+ rules
Rules aligned to MITRE ATT&CK Enterprise (persistence, execution, lateral movement, exfiltration, evasion, credentials). Tier-0 high-signal rules and a persistent exclusion list: the tool learns from the analyst.
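To make the correlation step of the workflow and the exclusion-list behaviour above concrete, here is a reduced rules engine as an added example. It is not Prisma Pro DFIR's code and does not reproduce its rule set: the three rules, the artifact field names (`host`, `type`, `name`, `value`), the exclusion entry and the triage records for hosts WS-0412 and WS-0413 are all constructed for the illustration. It shows the pieces the text names: rules carrying a severity and an ATT&CK technique with bilingual descriptions, a cross-case exclusion list that suppresses known false positives on every host it applies to, and an audit trail of who suppressed what, why and when.

```python
"""Minimal triage correlation: artifacts x rules -> prioritized findings.

Added example, not the product's code. Rule ids, artifact field names and
all sample records are assumptions constructed for this illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SEVERITY_ORDER = {"critical": 0, "warning": 1, "informational": 2}


@dataclass
class Rule:
    rule_id: str
    severity: str        # critical / warning / informational
    technique: str       # MITRE ATT&CK technique id
    artifact: str        # artifact type the rule inspects
    pattern: str         # regex applied to the artifact's value
    description: dict    # language code -> analyst-facing text


@dataclass
class Exclusion:
    """One persistent, cross-case false-positive suppression."""
    artifact: str
    pattern: str
    added_by: str
    reason: str
    added_at: str        # ISO-8601 UTC, part of the audit trail


@dataclass
class Finding:
    host: str
    rule_id: str
    severity: str
    technique: str
    artifact: dict
    description: str
    suppressed_by: Optional[Exclusion] = None


# Constructed rules (ids and patterns are illustrative, not the real rule set).
RULES = [
    Rule("RUN_KEY_USER_TEMP", "critical", "T1547.001", "registry_run",
         r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
         {"en": "Run key launches an executable from a user Temp folder",
          "es": "Clave Run que lanza un ejecutable desde la carpeta Temp del usuario"}),
    Rule("PS_ENCODED_COMMAND", "warning", "T1059.001", "powershell_log",
         r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}",
         {"en": "PowerShell invoked with a long encoded command",
          "es": "PowerShell invocado con un comando codificado largo"}),
    Rule("SCHTASK_CREATED", "informational", "task_event", r".*",
         {"en": "Scheduled task created", "es": "Tarea programada creada"}) if False else
    Rule("SCHTASK_CREATED", "informational", "T1053.005", "task_event", r".*",
         {"en": "Scheduled task created", "es": "Tarea programada creada"}),
]

# Constructed exclusion list: a suppression an analyst made on an earlier case.
EXCLUSIONS = [
    Exclusion("task_event", r"^\\Microsoft\\Windows\\", "analyst1",
              "Built-in Windows maintenance task, seen benign on baseline images",
              "2024-05-02T09:14:00+00:00"),
]

# Constructed triage output (two hosts), not real evidence.
ARTIFACTS = [
    {"host": "WS-0412", "type": "registry_run", "name": "Updater",
     "value": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
    {"host": "WS-0412", "type": "powershell_log", "name": "EID 4104",
     "value": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"host": "WS-0412", "type": "task_event", "name": "EID 4698",
     "value": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"},
    {"host": "WS-0413", "type": "task_event", "name": "EID 4698",
     "value": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"host": "WS-0413", "type": "registry_run", "name": "VendorAgent",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]


def correlate(artifacts, rules=RULES, exclusions=EXCLUSIONS, lang="en"):
    """Match every artifact against every rule. Suppressed hits are kept,
    tagged with the exclusion that fired, so the audit trail stays complete."""
    findings = []
    for art in artifacts:
        for rule in rules:
            if rule.artifact != art["type"] or not re.search(rule.pattern, art["value"]):
                continue
            hit = next((x for x in exclusions
                        if x.artifact == art["type"] and re.search(x.pattern, art["value"])), None)
            findings.append(Finding(art["host"], rule.rule_id, rule.severity, rule.technique,
                                    art, rule.description[lang], hit))
    return findings


def suppress(exclusions, finding, user, reason):
    """Analyst marks a finding as a false positive: the exclusion is persisted
    (here appended in memory) and applies to every later case."""
    entry = Exclusion(finding.artifact["type"], "^" + re.escape(finding.artifact["value"]) + "$",
                      user, reason, datetime.now(timezone.utc).isoformat())
    exclusions.append(entry)
    return entry


def dashboard(findings):
    """KPIs the executive view needs: counts by severity, technique heatmap,
    prioritized active findings and the suppression audit log."""
    active = [f for f in findings if f.suppressed_by is None]
    by_sev = {s: 0 for s in SEVERITY_ORDER}
    heatmap = {}
    for f in active:
        by_sev[f.severity] += 1
        heatmap[f.technique] = heatmap.get(f.technique, 0) + 1
    audit = [{"host": f.host, "rule": f.rule_id, "user": f.suppressed_by.added_by,
              "reason": f.suppressed_by.reason, "timestamp": f.suppressed_by.added_at}
             for f in findings if f.suppressed_by]
    return {"by_severity": by_sev, "heatmap": heatmap,
            "prioritized": sorted(active, key=lambda f: SEVERITY_ORDER[f.severity]),
            "audit": audit}


if __name__ == "__main__":
    for f in dashboard(correlate(ARTIFACTS))["prioritized"]:
        print(f.host, f.severity.upper(), f.technique, f.rule_id, "-", f.description)
```

The exclusion written by one analyst on an earlier case suppresses the Windows maintenance tasks on both WS-0412 and WS-0413, while the two real hits on WS-0412 stay at the top of the prioritized list; each suppression in the audit output names the user, the reason and the timestamp, which is exactly the custody record the "Structural custody" point asks for.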
Reviewable at any level
Executive dashboard, per-case report with MITRE heatmap and raw drill-down, sub-second global search, role control (admin / analyst / observer) and native Spanish/English bilingual.
Built-in analyst manual
More than 50 documents per artifact type: what it is, where it lives, what it contains, how to investigate it and common false positives. Bilingual and linked from the interface.
How it compares
Speed, evidence custody and coverage compared with the traditional approaches, all in a single platform.
| Criterion | Prisma Pro DFIR | Traditional image + analysis | EDR (CrowdStrike, etc.) | Classic triage (KAPE) |
|---|---|---|---|---|
| Time to first finding | 25–30 min | 4–8 h + hours | minutes (live telemetry only) | 1–2 h + parse |
| Client disk untouched | ✓ structural lock | ~ depends on operator | ✗ runs in live OS | ~ depends |
| Network isolation | ✓ dedicated VLAN | ✓ post-image | ✗ needs cloud | ~ depends |
| Works on powered-off machine | ✓ | ✓ post-image | ✗ needs live agent | ✓ post-image |
| No preinstalled agent | ✓ | ✓ | ✗ | ✓ |
| Multi-host in parallel | ✓ N simultaneous | ✗ one at a time | ✓ tied to EDR | ✗ |
| Built-in MITRE correlation | ✓ 130+ rules | ~ manual | ✓ proprietary | ✗ |
| Persistent cross-case exclusions | ✓ | ✗ | ~ depends | ✗ |
| Executive UI in the browser | ✓ | ✗ heavy client | ✓ proprietary portal | ✗ command line |
| Native Spanish/English bilingual | ✓ native | ✗ English only | ~ depends | ✗ English only |
Who is it for?
Prisma Pro DFIR turns any room with a switch into a field forensic lab: 25 minutes from the cable to the finding, on a VLAN that does not let the attacker move a single packet, with the evidence intact and reviewable in a browser.
Bring the forensic lab to the incident.
Want to see a live demo or discuss deployment in your organization? Let’s set it up.
Request a demo