
Computer attacks have grown exponentially, targeting both businesses and governments.

Advanced Persistent Threats (APTs) are scenarios where advanced attackers compromise an information system and remain active for years without being detected. How can an organization determine whether an attacker has already bypassed its security? In particular, how can it recognize an advanced persistent threat that most popular security solutions fail to detect?

Compromise Discovery is a solution developed by PwC that allows you to take a proactive approach to identify potential IS compromises by analyzing weak signals over a wide area.


Benefits of Compromise Discovery


Easy to deploy at scale. No specific agent to install.

Threat analysis

Identify risky behaviors and suspicious traces that may indicate an ongoing or past attack.

Compliance validation

Provide an accurate analysis of the compliance of your IT assets.

We developed the Compromise Discovery solution in response to a question frequently asked by our clients following our security assessments: "I now know that I am at risk, but is it already too late?". Our approach has allowed us to identify discrete attacks on our clients' most at-risk perimeters: for example, the presence of banking malware on a branch treasurer's workstation, remote access to an executive assistant's environment, or the presence of unsecured remote access solutions left on a critical server by a supplier.

Jamal Basrire, Cybersecurity Associate, PwC France and Maghreb


Initial Assessment
20,000€ Discovery Pro / SME - ISE
  • Definition of the perimeter of the IS machines to be analyzed
  • First collection of data necessary to detect a compromise
  • Analysis limited to 500 endpoints
  • Detection of suspicious behaviors & weak signals
  • Delivery of a report with a global view of the IS
Initial + subscription + incident response retainer
50,000€ Discovery Expert / SME - ISE
  • Definition of the scope of the IS machines to be analyzed
  • Initial collection + monthly collection for one year
  • Analysis limited to 1000 endpoints
  • Detection of suspicious behaviors & weak signals
  • Delivery of a report with a global view of the IS
  • Access to our Incident Response service (available 7 days a week), first 2 days of analysis included
  • Access to our Threat Watch platform




What is an indicator of compromise?

Indicators of compromise are technical artifacts or behaviors whose presence indicates malicious activity on the information system.

What are the most common indicators of compromise?
Examples include:
  • Traces of failed authentication attempts on a set of servers 
  • Abnormal behavior of conventional Windows processes

How does PwC's Compromise Collector solution work?

PwC's collector is based on the DFIR-ORC utility developed by ANSSI. It can be launched via various execution methods, the preferred method being deployment via GPO. Running the collector generates a zip file containing artifact exports in text format, which is then retrieved from a file server for analysis by PwC. Once configured by the client, the collection does not require any remote access from PwC.

What types of analyses are performed by PwC in its platform?

The Compromise Analytics platform is a modular environment, continuously updated with new tests and analyses. It is based on several types of processing:

  • Enrichment with internal or external Threat Intelligence databases (comparison based on signatures or technical indicators, customer data is not sent to third parties)
  • Search for known suspicious behaviors (technical) or behaviors that deviate from the nominal operation of a system 
  • Statistical analysis of the entire fleet (uncommon behaviors or files, divergent behavior compared to the rest of the fleet)

Once these tests have been performed, the discrepancies are manually analyzed by a PwC expert in order to eliminate false positives and investigate the data to understand the extent of a potential compromise.
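
The fleet-wide statistical analysis listed above can be illustrated with a small "stacking" script. This is an added example, not PwC's code or part of the Compromise Analytics platform; the record layout, host names, paths and placeholder hashes are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (host, executable path, file hash). Hashes are placeholders.
RECORDS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "hash-A"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "hash-A"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "hash-A"),
    ("ws04", r"C:\Windows\System32\svchost.exe", "hash-B"),  # same path, other content
    ("ws01", r"C:\Program Files\Agent\agent.exe", "hash-C"),
    ("ws02", r"C:\Program Files\Agent\agent.exe", "hash-C"),
    ("ws03", r"C:\Program Files\Agent\agent.exe", "hash-C"),
    ("ws04", r"C:\Program Files\Agent\agent.exe", "hash-C"),
    ("ws03", r"C:\Users\Public\updater.exe", "hash-D"),      # present on one host only
]

def rare_paths(records, max_share=0.25):
    """Paths present on at most max_share of the fleet, rarest first."""
    fleet = {host for host, _, _ in records}
    hosts = defaultdict(set)
    for host, path, _ in records:
        hosts[path.lower()].add(host)  # Windows paths are case-insensitive
    rare = [(p, sorted(h)) for p, h in hosts.items()
            if len(h) / len(fleet) <= max_share]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))

def divergent_hashes(records):
    """Hosts whose file at a shared path differs from the fleet-majority hash."""
    per_path = defaultdict(lambda: defaultdict(set))
    for host, path, digest in records:
        per_path[path.lower()][digest].add(host)
    findings = []
    for path, digests in per_path.items():
        if len(digests) < 2:
            continue  # every host agrees, nothing to review
        majority = max(digests, key=lambda d: len(digests[d]))
        for digest, hosts in digests.items():
            if digest != majority:
                findings.append((path, digest, sorted(hosts)))
    return sorted(findings)

if __name__ == "__main__":
    print("Rare paths:", rare_paths(RECORDS))
    print("Divergent hashes:", divergent_hashes(RECORDS))
```

Both outputs are leads for the manual review step, not verdicts: a rare path or a minority hash can be a legitimate one-off install or a host that missed a patch.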
