As defenders, the critical moment is when we've determined that an attacker's attempt to gain a foothold on the network was successful. This sets off a chain of investigative activity where we follow breadcrumbs through our data to understand where the attacker went, what their mission is, and what they took. As these breadcrumbs are uncovered, we don't just have to follow their path; we must also ascertain whether similar evidence can be found at other points on the network. This is all part of scoping the attacker to better understand the attack. In this post, I'm going to talk about strategies for attack scoping and discuss how Sqrrl enables them intuitively.