CYBERSECURITY AND DFIR

Incident Blast Radius Estimator.

Version 1.7 · Research interface · Protected engine · Incident blast-radius review note

PURPOSE

Decision supported.

Estimates likely blast-radius pressure from identity scope, lateral movement potential, data reach and dependency concentration.

Intended user

research, assurance and technical review teams

Output status

Preliminary output · Human review required · Not certification

USE CASES

Where this instrument fits.

  • Scope incident response priorities
  • Prepare executive incident summaries
  • Identify containment urgency
  • Prioritize identity, network and data review

INPUTS

Required input fields.

  • Compromised identity scope (required): Single low-privilege user, Business app role, Privileged or cloud admin
  • Lateral movement potential (required): Low, Medium, High
  • Data reach (required): Low, Material, Critical
  • Dependency concentration (required): Low, Medium, High
  • Segmentation strength (required): Strong, Partial, Weak

Data handling: this interface uses the L2ET protected same-origin instrument engine. Do not enter confidential, regulated, privileged, incident, medical or sensitive operational data.

METHOD

Heatmap logic.

Combines identity privilege, lateral movement potential, data reach, dependency concentration and segmentation into a blast-radius pressure map.

Source families

incident scoping · identity security · resilience assessment

Assumptions

  • No live discovery is performed.
  • Estimates depend on accurate architecture knowledge.
  • Containment decisions require incident commander review.

INTERACTIVE INSTRUMENT

Incident blast-radius review note.

Use the controls below to generate a preliminary artifact. The output is intentionally bounded and requires human review.

OUTPUT ARTIFACT

Incident blast-radius review note.

The generated artifact includes findings, assumptions, limitations, recommended next actions and exportable structured output.

Export options

Copy output · Markdown · JSON

EXAMPLE

Example input and output.

Example input

Compromised business app role with medium lateral potential and material data reach.

Example output

Outputs medium-high blast pressure, containment focus areas and evidence required.

LIMITATIONS

What this tool does not do.

  • Does not confirm compromise scope.
  • Does not scan the environment.
  • Does not replace forensic analysis.

This instrument does not provide legal, medical, cryptographic, engineering, regulatory or compliance certification.

RELATED METHOD

Method and workflow links.

Read the family method note for assumptions, output artifacts, update policy and review boundaries.

CHANGELOG

Version history.

  • v1.7 - Research-grade instrument template, method notes, assumptions, limitations, example and export actions added.
  • Last updated: 2026-05-27.
  • Maturity state: Research interface.