Security evidence and diagnosis for SMBs

Find out what happened.
Show your work.

Postmortem helps MSP technicians collect the right evidence, separate causes from noise, and turn hours of log review into a clear report that shows where every conclusion came from.

Read only by default. Conclusions cite evidence. A technician approves every report.

09:08 EDTWindows starts the first update retry.

09:18 EDTDNS, Netlogon, and Group Policy begin timing out.

09:28 EDTThe secure channel verifies without a trust repair.

The WS-14 investigation

A domain problem that started with Windows servicing.

The user saw a slow machine and a lost domain connection. The timeline showed when the update retries, disk pressure, and domain timeouts actually occurred.

  1. 01

    Collect

    The signed probe exports the approved event channels and runs bounded health checks.

  2. 02

    Correlate

    The rule places two update retries before pressure and the domain timeouts.

  3. 03

    Explain

    The technician sees the exact evidence IDs, one missing trace, and a constrained claim.

  4. 04

    Verify

    The same pack runs after repair. The case stays open until the checks pass.

Abstract evidence signals converging into an ordered path from observation to verified action
Collection is only the beginning. Review and verification close the loop.

Packs built for specific questions

The evidence larger teams expect, built for an SMB workflow.

Diagnostics

When the machine is slow, unstable, or losing the domain.

Collect Windows Update, CBS, performance, DNS, Netlogon, Kerberos, and Group Policy evidence in one bounded case.

See diagnostic workflow
Incident investigation

When an account or endpoint may be compromised.

Preserve evidence before it expires, normalize clocks, and build a reviewable sequence across endpoint and cloud systems.

See incident boundaries
Security assessment

When an SMB needs to see the path, not a 200-line scanner dump.

Pair safe external and internal observations, identify critical business assets, and prioritize the changes that break credible paths.

See assessment direction

Hostile input stays data

A log line never gets to write the conclusion.

Parser rules read structured fields. Collected strings remain escaped evidence. The report shows the rule, evidence IDs, gaps, confidence, reviewer, and approval time.

  • Explicit scopeServer authorization defines what the probe may collect.
  • Direct artifact uploadRaw evidence bypasses workflow engines and browser caches.
  • Uncertainty preservedUnknown and insufficient evidence are valid outcomes.
  • No automatic remediationA technician reviews every action in the first release.

See the evidence chain

A failed update looked like broken domain trust.

Walk through the real synthetic fixture: servicing retries, resource pressure, DNS timeouts, Netlogon, Group Policy, and the evidence that ruled out trust loss.

Review case PMR-2026-0041