Tried, Tested and Proven

Cyber Threat Analysis and Detection Service (CTADS™)

The Cyber Threat Analysis and Detection Service (CTADS™) is a threat detection service designed to help you combat Advanced Persistent Threats (APTs) that steal information from compromised computers. Those who carry out these attacks are determined and resourceful in their attempts to capture information and maximise data exfiltration.

In light of a marked rise in APTs, we have devised CTADS as a leading-edge solution, providing consolidated threat intelligence gathered from a number of reliable and trusted sources. These sources include Portcullis’ own research and development work, as well as public and privately disclosed threat feeds.

We have further extended Cyber Threat Analysis and Detection Service (CTADS™) beyond the remit of other threat analysis services by including the efforts of real people to analyse traffic in depth for suspicious activity such as IP tunnelling, binary files, payloads, exploitation attempts, malware, shellcode, command and control traffic and beacon packets.

Our analysts are experts with backgrounds in defence, intelligence, finance and other industries. They are able to interpret vast amounts of information for the suspicious activity and threats contained within. They take the technical information and produce a story of events, discuss probable threats and recommend mitigations appropriate and suitable for you. The technical output also describes what has happened and when; the combination of technical discovery with threat modelling and risk-centric analysis will look at answering who, where, why and how.

Cyber Threat Analysis and Detection Service (CTADS™) not only analyses traffic entering your network but also traffic leaving it. In today’s world, data exfiltration is a huge concern. This work is often like finding a needle in a haystack and requires skills and understanding far beyond the normal abilities of most security professionals. However, no automated systems can achieve anything like the accuracy and insight achievable by individuals with such a depth of knowledge and understanding. The manual phase of this service allows us to push past a set of known problems which we reactively identify and attempt to be proactive, using the latest intelligence with the combined experience of the team.

Incident response

CTADS Incident Response is a time-based service that proceeds through up to five stages.


  • Our analysts will liaise with you to gain a detailed understanding of your network architecture and your organisation’s exposure to APTs, before planning an effective strategy for the deployment of Cyber Threat Analysis and Detection Service (CTADS™) Collection Agents. Details of the Collection Agents to be deployed will be provided to you in an equipment register so the data collected can be accounted for throughout your assignment.

Data Collection

  • Portcullis investigators will then deploy the Collection Agents, a selection of best-of-breed, appropriate and specialised tools, to obtain a recording of network-level traffic during a fixed period for later, detailed analysis.


  • Upon return to our labs, your traffic will be subjected to stringent analysis for evidential data. The Collection Agents are first indexed and all data cross-referenced, then threats are trended and identified. Suspicious files, malware and other files containing payloads are reconstituted, analysed and, where required, reverse engineered to understand how they function and provide details to identify further occurrences of them. Where discovered, malicious code will be investigated by the dedicated and experienced network and software technicians. Throughout the Data Collection and Analysis processes you will receive regular progress reports.


  • The results of the consultation, data collection and analysis will be collated into a comprehensive technical report of our actions, discoveries, conclusions and recommendations. Executive reports may also be commissioned for a specific audience.
    The report will include a summary of positively identified issues, a general traffic analysis, a list of any potentially compromised hosts and, wherever possible, a list of types and levels of data egress with detailed information on the data itself and the egress destination. Attack attribution and threat modelling will also take place at this stage, building on the risk analysis performed during the initial consultation.


  • Upon completion of the Cyber Threat Analysis and Detection Service (CTADS™) assignment, data collected will either be securely erased or the media physically destroyed, and certificates of destruction provided to you. Alternatively, you can request the return of the devices containing your traffic for destruction by you.