This summary describes the Mandiant investigation. Mandiant was engaged by Gainsight on November 20, 2025, to investigate a suspected intrusion affecting the Gainsight platform. The investigation aimed to 1) determine the root cause and scope and 2) assist with containment and remediation.
The investigation and remediation concluded on December 5, 2025, and the following information is accurate as of that date.
Mandiant has identified no evidence in Gainsight logs of an active threat actor and partnered with Gainsight on containment and hardening efforts across the Gainsight technology environment. Mandiant verified the remediation activities performed during the response, which covered application vulnerability analysis, credential management, logging enhancements, and security configuration reviews. The verified activities include:
Identity & Access Management (IAM)
- Rotate all credentials/tokens for AWS S3, Snowflake, and Salesforce
- Ensure Multifactor Authentication is enforced for all users
- Delete unused access keys
- Evaluate and implement scanning solution for sensitive credentials
Data Protection & Encryption
- Enforce HTTPS Communication on Elastic Load Balancers
- Enable Encryption on SQS Queues
- Restrict overly permissive S3 bucket policies
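The "Restrict overly permissive S3 bucket policies" item above is usually checked by reviewing each Allow statement for a wildcard principal that is not pinned to a trusted origin, and for blanket `s3:*` actions. The following is an added example of such a review, not Gainsight's or Mandiant's tooling; the two sample policies, the account ID, the VPC endpoint ID and the allowlist of scoping condition keys are all constructed for illustration.

```python
"""Review S3 bucket policy documents for overly permissive Allow statements.

Added example for the "Restrict overly permissive S3 bucket policies" item;
not Gainsight's tooling. The sample policies and the allowlist of scoping
condition keys are constructed for illustration.
"""
import json

# Condition keys that pin a wildcard principal to a trusted origin; any Allow
# to Principal "*" without one of these is flagged. Assumed allowlist.
SCOPING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:sourceip",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_scoping_condition(statement):
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def review_bucket_policy(policy_json):
    """Return a list of finding strings; an empty list means nothing flagged."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        sid = stmt.get("Sid", f"statement[{idx}]")
        if _is_wildcard_principal(stmt.get("Principal")) and not _has_scoping_condition(stmt):
            findings.append(f"{sid}: Allow to Principal '*' with no scoping condition")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"*", "s3:*"}:
            findings.append(f"{sid}: wildcard action grants every S3 operation")
    return findings


# Constructed sample 1: anonymous read on a tenant bucket plus a blanket s3:*.
PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-tenant-data",
                      "arn:aws:s3:::example-tenant-data/*"]},
        {"Sid": "AdminAll", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-worker"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-tenant-data/*"},
    ],
})

# Constructed sample 2: the same bucket, readable only through a VPC endpoint,
# a narrow action set for the application role, and a Deny for plaintext HTTP.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-tenant-data/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AppWorker", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-worker"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-tenant-data/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-tenant-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for finding in review_bucket_policy(PERMISSIVE_POLICY):
        print("FINDING:", finding)
    print("restricted policy findings:", review_bucket_policy(RESTRICTED_POLICY))
```

Run against the first policy it reports two findings (the anonymous read and the blanket `s3:*`); the second policy passes because the wildcard principal is scoped by `aws:SourceVpce` and the Deny statement is ignored, since Deny can only remove access. In practice the allowlist of scoping keys is the judgement call: a bare `aws:SourceIp` condition may still be too broad for tenant data.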
Network & Infrastructure Security
- Enable geo-restrictions and use AWS WAF on API Gateways and CloudFront distributions
- Restrict access to Internet-facing EC2 instances
- Restrict access to the Amazon OpenSearch cluster
- Protect access to EC2 instance metadata
Visibility & Logging
- Enable audit logging for Redshift instances
- Enable logging and encryption on OpenSearch (marked for decommission)
- Enable alerting on TOR-Based AWS Key Usage & S3 Access
- Enable alerting on TruffleHog Mass STS Key Validation
- Enable alerting on S3 Sensitive CSV Download From Suspicious Networks
- Enable alerting on Tenant Bucket Object Enumeration From Single Source
- Enable alerting on Okta MFA Disabled / Factor Reset for Privileged Accounts
- Enable alerting on Okta Sign-In Anomalies for High-Privilege Identities
- Enable alerting on Cloud Snapshot / Image Enumeration From Non-Baseline Principals
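Two of the alerting rules listed above, "TruffleHog Mass STS Key Validation" and "Tenant Bucket Object Enumeration From Single Source", can be expressed as simple aggregations over CloudTrail events: the first looks for one source IP calling `sts:GetCallerIdentity` with many distinct access keys in a short window (the call a credential scanner uses to check whether a leaked key is live), the second for one source IP listing many distinct buckets. The following is an added example of that logic, not Mandiant's or Gainsight's detection content; the events, IP addresses, key IDs and thresholds are constructed, and the TOR-based rules are not shown because they need an exit-node feed.

```python
"""Two of the alerting rules listed above, expressed as detection logic over
CloudTrail-style events.

Added example, not Mandiant's or Gainsight's detection content. The events,
IP addresses, key IDs and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LIST_OPS = {"ListObjects", "ListObjectsV2", "ListBucket"}


def _ts(value):
    """Parse the CloudTrail eventTime format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_sts_validation(events, window=timedelta(minutes=5), min_keys=5):
    """Mass key validation: one source IP calling sts:GetCallerIdentity with at
    least min_keys distinct access keys inside `window`.
    Returns [(source_ip, distinct_key_count), ...]."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
            per_ip[ev["sourceIPAddress"]].append(
                (_ts(ev["eventTime"]), ev["userIdentity"]["accessKeyId"]))
    alerts = []
    for ip, calls in per_ip.items():
        calls.sort()  # sliding window over time-ordered calls
        for i, (start, _) in enumerate(calls):
            keys = {key for t, key in calls[i:] if t - start <= window}
            if len(keys) >= min_keys:
                alerts.append((ip, len(keys)))
                break  # one alert per source is enough
    return alerts


def detect_bucket_enumeration(events, min_buckets=3):
    """Tenant bucket enumeration: one source IP issuing list operations against
    at least min_buckets distinct buckets. Returns [(source_ip, bucket_count), ...]."""
    buckets_by_ip = defaultdict(set)
    for ev in events:
        if ev["eventSource"] == "s3.amazonaws.com" and ev["eventName"] in LIST_OPS:
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket:
                buckets_by_ip[ev["sourceIPAddress"]].add(bucket)
    return [(ip, len(b)) for ip, b in buckets_by_ip.items() if len(b) >= min_buckets]


def _event(time, source, name, ip, key="AKIAEXAMPLELEGIT0001", bucket=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
    if bucket:
        ev["requestParameters"] = {"bucketName": bucket}
    return ev


# Constructed sample: 198.51.100.7 (TEST-NET-2) validates six keys in six
# minutes and then lists four tenant buckets; 10.0.1.5 is normal traffic.
SAMPLE_EVENTS = [
    _event(f"2025-11-20T10:0{i}:00Z", "sts.amazonaws.com", "GetCallerIdentity",
           "198.51.100.7", key=f"AKIAEXAMPLELEAK000{i}")
    for i in range(6)
] + [
    _event("2025-11-20T10:07:00Z", "s3.amazonaws.com", "ListObjects",
           "198.51.100.7", key="AKIAEXAMPLELEAK0003", bucket=f"tenant-{b}-exports")
    for b in "abcd"
] + [
    _event("2025-11-20T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "10.0.1.5"),
    _event("2025-11-20T10:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", "10.0.1.5",
           key="AKIAEXAMPLELEGIT0002"),
    _event("2025-11-20T10:31:00Z", "s3.amazonaws.com", "ListObjectsV2", "10.0.1.5",
           bucket="tenant-a-exports"),
]

if __name__ == "__main__":
    print(detect_mass_sts_validation(SAMPLE_EVENTS))  # [('198.51.100.7', 6)]
    print(detect_bucket_enumeration(SAMPLE_EVENTS))   # [('198.51.100.7', 4)]
```

Both rules key on `sourceIPAddress`, so they are cheap to run as scheduled queries over CloudTrail management events (for `GetCallerIdentity`) and S3 data events (for the list operations); the thresholds and window are the tuning knobs and should be set from each environment's baseline, since some CI systems legitimately validate several role credentials in quick succession.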