Our Work | SMOKE Intelligence Services

How engagements take shape.

Where There's Smoke, There's Fire.

Most engagements begin with a phone call. The client describes the situation. We confirm whether we are the right fit and provide a clear scope and cost estimate. If we are not the right fit, we say so directly.

The work is almost always ad hoc: one investigation, one automation build, one ongoing monitoring arrangement. We do not sell retainers or fixed packages, because the problems that warrant outside expertise rarely fit a standard size. Some clients engage us once. Others keep us on call. Both arrangements work.

Pricing scales to the engagement. We have completed single-day turnarounds and multi-month projects. The first conversation is always free.

What the work actually looks like.

Details below have been generalized or omitted to protect client confidentiality.

Threat Source Attribution

The situation

A security team for a public figure was receiving threatening emails from multiple anonymous accounts. Sender names varied across free email providers, and it was not clear whether one individual or several were responsible.

What we did

We analyzed full email headers across every message, traced originating IP addresses, and verified authentication chains to confirm that the messages came from the claimed providers rather than spoofed sources. We checked the source IPs against VPN, proxy, TOR, and known botnet datasets. One of the sending addresses appeared in two prior breach corpora, indicating a personal account rather than a disposable one.

What the client got

All messages traced to a single residential IP in a specific city, with no proxy indicators. Findings were packaged with full technical documentation suitable for law enforcement referral, alongside recommended next steps for ISP and provider complaints.

Incident Response for a School District

The situation

A teacher observed signs of possible unauthorized access on a student's district-issued device. Files were appearing or changing unexpectedly, with indicators consistent with remote access. The student's personal information may have been exposed. The district IT department had not responded with urgency.

What we did

An external party cannot examine district-owned property without a formal engagement, which requires chain of custody, legal authority, and procurement clearance. Instead, we delivered a structured guidance document covering how to record observations with timestamps, what escalation language invokes student safety obligations, how to confirm that a formal IT ticket has been logged, and how to escalate through campus administration if IT remained unresponsive. For the family, we outlined a parallel set of steps: filing a police report, requesting forensic preservation of the device, powering it off, and changing all passwords from a separate device. We also described what a competent IT investigation should include, so the family could ask informed questions.

What the client got

A clear, actionable playbook that respected the district's authority while creating accountability. If the district later needed to bring in an outside firm, the evidence chain would remain intact.

Disgruntled Employee Takeover

The situation

A small business employee was terminated following a series of inappropriate workplace incidents. Before access could be revoked, the individual seized administrative control of shared accounts, including Google Workspace and the company's marketing platforms.

What we did

We isolated affected systems, halted further access, rotated credentials and secrets across the environment, preserved logs and other artifacts, and assembled a documentation package suitable for handoff to counsel or law enforcement. Security guidance was provided in parallel, so leadership could make informed decisions in real time.

What the client got

After-hours and weekend coverage during the immediate response, minimal interruption to ongoing business, and a hardened access posture afterward.

Operational Efficiency Through Automation

The situation

A company was spending significant staff hours on repetitive data entry between systems that did not integrate with one another. The work was error prone and limited the team's bandwidth for higher value tasks.

What we did

We reviewed the existing toolchain, identified the core friction points, evaluated alternative vendors against both cost and capability, and built ad hoc automated workflows to bridge the remaining systems. Staff were trained on the new processes and given documentation for ongoing use.

What the client got

Reduced software spend, faster and more reliable internal processes, and recovered time that the team redirected toward onboarding new hires.

Small team.
Substantial background.

SMOKE was initially founded by two professionals with more than twenty years of combined experience in corporate intelligence, risk consulting, and operational strategy. That experience includes time in executive protection, global threat monitoring, and investigations at firms recognized across the industry.

The day-to-day work sits at the intersection of intelligence analysis, data engineering, and applied technology. We write and maintain our own codebases. We create custom, on-prem local AI workflows when privacy is a requirement. We have built automated pipelines that screen flagged communications and deliver severity-calibrated alerts in real time.

SMOKE exists because the expertise that large organizations pay seven figures for should not require seven figures to access. A small business owner receiving threats deserves the same quality of analysis as a Fortune 500 executive. A school district managing a compromised device deserves clear guidance, not a vendor pitch.

How engagements take shape.

What the work actually looks like.

Threat Source Attribution

Incident Response for a School District

Disgruntled Employee Takeover

Operational Efficiency Through Automation

Small team.Substantial background.

Small team.
Substantial background.