Left of boom cover

Estimated reading time: 7 minutes

When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both a offensive and a defensive perspective. In a hypothetical timeline of an attack, what is left of boom refers to what happens first. Similarly, what is on the right is what happens next.

In common parlance, the term “bang” is very often used instead of “boom”, but the meaning remains the same. In essence, it is the event itself around which the previous and subsequent period is analyzed.

So, “left of boom” is the set of events that occur before the attack . “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive stocks can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.

left and right boom timeline
Visual representation of the timeline , the event (Boom) and the actions or tools to the right and left of it.

For an inexperienced person in cybersecurity, these concepts regarding the timeline of a cyber attack may not even be considered, for this reason many companies prefer to use a SOCaaS.

Left of Boom

A good penetration tester can detect some “left of boom” events, but they often miss out on gathering threat intelligence. Sometimes it is unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention control”.

There is actually no real good prevention tool, more security checks are detection checks. Some of these controls integrate automated response mechanisms that prevent the succession of unpleasant events.

A web application that prevents XSS or SQLI attacks is really useful for detecting invalid inputs and responds by discarding the content before the injection can occur.

A firewall designed to block ports simply detects unwanted traffic in relation to the protocol used for the connection and the number of the port you want to access, interrupting and resetting the connection request.

These examples tie in well with the concept of “right of boom”. The prevention checks detect the “boom”, the event, and respond immediately, stemming the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.

This is one of the reasons why IT security professionals love prevention checks. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.

A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.

Right of Boom

Generally the shorter the distance between the “right of boom” and the response time to a threat, the lower the consequences of a possible cyber attack. Obviously this is only a logical consideration, it does not apply as an absolute rule.

For some breaches, the timeline between the event and the complete elimination of the threat is questionable, as detection occurred after the hacker achieved his goal. If the hackers they manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” we are talking about.

An example of right-of-boom

To better explain the concept of “right of boom” we could take a common “malware” as an example. Malware is generally developed to mass attack many devices, without much discretion. By “right of boom” we refer to that period of time that has passed since the malware infection occurred.

If you have read the other articles published by us you will have learned how hackers use these types of infections for the purpose of collect sensitive information , which is resold to a third party. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.

The best security systems manage to shorten the “right of boom” time by managing to gather information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are deployed.

As we’ve seen in other articles, attacks don’t always happen quickly. In fact, the hackers involved are more likely to act in a slow first period just to gather the information needed to launch the attack. In the “right of boom” period, useful tools such as cyber threat intelligence and a threat hunting team come back < / a>.

Left of boom strategy
A strategy that also takes into account what happens before an attack is much more effective.

Why “Right and Left of boom” concepts are important

If we put ourselves in the hacker’s perspective, the concept of “right of boom” and “left of boom” can help to decide which course of action is best to take.

Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period, while the other one in the “right of boom”, it is obvious that the hacker will prefer the second. In fact, this would guarantee more probabilities successful attack.

Similarly, between two methods that can be detected “right of boom” we choose the one that has the most chance of being detected late . The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has a broader timeline.

Thinking in this light is not easy at all, requires advanced knowledge from the security expert. It also requires having to consider all those hypotheses that could potentially determine the success of the hacker.


A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect attacks. The “boom” is the first contact, in the set of intrusion tactics used to illegally access a computer system. The remaining tactics are placed before and after it.

Speed and stealth usually cancel each other out. In fact, very often you can be faster by sacrificing some stealth.

Speed and stealth don’t get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more attention and therefore inevitably also more time. However, if the aim of a hacker is not a single goal but a series of multiple goals, to be fast can be effective.

To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.


It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.

The concepts we’ve seen in this article, while they don’t add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning in detail every detail, before and after attacks.

To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us, we will be able to answer every question and offer you a solution for your company.

Link utili:

Useful links: