A few months back I wrote a paper for my employer, Foundstone, on how we used the Foundstone software product (previously called “Foundscan,” now known as “Foundstone Enterprise”) when doing incident response. We found that after collecting IR data (not before, as some advocate) we could determine if the remediation action we recommended would be worthwhile. It’s no use discovering an intruder has gained access via an unpatched IIS vulnerability if the organization also runs unpatched versions of OpenSSH!
Source: https://taosecurity.blogspot.com/2003/10/foundstone-publishes-white-paper-on.html

