Preserve Remediated Files for Post-Incident Forensics
Yidel Steinfeld
When Huntress remediates a threat by deleting artifacts, a protected copy should be retained for a configurable period and made accessible to admins for post-incident investigation.
This is standard behavior in major NGAV/EDR platforms and is critical for:
Root cause analysis — examining the original payload after the fact
Threat intel extraction — submitting samples to sandboxes or sharing with IR teams
Evidence preservation — maintaining chain of custody for compliance or legal purposes
False positive review — verifying legitimate files weren't incorrectly removed
The retained copy should be:
Cryptographically isolated (e.g., encrypted vault or password-protected archive) to prevent re-execution
Accessible only to admin-level users in the Huntress portal
Subject to a configurable or fixed retention window before permanent deletion
Ideally downloadable
Currently, files deleted by Huntress are unrecoverable, which can significantly hamper post-incident investigations on managed endpoints.
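As an added illustration of the vault the request describes (example code, not Huntress's agent and not part of the original post), the block below quarantines a remediated file in a form that cannot run, records its hash, origin and retention window, and supports both restore (for false positive review) and purge after expiry. The XOR key, the vault layout and the `demo()` sample bytes are assumptions; XOR with a fixed key is the neutering trick several AV quarantine formats use, which blocks accidental execution but is not confidentiality, so a vault exposed to untrusted users should use real encryption instead.

```python
# Added example (not Huntress's code): minimal quarantine vault that keeps a
# remediated file non-executable, with provenance metadata and a retention
# window, so admins can restore it or let it age out.
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional

# Assumed obfuscation key. Fixed-key XOR stops accidental execution and
# re-detection of the stored copy; it is not encryption.
XOR_KEY = b"example-quarantine-key"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Symmetric transform: applying it twice yields the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(path: Path, vault: Path, retention_days: int,
               now: Optional[float] = None) -> dict:
    """Move `path` into `vault` as an obfuscated payload plus a metadata record."""
    now = time.time() if now is None else now
    data = path.read_bytes()
    sha256 = hashlib.sha256(data).hexdigest()
    entry = vault / sha256
    entry.mkdir(parents=True, exist_ok=True)
    (entry / "payload.bin").write_bytes(xor_bytes(data))
    meta = {
        "original_path": str(path),
        "sha256": sha256,
        "size": len(data),
        "quarantined_at": now,
        "expires_at": now + retention_days * 86400,
    }
    (entry / "meta.json").write_text(json.dumps(meta, indent=2))
    path.unlink()  # the remediation step: the original leaves the endpoint
    return meta


def restore(vault: Path, sha256: str, dest: Path) -> Path:
    """Undo the obfuscation, verify integrity against the recorded hash, write `dest`."""
    entry = vault / sha256
    data = xor_bytes((entry / "payload.bin").read_bytes())
    if hashlib.sha256(data).hexdigest() != sha256:
        raise ValueError("quarantined payload does not match recorded hash")
    dest.write_bytes(data)
    return dest


def purge_expired(vault: Path, now: Optional[float] = None) -> List[str]:
    """Delete every entry whose retention window has elapsed; return their hashes."""
    now = time.time() if now is None else now
    removed = []
    for entry in list(vault.iterdir()):  # snapshot: we delete while walking
        meta = json.loads((entry / "meta.json").read_text())
        if meta["expires_at"] <= now:
            shutil.rmtree(entry)
            removed.append(meta["sha256"])
    return removed


def demo() -> dict:
    """Run the full lifecycle on a constructed sample inside a temp directory."""
    # Constructed stand-in for a dropped binary; not real malware.
    sample = b"MZ\x90\x00 constructed fake dropper bytes for the demo"
    root = Path(tempfile.mkdtemp())
    try:
        vault = root / "vault"
        target = root / "dropper.exe"
        target.write_bytes(sample)
        t0 = 1_700_000_000.0  # fixed clock so the retention arithmetic is deterministic
        meta = quarantine(target, vault, retention_days=30, now=t0)
        stored = (vault / meta["sha256"] / "payload.bin").read_bytes()
        restored = restore(vault, meta["sha256"], root / "restored.bin").read_bytes()
        purged_early = purge_expired(vault, now=t0 + 29 * 86400)
        purged_late = purge_expired(vault, now=t0 + 31 * 86400)
        return {
            "original_removed": not target.exists(),
            "stored_not_pe": not stored.startswith(b"MZ"),
            "restored_matches": restored == sample,
            "purged_early": purged_early,
            "purged_after_expiry": purged_late == [meta["sha256"]],
            "vault_empty": not any(vault.iterdir()),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Restoring a quarantined item is deliberately a separate, hash-checked operation so that an admin reviewing a false positive gets the exact bytes that were removed, and the `expires_at` field is what a configurable retention policy would adjust.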
Chris Nolan
We often have clients ask "What was the malware trying to do?" Being able to see the scripts/artifacts can help us explain what Huntress protected them from.