This session presents two real-world case studies to show the lifecycle of exam security breaches, from detection to response and program growth. First, we examine how a braindump (i.e., disclosed items and answers) evolved over an 18-month period as items on the exam were replaced. Data forensics methods tracked the time required for new items to be disclosed and how usage of the braindump spread through the population and evolved. Second, we examine how the Society for Human Resource Management (SHRM) responded to a test security threat. Data forensics analysis detected a breach, concentrated among remotely proctored test instances, and impacting several test forms. SHRM will share how they navigated and addressed the breach and used it to strengthen exam integrity and their program. Together, these case studies show how data forensics provide invaluable insight into the specifics of a breach and how that information can be used practically to address a breach and grow stronger.