Post-incident information is as or more important to customers than the actual incident and response functionality. Security as a service (SaaS) must provide accurate, timely and complete post-incidence forensics information in order to be successful. This paper outlines the motivation for security products migrating to the cloud and where common products fall down in implementation. Guidelines for accurate evaluation are provided.