Service 07 · Under attack? · DFIR · Retainer

Incident Response & DFIR

When an attack is underway, the speed and clarity of the response decides the damage. We contain it, find out what happened, and get you back to safe operation.
At a glance
Response: Rapid, remote-first
Engagement: Emergency · Retainer · Readiness
Forensics: Full DFIR and root-cause analysis
Output: Incident report and hardening plan
§ 01 Overview
Incident Response & DFIR
Senior-led incident response and digital forensics, available as an emergency engagement or an ongoing retainer. We contain the attack, investigate how far it reached, support your regulatory reporting, and harden you against a repeat.
§ 02 What's included
What the service covers.
Engage any item on its own, or combine them into a single engagement.
01 Emergency response
We engage fast when an incident is underway, take control of the situation, and stop the attack from spreading.
02 Containment and eradication
We isolate affected systems, remove the attacker's access, and confirm they are actually out before recovery begins.
03 Digital forensics (DFIR)
We establish how the attacker got in, how far they reached, and what was accessed or taken, preserving evidence properly.
04 Ransomware response
Specialised handling of ransomware, from containment and scoping to recovery strategy and decision support.
05 Regulatory breach reporting
We help you meet NIS2 and GDPR reporting obligations within the required windows, with an accurate account of what happened.
06 Retainer and readiness
Pre-arranged response capacity with agreed response times, plus readiness assessments and tabletop exercises so the plan works before you need it.
§ 03 How we approach it
A clear methodology, every time.
1. Contain
Stop the spread first. We isolate affected systems and cut off the attacker's access, without destroying the evidence.
2. Investigate
Forensic analysis to establish the entry point, the scope, the timeline, and the impact.
3. Eradicate and recover
Remove the cause, confirm the attacker is gone, and restore systems from verified, clean sources.
4. Review and harden
A post-incident review that closes the gap the attack used, so the same thing cannot happen again.
§ 04 What you get
Results you can act on.
Every engagement ends with documented findings and evidence, written for the technical team and for the board.
01 Incident timeline and root-cause analysis
02 Preserved forensic evidence
03 Containment and recovery actions taken
04 Regulator-ready breach report (NIS2 / GDPR)
05 Lessons-learned and hardening plan
Independent and vendor-neutral. We don't resell the tools we test.
Our only product is expertise and evidence, so our advice has no agenda but yours.
Independent
Vendor-neutral. No licences to sell, no conflicts of interest.
Senior-led
Every engagement is run by senior engineers, not handed to a queue.
Evidence-led
Reproducible findings and documented proof, not severity labels.
Regulator-ready
Built to satisfy NIS2, DORA, ISO 27001, and GDPR by design.
FAQ
Questions, answered
We think we are under attack right now. What do we do?
Contact us immediately and, if you can, isolate affected systems from the network. Do not power them off, since powering off can destroy evidence. We engage fast, take control, and stop the spread.
What is a retainer and do we need one?
A retainer is pre-arranged response capacity with agreed response times, so help is ready the moment you need it rather than negotiated mid-crisis. It is the difference between a controlled response and lost hours, and is recommended for regulated and high-availability organisations.
Can you respond remotely?
Yes. Most incident response is delivered remotely, which is the fastest way to engage. Where on-site forensics or containment is needed, we arrange it.
Should we pay a ransom?
The guidance from authorities is not to pay: it does not guarantee recovery, it funds further attacks, and it can carry legal consequences. We help you make that decision from a position of facts and a clear recovery plan, not panic.
Do you handle the NIS2 and GDPR reporting?
We support it. We give you an accurate, timely account of what happened so you can meet the NIS2 and GDPR reporting windows, and we work alongside your legal and compliance teams.
Ready to scope Incident Response & DFIR?
Our team will help you define the scope on a 30-minute call.
Book a scoping call or email contact@raptoric.com