Incident Response
Rapid containment, forensic analysis, and remediation guidance for when minutes matter and clarity is scarce.
// Overview
Retainer-backed incident response with a 4-hour SLA. We contain, investigate, and rebuild, and we stay through the post-incident hardening so the same root cause doesn't recur.
Optional tabletop exercises and runbook authoring make sure the next incident isn't your first time running the play.
We coordinate with counsel, insurers, and regulators so you have a single throat to choke and a defensible written timeline.
// Who it's for
Built for teams that look like this.
- Companies without an in-house DFIR capability
- Insurance carriers needing a pre-approved IR partner on panel
- Teams that need a documented IR plan for SOC 2 / HIPAA / PCI
// How we engage
A four-phase engagement.
- 01 · Triage
First call within 60 minutes. Establish incident command, scope, and initial containment within the first 4 hours.
- 02 · Contain
Stop the bleeding. Isolate compromised hosts, revoke sessions, rotate credentials, block known IOCs across the environment.
- 03 · Investigate
Forensic imaging, log correlation, malware analysis, and a written timeline suitable for counsel, regulators, and cyber insurance.
- 04 · Recover & harden
Rebuild, validate, and close the gaps that allowed entry. Deliverable: a post-incident review and 30/60/90-day hardening plan.
// FAQ
Common questions.
Is the retainer drawn down if we never have an incident?
Retainer hours convert to readiness work: tabletop exercises, runbook authoring, and IR plan reviews. No hours are wasted.
Do you work with our cyber insurer?
Yes. We sit on multiple insurer IR panels and coordinate with breach counsel and forensic accountants as needed.
What's your SLA?
4 hours for retainer clients, with most incidents getting a first call within 60 minutes. Non-retainer emergency engagements: best-effort, typically same-day.
// Related modules
Pair with
vCISO / Fractional CISO
A named senior security leader who owns strategy, compliance, board reporting, and incident command. Billed monthly, not by headcount.
Cyber Intelligence
Automated threat hunting across surface and deep web vectors, tailored to your IP range and industry vertical.
Cloud Security
Hardened posture management for AWS, Azure, and GCP with continuous configuration drift detection and automated remediation.
Ready to scope Incident Response?
A free 20-minute call gets you a written scoping note, named lead, and rough quote. No procurement loop required.

