Active incident? We respond now.
Every minute of adversary dwell time increases the scope of damage and reduces your legal options. Our emergency response team is available around the clock — initial triage begins within 15 minutes; formal analyst acknowledgement and engagement letter follow within the hour.
· Triage starts within 15 minutes
· Formal acknowledgement within the hour
· Out-of-band encrypted channel
· Emergency NDA pre-executable
· Lead analyst assigned same day
DO / DO NOT
Before you do anything else.
Do not — before contacting us
- Do not power off or reboot affected systems — volatile memory contains critical evidence (running processes, network connections, encryption keys) that is lost permanently on shutdown
- Do not delete logs, files, or artefacts — even if they appear malicious; evidence destruction can create legal and regulatory liability
- Do not attempt to "clean up" the attacker — uncoordinated remediation destroys forensic evidence and often fails to fully remove persistence
- Do not communicate over potentially compromised channels — if you suspect email or messaging is compromised, contact us from a separate device and account
- Do not notify staff or third parties broadly — wait until legal counsel and our team have assessed the scope and notification obligations
Have ready when you contact us
- When it was discovered — and when you believe it started, if known
- How it was discovered — alert, user report, external notification, or ransom note
- What systems appear affected — rough count and type (endpoints, servers, cloud, OT)
- Whether the attacker appears still active — ongoing encryption, lateral movement alerts, or active C2 callbacks
- Your authorising contact — the person with authority to approve the engagement (CISO, CIO, legal counsel, or CEO)
- Any regulatory obligations — industry, jurisdiction, and applicable frameworks (GDPR, HIPAA, SEC, NIS2, etc.)
WHAT HAPPENS NEXT
The first hour, the first day, the engagement.
First 60 minutes
- Initial triage — severity assessment routed to a senior responder within 15 minutes; formal analyst acknowledgement and engagement letter follow within the hour
- Secure channel established — all communications move to an encrypted, out-of-band channel independent of your infrastructure
- Emergency NDA executed — signed within the first call; engagement begins immediately after
First 24 hours
- Immediate preservation guidance — specific instructions for your environment to capture volatile state before it degrades
- Parallel containment — containment advice issued concurrently with evidence collection to limit adversary dwell time
- Lead analyst assigned — a named investigator takes ownership of your case for the duration of the engagement
Engagement support
- Encrypted status briefings at agreed intervals throughout the incident
- Regulatory notification factual summaries (GDPR, SEC, NIS2, HIPAA) prepared as scope is determined
- Direct liaison with internal and external counsel
- Final delivery and remediation handover with full chain-of-custody documentation
ALTERNATE CHANNEL — IF DIRECT EMAIL IS UNAVAILABLE
