Active incident? We respond now.

Every minute of adversary dwell time increases the scope of damage and reduces your legal options. Our emergency response team is available around the clock — initial triage begins within 15 minutes; formal analyst acknowledgement and engagement letter follow within the hour.

· Triage starts within 15 minutes
· Formal acknowledgement within the hour
· Out-of-band encrypted channel
· Emergency NDA pre-executable
· Lead analyst assigned same day
DO / DO NOT

Before you do anything else.

Do not — before contacting us

  • Do not power off or reboot affected systems volatile memory contains critical evidence (running processes, network connections, encryption keys) that is lost permanently on shutdown
  • Do not delete logs, files, or artefacts even if they appear malicious; evidence destruction can create legal and regulatory liability
  • Do not attempt to "clean up" the attacker uncoordinated remediation destroys forensic evidence and often fails to fully remove persistence
  • Do not communicate over potentially compromised channels if you suspect email or messaging is compromised, contact us by a separate device and account
  • Do not notify staff or third parties broadly until legal counsel and our team have assessed the scope and notification obligations

Have ready when you contact us

  • When it was discovered and when you believe it started, if known
  • How it was discovered alert, user report, external notification, or ransom note
  • What systems appear affected rough count and type (endpoints, servers, cloud, OT)
  • Whether the attacker appears still active ongoing encryption, lateral movement alerts, or active C2 callbacks
  • Your authorising contact the person with authority to approve the engagement (CISO, CIO, legal counsel, or CEO)
  • Any regulatory obligations industry, jurisdiction, and applicable frameworks (GDPR, HIPAA, SEC, NIS2, etc.)
WHAT HAPPENS NEXT

The first hour, the first day, the engagement.

First 60 minutes

  • Initial triage severity assessment routed to a senior responder within 15 minutes; formal analyst acknowledgement and engagement letter follow within the hour
  • Secure channel established all communications move to an encrypted, out-of-band channel independent of your infrastructure
  • Emergency NDA executed signed within the first call; engagement begins immediately after

First 24 hours

  • Immediate preservation guidance specific instructions for your environment to capture volatile state before it degrades
  • Parallel containment containment advice issued concurrently with evidence collection to limit adversary dwell time
  • Lead analyst assigned a named investigator takes ownership of your case for the duration of the engagement

Engagement support

  • Encrypted status briefings at agreed intervals throughout the incident
  • Regulatory notification factual summaries (GDPR, SEC, NIS2, HIPAA) prepared as scope is determined
  • Direct liaison with internal and external counsel
  • Final delivery and remediation handover with full chain-of-custody documentation

ALTERNATE CHANNEL — IF DIRECT EMAIL IS UNAVAILABLE

SEND AN ENQUIRY

General enquiries and partnerships.

ENCRYPTED AT REST AND IN TRANSIT · ~1 BUSINESS DAY REPLY
ACTIVE INCIDENT?