
Incident Response & Digital Forensics

When an incident occurs, Cyber Defence’s Disrupt team provides rapid containment, investigation, and recovery – backed by contractually guaranteed response through our Incident Response Retainer.

When seconds matter, experience and preparation decide the outcome

Ransomware, business email compromise, insider abuse, and targeted intrusions rarely arrive with warning. The decisions you make in the first hours can determine whether you contain the incident quickly or suffer prolonged disruption and investigative uncertainty.

Cyber Defence’s Disrupt team consists of experienced incident responders, penetration testers, threat analysts, and digital forensics specialists. We combine deep technical capability with disciplined process so that you have clear guidance, not guesswork, when it matters most.

From first alert to full recovery

Our Incident Response service is designed to support organisations through the entire lifecycle of an incident – from initial detection and triage through containment, eradication, recovery, and lessons learned.

Whether you are calling us for the first time during a crisis or engaging us through an Incident Response Retainer, our priority is to stabilise the situation, protect evidence, and help you make informed decisions that balance business continuity, regulatory obligations, and technical risk.

Scenarios

Incidents we commonly handle

The Disrupt team responds to a wide range of incidents, including:

Ransomware and destructive malware

Encryption or deletion of data and systems, including targeted ransomware campaigns and rapid-spread outbreaks.

Business email compromise

Unauthorised access to mailboxes, account takeovers, payment redirection, and phishing from internal accounts.

Web application and API compromise

Exploitation of public-facing applications, credential stuffing, or logic abuse resulting in data exposure.

Insider threats and unauthorised access

Malicious or negligent insider activity affecting data confidentiality, integrity, or availability.

Cloud and Microsoft 365 intrusions

Compromise of Azure, AWS, Microsoft 365, or other SaaS platforms through identity and configuration weaknesses.

Suspicious activity and compromise assessment

Targeted investigations when you suspect something is wrong, but do not yet have a confirmed incident.

How Cyber Defence manages an incident

1. Triage & stabilisation

We gather initial information, assess severity, and help you stabilise the situation by containing obvious spread and preventing further damage.

2. Evidence preservation

We advise on preserving logs, images, and other artefacts so that key evidence is not lost to reboots, log rotation, or well-intentioned but damaging clean-up actions.

3. Investigation & scoping

Our analysts and forensics specialists determine what happened, how the attacker gained access, what they did, and which systems and data are affected.

4. Containment & eradication

We work with your teams to contain the attacker’s access, remove malicious tooling and persistence, and close the paths used to gain entry.

5. Recovery & hardening

We support the restoration of systems and data, prioritising critical services. At the same time, we recommend and help implement hardening steps to prevent recurrence.

6. Reporting & lessons learned

We provide clear reporting suitable for technical teams, leadership, regulators, and insurers, along with practical recommendations for strengthening your security posture.
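The evidence-preservation step above turns on one practical habit: hash every artefact at the moment it is collected, so that a reboot, log rotation, or a later "clean-up" that alters a file can be proven after the fact. The following is an added illustration, not Cyber Defence tooling: it builds a SHA-256 manifest over a collection directory, then shows the manifest catching a log that was truncated after acquisition. The case identifier, collector name, file names, and the single log line are constructed for the example.

```python
"""Evidence manifest: hash collected artefacts so later alteration is detectable.

Added example; the directory layout, case ID and log content are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large disk/memory images do not exhaust RAM


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Walk the collection directory and record hash, size and mtime per artefact."""
    items = []
    for p in sorted(evidence_dir.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        items.append({
            "path": p.relative_to(evidence_dir).as_posix(),
            "size": st.st_size,
            # modification time as seen at acquisition, in UTC to avoid timezone disputes
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the relative paths whose content is missing or no longer matches the manifest."""
    failures = []
    for item in manifest["items"]:
        p = evidence_dir / item["path"]
        if not p.is_file() or sha256_file(p) != item["sha256"]:
            failures.append(item["path"])
    return failures


def demo() -> dict:
    """Constructed scenario: two artefacts are acquired, then one is truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "logs").mkdir()
        # constructed log line, not a real record
        (ev / "logs" / "auth.log").write_text(
            "Jan 10 03:12:44 host sshd[2211]: Accepted password for svc from 10.0.0.9\n"
        )
        (ev / "memory.raw").write_bytes(b"\x00" * 4096)

        manifest = build_manifest(ev, case_id="CASE-0001", collector="analyst-a")
        # the manifest itself is stored alongside the evidence and should be signed or
        # copied off-host in practice; verify_manifest only checks files it lists
        (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(ev, manifest)

        # a well-intentioned "clean-up" empties the log after acquisition
        (ev / "logs" / "auth.log").write_text("")
        tampered = verify_manifest(ev, manifest)

        return {"item_count": len(manifest["items"]), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real engagement the manifest would be written to separate media and hashed or signed itself, so that the record of what was collected cannot be edited along with the evidence.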

The Disrupt team

A multidisciplinary incident response capability

Incident Response at Cyber Defence is delivered by the Disrupt team – a blend of offensive and defensive specialists.

Incident responders

Experienced IR leads who coordinate activity, manage stakeholders, and keep incidents moving towards resolution.

Penetration testers & red teamers

Attackers-turned-defenders who understand how intrusions unfold and where to look when time is limited.

Threat analysts

Specialists who correlate indicators, look for related activity, and enrich findings with wider threat intelligence.

Digital forensics specialists

Investigators who extract and interpret evidence from endpoints, servers, logs, and cloud platforms.

Detection & engineering specialists

Engineers who help you implement detections, logging, and control changes as part of the recovery process.

Advisers to leadership and boards

Senior staff able to brief executives and boards in clear, risk-based terms during and after an incident.

Incident Response Retainer: guaranteed help when you need it

The worst time to negotiate terms, onboarding, and legal approvals is in the middle of an incident. Our Incident Response Retainer provides a contractual, pre-agreed framework so that when something goes wrong, the Disrupt team can engage immediately under clear conditions.

An IR Retainer gives you:

• Guaranteed response times and 24/7 contact channels
• Pre-agreed commercial terms and NDAs
• Onboarding of your environment, contacts, and critical systems
• A block of pre-purchased incident response hours
• Access to Cyber Defence’s Threat Intelligence and SOC365 specialists when required

Retainer options

Incident Response Retainer tiers

Choose the level of cover that matches your risk profile and operational needs. All retainers can be tailored for complex or regulated environments.

You can review pricing and purchase a retainer online via the Incident Response Retainer section on our pricing page.

Essentials Retainer

Designed for smaller organisations. Includes a defined block of incident response hours, 24/7 contact routes, and agreed response targets for P1 incidents.

Standard Retainer

Our most popular option. Includes higher hour allocations, faster response targets, proactive onboarding workshops, and priority access to Disrupt team specialists.

Enhanced Retainer

For larger or regulated organisations. Includes substantial IR hour credits, the fastest response targets, joint exercises, and integration with SOC365 and Threat Intelligence.

Buy an Incident Response Retainer online

If you already know that you need contract-backed incident response support, you can select and purchase an Incident Response Retainer directly through our pricing page.

Once in place, your organisation will have guaranteed access to the Disrupt team under agreed response times and commercial terms.

Outcomes

What organisations gain from working with us

Our objective is not only to resolve the current incident, but to leave you in a stronger position than before.

Reduced impact and downtime

Faster containment and guided recovery minimise operational disruption and revenue loss.

Clarity on what happened

Evidence-based understanding of root cause, attacker activity, and affected systems and data.

Better detection and prevention

Findings feed into detection engineering, hardening, and Threat Intelligence to prevent recurrence.

Support for regulatory and legal processes

Reporting suitable for regulators, insurers, and legal teams, helping you meet disclosure and documentation obligations.

Reassurance for leadership and boards

Clear communication and post-incident briefings that provide leaders with confidence and actionable next steps.

A long-term security partner

Access to the wider Cyber Defence services across SOC365, Threat Intelligence, and penetration testing.

Incident Response & Retainer – common questions

Can we call you without an Incident Response Retainer?

Yes. We will always do our best to assist during an incident, even if we do not have a retainer in place. However, with an IR Retainer agreed in advance, your priority and response times are guaranteed and the commercial terms are already settled, so engagement is significantly faster.

What is included in the pre-purchased hours?

Hours under the retainer can be used for triage, investigation, containment support, forensics, reporting, and post-incident workshops. We will track usage transparently and agree where effort is best spent based on the incident.

What happens if we exceed our retainer hours?

If an incident exceeds your pre-purchased hours, we will continue to support you on agreed overage rates. We can then review your retainer level after the incident to ensure it remains appropriate.

Can the retainer include proactive services?

Yes. Many clients use a portion of their retainer for proactive exercises such as incident simulations, tabletop exercises, or small forensic readiness projects. This can be built into your specific agreement.

How quickly can you respond to an incident?

Response times depend on the severity of the incident and your chosen retainer tier. We define clear targets for P1, P2, and P3 incidents in the retainer contract so that expectations are explicit.

A security partner you can lean on when it matters most

Cyber Defence’s Disrupt team combines hands-on incident response experience with deep knowledge of offensive tradecraft, SOC operations, and threat intelligence. We understand not only how attacks unfold, but also how organisations need to respond operationally, legally, and reputationally.

If you want to ensure that the next incident your organisation faces is handled quickly, calmly, and professionally, talk to us about setting up an Incident Response Retainer that fits your environment.