Incident response and DFIR: we contain, investigate and recover with evidence
When an incident hits, the goal isn’t “to investigate”: it’s to stop the damage, restore operations and leave clear evidence behind. We cover the full cycle: activation and triage, containment done right, forensics with chain of custody, eradication, verified recovery and lessons learned. We work across Microsoft 365/Entra ID, Active Directory, cloud (AWS/Azure/GCP) and endpoints, with deliverables useful for leadership, technical teams, audit and third parties (legal, insurance, regulator). Under retainer, we kick off in minutes.
- Kick-off: minutes under retainer, with an emergency channel, agreed SLAs and immediate triage.
- Forensics: chain of custody, hashing and a defensible timeline across endpoint, network and cloud.
- Closure: verified recovery with no residual persistence, closed out with lessons learned.
Built for regulated and demanding environments: governance, execution and defensible evidence.
- Execution quality: “security that runs”, meaning operations + governance + auditability. We don’t stop at diagnosis: we close gaps, verify, and produce defensible evidence.
What Incident Response and DFIR covers in practice
- Initial triage in minutes under retainer, with preliminary scope and risk prioritization.
- Containment with traceability: measured, logged and reversible actions where appropriate.
- DFIR forensics with chain of custody and hashing (disk, memory, cloud and Microsoft 365).
- Defensible timeline: initial access → persistence → lateral movement → exfiltration.
- Verified recovery: no residual persistence, with a post-mortem review.
- Deliverables for leadership, technical teams, audit and third parties (legal, insurance, regulator).
We handle the incident in two layers: technical containment to stop the impact and defensible forensics to explain what happened, to whom, how and when. We don’t conflate “we have logs” with “we know what happened”: the value is in the reconstructed timeline, a verifiable remediation plan and a recovery that doesn’t reintroduce persistence.
Deliverables (for management, technical teams, audit and third parties)
- Executive report: summary for leadership and the committee, covering what happened, scope, impact, decisions taken and next steps in a single page.
- Technical DFIR report: detailed evidence, hashes, reconstructed timeline, observed TTPs, IoCs and root cause analysis.
- Evidence package + IoCs: preserved evidence with traceability, IoCs and a hunting pack for retrospective searches and continuous detection.
- Verifiable remediation plan: prioritized actions with owners, verification criteria, lessons learned and subsequent hardening.
Typical use cases
- Ransomware and extortion: containment, evidence preservation, vector analysis and safe recovery. Coordination with insurance and an informed decision on negotiation.
- BEC / email compromise (M365): review of sign-ins, OAuth consents, mail-forwarding rules and mailbox persistence to stop fraud and leave traceability.
- Intrusion and lateral movement in AD: timeline of initial access, persistence and lateral movement in Active Directory, with verified eradication and credential/secret reset.
- Exfiltration or privilege abuse: measurement of real impact, identification of affected data and traceability useful for regulatory notification and business decisions.
- Cloud incident (AWS/Azure/GCP): review of IAM, storage, federated identity and tokens, with persistence cleanup and subsequent hardening.
- Support to leadership, legal and insurance: executive and technical reports preserved with chain of custody, useful for the committee, regulator, insurance or a subsequent proceeding.
FAQ (Incident response and DFIR)
What’s the difference between incident response and digital forensics?
Incident response focuses on the present: stop the impact, contain, eradicate and recover. Digital forensics focuses on proving what happened with defensible evidence (hashes, chain of custody, timeline). In practice they go together: during the incident, forensics guides containment (what can be safely isolated vs. preserved); after the incident, forensics backs the report for audit, insurance, regulator or court.
Do we need a retainer or can you jump in live?
Both options work. Under retainer we kick off in minutes with an emergency channel, runbook and triage SLAs agreed in advance — that’s the difference-maker in the first hours. Without a retainer we still engage, but live activation always loses time to paperwork, context and access provisioning: cost and risk are higher.
What kind of incidents do you cover?
Ransomware and extortion, email compromise and BEC (Business Email Compromise) in Microsoft 365, external intrusion with lateral movement in Active Directory, data exfiltration, cloud incidents (AWS/Azure/GCP: IAM, storage, OAuth, federated identity) and privilege abuse by insiders. We do not cover OT/ICS forensics or deep mobile forensics.
Do you work inside Microsoft 365, Entra ID and Active Directory during the incident?
Yes, that’s where most of the work happens. We review sign-ins, OAuth consents, mail-forwarding rules, privilege changes, MFA, Conditional Access, Entra ID/AD events and mailbox persistence. The goal: identify the vector, cut persistence and leave evidence with a timeline for the report.
Are the reports usable for insurance, regulators or legal proceedings?
They’re designed for it. We deliver two layers: an executive report (what happened, scope, impact, decisions and next steps) and a technical DFIR report (hashed evidence, timeline, TTPs, IoCs and root cause analysis). The evidence package is preserved with traceability so it’s defensible to third parties. If you need specific judicial expert reports, we agree scope upfront.
How long does a typical engagement last and how do we close?
It depends on scope. Triage and initial containment typically take hours; forensics, timeline and eradication, days; the report and lessons learned, another short iteration at the end. We close with the report, a verifiable remediation plan, IoCs + a hunting pack and a hardening pass to reduce the probability of a repeat.
What’s included in this service area
- Triage and containment done right: less damage, more traceability
- DFIR forensics with chain of custody and hashing (disk, memory, cloud, M365)
- Timeline: initial access → persistence → lateral movement → exfiltration
- Coverage of M365/Entra ID, Active Directory, cloud (AWS·Azure·GCP) and endpoints
- Optional 24/7 retainer with triage SLAs, emergency channel and onboarding
- Executive and technical report, evidence and IoCs + verifiable remediation plan
How we work (from assessment to evidence)
- Step 1: Activation & triage. Emergency channel, initial triage, preliminary scope and risk prioritization. Under retainer, we kick off in minutes with agreed SLAs and runbook.
- Step 2: Containment & forensics. Wave-based containment with measured impact, and evidence preservation with hashing. We build a defensible timeline: initial access, persistence, lateral movement and exfiltration.
- Step 3: Eradication & recovery. Persistence removal, credential and secret reset, verified recovery (not just “the systems are back up”) and coordination with IT/SecOps and third parties (legal, insurance, regulator).
- Step 4: Closure & lessons learned. Executive report, technical DFIR report, IoCs + hunting pack, verifiable remediation plan and lessons learned with hardening and process improvement.
Services in this area (Incident Response)
- Forensics / Forensic Analysis: investigation, analysis of attacks suffered, evidence preservation and analysis for incidents and litigation.
- Incident Response Retainer 24/7: 24/7 contract with activation in minutes, a prepaid hour bank, readiness onboarding and triage SLAs. Your team is already under contract on the bad day.
- SOC & Incident Response: detection, containment and response with playbooks and continuous improvement.
Is this service area a fit for your case?
We’ll run a short assessment to define scope, priorities, and a realistic roadmap.