Incident response

Under attack? We respond immediately.

Senior-led incident response when every minute counts. Containment, investigation, and recovery — handled by engineers who have done this before.

Threat vectors

Every threat vector, handled

From ransomware to insider threats — our team has the experience and tooling to respond decisively.

Ransomware response

Rapid containment, negotiation support where necessary, and systematic recovery of encrypted systems. We stop the spread and get you back online.

Business email compromise

Account takeover investigation, damage assessment, and forensic analysis of compromised mailboxes. We trace exactly what was accessed and by whom.

Data breach response

Forensic analysis to determine scope and exposure, combined with regulatory notification support, including ICO reporting where UK GDPR requires it (a notifiable personal data breach must be reported within 72 hours of the organisation becoming aware of it).

Malware & APT investigation

Deep-dive forensics into advanced persistent threats. We identify malware families, map lateral movement, and remove every trace of persistence.

Insider threat

Evidence preservation, access audit trails, and legal-ready reporting. We handle the technical investigation while your legal team handles the rest.

Supply chain compromise

Third-party breach assessment and exposure analysis. When a vendor is compromised, we determine what it means for your organisation.

Methodology

Structured response, from minute one

A proven methodology that brings order to chaos. Every engagement follows this framework.

01
Hour 0–1

Triage

A senior engineer assesses scope, identifies the threat vector, and determines containment options. You have a clear picture within the first hour.

02
Hour 1–4

Containment

Isolate affected systems at the network level rather than powering them off, so volatile evidence such as memory contents and live attacker sessions survives; cut off attacker access; and preserve forensic evidence before anything is rebuilt. The priority is stopping the bleeding without destroying what we need to investigate.

03
Day 1–3

Investigation

Forensic analysis across affected systems. Root cause identification, lateral movement mapping, and full scope determination. No guesswork — evidence-driven analysis.

04
Day 3–5

Recovery

Restore operations systematically. Implement emergency security controls, validate system integrity, and bring services back online with confidence.

05
Day 5–10

Reporting

Full incident report with timeline, root cause, impact assessment, and actionable recommendations. Regulatory reporting support where required, including ICO notification.

A scenario

It's January. Tax season.

This is a composite of a real incident, anonymised but accurate. The firm became our client six months later, by which time the damage was already done.

01
Friday, 6:47 PM

The call nobody wants

Staff report they can't open files. A ransom note appears on every screen. The practice management system, document store, and email server are encrypted. HMRC self-assessment filing deadlines are three weeks away. 2,400 client tax returns sit locked behind AES-256 encryption.

02
Saturday morning

The scramble begins

The managing partner calls their IT provider, a break-fix outfit that has never dealt with ransomware. They check the backups: the backups sit on the same network and are encrypted too. The firm starts calling incident response providers. Most cannot start until Monday. Some will not take clients without a retainer.

03
Monday – Wednesday

48 hours lost to ramp-up

An incident response team arrives on Monday. They spend the first two days just understanding the environment — no documentation, no network diagrams, no asset inventory. While they map the infrastructure from scratch, 2,400 client tax returns remain inaccessible. HMRC deadlines do not move.

04
Week two

The second blow

Systems are slowly restored from partial off-site backups. But forensic analysis reveals the attackers had access for three weeks before detonating the ransomware. Client personal data (names, addresses, UTRs (Unique Taxpayer References), financial records) may have been exfiltrated. ICO notification is now required. Every affected client must be informed.

05
The aftermath

The real cost

Eleven days of total downtime. HMRC reasonable excuse applications filed for every affected client. £180,000 in incident response, legal, and recovery costs. Three major clients leave within the quarter. An ICAEW investigation is opened into the firm's data handling practices.

A 2026 scenario

The voicemail that wasn't from the CFO.

A composite of an AI-augmented incident pattern we're starting to see. Anonymised, accurate.

10:42

A voicemail from the CFO

A finance assistant receives a voicemail. The CFO's voice — unmistakable accent, the same speech rhythm she's heard a hundred times — instructs an urgent wire transfer to a new supplier. Completion deadline today.

11:05

The follow-up email

The assistant pauses — the request feels unusual. She emails the CFO to verify. A reply arrives within minutes: "Confirmed. Please proceed. I'm in back-to-backs all day." Tone matches. Sign-off matches.

14:18

£340,000 leaves the account

The wire goes out. Mid-afternoon, the assistant mentions it to the real CFO in passing — the real CFO who knows nothing about a new supplier, a wire transfer, or the voicemail. The colour drains from both their faces.

Day 2

Forensic analysis

We trace the voicemail. The deepfake voice was synthesised from a 90-second clip of the CFO speaking at an industry conference, freely available on YouTube. The follow-up "email reply" never came from the CFO's mailbox: it was sent from a spoofed look-alike domain registered three weeks earlier, close enough to the real one that nobody noticed under deadline pressure. The supplier account was emptied within two hours of receiving the wire.

After

The damage

No data breach. No regulatory notification. But £340,000 gone, recovery doubtful given the offshore wire chain. Internal trust shattered. The finance team's processes get overhauled. The CFO stops publishing video content. The board asks the question they probably should have asked six months earlier: what else are we exposed to that we don't know about?
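The verification step in the scenario failed because the reply arrived from a domain that merely resembled the company's own. The following is an added example, not the page's or the firm's code, of the kind of sender-domain check that catches that reply: it classifies the domain in a From: header against the organisation's known domains as an exact match, a wrong TLD, a confusable-character substitution (n0rthgate, north-gate), a one-character typo, or the real brand embedded in a longer name, and separately flags a known executive's display name on an unrelated domain. The domain names, header values, executive name and confusables table are all constructed for the example; a production version would use the Public Suffix List and a fuller confusables list.

```python
"""Classify reply sender domains as trusted, look-alike or unrelated.

Added example, not code from the page. All domains and names are constructed.
"""
from email.utils import parseaddr

# Two-label public suffixes recognised here; anything else is treated as a
# single-label TLD. A real deployment would load the Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}

# Substitutions attackers use for visually similar strings. Multi-character
# entries come first so "rn" -> "m" is applied before single characters.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("-", ""), ("_", ""),
]


def split_domain(domain):
    """Return (registrable_label, public_suffix) for a domain, lowercased."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return domain.lower(), ""


def skeleton(label):
    """Collapse confusables so 'n0rth-gate' and 'northgate' compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Damerau-Levenshtein (OSA) distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(candidate, trusted_domains):
    """Return 'trusted', 'lookalike:<reason>' or 'unrelated' for a sender domain."""
    candidate = candidate.lower().rstrip(".")
    trusted = {t.lower() for t in trusted_domains}
    if candidate in trusted:
        return "trusted"
    c_label, c_suffix = split_domain(candidate)
    for t in trusted:
        t_label, t_suffix = split_domain(t)
        if (c_label, c_suffix) == (t_label, t_suffix):
            return "trusted"                         # subdomain of our own domain
        if c_label == t_label:
            return "lookalike:wrong-tld"             # northgate.com vs northgate.co.uk
        if skeleton(c_label) == skeleton(t_label):
            return "lookalike:confusable"            # n0rthgate, north-gate
        if len(t_label) >= 5 and edit_distance(c_label, t_label) <= 1:
            return "lookalike:typo"                  # northgtae, nortgate
        if t_label in c_label:
            return "lookalike:brand-embedded"        # northgate-finance.co.uk
    return "unrelated"


def check_reply(reply_from_header, trusted_domains, known_names=()):
    """Parse a From: header and classify its domain; also flag executive-name abuse."""
    name, addr = parseaddr(reply_from_header)
    if "@" not in addr:
        return "lookalike:unparseable-from"
    verdict = classify_domain(addr.rsplit("@", 1)[1], trusted_domains)
    # A real executive's display name on a domain we do not own (free webmail,
    # say) is suspicious even when the domain resembles nothing of ours.
    if verdict == "unrelated" and any(n.lower() in name.lower() for n in known_names):
        return "lookalike:display-name"
    return verdict


if __name__ == "__main__":
    TRUSTED = {"northgate.co.uk"}        # constructed: the organisation's real domain
    EXECS = {"Dana Reid"}                # constructed: the CFO's name
    # Constructed headers; the second is the kind of reply the scenario describes.
    for hdr in ['"Dana Reid (CFO)" <dana.reid@northgate.co.uk>',
                '"Dana Reid (CFO)" <dana.reid@n0rthgate.co.uk>',
                '"Dana Reid (CFO)" <dana.reid@northgate-finance.co.uk>',
                '"Dana Reid" <d.reid@webmail-example.com>',
                'Supplier AP <ap@brightwave-supplies.com>']:
        print(f"{check_reply(hdr, TRUSTED, EXECS):28} {hdr}")
```

Run at a mail gateway or as a mailbox rule, any verdict other than "trusted" on a message that asks for a payment change should force out-of-band confirmation on a number the finance team already holds, never one supplied in the message. The check is deliberately conservative about what counts as "ours": a legitimate subdomain is trusted, but a matching registrable label on a different TLD is not, because the company does not necessarily own it.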

The difference

Same attack. Different outcome.

The difference between catastrophe and containment is not luck. It is preparation.

Without a retainer
First response: hours searching for help
Environment ramp-up: 48 hours learning your systems
Containment: day 2–3
Backup validation: discovered they're compromised
Total downtime: 11 days
Data exfiltration: unknown for weeks
Regulatory exposure: full ICO investigation
Total cost: £180K+ reactive

With a Rhentech retainer
First response: 30 minutes, pre-agreed SLA
Environment ramp-up: zero, pre-onboarded
Containment: hour 2–4
Backup validation: tested quarterly, confirmed clean
Total downtime: 1–2 days
Data exfiltration: detected and blocked early
Regulatory exposure: managed notification, clean evidence
Total cost: retainer fee, a fraction of the alternative

Which company do you want to be?

Retainer

What the retainer includes

Preparation is not a cost. It is the difference between a contained incident and a catastrophe.

Pre-agreed SLAs

Guaranteed response within 30 minutes, 24/7/365. Your incident goes to the front of the queue — no scrambling for availability when every minute counts.

Environment onboarding

We document your infrastructure, network topology, critical assets, and key contacts in advance. When an incident hits, there is no ramp-up time — we already know your environment.

Quarterly readiness assessments

We test your backups, review your detection capabilities, and update your incident response playbook. When an attack comes, you know your defences work — because we tested them last quarter.

Annual tabletop exercises

Simulated incident scenarios with your leadership team. Practise decision-making under pressure — who calls the ICO, who briefs the board, who talks to clients — before it is real.

Priority access to senior engineers

The same senior consultants who know your environment are the ones who respond. No handoff to a junior team. No explaining your setup from scratch under pressure.

Regulatory preparation

ICO notification templates, evidence preservation procedures, and legal coordination frameworks, ready before you need them. When the clock starts on your statutory reporting window (72 hours from awareness for a notifiable breach under UK GDPR), you are not starting from scratch.

Speak to a consultant

Prepared beats reactive.
Every time.

Whether you need immediate help with an active incident or want a retainer in place before something happens — talk to us. Initial consultation is free.
