Incident Response & Digital Forensics
When something's gone wrong, we find out what happened, stop the bleeding, and get you running again.
Incident response is what we do when something has already gone wrong: a compromised email account, ransomware, a fraudulent wire, a system acting strangely. We step in to figure out what's happening, stop it from spreading, and get you back to normal. Digital forensics is the evidence side of that work: carefully collecting and preserving the proof of what occurred, then analyzing it to reconstruct how the attacker got in, what they touched, and what was taken.
The Technical Reality
The current federal playbook for this is NIST SP 800-61 Revision 3, published in 2025. It organizes incident response around the same NIST Cybersecurity Framework (CSF 2.0) functions used across the rest of security. Three of those functions run continuously, before anything ever goes wrong, and exist to make response possible: Govern, Identify, and Protect. The actual incident response is the other three: Detect (noticing something is wrong), Respond (containing and stopping it), and Recover (restoring your systems and operations).
Here's a correction worth making, because a lot of older guidance is still floating around. For years the standard described a fixed four-phase lifecycle: Preparation, then Detection & Analysis, then Containment/Eradication/Recovery, then Post-Incident Activity. Revision 3 retired that model. Preparation isn't a phase you do once at the start; it's the ongoing Govern, Identify, and Protect work that supports response but isn't part of the response itself. If a vendor is still selling you the old four boxes, they're working from a superseded standard.
Digital forensics is the part that answers 'what actually happened, and can we prove it.' We collect and preserve evidence with a documented chain of custody — meaning every piece is handled and tracked so it would hold up later, whether for an insurer, a lawyer, or law enforcement. Then we analyze it to reconstruct the event: tracing how an attacker moved, reviewing mail and audit logs, and finding things like hidden inbox rules an attacker left behind to quietly forward or delete your email.
The output is a documented timeline, in plain language: how they got in, what they accessed, what they took, and what we did about it. That timeline is what turns a frightening unknown into something you can actually act on, report on, and close out.
NIST's 2025 guidance (SP 800-61 Rev. 3) organizes incident response around the Cybersecurity Framework. Three functions run continuously to prepare you; three are the response itself.
Govern
Set and monitor your risk strategy and policy.
Identify
Know your assets and your current risk.
Protect
Put safeguards in place to limit the blast radius.
Detect
Find and analyze the attack as it happens.
Respond
Contain it, eradicate it, and communicate.
Recover
Restore operations — and capture the lessons.
Source: NIST SP 800-61 Rev. 3 · aligned to the NIST CSF 2.0 Functions.
What It Looks Like For You
For a small or midsize business, an incident usually starts with Microsoft 365: an employee's account gets phished, and suddenly invoices are going out from a name you trust or replies are quietly disappearing. We get into the account and the audit logs, confirm whether the attacker was in, look for the hidden inbox rules they use to hide their tracks, reset what needs resetting, and lock the door behind them. Then we walk you through a clear timeline of what they reached and what they didn't — so you know exactly what you're dealing with, and what (if anything) you're legally obligated to disclose.
What You Get Out Of It
A real timeline, not a guess
You get a documented account of how they got in, what they touched, and what was taken, so you can answer your insurer, your lawyer, and your customers with facts.
Faster back to normal
We contain the incident and recover your systems and accounts in a deliberate order, so you stop the damage without wiping out the evidence you'll need later.
Evidence that holds up
We preserve proof with a proper chain of custody, so if this ends up with an insurer, a regulator, or law enforcement, what we collected stands on its own.
Hidden access shut down
We hunt for the quiet footholds attackers leave behind — forwarding rules, hidden inbox rules, lingering sessions — so they can't walk back in after you think it's over.
The Standards Behind It
NO PRESSURE.
JUST A PLAN.
Cybersecurity gap, IT problem, or just not sure where to begin? We'll listen first, recommend second, and only propose what actually serves you.