Respond · NIST CSF 2.0

Incident Response & Digital Forensics

When something's gone wrong, we find out what happened, stop the bleeding, and get you running again.

In Plain English

Incident response is what we do when something has already gone wrong: a compromised email account, ransomware, a fraudulent wire, a system acting strangely. We step in to figure out what's happening, stop it from spreading, and get you back to normal. Digital forensics is the evidence side of that work: carefully collecting and preserving the proof of what occurred, then analyzing it to reconstruct how the attacker got in, what they touched, and what was taken.

How It Actually Works

The Technical Reality

The current federal playbook for this is NIST SP 800-61 Revision 3, published in 2025. It organizes incident response around the same NIST Cybersecurity Framework (CSF 2.0) functions used across the rest of security. Three of those functions run continuously, before anything ever goes wrong, and exist to make response possible: Govern, Identify, and Protect. The actual incident response is the other three: Detect (noticing something is wrong), Respond (containing and stopping it), and Recover (restoring your systems and operations).

Here's a correction worth making, because a lot of older guidance is still floating around. For years the standard described a fixed four-phase lifecycle: Preparation, then Detection & Analysis, then Containment/Eradication/Recovery, then Post-Incident Activity. Revision 3 retired that model. Preparation isn't a phase you do once at the start; it's the ongoing Govern, Identify, and Protect work that supports response but isn't part of the response itself. If a vendor is still selling you the old four boxes, they're working from a superseded standard.

Digital forensics is the part that answers 'what actually happened, and can we prove it.' We collect and preserve evidence with a documented chain of custody — meaning every piece is handled and tracked so it would hold up later, whether for an insurer, a lawyer, or law enforcement. Then we analyze it to reconstruct the event: tracing how an attacker moved, reviewing mail and audit logs, and finding things like hidden inbox rules an attacker left behind to quietly forward or delete your email.

The output is a documented timeline, in plain language: how they got in, what they accessed, what they took, and what we did about it. That timeline is what turns a frightening unknown into something you can actually act on, report on, and close out.

The Incident-Response Model

NIST's 2025 guidance (SP 800-61 Rev. 3) organizes incident response around the Cybersecurity Framework. Three functions run continuously to prepare you; three are the response itself.

Continuous — prepares you to respond

Govern

Set and monitor your risk strategy and policy.

Identify

Know your assets and your current risk.

Protect

Put safeguards in place to limit the blast radius.

The incident response itself

Detect

Find and analyze the attack as it happens.

Respond

Contain it, eradicate it, and communicate.

Recover

Restore operations — and capture the lessons.

Source: NIST SP 800-61 Rev. 3 · aligned to the NIST CSF 2.0 Functions.

In Your Business

What It Looks Like For You

For a small or midsize business, an incident usually starts with Microsoft 365: an employee's account gets phished, and suddenly invoices are going out from a name you trust or replies are quietly disappearing. We get into the account and the audit logs, confirm whether the attacker was in, look for the hidden inbox rules they use to hide their tracks, reset what needs resetting, and lock the door behind them. Then we walk you through a clear timeline of what they reached and what they didn't — so you know exactly what you're dealing with, and what (if anything) you're legally obligated to disclose.

The Value

What You Get Out Of It

A real timeline, not a guess

You get a documented account of how they got in, what they touched, and what was taken, so you can answer your insurer, your lawyer, and your customers with facts.

Faster back to normal

We contain the incident and recover your systems and accounts in a deliberate order, so you stop the damage without wiping out the evidence you'll need later.

Evidence that holds up

We preserve proof with a proper chain of custody, so if this ends up with an insurer, a regulator, or law enforcement, what we collected stands on its own.

Hidden access shut down

We hunt for the quiet footholds attackers leave behind — forwarding rules, hidden inbox rules, lingering sessions — so they can't walk back in after you think it's over.

Frameworks & Sources

The Standards Behind It

NIST SP 800-61 Revision 3The 2025 federal guide to incident response, organized around the CSF 2.0 functions. It supersedes the older four-phase model.
NIST CSF 2.0 (SP 1300)The framework whose functions structure the work: Detect, Respond, and Recover are the response; Govern, Identify, and Protect support it.
MITRE ATT&CKThe knowledge base of real attacker tactics and techniques we use to interpret what the evidence shows an attacker did.
CISAThe federal cybersecurity agency whose advisories and reporting guidance inform how we contain and disclose incidents.
FBI IC3The FBI's Internet Crime Complaint Center, where incidents like wire fraud and business email compromise are reported.
Start With a Free 30-Minute Conversation

NO PRESSURE.
JUST A PLAN.

Cybersecurity gap, IT problem, or just not sure where to begin? We'll listen first, recommend second, and only propose what actually serves you.

connor@tremodi.com