Consulting · DFIR · Retained & Emergency

When the breach lands, the next hour decides the next two years.

A retained DFIR team is on a 90-minute activation clock. Whether the incident is a domain-wide ransomware fire or a single suspect endpoint, our investigators arrive evidence-first — preserving chain of custody, containing without scorching, and producing reporting that a regulator, an auditor, or a court will accept.

The first hour problem

By the time you have finished interviewing vendors, the evidence is gone.

Most organisations meet their incident response provider for the first time during an active breach. The early hours that decide regulator outcomes, insurer outcomes, and dwell-time outcomes get spent on RFPs and contracts. By the time the IR firm is engaged, IT has rebuilt the affected host and the volatile memory is gone.

01

Volatile evidence dies fast

RAM, network connections, attacker process trees — gone the moment a well-meaning admin reboots the affected host. Once it is gone, no forensic tool will recover it.

02

Containment damages evidence

Pulling the network cable, killing the service, kicking the user out — every one of those actions changes what an investigator can later reconstruct. The right sequence matters.

03

Regulator clocks start at hour zero

CERT-In requires reporting within 6 hours of detection. Insurance policies demand specific evidence-preservation steps. None of that is improvisable.

Two engagement modes

Retain in peacetime. Activate in wartime. Same team, both modes.

RETAINER

Annual retainer · readiness baseline

A retained team that knows your environment before the incident. Quarterly tabletop exercises, an annual evidence-preservation drill, a live runbook stored in your tenant — and a 90-minute SLA when something real lands. The hours retained roll over to live response if the year is quiet, so you pay for readiness without paying for theatre.

  • 90-minute activation SLA · 24×7 hotline
  • Quarterly tabletops with execs, IT, SOC, legal, comms
  • Annual evidence-preservation drill on a live target
  • Pre-staged forensic tooling and chain-of-custody templates
  • Pre-cleared NDA + DPA · ready to subpoena nothing

EMERGENCY

Emergency activation · live breach

For organisations without a retainer who are in incident now. Faster than a fresh procurement: a pre-cleared engagement letter, a remote-deployed forensic agent on the affected hosts within hours, and an on-the-ground investigator pair if the incident requires it. Hour-zero scope is preservation; everything else comes after.

  • Activation in single-digit hours, not days
  • Pre-cleared standard engagement letter — no procurement loop
  • Remote forensic agents · on-site investigators on request
  • Coordination with your insurer, your regulator, your counsel
  • Conversion to retainer post-incident is straightforward

Methodology

Seven phases. Evidence preserved at every one of them.

The lifecycle maps to NIST SP 800-61 and SANS PICERL. Containment happens before eradication — never simultaneously — so evidence is collected before it is destroyed. Recovery happens after both, verified with the same forensic tooling used to investigate.

Seven-phase DFIR lifecycle: activate, preserve, contain, investigate, eradicate, recover, report.

  1. Activate · 90-min SLA · ROE · scope
  2. Preserve · memory · disk · logs
  3. Contain · isolate without erasing
  4. Investigate · timeline · TTPs · scope
  5. Eradicate · evict · close vectors
  6. Recover · rebuild · verify · monitor
  7. Report · regulator · audit · board

Chain of custody unbroken from phase 02 onward; court- and regulator-admissible. Mapped to NIST SP 800-61, SANS PICERL, and ISO/IEC 27035. CERT-In 6-hour reporting window: on the clock from phase 01.

Forensic specialisms

The discipline beneath the response.

Every incident reaches for a different combination of disciplines. We carry all of them in-house so the team that arrives is the team that finishes — not a chain of subcontractors with handoff loss in the middle.

Host forensics

Disk imaging, file-system timeline reconstruction, registry analysis, prefetch / shimcache / amcache extraction, NTFS journal recovery.

Memory forensics

Live RAM capture and analysis. Process trees, injected code, network sockets, decrypted credentials, attacker tooling that never touched disk.

Network forensics

Full PCAP and NetFlow analysis. C2 beaconing identification, lateral-movement reconstruction, exfiltration sizing, DNS tunnel detection.

Malware reverse engineering

Static and dynamic analysis of attacker tooling. Configuration extraction, IOC derivation, capability assessment, attribution-grade signature work.

Cloud forensics

AWS, Azure, GCP, and SaaS-tenant investigation. Control-plane log analysis, IAM-trail reconstruction, snapshot-based evidence acquisition.

ICS / OT forensics

PLC firmware extraction, HMI log analysis, engineering-station investigation. The discipline most generalist IR firms simply do not staff.

Sample incident · ransomware · hour by hour

A ransomware fire, response-side.

A representative timeline of a retained-team activation on a domain-wide ransomware event. Identifying details are anonymised; phase pacing and decisions are drawn from recent live engagements.

  1. T+0:00

    Activation · hotline call

    Client reports encrypted files across multiple file servers. We confirm scope by phone in three minutes and dispatch the on-call investigator pair. Bridge call opens.

  2. T+0:18

    Preservation kicks off

    Pre-staged forensic agents push to a chosen subset of affected and adjacent hosts. Volatile memory captured first, then disk. Chain-of-custody logging begins.

  3. T+1:30

    On-site arrival · IR commander seated

    On-site investigator joins the war room. Client SOC, IT, legal, comms, and exec sponsor briefed. NIST 800-61 roles assigned. Communications protocol locked.

  4. T+3:00

    Patient-zero identified

    Memory analysis of the first encrypted host surfaces the loader. Hash and C2 IOC pushed to TI workbench. Initial-access vector — exposed RDP via leaked credential — confirmed from auth logs.

  5. T+4:30

    CERT-In notification filed

    Within the 6-hour window. We co-author the notification with the client’s legal team. Insurer informed in parallel; their preferred negotiator engaged.

  6. T+8:00

    Containment complete

    Compromised credentials revoked, lateral-movement paths severed, RDP exposure closed at the perimeter, EDR isolation applied to identified attacker footholds. Encryption stopped spreading at T+5h45m.

  7. T+24:00

    Eradication begins

    Full host rebuilds from clean baselines for affected systems. Domain-wide credential reset for privileged accounts. Eviction verified via fresh memory captures on rebuilt hosts.

  8. T+72:00

    Recovery + interim report

    Critical services restored, monitored under heightened detection rules for a 30-day window. Interim regulator-grade report delivered with full timeline, IOCs, scope assessment, and remediation roadmap.

T+30 days · Final report

Full forensic narrative. Confirmed dwell time, scope of access, exfiltration assessment, attribution-grade IOC and TTP catalogue, remediation verification, and a lessons-learned tabletop run with the client's executive committee. Regulator, auditor, insurer, counsel — same report, different briefings.

What you walk away with

A breach you can explain. A defence you can prove.

Court-admissible evidence

Hash-verified images, unbroken chain of custody, expert-witness availability if matters proceed.

NOTE · Applies to engagements scoped for litigation or law-enforcement referral. Not every incident proceeds to court — for routine cases the same evidence discipline still feeds the regulator and insurer outputs below.
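What "hash-verified images" and "unbroken chain of custody" mean mechanically, as an added illustration written for this page (not the firm's own tooling): every custody event records the artifact's SHA-256 and a digest of the previous entry, so a re-imaged disk, an edited entry, or a missing entry is caught at verification time. The image bytes, host name, investigator names and timestamps are constructed.

```python
import hashlib
import json
GENESIS = "0" * 64  # link value recorded by the first ledger entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def _entry_digest(entry: dict) -> str:
    # Digest every field except the entry's own digest, in a canonical encoding.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLedger:
    """Append-only chain-of-custody log: each entry commits to the artifact's SHA-256 and
    to the previous entry. Anchor the chain head out of band (signature or WORM store)."""

    def __init__(self):
        self.entries = []
    def record(self, ts, actor, action, artifact, data):
        entry = {
            "ts": ts, "actor": actor, "artifact": artifact,
            "action": action,  # e.g. "acquired", "transferred", "analysed"
            "sha256": sha256_hex(data),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry
def verify_custody(ledger, artifacts):
    """Return a list of problems; an empty list means ledger and images are intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(ledger.entries):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if e["entry_hash"] != _entry_digest(e):
            problems.append(f"entry {i}: entry altered after being recorded")
        current = artifacts.get(e["artifact"])
        if current is None or sha256_hex(current) != e["sha256"]:
            problems.append(f"entry {i}: {e['artifact']} missing or hash mismatch")
        prev = e["entry_hash"]
    return problems
# Constructed sample images and host name; memory is acquired before disk (RFC 3227 order).
MEM_IMAGE = b"constructed-memory-image-of-fs01"
DISK_IMAGE = b"constructed-disk-image-of-fs01"

def build_sample_ledger():
    ledger = CustodyLedger()
    ledger.record("2024-01-01T00:18:00Z", "investigator-A", "acquired", "fs01.mem", MEM_IMAGE)
    ledger.record("2024-01-01T00:41:00Z", "investigator-A", "acquired", "fs01.dd", DISK_IMAGE)
    ledger.record("2024-01-01T03:00:00Z", "investigator-B", "analysed", "fs01.mem", MEM_IMAGE)
    return ledger
```

Run `verify_custody(build_sample_ledger(), {"fs01.mem": MEM_IMAGE, "fs01.dd": DISK_IMAGE})` to see an intact chain return no problems; alter one image byte or drop an entry and the corresponding problem is reported.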

Regulator-grade narrative

CERT-In, SEBI, RBI, IRDAI, sector-CSIRT, foreign DPA — same evidence, audience-tuned briefings.

Insurer-aligned reporting

Cyber-insurance policy language is satisfied: causation, scope, remediation, all evidenced.

Hardened posture by exit

The eradication is verified, the gaps are mapped, the remediation roadmap is signed off before we leave.

Worked under

  • NIST SP 800-61 r2
  • SANS PICERL
  • ISO/IEC 27035
  • ENISA IM guide
  • CERT-In · 6-hr window
  • RFC 3227 · evidence collection

Practice

"The breach is not the worst thing that will happen to you. The worst thing that will happen to you is finding out, eight months later, that you did not preserve the evidence to know what the breach actually was."
DFIR · operational principle
The case for evidence-first response, learned across nearly a decade of post-incident engagements and regulator-grade reporting.

Retain

Put a team on the clock in peacetime.

Quarterly tabletops, annual drills, a 90-minute SLA when it matters.

Retain a team

Activate

Already in incident? Call now.

Pre-cleared engagement letter. Activation in single-digit hours. Preservation first.

Emergency activation