Active breach or suspected compromise? Our incident response team is on standby 24/7. Call 1-800-325-1874

Incident Response

When a breach hits, every minute expands the blast radius. Our certified DFIR team engages within one hour, contains the threat, performs full forensic analysis, and restores operations — with regulator-ready documentation at every step.

Under 1-hour response

Standard and Elite retainer clients receive SLA-backed DFIR team mobilization within 60 minutes of the initial call (30 minutes on Elite), 24 hours a day, every day of the year; the Readiness tier carries a 4-hour mobilization SLA.

Contain first, investigate second

We immediately stop the bleeding — isolating hosts, blocking C2, revoking credentials — then methodically reconstruct the full attack narrative.

Regulator & insurer ready

Every engagement produces forensic-quality documentation accepted by cyber insurance carriers, regulators, and law enforcement.

A full-lifecycle Digital Forensics & Incident Response capability

Every engagement is led by GCFA-, GCIH-, and GREM-certified responders following NIST SP 800-61r2 and SANS PICERL methodology — the standards regulators, auditors, and cyber insurance carriers expect.

Rapid containment

EDR-driven host isolation, firewall C2 blocking, credential revocation, and domain-wide Kerberos TGT invalidation through a krbtgt reset, executed within the first hour to limit blast radius.

Deep forensic analysis

Memory acquisition and analysis with the Volatility framework, disk forensics, log correlation across SIEM and EDR telemetry, and malware reverse engineering to recover the complete attacker timeline.

Validated recovery

Clean rebuild procedures, controlled re-admission of isolated hosts, credential rotation, and monitoring tuning to ensure the adversary has no path back in.

Defensible documentation

Chain-of-custody artifact handling, executive after-action report, technical forensic timeline, and compliance-ready attestations for regulators, insurers, and legal counsel.

How does it work?

Retainer clients call our 24/7 hotline and reach a senior responder within minutes; the per-tier triage and mobilization commitments are in the SLA table below. We triage the severity, mobilize the DFIR team, and begin containment while your internal IT continues business-critical operations. Throughout the engagement, we provide daily situation reports to leadership, legal, and insurance contacts, with the final after-action dossier delivered after closure within the window your tier specifies (10 business days on the Standard tier).

For organizations without a retainer, emergency engagements are billed at standard hourly rates with best-effort response times. We strongly recommend securing a retainer before an incident occurs — both to guarantee SLA-backed response and to satisfy cyber insurance policy requirements.

A six-phase lifecycle aligned to NIST SP 800-61r2

Every incident, whether a ransomware event, business email compromise, or insider-threat investigation, follows the same disciplined methodology trusted by federal agencies, Fortune 500 security teams, and Big Four auditors. Preparation, the first phase in both NIST SP 800-61r2 and SANS PICERL, is what the retainer, IR plan review, and tabletop exercises cover; the six phases below are the active-incident phases that follow it.

01 · Detection: Triage the initial alert, confirm malicious activity, and classify incident severity (P1–P4).

02 · Analysis: Scope the compromise, identify affected assets, and determine attacker objectives.

03 · Containment: Isolate affected hosts, block C2, revoke credentials, and prevent lateral movement.

04 · Eradication: Remove persistence mechanisms, kill attacker sessions, and close exploited vulnerabilities.

05 · Recovery: Validate clean state, restore services, re-admit users, and confirm monitoring integrity.

06 · Lessons Learned: Produce after-action report, run tabletop exercise, and harden controls against recurrence.

What happens inside an iSECTECH IR engagement

Every phase backed by specialized tooling, documented procedures, and senior engineers with thousands of hours of real-world breach experience.

SANS PICERL · NIST 800-61r2

Triage & Rapid Containment

Within the first hour we classify incident severity, mobilize the appropriate response team, and execute containment: EDR-driven host isolation, firewall-level C2 blocking, domain credential rotation, Kerberos TGT invalidation through a krbtgt reset, and immediate removal of compromised accounts from privileged groups. The krbtgt reset is performed twice, with the second reset delayed until the first has replicated and outstanding TGTs have expired (10 hours by default), because a single reset leaves tickets issued under the previous key valid. Every action is logged with timestamp, operator identity, and technical justification, preserving evidentiary value for later proceedings.

MITRE ATT&CK® · STIX 2.1

Forensic Analysis & Root Cause

Memory acquisition and analysis with the Volatility framework, disk forensics across affected endpoints, SIEM and EDR log correlation, and malware reverse engineering reconstruct the complete attacker timeline: initial access vector, persistence mechanisms, credential theft, lateral movement path, data staging, and exfiltration attempts. Every indicator is documented with its MITRE ATT&CK® technique ID and shared as STIX 2.1 objects so your SOC can load them straight into blocking and detection tooling.
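What "indicators with ATT&CK technique IDs in STIX format" looks like on the wire, as an added example that is not iSECTECH tooling or code from this page: each IOC becomes a STIX 2.1 indicator with a patterning expression, the technique becomes an attack-pattern carrying the conventional mitre-attack external reference, and an "indicates" relationship ties the two. The IOC values, the host name and the technique chosen are constructed for illustration; only the Python standard library is used.

```python
"""Package engagement IOCs as a STIX 2.1 bundle with ATT&CK mapping.

Added example (not iSECTECH tooling). Standard library only; the sample
IOC values and technique below are constructed, not from a real case.
"""
import json
import uuid
from datetime import datetime, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"  # STIX 2.1 timestamps are UTC with a trailing Z


def _now() -> str:
    return datetime.now(timezone.utc).strftime(STIX_TS)


def _stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def ioc_pattern(ioc_type: str, value: str) -> str:
    """Render one IOC as a STIX patterning expression, escaping the string literal."""
    literal = value.replace("\\", "\\\\").replace("'", "\\'")
    templates = {
        "ipv4": "[ipv4-addr:value = '{}']",
        "domain": "[domain-name:value = '{}']",
        "url": "[url:value = '{}']",
        "sha256": "[file:hashes.'SHA-256' = '{}']",
    }
    return templates[ioc_type].format(literal)


def attack_pattern(technique_id: str, name: str, tactic: str) -> dict:
    """ATT&CK technique as a STIX attack-pattern with the mitre-attack
    external reference and kill-chain phase that ATT&CK consumers expect."""
    ts = _now()
    return {
        "type": "attack-pattern", "spec_version": "2.1",
        "id": _stix_id("attack-pattern"), "created": ts, "modified": ts,
        "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{
            "source_name": "mitre-attack", "external_id": technique_id,
            # sub-technique T1071.001 lives at /techniques/T1071/001/
            "url": "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/") + "/",
        }],
    }


def indicator(pattern: str, name: str, valid_from: str) -> dict:
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
        "created": ts, "modified": ts, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from,
    }


def indicates(ind: dict, ap: dict) -> dict:
    """Relationship object tying an indicator to the technique it evidences."""
    ts = _now()
    return {
        "type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
        "created": ts, "modified": ts, "relationship_type": "indicates",
        "source_ref": ind["id"], "target_ref": ap["id"],
    }


def build_bundle(iocs, technique, valid_from: str) -> dict:
    """iocs: iterable of (ioc_type, value, description); technique: (id, name, tactic)."""
    ap = attack_pattern(*technique)
    objects = [ap]
    for ioc_type, value, description in iocs:
        ind = indicator(ioc_pattern(ioc_type, value), description, valid_from)
        objects += [ind, indicates(ind, ap)]
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}


# Constructed sample: an HTTPS C2 channel (T1071.001) found in the attacker timeline.
SAMPLE_IOCS = [
    ("ipv4", "198.51.100.23", "C2 beacon destination seen in EDR network telemetry"),
    ("domain", "updates.example.net", "C2 domain resolved by the loader"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "Loader dropped to C:\\ProgramData (placeholder hash)"),
]
SAMPLE_TECHNIQUE = ("T1071.001", "Application Layer Protocol: Web Protocols", "command-and-control")

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IOCS, SAMPLE_TECHNIQUE, "2024-05-01T14:02:11Z"), indent=2))
```

The bundle is plain JSON, so it can be handed to a TIP or a TAXII server without further conversion; the single-quote and backslash escaping in ioc_pattern is what keeps a hostile-looking IOC value from breaking the pattern grammar downstream.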

IBM 2024 · iSECTECH tracked

Dwell Time & Business Impact Reduction

IBM's 2024 Cost of a Data Breach Report found that organizations containing breaches within 30 days saved an average of $1.2 million over those that didn't. Our median time-to-contain across retainer clients, measured from hotline activation, is under 60 minutes. That figure is not directly comparable with IBM's 204-day industry mean time to identify a breach, which is counted from initial compromise and measures dwell time rather than containment; what it does show is that once an incident is detected, the containment phase itself is compressed to about an hour. Faster containment directly translates to lower business interruption, smaller data loss, reduced regulatory penalty exposure, and lower cyber insurance claim amounts.

Insurer-accepted · Regulator-ready

After-Action Report & Lessons Learned

Within 7 to 15 business days of incident closure, depending on your retainer tier (10 on the Standard tier), you receive a comprehensive dossier: executive narrative for the board, technical forensic timeline for engineering, indicators-of-compromise export for threat intel sharing, MITRE ATT&CK® technique mapping, remediation roadmap with priority scoring, and compliance appendix for regulatory disclosures. An optional tabletop exercise based on the real incident is included for retainer clients, turning a breach into a training asset.

Lock in guaranteed response before you need it

Without a retainer, emergency IR engagements run $600–$750 per hour with no SLA and no guarantee of availability during a widespread event. A retainer gives you a pre-signed MSA, locked-in rates, and priority response when every minute costs money.

Starter Retainer

IR Readiness

For small businesses and SMBs needing a signed IR partner to satisfy cyber insurance requirements and basic regulatory readiness.

$7,500 / yr
20 pre-paid hours · 4-hour SLA
  • 24/7 hotline access
  • 4-hour initial response SLA
  • Pre-signed MSA & SOW templates
  • Annual IR plan review
  • Overage rate: $325/hr (vs $600 emergency)
  • Unused hours convert to tabletop exercise
Secure retainer
Enterprise Retainer

IR Elite

For regulated enterprises, financial services, healthcare systems, and organizations under NYDFS Part 500, CMMC, or FedRAMP with zero tolerance for dwell time.

$60,000+ / yr
200+ hours · 30-min SLA
  • 24/7 hotline · 30-minute SLA
  • Named dedicated IR director
  • Semi-annual tabletop exercises
  • On-site response option (CONUS)
  • Threat-hunting sprints included
  • Overage rate: $225/hr
  • Board-level briefings on request
Talk to sales
Emergency engagement without a retainer: standard rate is $600/hour weekdays, $750/hour after hours and weekends, with best-effort response (typically 4–12 hours during peak periods). A growing number of cyber insurance policies explicitly require a DFIR retainer as a condition of coverage; according to Gartner, carriers increasingly view retainers as a minimum readiness control. Securing a retainer before an incident both lowers your total cost of response and satisfies your insurer's due-diligence expectations.

SLA commitments you can hold us to

Every retainer tier carries specific, contractually-binding response commitments. No "best effort" language, no escape clauses.

Milestone                                      IR Readiness        IR Standard         IR Elite
Hotline answered by senior responder           < 15 min            < 5 min             < 5 min
Initial triage & severity classification       < 60 min            < 30 min            < 15 min
DFIR team mobilized & remote response begins   < 4 hrs             < 1 hr              < 30 min
On-site deployment (CONUS)                     Add-on              < 48 hrs            < 24 hrs
Preliminary incident report delivered          5 business days     3 business days     48 hours
Full after-action report delivered             15 business days    10 business days    7 business days

Frequently asked questions

Common questions about incident response engagements and retainers. Talk to our IR director for anything else.

We think we might be breached right now — what should we do?
Call our 24/7 hotline: 1-800-325-1874. Do not power off affected systems: shutting down destroys volatile evidence (memory-resident malware, active network connections, running processes). If a host must be taken off the network, disconnect it or isolate it through EDR while leaving it powered on. Do not pay any ransom or communicate with threat actors before engaging professional responders. Preserve logs, EDR alerts, and email artifacts, and do not reimage or wipe anything. We'll walk you through immediate containment steps on the first call while our DFIR team mobilizes.
Do we really need a retainer if we have cyber insurance?
Yes, and increasingly your insurance policy requires one. Gartner reports that cyber insurance carriers increasingly expect organizations to hold a DFIR retainer as a minimum readiness control, and Arctic Wolf's 2024 carrier survey found 32% of carriers explicitly require an IR plan or retainer to provide coverage. Organizations with retainers saw premium savings of 10% or more. A retainer gives you pre-signed paperwork, locked-in rates, and guaranteed response, none of which cyber insurance itself provides.
What's the difference between emergency IR and a retainer?
Emergency IR is ad-hoc response to an active incident without a pre-existing relationship — you pay time-and-materials at premium rates ($600–$750/hr), with no SLA and no guaranteed availability during widespread events like major ransomware campaigns. A retainer is a pre-signed annual agreement with locked-in rates ($225–$325/hr), contractual SLAs (as fast as 30 minutes), and priority access. During industry-wide incidents like MOVEit or Log4Shell, retainer clients get served first.
What happens if we don't use all our retainer hours?
Unused hours don't expire into dead money. They convert at 1:1 into proactive services: tabletop exercises, IR plan development, playbook authoring, threat hunting sprints, IOC sweeps, EDR rule tuning, or security awareness training for your staff. Many retainer clients use their hours proactively and stay fully prepared — the retainer pays for itself even in a year with no incidents.
What certifications do your DFIR responders hold?
Every responder on the iSECTECH DFIR team holds at minimum GCFA (GIAC Certified Forensic Analyst) or GCIH (GIAC Certified Incident Handler). Senior leads additionally hold GREM (reverse engineering malware), GNFA (network forensic analysis), and CISSP. We provide redacted responder CVs as part of procurement, and our documentation is regularly accepted by FBI Cyber Division, state AGs, HHS OCR, and major cyber insurance carriers.
Can you support us through ransom negotiation?
Yes, when legally and ethically appropriate. We work alongside outside counsel and your cyber insurance carrier's approved negotiation vendor to evaluate threat actor credibility, assess decryption viability, manage OFAC compliance screening, and coordinate payment logistics if authorized. We strongly advocate for recovery from backups whenever feasible — payment is an absolute last resort, not a primary strategy.
How do you handle chain of custody for legal proceedings?
Disk media are acquired through hardware write-blockers; volatile and remote artifacts (memory images, cloud and SaaS logs, EDR exports) cannot be write-blocked, so they are hashed the moment they are collected. Every artifact is hashed at acquisition (SHA-256), logged in a chain-of-custody register, and stored in encrypted evidence repositories with access audit trails. Our procedures follow ACPO (UK) and NIST SP 800-86 (US) guidelines, and our reports have been admitted as evidence in state and federal proceedings. Retainer clients get evidence retention for the full contract period; emergency clients receive a one-time copy.
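The two records this page keeps coming back to, the containment-action log (timestamp, operator identity, technical justification) and the chain-of-custody register (SHA-256 at acquisition), share the same integrity requirement: nobody can quietly edit an entry after the fact. The following is an added example, not iSECTECH's own register software, of one way to meet it: a single append-only register in which every entry's hash also covers the previous entry's hash, so a later edit to any field breaks the chain from that point onward. The operator name, host name, evidence IDs and the byte string standing in for a memory image are all constructed.

```python
"""Append-only, hash-chained engagement register.

Added example (not iSECTECH's own tooling): one register holds both the
containment-action log and the evidence chain-of-custody entries. Each
entry's SHA-256 covers its content plus the previous entry's hash, so any
later edit to an action's justification or an artifact's hash is detectable.
Sample data is constructed; the "memory image" is a stand-in byte string.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation so an entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class EngagementRegister:
    def __init__(self):
        self.entries = []

    def _append(self, kind, operator, fields, ts=None):
        entry = {
            "seq": len(self.entries),
            "kind": kind,
            "timestamp": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "operator": operator,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
            **fields,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))  # hash covers prev_hash too
        self.entries.append(entry)
        return entry

    def log_action(self, operator, action, target, justification, ts=None):
        """Containment action with operator identity and technical justification."""
        return self._append("action", operator,
                            {"action": action, "target": target, "justification": justification}, ts)

    def log_evidence(self, operator, item_id, description, data: bytes, tool, ts=None):
        """Evidence item hashed at the moment of acquisition."""
        return self._append("evidence", operator,
                            {"item_id": item_id, "description": description, "tool": tool,
                             "size": len(data), "sha256": sha256_hex(data)}, ts)

    def verify(self):
        """Recompute every hash and check linkage; returns (ok, first bad seq or None)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or sha256_hex(_canonical(body)) != e["entry_hash"]:
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def verify_evidence(self, item_id: str, data: bytes) -> bool:
        """Check a produced copy of an artifact against its acquisition hash."""
        for e in self.entries:
            if e["kind"] == "evidence" and e["item_id"] == item_id:
                return e["sha256"] == sha256_hex(data)
        raise KeyError(item_id)


def demo():
    """Build a small register, then show that an after-the-fact edit is caught."""
    reg = EngagementRegister()
    reg.log_action("j.doe", "edr_isolate_host", "WKS-0417",
                   "Beaconing to known C2 address in EDR telemetry", ts="2024-05-01T14:02:11+00:00")
    memory_image = b"constructed stand-in for a WKS-0417 memory image"
    reg.log_evidence("j.doe", "EV-001", "WKS-0417 memory image", memory_image, "winpmem",
                     ts="2024-05-01T14:10:40+00:00")
    intact, _ = reg.verify()
    reg.entries[0]["justification"] = "routine maintenance"  # simulate a post-hoc edit
    tampered_ok, bad_seq = reg.verify()
    return intact, tampered_ok, bad_seq  # (True, False, 0)
```

In practice the register is written to append-only storage and the latest entry_hash is copied into each daily situation report, which is what lets a reviewer months later confirm that the register they are handed is the one that existed during the engagement.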
Do you report to law enforcement or regulators on our behalf?
No — only you can make reporting decisions about your own incident. We provide the forensic evidence, technical documentation, and regulatory-disclosure templates your counsel and internal compliance team need to make informed decisions. We coordinate directly with law enforcement (FBI, Secret Service, state AGs) and regulators (HHS OCR, SEC, state breach-notification authorities) only when you explicitly authorize that coordination.

Learn more about incident response

Playbooks, case studies, and regulatory guidance from the iSECTECH DFIR team.

Playbook

The first 60 minutes of a ransomware incident: a CISO's runbook

The exact sequence of decisions to make, calls to place, and containment actions to execute in the critical first hour — before investigators even arrive.

Case Study

52 minutes to contain: a manufacturing ransomware event

How an iSECTECH retainer client stopped a LockBit affiliate mid-encryption, recovered production within 18 hours, and avoided a $2.4M ransom demand.

Guide

Choosing an IR retainer: what your insurance carrier actually wants

The specific retainer provisions that satisfy modern cyber insurance underwriters — and the language in many retainer contracts that will fail their review.


Don't wait for a breach to find a responder

Three ways to engage — whether you have an active incident right now or want to lock in protection before the worst happens.

Active breach? Call 1-800-325-1874

Our 24/7 hotline connects you directly to a senior responder within minutes. No gatekeepers, no triage tickets — just expert help.

Secure a retainer

Book a 30-minute conversation with our IR director. We'll size the right tier for your environment and have your contract ready for signature within 5 business days.

Download the IR runbook

Free 22-page incident response runbook template, ready to customize for your organization — includes escalation trees, comms templates, and first-hour checklists.
