You’re not alone at 3am.
24/7 incident response from senior practitioners who have led recoveries for Israeli banks, payment processors, and government agencies. Containment within hours. Recovery within days. Lessons that prevent the next one.
Active incident right now?
Call our emergency line, +972 active line for verified prospects, for response within 30 minutes, 24/7.
The first 72 hours of a real breach.
Based on our actual response playbook. Times are typical for engagements where you have an IR retainer with us; without a retainer, expect each phase to take 2-3x longer due to onboarding friction.
Verified call. Authorized scope. Bridge established.
Your designated contact reaches our 24/7 line. We verify identity via pre-shared protocol, confirm authorization to act, and establish a secure bridge with your security/IT leads. Initial incident commander assigned within 15 minutes.
Scope assessment. Containment plan. Decisions documented.
We assess the scope based on initial indicators. The containment decision matrix gets walked through with your leadership: isolate the affected systems immediately (downtime, faster recovery) or watch the attacker (preserve evidence, monitor for lateral movement). Every decision documented for the post-incident report.
Active containment. Evidence preservation. Stakeholder briefing.
Containment executed per the agreed plan. Forensic evidence preserved (memory dumps, disk images, log exports) before any system changes that would destroy artifacts. Executive briefing prepared for your board, CEO, and (if relevant) legal counsel.
Root cause analysis. Data impact scope. Disclosure decisions.
We trace the attack from initial access to current state. Impact assessment includes what data was accessed, what data was exfiltrated, and what data could have been modified. Legal and PR teams (yours or our partners) receive a factual briefing for disclosure decisions.
Eradication. Recovery. Hardening.
Confirmed eradication of the attacker’s persistence mechanisms. Recovery to a known-good state begins. Hardening applied to prevent re-entry through the same vector. Affected accounts rotated, certificates rotated, secrets rotated, monitoring tuned to detect the specific TTPs observed.
Production stable. Board report delivered. Lessons captured.
Production environment stabilized and verified. Initial board-ready report delivered: what happened, what was affected, what we did, what we recommend. Full forensic report follows within 2 weeks. Lessons-learned session scheduled with your security team.
The cost of waiting until you’re breached.
Most organizations call an IR firm during the incident. By then, you’re paying 3-5x more for the same response, and losing time in the most expensive way.
A retainer puts our team on standby with pre-authorized contracts, pre-shared protocols, pre-built communication channels, and pre-deployed forensic tooling on your critical systems. When you need us, the friction is zero. Without a retainer, the first 12 hours of an incident are consumed by paperwork, NDAs, master services agreements, authorization scopes, contact verification, and tool deployment. Those are 12 hours the attacker uses to entrench.
Our retainer clients typically reach containment 6-12 hours after detection. Our non-retainer engagements typically reach containment 36-72 hours after detection. Same team. Same skills. Different starting conditions.
Three retainer levels.
All retainers include guaranteed response time, pre-shared protocols, and discounted hourly rates during incidents. Higher tiers add proactive activities throughout the year.
Standby
For organizations that want guaranteed response without prepaid hours.
- 30-minute response guarantee, 24/7
- Pre-shared identification protocol
- NDA and MSA pre-signed
- $300/hr incident rate (vs. $500 non-retainer)
- Quarterly check-in call
Active
For mid-size organizations with regulated data or known threat exposure.
- 15-minute response guarantee, 24/7
- 40 hours/year of proactive activities included
- Annual tabletop exercise
- Quarterly threat brief tailored to your industry
- Forensic tooling pre-deployed
- $240/hr incident rate
- Monthly executive update
Embedded
For organizations that want a senior IR practitioner as an extension of their team.
- 15-minute response guarantee, 24/7
- 120 hours/year of proactive activities
- 2 tabletop exercises per year
- Quarterly threat brief + executive briefing
- Detection engineering support
- Annual IR program maturity assessment
- $180/hr incident rate
- Weekly office hours
Set up the retainer before you need it.
30-minute call. We’ll discuss your environment, your regulatory exposure, and which retainer tier matches your risk profile.