Incident response — pick up the phone, we're already on the bridge in 30 minutes
24/7 breach hotline staffed by US-based GCFA / GCIH responders. Ransomware, business email compromise, data exposure, insider threats. We arrive on the bridge in under 30 minutes, contain in hours, deliver a board-ready post-mortem in days.
Hotline pickup is direct to a senior responder, not a queue. Retainer engagements skip the credential dance and go live in under 12 minutes.
12-mo average: 17 minutes
this year, all sectors
per ransomware engagement
denied or shorted on our watch
Three ways to engage. One hotline, one bridge, one chain of custody.
Two retainer options for when you want the discount, the named responder, and the rehearsals. Emergency hourly when the building is on fire and you need us today. All three lanes feed the same SOC, the same GCFA leads, and the same insurance-aligned reporting format.
- 24/7 breach hotline with senior responder pickup
- 8 prepaid response hours (rolls forward, never expires inside the term)
- IR plan template tailored to your stack and headcount
- Pre-signed engagement letter on file, zero paperwork at 3am
- Cyber insurance carrier panel pre-clearance (Beazley, Chubb, AIG, Coalition, At-Bay and 9 more)
- Annual readiness review and IR plan update
- Everything in IR Retainer
- 40 prepaid response hours (5x the base tier)
- Quarterly tabletop exercise: ransomware, BEC, insider, third-party scenarios
- Drafted IR runbook customized to your environment, network diagrams included
- Named lead responder with direct cell, knows your environment cold
- Annual purple-team exercise with detection-engineering feedback loop
- Board-ready quarterly readiness report
- Engagement letter via DocuSign in under 10 minutes
- Senior responder on the bridge inside 90 minutes of countersign
- Same playbooks, same forensic stack, same chain-of-custody discipline
- Same cyber-insurance reporting format your carrier expects
- Post-incident option to roll into a retainer at the discounted rate
- No long-term commitment if you'd rather pay-per-incident going forward
Different fires, different first moves. Here is exactly what happens in hour one.
Every retainer client gets a copy of these playbooks during onboarding. They are written so a non-technical executive can read them on a Sunday morning and understand what we are doing and why.
| Incident type | First 60 minutes | What we contain by hour 4 |
|---|---|---|
| Ransomware encryption | Identify patient zero, isolate via EDR network containment, block C2 at the firewall, snapshot affected systems for forensics. Engage Coveware for negotiation track in parallel. | Lateral movement halted. Encryption stopped. Backup integrity verified. Decision matrix delivered: restore vs negotiate. |
| BEC + wire fraud attempt | Force password rotation + revoke all sessions for compromised mailbox, pull mail rules, contact bank fraud line on three-way call to recall wire if in flight. | Mailbox secured, malicious rules removed, audit trail captured for FBI IC3 filing. Wire reversed if flagged within the 72-hour window. |
| Insider data exfil | Preserve under chain of custody (do not tip off the user), pull email and USB activity, image laptop if accessible, freeze cloud sync tokens. | Full timeline of what was taken, when, and where it went. Declaration ready for HR, counsel, and any TRO motion. |
| Cloud token theft | Revoke OAuth grants, rotate impacted IAM credentials, force MFA re-enroll, pull CloudTrail / Azure Activity / GCP Audit logs for the access window. | Blast radius mapped: every API call the stolen token made, every resource it touched, every secret it could have read. |
| Web app compromise | Take the app behind a maintenance page or WAF block, snapshot the host and DB, pull access logs, identify the exploit path (SQLi, RCE, deserialization). | Patched or rolled back, malicious accounts disabled, webshell removed, DB integrity verified. Public-facing return-to-service plan drafted. |
| Phishing-led credential theft | Reset compromised account, revoke sessions and refresh tokens, hunt for inbox forwarding rules, sweep tenant for the phishing template against other users. | All affected accounts secured, phishing infrastructure reported for takedown, awareness email sent to the org with the actual lure for recognition. |
| Third-party / supply-chain breach | Inventory every integration, API key, and shared credential with the breached vendor. Rotate everything. Review logs for anomalous calls from the vendor's IP space. | Vendor-side blast radius scoped. Your environment confirmed clean or contaminated. Counsel briefed on contractual notification triggers. |
Every retainer engagement gets the full 28-page playbook library on day one. Ask for a redacted sample chapter.
Sunday at 6:14 AM. Ransomware on every server. No ransom paid, full insurance claim approved.
A 95-employee construction firm in Tampa, FL caught a Conti-variant deployment via brute-forced RDP. They were a Retainer Pro client. This is exactly what happened. Names changed, timing real.
"Bayshore Construction" · 95 employees · Tampa, FL
- 06:14:22 CrowdStrike Falcon fires high-confidence ransomware behavior alert on FILE-SRV-02. Auto-containment isolates the host within 9 seconds.
- 06:15:01 Hotline auto-page to Priya Venkatesh (Tampa IR Lead). She calls the on-call CFO at 06:16. Bridge invite sent.
- 06:31:48 Bridge live with CFO and IT director. Velociraptor sweep already running across all 142 endpoints. Network containment expanded to 2 additional file servers showing pre-encryption activity.
- 07:08:14 Patient zero confirmed: BID-MGMT-01, a Server 2012 R2 box with RDP exposed to the internet. 3,400+ failed logons in the prior 48 hours, success at 03:42 from a Belarusian IP.
- 08:47:33 Lateral movement halted. Encryption stopped at 3 servers, 2 saved before encryption. Domain controllers verified clean. Cyber insurance carrier (Coalition) notified, claim opened.
- 09:15:00 Decision matrix delivered to leadership: immutable Veeam backups intact, last good restore point 04:00 the same morning. Restore path is 14 to 18 hours. Negotiation track placed on hold.
- Mon 03:42 Restored. 18 hours end to end. All file servers operational from immutable backup. Zero data loss beyond the 6 hours between 04:00 backup and 06:14 attack window. No ransom paid.
- Day 12 Final post-mortem delivered to board. Insurance claim paid in full: $147,000 covering response hours, lost productivity, and remediation. RDP retired company-wide, MFA on all remote access, 2012 R2 hosts decommissioned.
Reports your carrier accepts. Evidence your counsel can file. Notifications your regulator expects.
Every engagement produces a deliverable package built for the three audiences that actually matter after a breach: the cyber insurance carrier, your breach counsel, and (if the incident is reportable) the regulator. We've never had a claim denied on our watch.
When it's 3 AM and you call the hotline, these are the people who pick up.
Our IR team is in-house across Tampa, Orlando, Chicago, Atlanta, and Detroit. No overseas tier-one wall, no chat-only handoff. Every responder has run a P1 incident before they take the on-call rotation.
Five questions. Honest answers.
What does "sub-30-minute response" actually mean?
From the moment your hotline call connects to a responder, we commit to having a named GCIH or GCFA lead on a Zoom or Teams bridge within 30 minutes, screen-sharing your environment with you, with a containment plan being drafted in parallel. Our 12-month average is 17 minutes from hotline pickup to bridge online.
Retainer clients are faster: their pre-approved access tokens, network diagrams, and engagement letters are already on file, so we skip the credential dance and the paperwork. Retainer Pro clients also have a named lead with a direct cell, which usually shaves another 5 to 8 minutes.
Will you negotiate the ransom?
We do not negotiate ransoms ourselves. We work with two pre-vetted ransomware negotiation firms, Coveware and GroupSense, and bring them onto the bridge if negotiation becomes the right call. We give you the data they need to start the conversation: variant identification, known leak-site behavior of the threat actor, and historical pay-vs-no-pay outcomes for that group.
In 147 incidents handled this year, only 4 ended in payment. The other 143 either restored from immutable backups, decrypted with a known leaked key, or accepted the loss because the data was non-critical. We will tell you honestly when payment is the wrong move, and just as honestly when it's the only viable path.
How does this work with our cyber insurance?
We are panel-approved or pre-approved by 14 major cyber carriers including Beazley, Chubb, AIG, Travelers, Coalition, At-Bay, Corvus, CFC, Hiscox, Tokio Marine HCC, Zurich, Cowbell, Resilience, and Cysurance. Engaging us inside your panel means your policy responds without a coverage fight.
Every report we deliver is structured to the format your carrier's claims team expects: incident timeline, indicators of compromise, scope of access, data-affected analysis, remediation steps, and lessons learned. Zero failed claims to date when we were on the engagement from hour one. If you are not sure whether we are on your carrier's panel, we can confirm in 5 minutes.
Do you handle breach-notification legal requirements?
We do not give legal advice, but we work directly with your breach counsel under attorney-client privilege. If you do not have one yet, we partner with four firms with deep cyber bench: Mullen Coughlin, BakerHostetler, Constangy, and Lewis Brisbois.
Our forensic findings drive their notification analysis: which states require notice (we maintain the 50-state matrix), which regulators (HHS for HIPAA, state AGs, SEC for material public-company incidents under Item 1.05), and what the notification window looks like. We deliver evidence in formats counsel can actually file, not just dump as raw artifacts.
Can you help even if we don't have a retainer yet?
Yes. Emergency engagements without a retainer are billed at $475/hour with a $9,500 minimum for the first 24 hours. We can be on the bridge within 90 minutes of a signed emergency engagement letter, which we can execute via DocuSign in under 10 minutes. The hotline is (888) 574-5120 and pickup goes directly to a senior responder.
Most clients then move to an IR Retainer once the immediate fire is out, because the retainer rate works out to roughly one-third the emergency rate when you factor in prepaid hours, and it includes the prevention work (tabletops, runbook drafting, carrier pre-clearance) that keeps the next incident smaller.
Don't wait until you need us at 3 AM.
Most of the calls we field are from companies whose IT lead just realized they have nobody to call. Get an IR retainer in place this week. The hotline number, the engagement letter, the carrier pre-clearance, the runbook. All of it on file before you need it. The base IR Retainer is $4,800 for the year, less than the price of a single emergency response hour after the fact.