Emergency response with insurer-recognized retainers. Ransomware, BEC, insider threat, malware reverse engineering — and the post-incident reports that regulators accept under PIPEDA, GDPR and HIPAA.
From first contact to the final regulator-facing report. Every step is documented, every artifact preserved.
Breach triage, containment, forensics. Senior responder on the bridge as soon as you engage. Scoped at engagement, retainer fast-lane for active accounts.
Investigation, scoping, backup validation, recovery. We work in parallel with backup teams and breach counsel to compress restore-to-business timelines.
Threat-actor communications, demand validation and proof-of-decryption testing. Engagement-based premium pricing; we do not advise on payment — that is counsel's call.
BEC investigation: intrusion vector, attacker dwell time, mailbox rule manipulation, wire diversion trace. Reports built for insurer and counsel — and for criminal referral if appropriate.
Suspected internal exfiltration: USB, cloud, print, mobile. We reconstruct user activity with timestamped artifacts that survive HR and arbitration.
Static and dynamic reverse engineering of malware samples. C2 attribution, IOC extraction, capability mapping. Specialist premium work.
Proactive hunt for existing intrusions across endpoints, identity and cloud. Engagement-priced. Often a precursor to retainer onboarding for high-risk clients.
Executive tabletop exercises and IR playbook development. Custom scenarios mapped to your environment, regulators and insurer requirements.
Root-cause analysis and regulator-facing reports for PIPEDA, GDPR, HIPAA. Bundled with response engagements or available standalone for third-party report review.
A retainer turns one-off engagements into predictable annual contracts with pre-negotiated rates and reserved response capacity. When the incident hits, the contract, IR plan and chain-of-custody templates are already in place.
Most retainers self-fund: a single avoided emergency-rate engagement or insurer-negotiated discount typically covers the annual prepay.
Questions counsel, IT and CISOs ask us mid-incident. Read these before the breach so you don't have to read them during it.
It depends on your engagement type. Retainer clients: priority bridge access. New engagements: escalated to a senior responder as soon as scope and access are confirmed.
The fastest containment is the one you have already paid for through the retainer.
That's counsel's decision, not ours. We provide the forensic facts needed to decide: scope of compromise, what data was actually exfiltrated, the threat actor's reputation for honoring payment and the technical recovery options if you don't pay.
We do not negotiate with threat actors or facilitate payment. Specialist ransomware negotiators exist if you choose that path — we work alongside them.
Canada's federal Personal Information Protection and Electronic Documents Act requires organizations to notify the Privacy Commissioner and affected individuals when a breach of personal information poses a "real risk of significant harm." In effect: any reasonable likelihood the data could be misused.
We produce the PIPEDA report (timeline, scope, mitigation, ongoing risk), assist counsel with the OPC notification and handle equivalent provincial requirements (PHIPA in ON, Bill 64 in QC, PIPA in BC / AB).
IR is operational: stop the bleeding, evict the attacker, restore operations, contain regulatory exposure. Time-pressured. Forensics is investigative: reconstruct how it happened, identify the threat actor, build evidence for civil or criminal action. Less time-pressured.
Both happen in most engagements. We integrate them — forensic preservation runs in parallel with containment so we don't burn evidence to restore service.
Yes. Common patterns: departing-employee data theft, privileged-user abuse, contractor exfiltration, credential-sharing or sale and vendor-side insiders. Tooling: user-behavior analytics (UEBA), endpoint imaging, email and Slack review, cloud activity logs, badge data correlation.
Insider investigations are often conducted covertly — we image before the employee is interviewed and we preserve chain of custody to keep options open for civil action.
Pre-paid response capacity scoped at engagement. Three tiers — Bronze, Silver and Gold — each providing reserved response capacity, tabletop exercises and a named senior responder for incidents.
The retainer also pre-negotiates the engagement letter so terms are settled before any incident occurs.
Yes. Immediate actions: revoke OAuth tokens, force password reset, remove malicious mailbox rules (auto-forward, hide-in-folder), review and tighten conditional access, preserve the Unified Audit Log (UAL). We can do this as soon as we have bridge contact.
Then we reconstruct the attack path, identify any wire-fraud emails sent and coordinate with insurance / counsel / banking to attempt recovery of in-flight payments.
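One way to make the "remove mailbox rules" step defensible is to triage the rules exported from every affected mailbox before deleting anything, so the malicious ones are documented for the report and legitimate ones survive. The Python script below is an added example, not the firm's tooling or code from this page: the record fields mirror what Exchange Online's Get-InboxRule cmdlet returns, but the export shape, the domain names and the three sample rules are constructed assumptions.

```python
"""Triage exported inbox rules for the BEC patterns named in the answer above.

Added example, not part of the original page. The rule records are
constructed to mirror the fields Exchange Online's Get-InboxRule returns
(Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
MoveToFolder, DeleteMessage, MarkAsRead, SubjectContainsWords); the exact
export shape, the domains and the sample rules are assumptions.
"""
from __future__ import annotations

import re

# Folders attackers favour because the mailbox owner rarely looks there.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "deleted items", "junk email", "archive"}
# Subject words that mark a rule as targeting payment threads.
FINANCE_WORDS = {"invoice", "wire", "payment", "remittance", "bank", "ach"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample: one benign rule and two typical BEC rules.
INTERNAL_DOMAINS = {"corp.example"}
SAMPLE_RULES = [
    {"Mailbox": "cfo@corp.example", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "MoveToFolder": "\\Newsletters",
     "DeleteMessage": False, "MarkAsRead": False,
     "SubjectContainsWords": ["newsletter"]},
    {"Mailbox": "cfo@corp.example", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Payments" [SMTP:payments.ops@mail-relay.example]'],
     "RedirectTo": [], "MoveToFolder": "\\RSS Feeds",
     "DeleteMessage": False, "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "wire transfer"]},
    {"Mailbox": "ap@corp.example", "Name": "Sync", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['"IT" [SMTP:helpdesk@corp.example]'],
     "MoveToFolder": None, "DeleteMessage": True, "MarkAsRead": True,
     "SubjectContainsWords": ["suspicious sign-in", "password"]},
]


def address_domain(target: str) -> str | None:
    """Extract the domain from a recipient string like '"Name" [SMTP:a@b.example]'."""
    match = ADDRESS_RE.search(target)
    return match.group(0).rsplit("@", 1)[1].lower() if match else None


def triage_rule(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return human-readable findings for one inbox rule (empty list = benign)."""
    findings: list[str] = []
    # Auto-forward / redirect to any domain the organisation does not own.
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(field) or []:
            domain = address_domain(target)
            if domain and domain not in internal_domains:
                findings.append(f"{field} sends mail to external domain {domain}")
    # Hide-in-folder: the leaf folder name, case-insensitive.
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDE_FOLDERS:
        findings.append(f"moves matching mail to hidden folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    if rule.get("MarkAsRead") and (folder in HIDE_FOLDERS or rule.get("DeleteMessage")):
        findings.append("marks mail read before hiding it (owner sees no unread badge)")
    # Attackers often name rules with a single punctuation character.
    if not (rule.get("Name") or "").strip(" .,;:-_"):
        findings.append("rule name is blank or punctuation only")
    # Only raise the finance flag when the rule already does something suspicious.
    tokens = {t for w in rule.get("SubjectContainsWords") or []
              for t in re.findall(r"[a-z]+", w.lower())}
    if findings and FINANCE_WORDS & tokens:
        findings.append("filters on finance keywords: " + ", ".join(sorted(tokens)))
    return findings


def severity(findings: list[str]) -> str:
    """External forwarding or finance targeting is high; any other finding is medium."""
    if any("external domain" in f or "finance keywords" in f for f in findings):
        return "high"
    return "medium" if findings else "none"


def triage_mailboxes(rules: list[dict], internal_domains: set[str]) -> list[dict]:
    """Summarise every rule with at least one finding, highest severity first."""
    report = []
    for rule in rules:
        findings = triage_rule(rule, internal_domains)
        if findings:
            report.append({"Mailbox": rule["Mailbox"], "Name": rule["Name"],
                           "Enabled": rule.get("Enabled", True),
                           "Severity": severity(findings), "Findings": findings})
    order = {"high": 0, "medium": 1}
    return sorted(report, key=lambda r: order[r["Severity"]])


def run_sample() -> list[dict]:
    """Run the triage over the constructed sample rules."""
    return triage_mailboxes(SAMPLE_RULES, INTERNAL_DOMAINS)


if __name__ == "__main__":
    for entry in run_sample():
        print(f"[{entry['Severity'].upper()}] {entry['Mailbox']} rule {entry['Name']!r}")
        for finding in entry["Findings"]:
            print("   -", finding)
```

The report it produces is the artifact to attach to the engagement record before the rules are removed: each line ties a concrete rule property to a BEC technique, which is what counsel and the insurer will ask for when the wire-diversion timeline is reconstructed.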