C · 04 / Incident Response & DFIR

When the clock starts, we’re already moving.

Ransomware at 2:14 AM. A wire that left at 4:47 PM for a vendor you’ve never heard of. A departing engineer’s laptop with customer data that shouldn’t have been there. The difference between a quarter-ending footnote and a quarter-ending disaster is the first six hours — and whether the people on the bridge know what they’re doing. Our DFIR hotline is tied directly to the same Memphis command center that runs physical response. One command. One timeline. One written record at the end.

Call DFIR Hotline · (202) 222-2225

Discipline: DFIR
Code: C · 04
Hotline: 24/7 · live pickup
Command: Memphis · unified
Triage SLA: 45 min (retainer)
Containment: < 4 hrs from engagement
Written report: 24 / 72 hrs
Tooling: EnCase · FTK · Axiom
45 min · Triage SLA: retainer clients · hotline call to senior responder on a bridge
< 4 hrs · Containment kickoff: first containment actions from engagement · written or verbal authority
24 / 72 · Written reports: hour-24 factual brief · hour-72 preliminary examiner report
24/7 · DFIR hotline: live-human pickup · 2.1 rings average · routed through Memphis
01 / What DFIR solves

The six-hour window between a signal and a crisis.

Digital Forensics and Incident Response isn’t one thing. It’s the discipline of running a cyber crisis the same way a fire marshal runs a structure fire — containment first, preservation in parallel, investigation on a timeline, written record at the end. Four problems, one integrated response.

Ransomware is a business-continuity event, not an IT ticket

By the time you see the ransom note, the adversary has typically been inside for 8–21 days. Backups are often already compromised. Domain controllers are usually encrypted. Recovery without a clear containment plan leads to reinfection inside a week. We run containment, coordinate the negotiation-vendor handoff if it comes to that, and preserve the forensic record your insurer, counsel, and possibly the FBI will want later.

BEC wire fraud is a 72-hour window, then it’s gone

Business Email Compromise costs US businesses more than ransomware every year — and the recovery rate on a fraudulent wire drops sharply after the first 72 hours. FinCEN’s Rapid Response Program and the FBI’s IC3 Financial Fraud Kill Chain both depend on speed. We run the parallel bank-recall, IC3, and forensic-investigation workstreams from the first call.

Insider threats land in employment court

Departing-employee data theft, privileged-user abuse, fraud by staff — every insider investigation ends up in arbitration, employment litigation, or a settlement. That means chain-of-custody matters from the first minute. We scope the preservation plan with your counsel before collection starts, image the systems, and produce an examiner report suitable for a court exhibit.

Breach-notification deadlines arrive whether you’re ready or not

HIPAA’s 60-day clock starts at discovery, not containment. 48 states have breach-notification laws with their own windows, their own AG-notification thresholds, their own consumer-letter content rules. GLBA’s revised Safeguards Rule added a 30-day FTC notification window. Your breach coach drives the letters; we drive the forensic record the letters are built on.

02 / Four-stage IR protocol

Same cadence as physical response. One command.

Every incident we accept runs the same four-stage protocol, timestamped by our Memphis command center and logged to your matter file. The cadence mirrors our physical-security alarm-response protocol deliberately — same dispatch, same clock discipline, same written-report finish — because when the cyber and physical sides both hand you a single timeline at the end of the week, your board and your insurer are looking at one story, not two.

T+00:00 · Stage 01 · Alert

Hotline pickup & intake

Live dispatcher answers the DFIR hotline at our Memphis command center in an average 2.1 rings, 24/7/365. The dispatcher takes structured intake — caller, organization, contact path, apparent incident type — and pages the on-call senior responder. For retainer clients, your named responder is on a bridge and scoping within 45 minutes of the intake call; on-call engagements are best-effort on the same pickup but without the guaranteed triage SLA. Every inbound call is recorded and timestamped.

T+00:45 · Stage 02 · Triage

Senior responder scoping call

Within 45 minutes the on-call senior responder is on a secure bridge with you, your IT lead, and — if you have one — your cyber-insurance breach coach and panel counsel. Scope is established in writing before any containment action: what systems are in scope, what preservation is needed, what counsel has authorized, what the insurer’s approved-vendor position is. If a written engagement letter doesn’t exist yet for on-call clients, it gets emailed and e-signed on the bridge. No billable forensic work happens without authority on record.

T+<4:00 · Stage 03 · Containment

Containment, preservation, investigation in parallel

Within four hours of engagement, containment actions are underway — network segmentation, credential rotation, endpoint isolation, blocking known indicators, pulling the compromised mailbox session, whatever the event requires. Preservation runs in parallel with containment, not after it: memory captures on affected systems before power cycles, forensic images before rebuilds, log exports before retention windows close. Remote collection where possible; a responder physically dispatched to any TN or MS site inside the same business day where on-site collection is required.

T+24/72 · Stage 04 · Report

Hour-24 brief & hour-72 written examiner report

By hour 24, you have a written factual brief — what we know, what we don’t, what we’re still collecting, where the evidence points. By hour 72, a preliminary examiner report with methodology, artifact list, chain-of-custody log, hash verifications, initial findings, and open questions. Written so your breach coach can calendar notification deadlines and your insurer can scope reserves. The final examiner report follows engagement close, signed under penalty of perjury, suitable for a litigation exhibit if the matter travels.

03 / Capabilities & common scenarios

What the hotline actually covers.

DFIR as a category is broad. These are the four scenarios we accept engagements on, the tooling we use, the breach-notification regimes we coordinate around, and the cyber-insurance panel work we’re built to integrate with.

Incident scenarios we accept

We scope to what we can do well. If an engagement falls outside our competence — nation-state APT hunt requiring classified-intel access, industrial-control-system event requiring vendor-specific SME — we say so on the triage call and refer, rather than learn on your dime.

  • Ransomware: containment, negotiation-vendor coordination, backup validation, rebuild supervision, recovery oversight
  • Business Email Compromise: FinCEN bank-recall coordination, IC3 / FBI Financial Fraud Kill Chain filing, mailbox forensics, dwell-time scoping
  • Insider threat: departing-employee data theft, privileged-user abuse, corporate-systems harassment — under counsel, with court-ready chain-of-custody
  • Phishing & account takeover: credential-compromise scoping, MFA-fatigue incidents, OAuth-consent phishing, cloud-session hijack investigation
  • Data exfiltration: exfiltration path reconstruction, log analysis, artifact recovery, notification-impact scoping for counsel

Forensic tooling & methodology

Industry-standard tooling, court-accepted methodology, version-pinned workstation builds, and written chain-of-custody from the first acquisition forward. Every artifact we produce is built to travel to deposition.

  • Imaging: EnCase · FTK Imager · Magnet Axiom · dd/dc3dd for hardware-assisted cases
  • Memory & live response: Volatility · Rekall · KAPE · Velociraptor for live-triage telemetry
  • Integrity: SHA-256 hash verification at acquisition and at every handoff · MD5 alongside for legacy court exhibits
  • Chain of custody: written sheet · tamper-evident storage · Memphis evidence locker · LE-compatible transfer
  • Team credentials: team-level target of GIAC GCFA (Certified Forensic Analyst) & GCIH (Certified Incident Handler) — current hiring focus

Breach-notification coordination

We don’t practice law and we don’t file breach-notification letters. What we do produce is the forensic record your breach coach needs to calendar the right deadlines — affected-individual counts, data categories, dwell time, evidence of exfiltration versus mere access — in the format counsel uses to drive the statutory clock.

  • HIPAA Breach Notification Rule: 60-day clock from discovery · HHS OCR reporting · 500+ threshold for OCR public disclosure
  • GLBA Safeguards: revised FTC rule · 30-day FTC notification on 500+ affected consumers
  • State breach-notification laws: all 48 US states with statutes · AG-notification thresholds (CA, NY, TX, MA & others) · credit-bureau notice where required
  • Sector-specific: SEC cyber-disclosure rule (Form 8-K Item 1.05) · NYDFS Part 500 · PCI-DSS reporting chain
  • Scope: we produce the forensic record · your breach coach drives the letters

Cyber-insurance coordination

Cyber policies almost always require the carrier to approve the IR vendor before covered costs start accruing. Pick the wrong firm first and the claim is denied. We coordinate with your breach coach from Stage 02 onward so the engagement tracks cleanly against the policy.

  • Panel coordination: work alongside the major carriers and breach-coach firms · one-time waiver where needed
  • Counsel-led engagement: engagement typically runs under outside counsel for work-product protection
  • Covered-cost scoping: our hourly rate, forensic tooling, and written-report cadence match the policy’s covered-cost categories
  • Insurance: $1M cyber · $5M GL · $2M professional
  • License & footprint: Tennessee PLSC Lic. #14310 · Memphis command center · TN + MS full physical dispatch

Notification clocks at a glance:
HIPAA: 60 days · HHS OCR
GLBA: 30 days · FTC
State laws: 48 US states
SEC 8-K Item 1.05: 4 business days
NYDFS Part 500: 72 hrs
PCI-DSS: acquirer chain
FinCEN / IC3: < 72 hrs optimal
04 / Retainer vs on-call

Pre-engaged, or first-call, same hotline.

We offer two engagement models on the same hotline, staffed by the same responders. Retainer clients get a guaranteed triage SLA, a reduced hourly rate, a pre-executed master services agreement, and prepaid hours that draw down against the retainer. On-call clients pay standard rate, sign the MSA at call time, and wait in queue behind retainer engagements when the hotline is busy. Most mid-sized organizations with cyber insurance carry a retainer because the insurer’s policy often requires a pre-engaged IR vendor to begin with — and because the MSA negotiation at 3 AM is not where you want to lose the first four hours.

On-Call DFIR · first-call · standard rate · MSA at call time

Same hotline, same responders, no retainer in place. MSA is negotiated and e-signed on the triage bridge; forensic work starts after authority is on record. Best-effort response — no guaranteed triage SLA — and the hourly rate is standard DFIR market. Appropriate for organizations without cyber insurance requiring a pre-engaged vendor, or for single-incident engagements outside the retainer scope you already carry with another firm.

  • Triage: best effort · no guaranteed SLA · queue behind retainer engagements
  • Containment: follows MSA e-signature on the triage bridge
  • MSA: negotiated & e-signed at call time · retainer clients skip this
  • Rate: standard DFIR market hourly · no retainer discount
  • Insurance alignment: best-effort carrier coordination · approved-vendor status checked live
  • Minimum engagement: typically 40 hours of forensic work to produce a usable examiner report
  • Path forward: most on-call clients convert to retainer after one engagement
05 / DFIR FAQ

The questions every GC, CISO, and CFO eventually asks.

The questions we get most on RFPs, counsel-led breach-readiness calls, and the first five minutes of a triage bridge — answered specifically, not generically. If yours isn’t here, call the DFIR hotline at (202) 222-2225 and we’ll answer it on the spot.

Q · 01 · How fast can you respond to a cyber incident?
The Memphis command center picks up on the DFIR hotline 24/7 at an average 2.1 rings. Retainer clients get a guaranteed initial-triage call within 45 minutes of intake — a senior responder on a bridge, scoping the event, pulling history, and giving you the first set of containment instructions. Containment actions kick off within four hours of engagement. On-call clients are best-effort on the same steps but without the SLA. We do not require you to wait for a contract to sign before we start triage on a retainer — that’s the point of the retainer. For on-call engagements, the MSA is e-signed on the triage bridge before billable forensic work begins.
Q · 02 · Do you negotiate with ransomware actors?
We do not pay ransoms on your behalf and we do not hold ourselves out as a ransomware-negotiation firm. What we do is coordinate with specialist negotiation vendors already on your cyber-insurer’s approved panel — or recommended ones if you don’t have a policy — manage the communication channel, preserve the forensic evidence while talks are ongoing, and ensure every action taken is documented in a way your insurer, your breach coach, and law enforcement can use later. Payment decisions sit with you and your counsel; OFAC sanctions screening is mandatory before any funds move, and a sanctioned-entity match generally takes the pay option off the table entirely. Our role is containment, forensics, and the written record — not counterparty communication with the adversary.
Q · 03 · Do you pay the ransom for us?
No. We are not a licensed money-services business, we do not wire cryptocurrency on behalf of clients, and we would not recommend a firm that did so without proper licensing and OFAC compliance. If the decision is made to pay — with your counsel, insurer, and board aligned — the payment is executed by a specialist vendor with MSB licensing, sanctions screening, and wallet-attribution protocols. We facilitate the vendor handoff and retain the forensic record of the transaction so the event is fully documented for your carrier, your auditors, and any subsequent litigation. The decision to pay and the legal liability for paying are yours; our role is preserving the record.
Q · 04 · Do you work with my cyber insurer?
Yes. Cyber-insurance policies almost always require the carrier to approve the incident-response vendor before covered costs start accruing — choose the wrong firm first and the claim is denied. We coordinate with the carrier’s breach coach (typically panel counsel), confirm that our engagement falls inside the approved-vendor list or seek a one-time waiver, and scope our work to match the policy’s covered-cost categories so your claim tracks cleanly. We have worked alongside the major cyber carriers and breach-coach firms on more than one engagement, and we understand the reporting cadence they expect — daily status updates, written hour-24 brief, hour-72 preliminary examiner report, final report on engagement close. On a retainer we pre-confirm our approved-vendor position with your carrier at policy renewal, so the question is settled before the incident happens.
Q · 05 · What evidence do you preserve, and how?
For every engagement we produce bit-for-bit forensic images of affected systems using industry-standard tooling — EnCase, FTK Imager, or Magnet Axiom depending on the target — with cryptographic hash verification (SHA-256 minimum, MD5 alongside for legacy court exhibits) recorded at acquisition. Volatile memory is captured live when the system is still powered, using Volatility, Rekall, or KAPE depending on the platform. Every artifact is logged to a written chain-of-custody sheet with the acquirer’s name, timestamp, hash, and handoff record; physical evidence is stored in tamper-evident bags in our Memphis evidence locker until the matter closes or counsel directs transfer. Network logs, endpoint telemetry, email gateway records, and cloud audit trails are pulled per a written preservation plan tailored to the matter, with retention-window analysis so nothing ages out mid-engagement.
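The two controls this answer leans on, hash verification recorded at acquisition and re-verified at every handoff, are easy to describe and easy to get subtly wrong (hashing only once, or logging the hash without recording who held the item when). The script below is an added illustration and not the firm's own tooling: it streams an evidence file once to compute SHA-256 (primary) and MD5 (legacy exhibit) together, writes an acquisition record, and on each handoff recomputes the digests and marks the entry verified or not, so a tampered or corrupted image is caught at the transfer rather than in deposition. The `CustodyLedger` class, the `demo()` helper and the sample image file it writes are all constructed for this example.

```python
"""Evidence hashing and chain-of-custody ledger (added example, not the firm's tooling)."""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

CHUNK_SIZE = 1024 * 1024  # stream large images in 1 MiB pieces instead of loading them whole


def hash_file(path: str) -> dict:
    """Read the file once and compute SHA-256 and MD5 side by side."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    event: str                 # "acquisition" or "handoff"
    item: str                  # evidence item name (file name here; a bag/tag id in practice)
    actor: str                 # person releasing (handoff) or acquiring (acquisition)
    counterparty: Optional[str]  # person receiving on a handoff, None at acquisition
    timestamp: str
    sha256: str
    md5: str
    verified: bool             # digests match the acquisition record


class CustodyLedger:
    """Append-only record: one acquisition per item, then a verified entry per handoff."""

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def acquire(self, path: str, acquirer: str) -> CustodyEntry:
        digests = hash_file(path)
        entry = CustodyEntry("acquisition", Path(path).name, acquirer, None, _now(),
                             digests["sha256"], digests["md5"], True)
        self.entries.append(entry)
        return entry

    def handoff(self, path: str, releasing: str, receiving: str) -> CustodyEntry:
        """Recompute both digests and compare them to the acquisition baseline."""
        item = Path(path).name
        baseline = next(e for e in self.entries
                        if e.item == item and e.event == "acquisition")
        digests = hash_file(path)
        ok = (digests["sha256"] == baseline.sha256 and digests["md5"] == baseline.md5)
        entry = CustodyEntry("handoff", item, releasing, receiving, _now(),
                             digests["sha256"], digests["md5"], ok)
        self.entries.append(entry)  # a failed verification is logged, never silently dropped
        return entry

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def demo() -> CustodyLedger:
    """Constructed walk-through: acquire, clean handoff, then a handoff after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.E01")      # constructed stand-in for a forensic image
        with open(image, "wb") as fh:
            fh.write(b"abc")                         # tiny constructed payload with known digests
        ledger = CustodyLedger()
        ledger.acquire(image, "Examiner A")
        ledger.handoff(image, "Examiner A", "Evidence locker")
        with open(image, "ab") as fh:                # simulate corruption/tampering in storage
            fh.write(b"\x00")
        ledger.handoff(image, "Evidence locker", "Outside counsel")
    return ledger


if __name__ == "__main__":
    print(demo().to_json())
```

In a real engagement the item identifier would be the evidence tag on the bag, the ledger would be written to append-only storage, and the same two digests would be transcribed onto the paper custody sheet so the electronic and written records can be reconciled.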
Q · 06 · Can you testify in court?
Yes. Our senior responders maintain the credentials and methodology discipline needed to qualify as expert witnesses — our team is building toward GIAC GCFA (Certified Forensic Analyst) and GCIH (Certified Incident Handler) as team-level credentials, and our senior lead carries prior experience testifying in civil employment and breach matters. We write every engagement as if it will end in deposition: documented methodology, reproducible workstation builds, version-pinned tooling, written chain-of-custody from the first acquisition forward, and a signed examiner report. If your matter heads to litigation, the forensic artifacts and reports we produce are built to travel. We do not overstate our bench — our team is actively expanding its certification footprint, and we are transparent with counsel about which responder on a matter holds which credentials.
Q · 07 · What is the difference between an MDR service and an IR retainer?
Managed Detection and Response (MDR) is the 24/7 tripwire — it watches your endpoints, your network, and your cloud for malicious activity and alerts you when something is happening. Incident Response (IR) is what happens after the tripwire fires. An IR retainer means the responders — the people who actually go into a ransomware-encrypted domain controller and figure out how the adversary got in — are pre-engaged with a guaranteed SLA and a pre-executed MSA, so the clock-starts-now phase of a crisis doesn’t stall in procurement. MDR tells you there’s a fire; IR puts it out. Most mid-sized organizations carry both. We offer both — see our Managed SOC page for the MDR side of the same command center.
Q · 08 · Do you handle business email compromise (BEC) wire-fraud recovery?
Yes, and the first 72 hours matter enormously. On a BEC wire-fraud report, we immediately coordinate three parallel workstreams. First, a FinCEN Rapid Response Program filing through your bank to attempt funds recall — your bank’s fraud department is the right channel, and the faster they get the request the more likely the correspondent bank holds the funds. Second, an IC3 complaint to the FBI’s Internet Crime Complaint Center — IC3 is the gateway for the FBI’s Financial Fraud Kill Chain on wires above $50,000 that left the US in the last 72 hours, and the Kill Chain team has a meaningful track record on funds recall when activated in time. Third, a forensic investigation of the compromised mailbox to identify the intrusion vector (typically credential theft plus MFA bypass or a forwarding rule), establish the attacker’s dwell time, and rule out other compromised accounts in your tenant. Wire-fraud recovery rates fall sharply after 72 hours, so the value of the service is speed.
Q · 09 · Can you handle insider-threat investigations?
Yes. Insider investigations — departing-employee data theft, privileged-user abuse, financial fraud by staff, harassment via corporate systems — are a significant share of the DFIR caseload and they require more discipline, not less, because the outcome often lands in employment or civil litigation. We work under privilege via your outside counsel (Upjohn warnings where applicable), follow a written preservation plan before any collection, preserve the employee’s system before termination paperwork is signed where possible so the collection is clearly within scope of the employment relationship, and produce an examiner report suitable for an arbitration or court setting. Every insider engagement is scoped in writing with counsel before collection starts — we do not start imaging systems on a verbal instruction.
Q · 10 · How do breach-notification deadlines actually work?
Breach-notification law in the US is a patchwork. If PHI (protected health information) is involved, HIPAA’s Breach Notification Rule gives you 60 days from discovery to notify affected individuals and HHS OCR — and breaches of 500 or more individuals go on the OCR public wall of shame within a similar window. Financial-services firms face GLBA Safeguards Rule notification (revised FTC rule, 30-day window to the FTC for breaches affecting 500+ consumers). All 48 US states with breach-notification laws have their own timing — many as short as 30 days, a few require law-enforcement notification alongside, and state attorney general thresholds vary widely. Public companies face SEC Form 8-K Item 1.05 within four business days of determining materiality. We do not practice law, but we produce the forensic record a breach coach needs to calendar the right deadlines — affected-individual counts, data categories, dwell time, evidence of exfiltration versus mere access — and we coordinate with panel counsel on the timeline.
Q · 11 · What about state attorney general notification?
Most of the 48 state breach-notification statutes require notification to the state attorney general’s office — sometimes only above a threshold of affected residents (California: 500+, New York: any, Texas: 250+), sometimes always. A few require credit-reporting agency notification on top. The notification letters themselves have content requirements that differ by state — Massachusetts, for instance, prohibits naming the specific type of data involved in the initial consumer letter, while Tennessee allows it. Your breach coach drives the paperwork; we drive the forensic record that the paperwork is built on, delivered in the format counsel uses.
Q · 12 · Do you have an on-site response capability or is this all remote?
Both. The majority of DFIR work — endpoint triage, log analysis, memory forensics, email search — is done remotely with your consent and with client-owned collection agents or our forensic toolkit deployed to your environment. Where physical collection is required — a locked-out domain controller, an air-gapped OT network, physical evidence that must be hand-walked to preserve chain-of-custody — we dispatch a responder to any site in Tennessee or Mississippi inside the same business day. Our Memphis command center is the single point of coordination for both the remote workstream and the physical dispatch. The cyber responder on the bridge and the uniformed officer walking the server room report to the same dispatch, run the same timeline, and hand you a single written record at engagement close. One command.
06 / Next Step

Set the retainer before the clock starts.

A senior responder will walk through your environment, your cyber-insurance posture, and your breach-notification obligations, then deliver a retainer proposal scoped to your risk inside five business days. No cost. No pitch. If you’re in the middle of an incident right now — call the hotline. The retainer conversation happens later.