Incident response & recovery

When the bridge is open, decisions own the outcome.

We join the response as the decision-making layer alongside forensics, legal and your team — owning the playbook, the executive comms, and the programme rebuild that lives after the incident closes.

  • On the bridge within the hour for active incidents.
  • A response playbook tested before you need it.
  • Programme rebuild, not just a forensics report on the shelf.
  • First-hour engagement
  • Executive-level comms
  • Regulator-ready notifications
  • Post-incident rebuild
When this is for you

Four shapes the call usually takes.

  • You are in an active incident and need a decision-maker beside the executive team.

    Forensics is engaged, legal is engaged, the bridge is loud. What is missing is the seat that owns the response timeline, the comms ladder and the moments where the company has to choose. We fill that seat.

  • The incident is contained but the recovery has stalled.

    The forensics report is in. The technical fixes are partly done. The team is exhausted. Customer comms keep slipping. We pick up the recovery as a programme with owners, deadlines and a closeout that an auditor and a board will accept.

  • You inherited an incident that closed badly.

    Root cause unclear, lessons-learned never published, regulators still corresponding. We retro the response, rebuild the controls that the incident exposed, and produce the artefact that lets the company say "this is closed".

  • You have never been in a real incident and the board is asking why not.

    Playbook, escalation tree, retainer relationships with forensics and counsel, tabletop exercise with the executive team. The first real incident is not the rehearsal — the rehearsal is the rehearsal.

How the engagement runs

Active response, then recovery, then rebuild.

Three modes, one continuous relationship. The team that runs the bridge is the team that rebuilds the programme.

  1. First-hour engagement (hour 0–24)

    Join the bridge. Establish the response timeline, the comms cadence and the named officers for customer, regulator and board communication. Handshake with forensics and counsel, set the containment-vs-observation boundary, surface the first hard decisions to the executive.

  2. Containment, comms, regulator notification (day 1–14)

    Drive the daily incident command. Draft customer notifications, regulator filings (GDPR Article 33, NIS2 24h/72h, sector-specific), board updates and the public statement. Sit alongside legal, communications and the response team — the executive sends, the company decides.

  3. Recovery & programme rebuild (week 2–8)

    Run the post-incident review, publish lessons learned in a form the board accepts, rebuild the controls the incident exposed. Translate forensic findings into a remediation programme that ships — not a binder.

  4. Closeout & resilience handover (week 6–12)

    Tabletop with the executive team to test the new playbook against a fresh scenario. Document the engagement, hand the playbook back to a named owner inside the company, and stay on retainer for the next escalation if you want it.

Outcomes

What "closed" actually looks like.

01

A response timeline the company can defend

Every decision, every notification, every escalation captured with a timestamp and an owner. The artefact regulators, insurers and customers ask for — and the one most incidents fail to produce.

02

Customer and regulator comms that landed cleanly

Notifications drafted to the standard a sophisticated buyer accepts. No corrections, no follow-up filings, no "we'll get back to you with more detail next week" pattern.

03

A rebuilt programme, not just a fix

The controls the incident exposed re-implemented and tested. The root causes — not just the symptoms — addressed. A closeout document a future auditor will read once and accept.

04

An organisation that has rehearsed the next one

A working playbook, named on-call owners, tested escalation paths, and an executive team that has run a tabletop together. The next incident is hard. The next incident is not unrehearsed.

From the practice
"The first hour of an incident is decision-shaped, not technical-shaped. The forensics will come; the lawyers will come; the right question is who is sitting next to the CEO answering 'now what?' — and whether that person has done it before."

— Adam Gresh, Purple Dragon Cybersecurity

Frequently asked

Common questions, direct answers.

We think we are in an incident right now. What is the first step?

Call us. The single most important first decision is whether to contain or observe — and that decision is rarely reversible. We will join the bridge inside the hour, help you set that boundary, and stay on the bridge until the immediate containment plan is owned.

Are you a forensics firm?

No. We work alongside forensics, legal counsel and the cyber-insurance panel. Our role is the decision-making layer: who owns what, what gets said externally, when to involve regulators, what the board sees, and how the response handover lands. Forensics tells you what happened; we make sure the company recovers from it.

We are not in an incident — can you still help?

Yes — and arguably this is the right time. Pre-incident, we build the playbook, run the tabletop with the executive team, and define the bridges, on-calls and external-counsel relationships that the first hour will depend on. The playbook that was rehearsed once is worth more than the binder that was written and filed.

How long does the engagement run?

In an active incident: typically 2–6 weeks of intensive support, then 4–8 weeks of programme stabilisation. Pre-incident readiness: 4–6 weeks to build and test the playbook end-to-end. Retainer models available for ongoing on-call coverage.

Do you communicate with regulators and customers directly?

We draft, we advise, we sit alongside the executive — but the company's named officers send the regulator notification and own the customer line. That separation matters legally and operationally; we make sure the company is making informed decisions, not voicing ours.

Engage an incident response lead

Active incident — reply within one business hour. Pre-incident readiness — within one business day.
