Incident Response

When Seconds Count: Incident Response That Minimizes Damage

Incident response services provide rapid breach containment, digital forensics, and guided recovery when a security incident occurs. Vigil Cyber's incident response team works to minimize damage, preserve evidence for insurance claims and law enforcement, and restore normal operations — with response initiated within one hour of engagement.

Critical Window

What Happens in the First Hour, Day, and Week

Incident response is not one event — it is a structured sequence of actions executed against a ticking clock. Our team knows exactly what to do at each phase, because we have done it hundreds of times.


The First Hour

Emergency triage call to assess scope and severity
Network isolation of affected systems to stop lateral movement
Preservation of volatile memory and log evidence
Initial attacker eviction and credential resets
Notification of key stakeholders and legal counsel

The First Day

Full forensic disk imaging of affected endpoints
Log correlation to identify attack timeline and patient zero
Malware analysis and IOC extraction
Scope determination — what data was accessed or exfiltrated
Interim hardening measures for unaffected systems
Communication to regulators if required by law
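The log correlation step above is where the attack timeline and patient zero come from. The following is an added example, not Vigil Cyber's tooling: it walks time-ordered events from several collectors, marks hosts on direct indicator hits (known-bad hash, C2 domain, attacker source IP), and then treats a network logon from an already-marked host as lateral movement onto the target. The log lines, indicators and field names are constructed for illustration and assume a collector that normalises events to JSON with UTC timestamps.

```python
"""Correlate multi-source logs into one attack timeline and locate patient zero.

Added example, not Vigil Cyber's tooling. Log lines, indicators and field
names are constructed; they assume a collector that emits one JSON event per
line with UTC ISO-8601 timestamps.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample telemetry, deliberately out of order as it would arrive
# from several collectors. 203.0.113.0/24 is a documentation address range.
SAMPLE_LOGS = """\
{"ts":"2024-05-01T02:40:12Z","source":"winlog","host":"FS-01","event_id":4624,"logon_type":3,"user":"j.doe","src_host":"WS-0412"}
{"ts":"2024-05-01T02:15:30Z","source":"edr","host":"WS-0412","user":"j.doe","proc":"powershell.exe","sha256":"b4dc0ffee1"}
{"ts":"2024-05-01T01:02:44Z","source":"winlog","host":"FS-01","event_id":4624,"logon_type":3,"user":"a.smith","src_host":"WS-0200"}
{"ts":"2024-05-01T02:16:05Z","source":"dns","host":"WS-0412","query":"update-check.example"}
{"ts":"2024-05-01T02:41:50Z","source":"edr","host":"FS-01","user":"j.doe","proc":"rundll32.exe","sha256":"b4dc0ffee1"}
{"ts":"2024-05-01T02:16:09Z","source":"dns","host":"WS-0200","query":"www.example.org"}
{"ts":"2024-05-01T03:05:21Z","source":"winlog","host":"DC-01","event_id":4624,"logon_type":3,"user":"svc-backup","src_host":"FS-01"}
{"ts":"2024-05-01T03:06:00Z","source":"vpn","host":"vpn-gw","user":"j.doe","src_ip":"203.0.113.45","action":"login_ok"}
"""

# Indicators extracted during malware analysis (constructed values).
IOCS = {
    "sha256": {"b4dc0ffee1"},
    "domains": {"update-check.example"},
    "ips": {"203.0.113.45"},
}


@dataclass
class Timeline:
    events: list[dict] = field(default_factory=list)        # attacker activity, time-ordered
    hosts_in_order: list[str] = field(default_factory=list)  # hosts by first attacker touch


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and sort by timestamp so correlation runs in causal order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
        ev["_t"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["_t"])


def matches_ioc(ev: dict, iocs: dict) -> bool:
    """Direct indicator hit: known-bad hash, C2 domain lookup, or attacker source IP."""
    return (
        ev.get("sha256") in iocs["sha256"]
        or ev.get("query") in iocs["domains"]
        or ev.get("src_ip") in iocs["ips"]
    )


def build_timeline(events: list[dict], iocs: dict) -> Timeline:
    """Walk events in time order. An IOC hit marks the host; a network logon
    (4624, logon type 3) whose source host is already marked is lateral
    movement and marks the target host as well."""
    tl = Timeline()
    touched: set[str] = set()
    for ev in events:
        hit = matches_ioc(ev, iocs)
        if (
            ev.get("event_id") == 4624
            and ev.get("logon_type") == 3
            and ev.get("src_host") in touched
        ):
            hit = True
        if not hit:
            continue
        tl.events.append(ev)
        host = ev["host"]
        if host not in touched:
            touched.add(host)
            tl.hosts_in_order.append(host)
    return tl


def patient_zero(tl: Timeline) -> str | None:
    """Earliest host with attacker activity; None if nothing matched."""
    return tl.hosts_in_order[0] if tl.hosts_in_order else None


if __name__ == "__main__":
    tl = build_timeline(parse_events(SAMPLE_LOGS), IOCS)
    print("patient zero:", patient_zero(tl))
    for ev in tl.events:
        detail = ev.get("src_host") or ev.get("sha256") or ev.get("query") or ev.get("src_ip")
        print(ev["ts"], ev["source"], ev["host"], detail)
```

On the constructed data this yields WS-0412 as patient zero, then FS-01 and DC-01 via network logons, and the VPN gateway last when the attacker returns with the stolen credentials; the legitimate WS-0200 logon and DNS lookup are left out. The same walk is what turns the raw IOCs from malware analysis into the scope determination in the next step: every host in `hosts_in_order` needs a disk image and a data-access review.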

The First Week

Root cause analysis and full incident timeline
Clean rebuild or reimaging of compromised systems
Credential hygiene sweep across the entire environment
Remediation of the vulnerability or misconfiguration that enabled the breach
Post-incident security hardening recommendations
Written incident report for insurance and regulatory use
Our Capabilities

Full-Spectrum Incident Response

From forensic investigation through recovery and hardening, our team delivers every capability your organization needs — without the overhead of building an in-house IR team.

Digital Forensics

Evidence Preservation and Analysis

Understand exactly what happened, when, and how — with court-admissible documentation.

Our forensic analysts image affected systems, reconstruct attacker activity from logs and artifacts, and produce a documented timeline of the breach. We preserve evidence in a format acceptable for legal proceedings, insurance claims, and regulatory investigations — protecting your organization from downstream liability.

Ransomware Response

Encryption Incident Management

Recover systems and data without paying the ransom — or make an informed decision if you must.

Ransomware response requires speed and precision. We identify the ransomware variant, assess decryption options, evaluate backup integrity, and manage recovery sequencing. When paying the ransom is unavoidable, we support the negotiation and cryptocurrency transaction process while maximizing the likelihood of functional decryption keys.

Recovery and Hardening

System Restoration and Security Uplift

Return to operations on a more secure foundation than you had before the incident.

Recovery is not just restoring backups. We validate backup integrity before restoration, rebuild compromised systems from clean images, and implement the security controls that would have prevented the breach. The post-incident environment is hardened — not just restored to its pre-breach vulnerable state.

Communication and Notification Support

Regulatory and Customer Communication

Meet legal notification obligations without creating additional liability.

Data breach notifications carry legal deadlines and evidentiary weight. Our team coordinates with your legal counsel to produce factually accurate breach scope assessments, supports the drafting of regulatory notifications to the HHS Office for Civil Rights under HIPAA, state attorneys general, and the SEC, and advises on customer communication timing and content.

Containment Strategy

Stop the Bleeding — Then Eliminate the Root Cause

Containment is not a single action. It is a sequence of coordinated steps executed to isolate affected systems without destroying the forensic evidence needed to understand the full scope of the breach. Move too fast and you destroy evidence. Move too slow and the attacker expands their foothold.

Our incident response team has built containment playbooks for ransomware, business email compromise, data exfiltration, and insider threats. Each playbook is adapted to your specific environment — your network architecture, your critical systems, your recovery time objectives.

Recovery is not complete when systems are restored. Recovery is complete when the root cause has been eliminated, the environment has been hardened against re-compromise, and your team understands what happened and why.

Containment Approaches We Deploy

Network Segmentation and Isolation

Isolating affected VLANs, subnets, or individual hosts to stop lateral movement while maintaining critical business operations on unaffected systems.

Identity and Credential Lockdown

Resetting compromised accounts, revoking active sessions, disabling suspicious service accounts, and enforcing MFA across the environment.

Command and Control Disruption

Identifying and blocking attacker C2 infrastructure at the DNS and network layer to sever the attacker's remote access to compromised systems.

Endpoint Isolation and Evidence Preservation

Isolating affected endpoints in a forensically sound manner: network containment rather than power-off where possible, with volatile memory captured before any shutdown, so that memory and disk state are preserved for investigation while further damage is prevented.

Communication Support

Breach Notification and Communication Support

How your organization communicates during and after a breach can be as consequential as the breach itself. Legal obligations, regulatory timelines, customer trust — all are in play simultaneously.

Breach scope assessment for regulatory notification thresholds
HIPAA breach notification to HHS Office for Civil Rights
State attorney general notifications under state breach laws
SEC material cybersecurity incident reporting support
Customer and employee notification letter review
Cyber insurance carrier breach notification coordination
Legal hold and evidence preservation guidance
Board and executive communication briefing support
Media statement review for factual accuracy
Recommended

IR Retainer

A retainer means we are already familiar with your environment when an incident occurs. Onboarding documentation, network diagrams, and critical system inventories are on file. Response starts in minutes, not hours.

  • Pre-onboarded environment documentation on file
  • Guaranteed response time SLA
  • Priority escalation ahead of ad hoc engagements
  • Quarterly tabletop exercises included
  • Lower hourly rates than ad hoc response
  • Proactive threat hunting included
Get a Retainer Quote

Ad Hoc Response

If you don't have a retainer in place and an incident occurs, we still respond. Ad hoc engagements begin with an emergency assessment call to scope the situation and deploy the appropriate resources.

  • No commitment required before an incident
  • Emergency assessment call initiated within hours
  • Full IR team mobilized based on scope
  • Written incident report delivered post-engagement
Report an Active Incident

Want to understand how ransomware attacks unfold?

Read our Ransomware Response Playbook →
Common Questions

Frequently Asked Questions

Questions organizations ask before — and during — an incident.

Ready to Secure Your Business?

Get a free security assessment and discover how Vigil Cyber can protect your organization for a fraction of the cost of building an internal team.

  • 24/7 SOC Coverage
  • <1hr Response Time
  • 99.9% Uptime SLA