Incident response & crisis management

The incident ends. The business keeps running. The evidence holds.

When you call, a responder answers, and triage begins on that call: what to isolate, what to preserve, what not to touch. We contain the attack, evict the attacker, and get you operating again, working alongside your executives, IT and legal. Everything we do is forensically sound, so the findings stand up later: to your insurer, your regulator, or a court.

Call 1300 743 433Not urgent? Book a call about readiness instead.

What happens when you call.

You speak to a responder, not a call centre. On that first call we triage: the immediate containment moves, what evidence to preserve and how, what to say and not say internally. If we engage, work starts under an agreed scope with rates confirmed in writing first. We don’t take advantage of a bad night.

What we respond to

  • Ransomware and extortion
  • Business email compromise and payment redirection
  • Network intrusions and data theft
  • Insider incidents  →  insider investigations
  • AI-enabled fraud, including deepfake authorisation fraud  →  AI security
  • Industrial and OT incidents

How we work an incident.

  1. Triage and containment

    Stop the spread. Preserve the evidence. Stabilise.

  2. Investigation

    Establish what the attacker did, how they got in, and what they took. Forensic method throughout.

  3. Eviction and recovery

    Remove access, close the entry path, restore operations in priority order agreed with your leadership.

  4. Hardening and handover

    The re-compromise window is real. We close it, then hand you a plain-language account of what happened and what to change, in business terms your board can act on.

Regulatory relevance

  • SOCI Act: incident reporting obligations for critical infrastructure entities
  • Cyber Security Act 2024: ransomware payment reporting
  • OAIC: notifiable data breach scheme
  • Legal and insurance: evidence standards for proceedings and claims. We work these requirements alongside your counsel, and our forensic discipline means nothing we do compromises them.

Crisis management while we respond.

Containment is only half the incident. While our responders work the technical problem, your executives face a parallel one: what to tell the board, when to notify the insurer and the regulator, what staff and customers hear, and when silence becomes a decision of its own. We sit in that room too, in the breach-coach role, working alongside your counsel and your insurer so obligations, evidence and communications all point the same way.

The advice stays honest because it’s first-hand: the people briefing your executives are inside the investigation, so you hear what is actually known, what isn’t yet, which decisions can’t wait, like authorising containment and preserving evidence, and which must, like attribution and final numbers. Nothing arrives third-hand, and nothing gets dressed up.

Boards that have rehearsed this hour handle it better. Our tabletop exercises →

Questions we’re asked before the first call.

Do you work with our cyber insurer?

Yes. We understand policy requirements and work with insurers and brokers so the claim process runs on evidence, not argument.

We already have an IT provider. Do they get replaced?

No. Your IT team or MSP knows your environment; we know attackers. Incidents go best when both work together, and we’re used to leading that partnership.

What does it cost?

Scope and rates are agreed in writing before work begins, even at 2am. Retainer clients have pre-agreed rates and a response commitment. See the retainer.

What if we’re not sure it’s an incident?

Call. Triage on that first call costs you nothing and telling you “this looks benign, here’s what to check” is a fine outcome for both of us.

1300 SIEGED. Answered 24/7.

A responder picks up. Triage begins on the call.