24/7 Emergency Response
Active Cyber Incident?
Our incident response team is available 24/7/365. Call now — every minute matters.
1 (866) 400-DFIRFollow the steps below while our team is en route.
Immediate Actions
Critical First Steps
Take these immediate actions while waiting for our response team. Every decision in the first minutes of an incident affects your recovery.
DO NOT:
- Do NOT power down affected computers — this destroys valuable volatile memory evidence
- Do NOT delete or rename any files — this can destroy evidence, compromise investigation, and make file restoration impossible
- Do NOT attempt to "clean" or run anti-virus software — this can alter evidence and system state, potentially making file recovery impossible
- Do NOT restore from backups without professional guidance — this can overwrite evidence and potentially destroy any chance of recovering affected files
- Do NOT stop a running encryptor — interrupting the encryption process could leave files in an incomplete state, making restoration impossible
DO:
- Disconnect affected systems from the network immediately (unplug network cables / disable Wi-Fi)
- Document any unusual behavior, error messages, or system changes
- Take photos of any error messages or unusual screens
- Identify and isolate any other potentially affected systems
- Keep affected systems powered ON unless specifically instructed otherwise
Preparation
Information to Gather
While waiting for our response team, please gather the following information if readily available.
Incident Timeline
- When the incident was first noticed (exact date and time if possible)
- What symptoms or unusual behavior were observed
- Any recent changes or updates to affected systems
System Details
- Number and types of systems affected (servers, workstations, mobile devices)
- Hardware specifications including makes, models, and serial numbers of affected devices
- Network configuration and connectivity status of affected systems
Organization Information
- Total number of users in the organization and number of affected users
- Number of physical locations and which ones are affected
- Inventory of potentially compromised accounts (usernames, email addresses, affected systems)
- List of accounts that may need immediate credential changes
Business Impact
- Critical business functions or services currently affected
- Types of data potentially at risk (customer data, financial records, intellectual property)
- Estimated business impact and operational disruption level
Contact
Alternative Contact Methods
Secure Email
For non-urgent communication or to send documentation related to the incident.
[email protected]