Incident Response Intelligence Hub
Ransomware containment, BEC response, forensic investigation, and what to do in the first hours of a breach. Resources for IT teams, security leaders, and anyone who needs to respond — fast.
What Good Incident Response Looks Like
The first 24 hours of an incident set the trajectory for everything that follows. Decisions made under pressure — about what to shut down, who to call, whether to pay — have enormous long-term consequences for recovery time, legal exposure, insurance claims, and public disclosure obligations.
Effective incident response isn't improvised. It requires pre-agreed procedures, pre-approved access for your response team, and a forensic investigation that can answer the questions your lawyers, insurance carrier, and regulators will ask later: What was accessed? When did it start? Is the attacker still in the environment?
We publish here because understanding IR — even at a conceptual level — helps organizations make better decisions before, during, and after incidents. If you want a retainer so you're prepared before something happens, read about our IR retainer. If you're in an active incident, contact us now.
Latest IR Articles
2026 Cloud Detection Strategy: Moving Beyond Visibility to Actionable Risk Context
Cloud security is shifting from simple visibility to identity-centric risk context. Defenders must adapt detection strategies for cross-platform threats.
JanelaRAT (BX RAT Variant): Detection and Defense for Latin American Financial Institutions
JanelaRAT targets Brazilian banks with 14k+ attacks stealing financial data via keylogging and screen capture. Defend against this BX RAT variant.
Shadow AI in Healthcare: Strategies to Mitigate PHI Risks from Unauthorized AI Tools
Clinicians using unsanctioned AI expose patient data. Defenders must enforce governance and DLP to limit the blast radius.
REvil and GandCrab Attribution: Detecting TTPs of the UNKN Operation
German authorities identify 'UNKN' (Daniil Shchukin) as leader of REvil/GandCrab. Detect and remediate these ransomware TTPs.
Cookie-Controlled PHP Web Shells & Cron Persistence: Detection & Remediation
Attackers are evading detection by using HTTP cookies to control PHP web shells and establishing persistence via cron on Linux servers.
VA EHR Modernization Resumes: Security Hardening for Michigan Deployments
VA reactivates EHR Modernization at Michigan sites. Defenders must secure new interoperability gateways and data transfer protocols.
Intel: BYOVD Ransomware (Qilin/Warlock) & Storm-1175 Rapid Attacks — April 2026
Surge in ransomware using BYOVD to disable EDRs; Storm-1175 breaches networks in under 72 hours; Lynx and Lamashtu claim new victims.
Axios npm Supply Chain Attack: Detection and Incident Response for Versions 1.14.1 and 0.30.4
Axios npm versions 1.14.1 and 0.30.4 confirmed compromised. Immediate secret rotation and host containment required.
Frequently Asked Questions
Prepare for Incidents Before They Happen
IR retainer clients have pre-agreed SLAs and pre-approved access — so we can move immediately when an incident occurs.