Emergency Help - Available 24/7

IT Security Incident?
We help immediately.

Every minute counts during a cyberattack. Our experienced Incident Response Team is available around the clock to contain threats and minimize damage.

Immediate Steps During a Security Incident

Follow these steps while you wait for our team to respond.

1. Stay calm

Panic leads to mistakes. Take a deep breath and act systematically.

2. Isolate systems

Disconnect affected systems from the network, but do NOT power them off.

3. Preserve evidence

Do not modify anything on affected systems. Document everything with photos and notes.

4. Contact us

Call us immediately. Our Incident Response Team will take it from here.

Our Incident Response Process

Identification & Analysis

We analyze the incident, identify the attack vector, and determine the extent of the compromise across your infrastructure.

Containment

Immediate measures to contain the attack and prevent further damage to your systems and data.

Eradication

Removal of malware, closing security vulnerabilities, and thorough cleanup of all compromised systems.

Recovery

Secure restoration of your systems and data. Verification that all threats have been fully eliminated.

Documentation & Lessons Learned

Detailed report on the incident, measures taken, and recommendations to prevent future attacks.

Scenarios we see every day

The more precisely we can assess what kind of incident is unfolding, the faster the response runs. The following scenarios cover more than 80% of the emergency calls we receive from sectors such as manufacturing, trades, healthcare, municipalities, energy supply, logistics and financial services.

Ransomware & encrypted file servers

From construction companies to medical practices: typical vectors are exposed RDP services, compromised VPN access and opened phishing attachments. We isolate, secure forensic artefacts, assess the payment question with you and restore business capability in a prioritised way.

Business email compromise (BEC) & invoice fraud

Compromised Microsoft 365 mailboxes, manipulated SMTP rules, CEO-fraud schemes, fraudulent payment requests. We review MFA configuration, inspect audit and unified-audit logs, identify mailflow rules and support communication with banks and insurers.

Data exfiltration & GDPR notification

Exfiltration via cloud storage, USB media or API abuse. We assess the type, scope and sensitivity of affected data, support the 72-hour notification to the supervisory authority and help structure communications to affected individuals.

Compromised cloud & SaaS accounts

AWS, Azure or Google Cloud root accounts, tenants infiltrated via OAuth apps, token theft via info-stealers. We revoke sessions, rotate keys, review IAM policies and analyse CloudTrail and Entra ID logs for attacker traces.

Insider incidents & sabotage

Discreet departures with data exfiltration, disgruntled administrators, deliberate sabotage. We provide discreet forensics, legally usable documentation (considering labour law, criminal code and GDPR) and coordinated communication with HR, data protection and legal.

KRITIS / NIS2 notifiable incidents

For incidents notifiable under KRITIS, NIS2, the German Energy Act or BSIG, we walk you through all deadlines (24-hour early warning, 72-hour incident notification, 30-day final report), including the technical documentation required by the BSI and the supervisory authorities.

Frequently asked questions on incident response

The questions we hear most often in an emergency – answered concisely and honestly. For further questions you can reach us anytime via the emergency hotline.

How fast can you be operational remotely or on site in an emergency?

After your call you reach a qualified incident responder within fifteen minutes. Remote access for technical triage is typically active within one hour; on-site deployment in North Rhine-Westphalia, the Rhineland and the Ruhr area starts within four to eight hours depending on the time of day.

What does an incident-response engagement cost?

The first call including initial situation assessment is free of charge. We then work on a day-rate basis with transparent time budgets. For SMEs we recommend our incident-response retainer: a small monthly fee secures guaranteed response times and sets up the contractual and organisational basics up front.

Should we pay the ransom in a ransomware case?

We generally recommend examining all alternatives first: backups, decryption tools (e.g. via NoMoreRansom.org), legal advice, insurance requirements. Payment guarantees neither recovery nor confidentiality from the attacker and may be problematic under sanctions or tax law. We assess the situation with you in a structured way.

How do you document the incident in a legally usable way?

All forensic steps are logged, evidence is preserved according to recognised standards (BSI guide, NIST SP 800-86) and tracked with hashes and chain-of-custody. The final report is structured so that it can be used with supervisory authorities, insurers and, if necessary, in criminal proceedings.

Do you also support communication with customers, employees and authorities?

Yes. Together with our network of data protection officers and specialist lawyers we provide templates and expertise: GDPR notification, KRITIS/NIS2 notification, client communication, internal employee updates, press statements. You decide, we support.

What happens after the acute phase?

After containment and recovery we hand over a structured report including root-cause analysis, concrete hardening recommendations and a prioritised action list. On request we accompany implementation, set up a SOC/SIEM or build an incident-response plan so that you are clearly better prepared for the next incident.

Do you work with cyber insurers?

Yes. We are familiar with the processes of common cyber insurance policies (including Hiscox, Allianz, AIG, Chubb), meet evidence-preservation and documentation requirements and coordinate directly with your insurer or panel forensic provider when needed.

Emergency Hotline

Our Incident Response Team is available around the clock.

+49 (0) 2058 175 566 0