Under attack right now?
Reach us before you read on. Every minute shortens the recovery, and the first hour decides whether this stays an event or becomes a headline.
Not your bad day yet? Good. The rest of this page is how the response works, and how to be ready before one comes.
In the first hour of a breach, the difference between a contained event and a headline is how fast someone who knows what they are doing takes control. We are that team, and we move immediately.
Our responders combine the iTDC's speed with deep forensic experience. We contain the active threat, preserve the evidence, work out exactly what happened, and bring you back to safe operations. Then we close the gap that let it in, so the same door does not open twice.
What happens after you press send
Your message is read
URGENT subject lines route straight to the on-call Principal Engineer. No queue, no ticket form.
Triage call
What you are seeing, what changed, and what is at risk. You leave the call knowing what to protect and what to leave untouched.
Access and evidence
Scoped access is granted, evidence preservation begins, and containment options are weighed against your operations.
Containment in motion
A named lead, a working channel, and the first containment steps agreed and moving. The clock starts working for you.
A representative first hour. The actual sequence depends on access and the incident.
Five phases, run in parallel where speed demands it
A disciplined process built on established incident response practice, compressed by AI-assisted investigation so containment and understanding happen together.
Identify
Confirm the incident, scope the blast radius, and stand up the response.
Contain
Cut the attacker's access and stop the spread, with your operations in the loop.
Eradicate
Remove the foothold, close the entry path, and verify the threat is gone.
Recover
Bring systems back safely from clean state, watching for any return.
Learn
A clear account of what happened, and the fixes that stop a repeat.
Calm, fast, and on the record
Speed when it matters
We engage immediately and work the first hours hard, because that is when containment is won or lost.
Evidence preserved
We contain without destroying the forensic trail, so you keep your options for legal, insurance, and disclosure.
Clear communication
Plain updates your leadership, Board, and regulators can act on, with no jargon and no spin.
Ready before, stronger after
Incident response is sharpest when it does not start cold, and it is wasted if nothing changes afterward.
Response retainer
Pre-agreed terms, guaranteed response times, and a team that already knows your environment, so engagement is instant.
Tabletop exercises
Rehearse the bad day before it happens, so your team moves with practiced calm under pressure.
Digital forensics
The deep investigation into how the attacker got in and what they touched, run by our DFIR practice.
Hardening after
The gap that let them in gets closed, and the lessons flow into your ongoing defenses.
Where IR sits in VIGILE
Implement the response, Learn the lesson
Incident Response is the Implement and Learn motions under pressure. We contain and recover, then every finding feeds back into the loop so your posture climbs from the incident rather than just surviving it.
Top 10 questions, frequently asked
Contact us immediately at contact@stfox.com with URGENT in the subject, and avoid wiping or rebuilding systems before we speak, because that can destroy the evidence we need. We will engage fast, help you contain the immediate threat, and preserve the forensic trail.
No. We respond to new incidents as well as retained clients. That said, a retainer means we already know your environment and the paperwork is done, so engagement is instant. For many teams that head start is worth it.
Yes. We preserve evidence to the standard those processes require and provide clear, documented findings. We work alongside your counsel and insurer so the response supports your legal and coverage position rather than complicating it.
You get a clear account of what happened and a set of fixes that close the gap. Many clients then move to ongoing Managed Detection and Response so the next threat is caught earlier, and rehearse with tabletop exercises so the team is ready.
Immediately on contact for triage and scoping, with hands-on response following as access is granted. Mid-breach messages to contact@stfox.com with URGENT in the subject are read first.
A point of contact with authority, access to the affected environment, and whatever logs exist. Everything else, including the containment plan, is built from there.
Yes, and it is the normal mode: your team knows the environment, ours knows the adversary playbook. Roles are agreed in the first hour so nobody duplicates or destroys evidence.
Containment steps are chosen with evidence preservation in mind, and DFIR runs alongside response. Disk, memory, and logs are imaged before rebuild wherever the situation allows.
Guaranteed response times, pre-agreed access and legal terms, an onboarding that maps your environment in advance, and readiness exercises so the first hour of a real incident is rehearsed.
Response is Implement under pressure, and every incident feeds Learn: detections tuned, gaps closed, and the playbook sharpened for the next one.
Related services
Digital Forensics (DFIR)
The deep investigation into how it happened and what was touched.
Managed Detection and Response
Catch the next one earlier, before it becomes an incident.
Cyber Resilience & Continuity Validation
Rehearse the bad day so the real one goes better.
Do not face it alone
Whether you are mid-incident or preparing for the day one comes, talk to a Principal Engineer now.