Frequently Asked Questions

ForgeWork is a cybersecurity consultancy and engineering firm based in Belgium. We provide four core services: incident response, threat assessment, security engineering, and training and exercises. Alongside our consulting work, we develop purpose-built security tools including DFIR Assist for incident response operations, the Malware Analysis Academy for analyst training, and IR TTX Training for tabletop exercises. Everything we build originates from needs we identified during real client engagements, and every tool is field-tested before release.

ForgeWork is headquartered in Belgium. We work primarily with organizations across Europe, though our services and platforms are available globally. For incident response engagements, we maintain the ability to deploy both remotely and on-site depending on the nature of the incident and the client's location. Our training platforms are accessible from anywhere with an internet connection, and we have supported teams across North America, the Middle East, and the Asia-Pacific region.

We serve organizations across five primary sectors: government, financial services, healthcare, technology, and critical infrastructure. These are industries where security failures carry significant consequences, whether regulatory, financial, or related to public safety. Our team brings sector-specific knowledge to every engagement, understanding not just the technical challenges but also the regulatory frameworks and operational constraints that shape security decisions in each industry. You can learn more about our approach on our About page.

You can reach us through the contact form on our website or by emailing [email protected]. For active security incidents requiring urgent assistance, use the emergency contact option on our homepage. We monitor the emergency channel around the clock and maintain a response SLA of under four hours. For general inquiries about services, training, or partnerships, we typically respond within one business day.

Yes. While we are based in Belgium and the majority of our consulting engagements are with European organizations, we regularly work with clients in other regions. Remote incident response and threat assessment work can be conducted effectively across geographies. Our training platforms — DFIR Assist, Malware Analysis Academy, and IR TTX Training — are used by teams worldwide with no geographic restrictions. For on-site work outside Europe, we evaluate each request individually and can typically accommodate engagements with sufficient lead time.

When you report an incident, our team immediately initiates a structured triage process. Within minutes, a senior responder will contact you to understand the scope, gather initial indicators, and begin coordinating the response. We prioritize containment to stop ongoing damage, then move into evidence preservation and forensic investigation. Throughout the engagement, you will have a dedicated point of contact and receive regular status updates. We follow a disciplined methodology covering containment, evidence collection, root cause analysis, eradication, and recovery. Learn more about our incident response services.

We maintain a response SLA of under four hours, with 24/7 availability. For retainer clients, initial contact from a senior responder typically occurs within thirty minutes to one hour of the incident being reported. Our team operates around the clock, so the time of day or day of the week does not affect our response time. For organizations that need guaranteed rapid response, we recommend an IR retainer agreement, which ensures pre-allocated capacity and pre-established access to your environment. Contact us to discuss retainer options.

Yes, when appropriate and with your authorization. We have experience coordinating with law enforcement agencies across multiple jurisdictions, including national cyber crime units and CERT teams. We understand the evidentiary standards required for criminal proceedings and maintain forensic chain of custody throughout our investigations to ensure that evidence is admissible if prosecution is pursued. The decision to involve law enforcement is always yours. We will advise you on the implications and help facilitate the process if you choose to proceed.

An IR retainer is a pre-arranged agreement that guarantees you priority access to our incident response team when a security event occurs. Without a retainer, response times depend on team availability at the moment you call. With a retainer, you get a guaranteed SLA, pre-established communication channels, pre-authorized access procedures, and a team that already understands your environment. Retainers also typically include proactive services such as annual readiness assessments and tabletop exercises. Organizations in high-risk sectors or those handling sensitive data benefit most from this arrangement. Reach out to learn more.

Every incident response engagement concludes with a comprehensive report that includes a detailed timeline of the incident, technical findings from the forensic investigation, root cause analysis, a complete list of indicators of compromise, and prioritized remediation recommendations. We also provide an executive summary suitable for board-level communication. For retainer clients, we include trend analysis across engagements and strategic recommendations for improving your security posture. All reports are written to be actionable, with clear next steps your team can implement immediately.

A vulnerability assessment is a broad scan of your environment to identify known weaknesses in systems, configurations, and software versions. It prioritizes coverage and provides a comprehensive inventory of potential issues. A penetration test goes deeper: our operators actively attempt to exploit vulnerabilities, chain findings together, and demonstrate the real-world impact of security gaps. Penetration testing answers the question "what can an attacker actually achieve?" rather than just "what vulnerabilities exist?" Most organizations benefit from both. Learn more about our threat assessment services.

The right frequency depends on your risk profile, regulatory requirements, and rate of change. As a general guideline, we recommend vulnerability assessments quarterly, penetration testing annually at minimum, and security architecture reviews whenever significant infrastructure changes occur. Organizations in highly regulated industries such as financial services or healthcare may need more frequent assessments to satisfy compliance requirements. We also recommend ad-hoc assessments after major changes like cloud migrations, mergers, or new product launches. Contact us to discuss a testing cadence that matches your needs.

A security architecture review is a thorough examination of your infrastructure design, network segmentation, identity and access management, data flows, and security control placement. We analyze how your systems are interconnected, where trust boundaries exist, and whether your defenses are appropriately layered to detect and contain threats. The review includes documentation analysis, stakeholder interviews, technical inspection of configurations, and threat modeling against your specific risk landscape. The output is a detailed report with architectural recommendations prioritized by risk and implementation effort. See our security engineering services for more details.

Yes. We believe that identifying problems without helping solve them delivers incomplete value. After every assessment, we offer remediation support ranging from advisory guidance to hands-on implementation. Our security engineering team can work alongside your staff to fix vulnerabilities, harden configurations, improve detection capabilities, and implement architectural changes recommended in the assessment. We also provide verification testing after remediation to confirm that issues have been properly addressed. This end-to-end approach is part of our commitment to knowledge transfer and lasting improvement.

Yes. While we are not a compliance-only firm, many of our services directly support compliance objectives. Our threat assessments, security architecture reviews, and incident response capabilities align with requirements under NIS2, ISO 27001, GDPR, and sector-specific regulations. We help organizations build security programs that satisfy regulatory requirements as a natural outcome of good security practice, rather than treating compliance as a standalone checkbox exercise. If you need specific gap analysis against a regulatory framework, reach out and our team can scope an engagement tailored to your compliance needs.

A tabletop exercise is a facilitated discussion-based session where your team walks through a simulated security incident scenario. Participants respond to evolving situation updates, make decisions, communicate across roles, and work through the challenges of incident management without the pressure of a real event. TTX sessions reveal gaps in your incident response plans, communication procedures, and decision-making processes before a real incident exposes them. Our tabletop exercises through IR TTX Training are role-based and scored across five dimensions, providing measurable outcomes rather than just qualitative observations.

The ideal group size depends on the scope and objectives of the exercise. For technical incident response exercises focused on the security team, groups of eight to fifteen participants work well. For broader organizational exercises that include executive leadership, legal, communications, and IT operations, groups of fifteen to thirty are common. Larger exercises can be effective with proper facilitation, but we generally recommend keeping groups small enough that every participant is actively engaged rather than observing passively. We can advise on the right composition based on your specific training objectives.

Absolutely. Customization is central to how we design training and exercises. For tabletop exercises, we build scenarios based on threats relevant to your industry, your infrastructure, and your specific risk landscape. For technical training, we can tailor content to match your team's skill level, the tools they use, and the types of threats they are most likely to encounter. Custom training engagements begin with a scoping conversation where we understand your objectives, assess your team's current capabilities, and design a program that addresses your specific gaps. Contact us to start the conversation.

The Malware Analysis Academy is designed to serve analysts across a range of skill levels, from those who are new to malware analysis through to experienced practitioners looking to deepen specific skills. The platform's six learning paths are structured progressively, starting with foundational concepts like file format analysis and basic static techniques, and advancing through dynamic analysis, reverse engineering, automation scripting, and advanced persistent threat analysis. Each module clearly indicates its prerequisites, so analysts can enter the curriculum at the point that matches their current ability.

Yes. We offer on-site training for organizations that prefer in-person delivery. On-site sessions are particularly effective for tabletop exercises, where face-to-face interaction enhances the realism of the scenario, and for hands-on technical training where instructors can provide direct support. On-site training is available across Europe, and we can accommodate requests in other regions on a case-by-case basis. We also offer remote training delivery for teams that are distributed or prefer virtual formats. Many clients use a combination of both approaches. Get in touch to discuss your preferred format.

DFIR Assist is our incident response platform, designed to bring structure, speed, and consistency to the way teams handle security incidents. The platform provides over forty pre-built runbooks for common incident types, evidence tracking with chain-of-custody documentation, automated artifact collection workflows, and collaborative investigation workspaces. It was built by our own incident responders to solve the coordination and process challenges they encountered during real engagements. DFIR Assist is used by both our internal team and external organizations managing their own incident response operations.

The Malware Analysis Academy is a structured online training platform offering six learning paths containing more than eighteen in-depth modules and over twenty-five reference cheatsheets. Each module combines theoretical instruction, tool demonstrations, and hands-on practical exercises using real-world malware samples in controlled environments. Analysts progress through modules at their own pace, with each learning path building systematically on the skills developed in previous ones. The platform tracks progress and provides practical assessments to validate skill acquisition. Teams can use it for onboarding new analysts or upskilling existing staff.

5D scoring is the structured evaluation framework used during tabletop exercises on the IR TTX Training platform. The five dimensions are: detection (how quickly and accurately the team identifies the threat), decision-making (quality and timeliness of decisions under pressure), communication (clarity and effectiveness of information sharing), coordination (how well different roles and teams work together), and containment (effectiveness of actions taken to limit the incident's impact). Each dimension is scored during the exercise, producing quantitative metrics that teams can track over multiple sessions to measure improvement.

It depends on the platform. IR TTX Training is designed for participants across all levels of technical ability, including executives, managers, legal counsel, and communications staff, as well as technical responders. No coding or security expertise is required to participate in a tabletop exercise. The Malware Analysis Academy, however, is a technical training platform. While its foundational modules are accessible to those with basic IT knowledge, the more advanced learning paths assume familiarity with operating systems, networking, and programming fundamentals. DFIR Assist is intended for incident response practitioners with existing technical skills.

Yes, all three platforms are designed with team use in mind. IR TTX Training is inherently a team activity, with role-based scenarios that require multiple participants working together. The Malware Analysis Academy supports team licensing with progress tracking and reporting features that let managers monitor skill development across their analyst team. DFIR Assist includes collaborative investigation workspaces where multiple responders can work on the same incident simultaneously. For organizations looking to build or scale their security capabilities, our platforms provide a structured foundation for team-wide development.

Data security during engagements is a responsibility we take extremely seriously. All client data is handled according to strict protocols that include encryption in transit and at rest, access controls limited to the engagement team, and defined retention and destruction schedules. For incident response work, we maintain forensic chain of custody throughout the investigation. We operate in compliance with GDPR and applicable data protection regulations. Sensitive findings are communicated through encrypted channels, and all engagement data is securely destroyed after the agreed retention period. Read our full privacy policy for details.

Yes. We sign non-disclosure agreements as standard practice before any engagement begins. We understand that security work requires access to sensitive information about your environment, vulnerabilities, and incident details, and we treat that trust with the gravity it deserves. We are happy to work with your standard NDA or to provide ours for review. For incident response retainer clients, the NDA is established as part of the retainer agreement so that no time is lost on paperwork when an urgent incident occurs. Contact us to begin the process.

Our data protection policy is grounded in GDPR compliance and the principle of data minimization. We collect and process only the data necessary to deliver the services you have engaged us for. Personal data is protected with appropriate technical and organizational measures, and we maintain clear records of processing activities. We do not share client data with third parties unless required by law or explicitly authorized by the client. Our full privacy policy details your rights regarding data access, correction, and deletion. We are transparent about our practices and welcome questions about how we protect your information.