24/7 Incident Response & Digital Forensics for European Organizations
If your organization is facing ransomware, account compromise, data theft, cloud intrusion, or active attacker activity, ForgeWork helps you contain the incident, preserve evidence, investigate root cause, support regulatory reporting, and guide recovery.
First response as fast as possible, 24/7. Phone is fastest for active attacks. The intake form below is fine for triage when an attacker is not actively moving.
Editorial standards · NIS2 / GDPR / DORA-aware · DFIR Assist platform · Free playbooks
Right now — before we arrive
If you suspect an active intrusion, the next 30 minutes matter. These are the actions to take (and avoid) before any responder — us or anyone else — engages.
- Do not wipe affected systems. Reimaging or restoring from backup before forensic collection destroys the evidence we need to find the root cause.
- Disconnect compromised hosts from the network, but do not power them off. Pulling the network cable (or disabling Wi-Fi / disabling the virtual NIC) stops attacker activity while preserving volatile memory evidence.
- Preserve logs. Windows Event Logs, EDR telemetry, cloud audit logs (AWS CloudTrail, Azure Activity, M365 Unified Audit), firewall, and email gateway. Many of these have short default retention — extend retention now if you can.
- Note the exact time of detection and the indicators you observed. A short, time-stamped written log of what you saw and what you did is more useful than memory two days into a response.
- Restrict admin credential use; rotate them after triage. Avoid logging in to compromised systems with privileged accounts — assume credential theft is in scope until proven otherwise.
- Avoid contacting the attacker until you have a plan. Early or uncoordinated communication can accelerate destructive action or weaken negotiation posture.
- Notify your legal counsel and your cyber insurer. Do not delay. Many policies require prompt notification, and counsel needs to be in the loop before regulatory clocks (NIS2 24h, GDPR 72h) start running.
What we do in the first 4 hours
These are the activities a ForgeWork response team executes in the opening window of an engagement. The clock starts when we accept the engagement and your designated contact is on the call with us.
Triage call, scope assessment, stop-the-bleeding actions
Secure call with your designated incident commander. We capture what is known, what systems are affected, what containment actions you have already taken, and the regulatory posture (NIS2 in scope? GDPR personal data? DORA?). We agree the immediate stop-the-bleeding actions: account lockouts, segment isolation, blocking known indicators. We move communication to an out-of-band channel that does not depend on potentially compromised infrastructure.
Secure evidence collection begins
We start structured artifact collection using DFIR Assist playbooks: memory captures from affected endpoints, EDR telemetry exports, cloud audit log pulls, identity provider logs, and network telemetry. Collection runs in parallel with containment — we do not wait for "the investigation to start" before we start preserving evidence, because attackers actively destroy it.
Containment plan + decision: isolate, monitor, or hunt
With initial scope visible, we present a containment decision: isolate (cut attacker access now, accepting that we may not yet see their full footprint), monitor (constrain lateral movement while observing to map scope), or hunt (active sweep across the estate for known indicators before showing our hand). Each path has trade-offs between security, evidence quality, and business continuity. We present those trade-offs in business terms; your leadership decides.
Forensic acquisition expands; regulatory clock guidance
Acquisition widens to additional endpoints, identity systems, and cloud tenants based on what triage surfaced. In parallel, we brief your legal team on the regulatory clock: under NIS2 the early-warning window is 24 hours from awareness; under GDPR Article 33 the supervisory-authority window is 72 hours; under DORA, financial entities have classification and notification obligations on a similar cadence. We provide the technical facts that feed those notifications.
Why ForgeWork
We do not claim customers we do not have. Here is what we do offer.
Methodology
Our engagements follow NIST SP 800-61 incident-handling phases (Preparation, Detection and Analysis, Containment / Eradication / Recovery, Post-Incident Activity), executed against structured playbooks for the incident classes we see most often: ransomware, business email compromise, cloud intrusion, malicious insider, and data exfiltration. Our writing standards and the discipline we hold ourselves to are documented on our Editorial standards page.
Tooling
Response engagements are executed on DFIR Assist, our digital forensics workflow platform. DFIR Assist gives our responders structured artifact playbooks, scripted collection routines, and a consistent investigation surface so that the work is reproducible and auditable rather than dependent on one engineer's memory.
Regulatory fluency
European incidents have non-negotiable regulatory clocks. We work alongside your legal counsel to support reporting under:
- NIS2 Directive — early warning within 24 hours of awareness; full incident notification within 72 hours; final report within one month. (See our explainer: NIS2 and incident response.)
- GDPR Article 33 — notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.
- DORA — incident classification and reporting obligations for financial entities, including major-incident notification to competent authorities.
Practitioners' experience
Our practitioners have handled incidents across regulated sectors, including financial services, healthcare, manufacturing, and public-sector organizations, and bring that experience to ForgeWork engagements. We deliberately describe this in terms of practitioner experience rather than customer logos: ForgeWork is a young firm; the people in it are not.
What happens after the response
The end of the immediate crisis is not the end of the engagement. Useful response work continues after containment.
- Forensic report. Technical findings, attack timeline, attacker actions reconstructed from evidence, indicators of compromise (IOCs), and root-cause analysis. Structured for executives, technical teams, legal counsel, and regulators.
- Recovery & hardening recommendations. Prioritized, scoped, dated. Not a generic checklist — recommendations are specific to what the attacker did and what your environment looked like.
- Tabletop exercise to rehearse next time. A facilitated walk-through of a realistic scenario based on what we just saw, so your team executes the response better the second time.
- DFIR Assist workflows for your team. Where appropriate, the artifact playbooks and investigation workflows we used are made available to your internal team so future first-response work moves faster.
How we engage
We engage on emergency authorization or retainer. Emergency rates apply for active incidents; preventive engagements (retainer, readiness review, tabletop) are quoted per scope.
We do not publish a fixed price list, because incident scope is the dominant cost driver and a single "per-hour" or "per-incident" number would either over-promise or over-charge. Instead, we commit to honest scoping: after the initial triage call, you receive a written scope and rate sheet before substantive work begins. For active emergencies, work begins under an emergency authorization while the written scope is being prepared in parallel.
Retainer vs. emergency engagement
Retainer clients get pre-scoped access, lower rates, a guaranteed response window, and quarterly readiness checks. Emergency engagements have higher rates and depend on our availability when you call. If your organization has cyber insurance, check your policy — many insurers offer premium discounts or require an active IR retainer.
Common questions
We think we've been breached. What should we do right now?
See the checklist above. The short version: do not wipe, do not power off compromised hosts, preserve logs, write down what you saw and when, do not contact the attacker, notify legal and insurance. Then call us or fill in the triage form.
How fast does ForgeWork respond?
Our published target is first response as fast as possible, 24/7, for emergency engagements and retainer clients. The first-response clock starts when we receive your phone call or your emergency intake form. Retainer clients have a faster path to substantive action because procurement and access are pre-arranged.
Do we need to involve law enforcement?
Often yes. Many jurisdictions and regulations include mandatory reporting obligations that may involve law enforcement notification — NIS2, GDPR, and sector-specific frameworks each define their own requirements. Beyond legal obligations, law enforcement involvement can be useful: agencies like Europol's EC3 and national CERTs provide threat intelligence, coordinate with international partners, and support takedown operations. We advise on reporting obligations and facilitate coordination. We do not provide legal advice — that is your counsel's role.
Can you help with NIS2 / GDPR / DORA notification?
We provide the technical findings that feed regulatory notifications, and we work closely with your legal team to make sure the technical narrative is accurate, complete, and meets regulator expectations. We have supported notifications under NIS2 (24h early warning, 72h notification), GDPR Article 33 (72h personal-data-breach notification), and DORA incident classification for financial entities.
What if we don't have an incident response plan?
Many organizations that contact us during an incident don't have a formal plan. We bring the methodology, structure, and experience to guide the response regardless. After the incident, developing and testing an IR plan should be a priority — and is one area where our proactive engagements (tabletop exercises, readiness reviews) can help.
Related resources
- Ransomware Response: The First 60 Minutes — practical guide to the critical first hour after a ransomware detection.
- Why your incident response plan matters — the case for investing in preparation before a crisis hits.
- NIS2 and incident response — what the 24h and 72h windows actually require.
- Incident response checklist — downloadable checklist for the first 24 hours of an incident.
- DFIR Assist — ForgeWork's digital forensics workflow platform.
- Editorial standards — how we write, what we will and will not claim.
Active incident? Call now.
Phone is fastest. The intake form is fine for triage when an attacker is not actively moving. First response as fast as possible, 24/7.