Editorial standards · NIS2 / GDPR / DORA-aware · DFIR Assist platform · Free playbooks

Right now — before we arrive

If you suspect an active intrusion, the next 30 minutes matter. These are the actions to take (and avoid) before any responder — us or anyone else — engages.

Request emergency triage

Do not include logs, credentials, passwords, screenshots with personal data, malware samples, or sensitive evidence in this form. We will move to a secure channel (Signal / PGP) for those details after first contact.

Is an attacker active right now?

Form submissions reach our on-call team at [email protected]. We respond as fast as possible, 24/7. For active attacks, call +32 2 315 25 83.

What we do in the first 4 hours

These are the activities a ForgeWork response team executes in the opening window of an engagement. The clock starts when we accept the engagement and your designated contact is on the call with us.

Hour 0

Triage call, scope assessment, stop-the-bleeding actions

Secure call with your designated incident commander. We capture what is known, what systems are affected, what containment actions you have already taken, and the regulatory posture (NIS2 in scope? GDPR personal data? DORA?). We agree the immediate stop-the-bleeding actions: account lockouts, segment isolation, blocking known indicators. We move communication to an out-of-band channel that does not depend on potentially compromised infrastructure.

Hour 0 – 1

Secure evidence collection begins

We start structured artifact collection using DFIR Assist playbooks: memory captures from affected endpoints, EDR telemetry exports, cloud audit log pulls, identity provider logs, and network telemetry. Collection runs in parallel with containment — we do not wait for "the investigation to start" before we start preserving evidence, because attackers actively destroy it.

Hour 1 – 2

Containment plan + decision: isolate, monitor, or hunt

With initial scope visible, we present a containment decision: isolate (cut attacker access now, accepting that we may not yet see their full footprint), monitor (constrain lateral movement while observing to map scope), or hunt (active sweep across the estate for known indicators before showing our hand). Each path has trade-offs between security, evidence quality, and business continuity. We present those trade-offs in business terms; your leadership decides.

Hour 2 – 4

Forensic acquisition expands; regulatory clock guidance

Acquisition widens to additional endpoints, identity systems, and cloud tenants based on what triage surfaced. In parallel, we brief your legal team on the regulatory clock: under NIS2 the early-warning window is 24 hours from awareness; under GDPR Article 33 the supervisory-authority window is 72 hours; under DORA, financial entities have classification and notification obligations on a similar cadence. We provide the technical facts that feed those notifications.

Why ForgeWork

We do not claim customers we do not have. Here is what we do offer.

Methodology

Our engagements follow NIST SP 800-61 incident-handling phases (Preparation, Detection and Analysis, Containment / Eradication / Recovery, Post-Incident Activity), executed against structured playbooks for the incident classes we see most often: ransomware, business email compromise, cloud intrusion, malicious insider, and data exfiltration. Our writing standards and the discipline we hold ourselves to are documented on our Editorial standards page.

Tooling

Response engagements are executed on DFIR Assist, our digital forensics workflow platform. DFIR Assist gives our responders structured artifact playbooks, scripted collection routines, and a consistent investigation surface so that the work is reproducible and auditable rather than dependent on one engineer's memory.

Regulatory fluency

European incidents have non-negotiable regulatory clocks. We work alongside your legal counsel to support reporting under:

Practitioners' experience

Our practitioners have handled incidents across regulated sectors, including financial services, healthcare, manufacturing, and public-sector organizations, and bring that experience to ForgeWork engagements. We deliberately describe this in terms of practitioner experience rather than customer logos: ForgeWork is a young firm; the people in it are not.

What happens after the response

The end of the immediate crisis is not the end of the engagement. Useful response work continues after containment.

How we engage

We engage on emergency authorization or retainer. Emergency rates apply for active incidents; preventive engagements (retainer, readiness review, tabletop) are quoted per scope.

We do not publish a fixed price list, because incident scope is the dominant cost driver and a single "per-hour" or "per-incident" number would either over-promise or over-charge. Instead, we commit to honest scoping: after the initial triage call, you receive a written scope and rate sheet before substantive work begins. For active emergencies, work begins under an emergency authorization while the written scope is being prepared in parallel.

Retainer vs. emergency engagement

Retainer clients get pre-scoped access, lower rates, a guaranteed response window, and quarterly readiness checks. Emergency engagements have higher rates and depend on our availability when you call. If your organization has cyber insurance, check your policy — many insurers offer premium discounts or require an active IR retainer.

Common questions

We think we've been breached. What should we do right now?

See the checklist above. The short version: do not wipe, do not power off compromised hosts, preserve logs, write down what you saw and when, do not contact the attacker, notify legal and insurance. Then call us or fill in the triage form.

How fast does ForgeWork respond?

Our published target is first response as fast as possible, 24/7, for emergency engagements and retainer clients. The first-response clock starts when we receive your phone call or your emergency intake form. Retainer clients have a faster path to substantive action because procurement and access are pre-arranged.

Do we need to involve law enforcement?

Often yes. Many jurisdictions and regulations include mandatory reporting obligations that may involve law enforcement notification — NIS2, GDPR, and sector-specific frameworks each define their own requirements. Beyond legal obligations, law enforcement involvement can be useful: agencies like Europol's EC3 and national CERTs provide threat intelligence, coordinate with international partners, and support takedown operations. We advise on reporting obligations and facilitate coordination. We do not provide legal advice — that is your counsel's role.

Can you help with NIS2 / GDPR / DORA notification?

We provide the technical findings that feed regulatory notifications, and we work closely with your legal team to make sure the technical narrative is accurate, complete, and meets regulator expectations. We have supported notifications under NIS2 (24h early warning, 72h notification), GDPR Article 33 (72h personal-data-breach notification), and DORA incident classification for financial entities.

What if we don't have an incident response plan?

Many organizations that contact us during an incident don't have a formal plan. We bring the methodology, structure, and experience to guide the response regardless. After the incident, developing and testing an IR plan should be a priority — and is one area where our proactive engagements (tabletop exercises, readiness reviews) can help.

Related resources

Active incident? Call now.

Phone is fastest. The intake form is fine for triage when an attacker is not actively moving. First response as fast as possible, 24/7.