§02·05 · Service · Incident triage & forensics support

If something looks wrong at 02:14 in the morning, write to us.

An on-call engagement model for the period between "we noticed something odd" and "we know what we are dealing with". We help you triage, contain without destroying evidence, preserve the artefacts that matter, and hand off to deeper specialists when scope demands it. Not a 24/7 SOC. Not a SaaS. A small set of operators on retainer or pay-as-you-go.

Investment · from €150/hr · retainer from €1,500/mo
Response window · Hours, not days
Scope · Triage & hand-off
Coverage · Web · Cloud · Email
Channels · Slack · Signal · PGP

§01 · Where we help

Four phases of a contained incident.

We do not replace a full IR firm. We help you avoid the most expensive mistake of an early incident — destroying the evidence you needed to scope the breach in the first place.

§01·01 · Initial triage

  • Define what you actually saw vs what you suspect
  • Triangulate scope across logs, alerts, customer reports
  • Identify the smallest set of additional signals that would resolve the unknowns
  • Decide whether the situation is an incident or an indicator

§01·02 · Containment guidance

  • Targeted containment that does not destroy forensic evidence
  • Credential / token revocation order without locking out remediation
  • Network isolation patterns that preserve the analyst's view
  • Communications guidance to internal stakeholders during early hours

§01·03 · Evidence preservation

  • Cloud account snapshot capture (volumes, instances, logs)
  • Memory and disk capture protocols when in scope
  • Chain-of-custody documentation that holds in subsequent legal review
  • Log retention extension where the default rotation would destroy evidence

§01·04 · Hand-off to specialists

  • Law-enforcement-grade forensics partners (warm referral, not cold lookup)
  • Counsel introduction for breach-notification jurisdictions
  • Insurer notification workflow
  • Customer-comms support if a public statement is required

§02 · What this is not

A clear boundary so the right help arrives.

When the situation is past the boundary below, we will tell you on the first call and warm-introduce a partner who actually does that work.

  • Not 24/7 SOC. We respond in hours during the business window of the EU or your timezone if pre-agreed; we do not operate a follow-the-sun NOC.
  • Not full DFIR. Once an incident requires full forensic acquisition, attribution work, or court-ready chain-of-custody beyond preservation, you need a dedicated firm — we help you choose and onboard one.
  • Not breach negotiation. Ransomware payment negotiation, threat-actor communications, and similar work are out of scope and out of our ethical comfort zone.
  • Not insurance arbitration. We document for your insurer's claims process; we do not represent you against them.

Get on the retainer list before you need it.

A small monthly fee buys you a known number to call and a known protocol to follow. Hourly engagement is available without retainer but the response window stretches in proportion.