Incident Response

24/7 breach containment. Forensic triage. Rapid recovery.

Incident response is the organized approach to detecting, containing, eradicating and recovering from cybersecurity breaches. Sherlock Forensics provides 24/7 incident response for mid-market organizations across Vancouver and British Columbia, covering ransomware, business email compromise, AI-generated phishing campaigns, deepfake social engineering, LLM data exfiltration and nation-state intrusions with NIST SP 800-61 aligned methodology.

When a breach occurs, response time determines outcome. Our incident response team provides immediate containment, forensic evidence preservation, root cause analysis and coordinated recovery - minimizing business disruption while building the evidentiary record needed for legal, regulatory and insurance proceedings.

  • 24/7 incident hotline
  • <1hr retainer SLA
  • 20+ years DFIR experience

Capabilities

Incident Response Services

01 - Triage

Rapid Triage & Containment

Immediate assessment of scope, threat actor presence and active data exfiltration. Network isolation, endpoint quarantine and credential rotation to stop the bleeding.

02 - Ransomware

Ransomware Response

Variant identification, encryption analysis, decryption feasibility assessment, backup integrity verification and coordinated recovery. We help you evaluate all options before making payment decisions.

03 - BEC

Business Email Compromise

Investigation of compromised email accounts, mail flow analysis, forwarding rule detection and scope-of-access determination. Identification of accessed data and fraudulent transactions.

04 - Forensics

Digital Forensic Investigation

Forensic imaging, log analysis, memory forensics and malware analysis to determine the attack vector, dwell time, lateral movement and extent of compromise.

05 - Recovery

Recovery Coordination

System rebuilding, data restoration from clean backups, environment hardening and phased return to production. Coordination with IT, legal and executive teams throughout recovery.

06 - Post-Incident

Post-Incident Analysis

Root cause documentation, lessons learned, control gap identification and remediation roadmap. Breach notification support for PIPEDA, BC FIPPA and sector-specific regulations.

Threat Landscape

Common Incident Types

Incident Type | Indicators | Response Priority
Ransomware | Encrypted files, ransom notes, service disruption | Critical - immediate containment
Business Email Compromise | Unauthorized mail rules, wire fraud attempts | High - time-sensitive financial exposure
Data Exfiltration | Unusual outbound traffic, large data transfers | Critical - active data loss
Insider Threat | Unauthorized access, privilege abuse | High - evidence preservation critical
Supply Chain Compromise | Malicious updates, compromised vendor access | Critical - scope assessment required
Deepfake Social Engineering | Fabricated video/audio, voice clone fraud, synthetic identity impersonation | High - authentication verification, media forensics
AI-Generated Phishing | Highly personalized lures, flawless language, scaled spear-phishing campaigns | High - pattern analysis, sender authentication
LLM Data Exfiltration | Sensitive data leakage via AI assistants, prompt injection to extract training data or internal documents | Critical - immediate access revocation, scope assessment
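As a defender-side illustration of the "unauthorized mail rules" indicator above and the forwarding-rule detection described under Business Email Compromise, here is an added Python example (not Sherlock Forensics' tooling) that flags BEC-style inbox rules in constructed audit records. The record format, `example.com` as the organisation's own mail domain, and the keyword and folder lists are assumptions made for the example.

```python
# Constructed sample audit records (not real logs). The shape loosely follows
# Exchange Online mailbox-audit entries for inbox-rule cmdlets, but the field
# names are an assumption for this example, not a documented schema.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "finance.backup@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com", "ClientIP": "198.51.100.4",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"Operation": "Set-InboxRule", "UserId": "ceo@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive"}  # rarely opened
FINANCE_WORDS = {"invoice", "wire", "payment", "bank"}

def is_external(address: str, internal_domains: set[str]) -> bool:
    # True when the address's domain is not one of the organisation's own mail domains.
    return address.rsplit("@", 1)[-1].strip().lower() not in internal_domains

def find_suspicious_rules(events: list[dict], internal_domains: set[str]) -> list[dict]:
    # One finding per inbox-rule event that shows BEC-style behaviour; benign rules yield none.
    findings = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPS:
            continue  # only rule creation/modification is of interest here
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        reasons = []
        for key in sorted(FORWARD_PARAMS & params.keys()):
            ext = [t.strip() for t in params[key].split(";") if t.strip() and is_external(t, internal_domains)]
            if ext:
                reasons.append(f"{key} sends mail to external address(es) {ext}")
        if HIDE_PARAMS & params.keys():
            reasons.append("rule hides messages via " + ", ".join(sorted(HIDE_PARAMS & params.keys())))
        if params.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS:
            reasons.append(f"moves mail to rarely viewed folder {params['MoveToFolder']!r}")
        words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";")}
        if words & FINANCE_WORDS:
            reasons.append("filters on finance keywords " + ", ".join(sorted(words & FINANCE_WORDS)))
        if "Name" in params and len(params["Name"].strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"user": ev.get("UserId"), "ip": ev.get("ClientIP"),
                             "operation": ev["Operation"], "reasons": reasons})
    return findings
```

Running `find_suspicious_rules(SAMPLE_EVENTS, {"example.com"})` flags the CFO and CEO rules and ignores the benign accounts-payable rule; each finding carries the reasons so an examiner can triage it.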

Incident Response Retainer

Preparation beats panic.

An incident response retainer gives you a pre-negotiated engagement framework so that when a breach occurs, the response begins immediately - not after contract negotiations, scope discussions and procurement cycles.

  • 1-hour initial triage SLA, 4-hour response SLA
  • Pre-established legal framework and NDA
  • Environment familiarization and playbook development
  • Unused hours applicable to pen tests or risk assessments
  • Priority access to forensic examiners - guaranteed availability

Frequently Asked Questions

Incident Response FAQs

What is incident response?
Incident response is the organized approach to addressing cybersecurity breaches - detection, containment, eradication, recovery and post-incident analysis. We follow the NIST SP 800-61 incident response framework to minimize disruption and preserve evidence.

How quickly can Sherlock Forensics respond to an incident?
We provide 24/7 incident response. Retainer clients receive 1-hour initial triage and 4-hour response SLAs. Non-retainer engagements begin triage within 2-4 hours of initial contact. Call 604.229.1994 for immediate assistance.

What should we do if we suspect a ransomware attack?
Immediately isolate affected systems from the network - do not power them off, as volatile memory contains critical evidence. Do not negotiate with attackers or pay ransom without professional guidance. Document what you see, preserve logs and call our incident response line. Refer to CISA StopRansomware for additional guidance.

What is an incident response retainer?
A retainer is a pre-negotiated agreement guaranteeing priority response. Benefits include reduced response times, pre-established legal frameworks, environment familiarity and predictable pricing during a crisis. Unused hours can be applied to proactive services like pen testing or risk assessments.

Does Sherlock Forensics help with regulatory notification?
Yes. We assist with breach notification under PIPEDA, BC FIPPA and sector-specific regulations. Our post-incident reports document compromise scope, affected data and remediation actions for the Office of the Privacy Commissioner of Canada.

Get Started

Under attack right now?

For non-emergency assessments, order a security audit online.

Active Incident? Call Immediately.

Our incident response team is available 24/7. Do not wait until Monday morning. Do not power off affected systems. Call now and we will begin triage immediately.

  • Incident hotline: 604.229.1994
  • Availability: 24/7/365 - including holidays
  • Burnaby Office: Burnaby, BC, Canada
  • Coquitlam Office: Coquitlam, BC, Canada