Precursor Security
Active incident? Call our 24/7 line now (average pick-up time: under 60 seconds)
24/7 CREST-Accredited DFIR

Cyber Incident Response

Our analysts are on the line right now. If your organisation is under attack, call our 24/7 incident line. Within minutes, a senior DFIR analyst begins remote triage. We have closed hundreds of incidents across ransomware, APT, and BEC. CREST-accredited. UK-based. No minimum spend to mobilise.

CREST Accredited
CrowdStrike Partner
UK Based
Incident Response

Every Hour Without Containment Costs You £50,000.

Ad-hoc incident response means cold-starting a relationship during the worst day of your career. Retainer clients get analysts who already know their Active Directory, their backup posture, and their regulatory obligations.

The fastest recorded eCrime breakout time in 2025 was 27 seconds (CrowdStrike 2026 Global Threat Report). When the call comes at 3am, the analyst who picks up already knows your environment.

Ad-Hoc Incident Response

2-4 hours before response begins (legal, scoping, payment)
No guaranteed SLAs: competing with other incidents
Responders start from zero knowledge of your environment
£2,500/day (20-30% premium over retainer rates)
No pre-established insurance or legal relationships

Precursor IR Retainer

Immediate mobilisation (we already know your environment)
Pre-scoped: AD, cloud, backup posture, regulatory obligations
Preferential rates (£1,800/day, 20-30% saving)
Cyber insurance integration and tabletop exercise included

What Happens When You Call

The First 60 Minutes

No hold music. No ticket queues. Here is exactly what happens after you call our 24/7 incident line.

0:00 - You call our 24/7 incident line

0:05 - Senior analyst on the phone, triage begins

0:30 - Containment actions begin

1:00 - Initial breach assessment checkpoint. CEO briefing notes ready.

24/7 remote triage available (from your first call)
Named incident commander on call (retained clients)
72 hours: GDPR breach notification (we handle ICO reporting)

Engagement Pipeline

Incident Response Process

From initial emergency call to full recovery. Our structured process ensures rapid containment, thorough investigation, and complete eradication.

Step 01

Emergency Contact and Triage

Call our 24/7 incident line or contact us via the portal. Within minutes, a senior analyst begins triage, assessing the scope, severity, and immediate containment priorities.

Step 02

Containment and Forensic Scoping

We deploy remote containment tooling, isolate affected systems, and begin forensic evidence collection. We scope the full investigation based on the threat landscape and affected assets.

Step 03

Investigation and Root Cause

Full forensic analysis across endpoints, identity, network, and cloud. We reconstruct the attack chain, identify the initial access vector, and determine the extent of data compromise.

Step 04

Eradication and Recovery

Threat actors are removed, persistence mechanisms eradicated, and systems rebuilt to a secure baseline. We provide a full post-incident report with remediation recommendations and lessons learned.

Cyber Security Incident Response Services

Incident Response Capabilities

A breach in progress is not a project. It is a crisis. Our analysts have responded to hundreds of incidents across financial services, healthcare, legal, and government. Every finding is documented and translated into language your board can act on.

Swift IT Recovery and Data Restoration

Rapid recovery of enterprise IT systems and restoration of business-critical data. We minimise downtime and get your organisation operational as quickly as possible.

Advanced Persistent Threat Containment

Containment of APTs in complex IT environments. Our analysts isolate threat actors, eradicate persistence mechanisms, and secure your environment against re-entry.

UK Regulatory and GDPR Advice

Expert guidance on ICO notification requirements, GDPR obligations, and regulatory reporting timelines. We help you meet legal obligations while managing reputational risk.

Digital Forensics UK CREST Team

Court-admissible forensic analysis across endpoints, servers, and cloud environments. We reconstruct the full attack timeline to establish root cause and data exposure scope.

Incident Communications and Press Releases

Support with internal and external communications, stakeholder briefings, and press releases. We help you control the narrative during the most critical hours.

Threat Actor Negotiation and Sanction Checks

When required, we conduct threat actor negotiation with full OFAC and UK sanction screening.

Methodology

How Precursor Incident Response Works

Precursor cyber incident response combines rapid containment, forensic investigation, and expert remediation, powered by analysts who have responded to hundreds of major cyber incidents across every sector.

Containment

Rapid Triage and Containment

Within hours of engagement, our analysts assess the scope of compromise, isolate affected systems, and deploy containment measures to halt lateral movement and data exfiltration. Speed is everything during a live breach.

Forensics

Digital Forensics and Evidence Preservation

We conduct forensic imaging and analysis across endpoints, servers, and cloud environments. Evidence is preserved to support regulatory investigations, insurance claims, and potential legal proceedings.

Root Cause

Root Cause Analysis

Our team reconstructs the full attack timeline: initial access vector, privilege escalation, lateral movement, and data exposure. Every finding is documented so you understand exactly what happened and can prevent recurrence.

Remediation

Remediation and Hardening

We eradicate persistence mechanisms, rebuild compromised systems, and implement immediate hardening measures. Credential resets, patching, network segmentation, and logging uplift are standard.

Closed Loop

Offensive Intelligence Feedback Loop

Findings from every incident feed directly into our CREST-accredited penetration testing and MDR detection rules. Organisations using Precursor for both offensive and defensive security receive a continuously strengthening posture.

Incident Response Retainer

IR Retainer from £8,500/year

The retainer is how your responders know your environment before the breach. At inception, we scope your critical systems, capture your identity architecture, and document your backup posture. When the call comes at 3am, the analyst who picks up already knows your AD structure, your cloud footprint, and your regulatory obligations.

What the Retainer Includes

Pre-agreed access to CREST-accredited incident responders who already know your environment.

24/7 Availability

Available via telephone, portal, and email around the clock. Named incident commander for retained clients.

Pre-Scoped Response

We scope your organisation at inception. When the call comes, we already know your AD structure, cloud footprint, and regulatory obligations.

Cyber Insurance Integration

Our retainer integrates with your policy to protect indemnity and lower premiums.

Incident Response Planning

Consultancy credits to create or improve your IR plan, validated with a tabletop exercise.

20-30% Discounted Ad-Hoc Rates

Retainer clients receive preferential pricing, making the retainer self-funding after a single engagement.

From £8,500/year for organisations up to 500 seats.
IR Services

Incident Response Services

Specialist incident response capabilities available as standalone engagements or as part of your retainer.

Closed-Loop Security

Post-Incident Vulnerability Assessment

After containing an incident, our offensive team assesses the vulnerabilities that enabled the breach. We then test your hardened environment to confirm the gaps are definitively closed. Findings feed back into MDR detection rules for continuous monitoring.

Full Catalogue

Explore Our Full Service Catalogue

Incident response is one component of a comprehensive security programme. Explore our full range of offensive and defensive security services.

24/7 Emergency Response

Active incident? Call us now.

If your organisation is under attack, call our 24/7 incident line. A senior DFIR analyst will be on the phone within minutes. For retainer enquiries, book a scoping call.


Incident Response: Common Questions

Pricing, retainers, response times, and how our DFIR process works.

Incident response retainers typically range from £8,500 to £25,000+ annually depending on organisation size, complexity, and support level. A standard retainer for a mid-sized organisation (200-1,000 employees) averages £12,000/year including 24/7 availability, pre-scoped response planning, IR tabletop exercise, and cyber insurance integration. Emergency ad-hoc incident response (without retainer) is billed on a time-and-materials basis, typically £1,500-£2,500 per consultant day, with typical ransomware incidents requiring 7-15 days of effort (£10,500-£37,500 total cost). Retainer clients receive preferential rates (typically 20-30% discount on ad-hoc rates), guaranteed 4-hour on-site SLAs, and no minimum spend requirements for deployment. For comparison, the average ransomware incident costs £3.5 million in downtime, recovery, and reputational damage, making retainer pricing a fraction of potential breach cost.

Ad-hoc incident response (calling without a retainer) creates critical delays and higher costs during the most time-sensitive hours: (1) Cold engagement requires 2-4 hours for scoping calls, legal agreements, and payment terms before response begins. During a ransomware attack, every hour of delay means more encrypted systems. (2) Ad-hoc rates are 20-30% higher than retainer pricing (£2,500/day vs £1,800/day for retainer clients). (3) No guaranteed SLAs means you are competing with other incidents for analyst availability. (4) Responders start from zero knowledge of your environment, requiring additional discovery time. (5) No pre-established relationships with your cyber insurance provider, legal counsel, or executive team. Retainer clients receive immediate mobilisation (we already know your environment), preferential pricing, guaranteed SLAs, and proactive IR planning. The retainer cost (£12,000/year average) is recovered in the first 5-6 days of a single incident through rate savings and faster recovery.

The arithmetic is straightforward. A standard ransomware engagement at ad-hoc rates runs £10,500-£37,500 in consultant time alone, before you factor in downtime, ransomware payment, regulatory fines, and reputational damage. The retainer costs £8,500-£25,000/year. The arithmetic only works in the CFO's favour if nothing ever happens. Retainer clients also receive 20-30% discounted rates if they do engage, proactive incident response planning that satisfies ISO 27001 and Cyber Essentials Plus audit requirements, and a tabletop exercise that counts toward board assurance. The retainer is not insurance you 'use.' It is a capability that costs less than not having it.

While internal IT teams understand your infrastructure, they typically lack the specialised skills, tooling, and objectivity required for effective cyber incident response: (1) Incident response requires forensic investigation skills (memory analysis, malware reverse engineering, attack reconstruction) that IT operations teams do not use in daily work. (2) IT teams focus on restoring service; IR teams focus on understanding root cause and preventing recurrence. Prematurely rebuilding systems destroys forensic evidence. (3) Advanced threats require specialised tooling (CrowdStrike Falcon, EnCase forensics, Volatility memory analysis) and threat intelligence IT teams do not have. (4) IT teams are under extreme pressure during incidents. External specialists provide objective analysis without organisational politics. (5) Major incidents require 24/7 response for days or weeks. Most organisations use internal IT for initial containment and external IR specialists for forensic investigation, root cause analysis, and remediation planning.

Client confidentiality is paramount in cyber incident response and protected by multiple safeguards: (1) All engagements are conducted under strict NDA with explicit confidentiality clauses and professional indemnity insurance. (2) We operate under ISO 27001 certified information security management systems with access controls, encryption, and audit logging for all case data. (3) CREST accreditation requires demonstrated ethical standards and confidentiality practices with regular independent audits. (4) Forensic evidence and case files are stored in encrypted, segregated case management systems with role-based access. (5) We never disclose client names, breach details, or incident specifics without explicit written authorisation. We have responded to hundreds of high-profile breaches across finance, healthcare, and government without a single confidentiality breach.

While no IR provider can guarantee 100% data recovery (the threat actor already has access when you call), our track record demonstrates consistent success: (1) We contain active breaches in 90%+ of cases within 48-72 hours using rapid isolation, credential resets, and network segmentation. (2) We establish root cause and full attack timeline in 85%+ of cases. (3) Retainer clients receive proactive backup validation and IR planning to maximise recovery success before incidents occur. (4) Even in worst-case scenarios, our regulatory guidance, insurance liaison, and crisis communications minimise reputational and financial damage. Our goal is damage limitation, evidence preservation, and preventing recurrence.

Cyber incident response is the structured process an organisation follows to identify, contain, investigate, and recover from a cybersecurity breach. Precursor Security's cyber incident response service covers the full lifecycle: initial emergency triage, forensic investigation, threat eradication, system recovery, and post-incident reporting.

The NIST 800-61 incident response lifecycle defines four phases, commonly expanded to five in practice: (1) Preparation: establishing an IR plan, retainer, and response playbooks before an incident occurs; (2) Identification: detecting the incident, scoping its extent, and determining whether a breach has occurred; (3) Containment: isolating affected systems to halt lateral movement and data exfiltration; (4) Eradication and Recovery: removing threat actors, eliminating persistence mechanisms, and restoring systems to a secure baseline; (5) Post-Incident Review: root cause analysis, lessons learned, and hardening to prevent recurrence. Precursor Security follows this lifecycle on every engagement, with a typical ransomware incident moving from initial call to full eradication in 5-10 business days.

Under GDPR Article 33, you must notify the ICO within 72 hours of becoming aware of a personal data breach, provided the breach is likely to result in a risk to individuals' rights and freedoms. Not all cyber incidents trigger this obligation: if no personal data was accessed or exfiltrated, ICO notification may not be required. However, the 72-hour clock starts from the point of awareness, not the point of full investigation. Precursor's cyber incident response team assesses ICO notification requirements within the first hours of engagement and provides written guidance on whether and when to notify. We have supported hundreds of organisations through regulatory notification processes, including preparing notification drafts and managing ICO liaison.

Precursor Security responds to the full spectrum of cyber incidents including ransomware attacks, business email compromise (BEC), advanced persistent threats (APTs), data breaches, insider threats, supply chain compromises, and destructive malware. Our team has handled incidents across healthcare, financial services, legal, manufacturing, and critical national infrastructure.

Yes. Precursor Security is a CrowdStrike Incident Response Engagement Partner. We deploy CrowdStrike Falcon for endpoint visibility alongside our own proven tooling for complex environments including Microsoft Exchange, SharePoint, Citrix, Fortinet, and AWS.

An IR retainer is a pre-agreed engagement that ensures you have immediate access to expert responders who already understand your environment. Precursor's retainer includes 24/7 availability, pre-scoped response, incident response planning, tabletop exercises, and cyber insurance integration. It is proactive preparation, not just a phone number.

Yes. Our team provides expert guidance on ICO notification requirements, GDPR reporting obligations, and regulatory timelines. We help you meet legal obligations while managing reputational risk, and produce reports in formats suitable for regulators, insurers, and legal counsel.

Precursor Security is CREST accredited for both penetration testing and SOC operations. We hold ISO 27001, ISO 9001, and Cyber Essentials Plus certifications. Our analysts hold GIAC, OSCP, and CREST-level certifications relevant to digital forensics and incident response.