When Your Network Is Burning, Call the Forensic Examiner First
DFE-led incident response for ransomware, business email compromise, wire fraud, account takeover, data exfiltration, and supply-chain compromise. We follow NIST 800-61 lifecycle discipline, collect court-defensible evidence, and coordinate with your cyber insurance breach coach and outside counsel from minute one. Based in Raleigh, NC. Available right now.
Active Breach, or Planning Ahead?
Two very different conversations. The first one is on the phone within minutes. The second one is a 30-minute calendar invite. Pick the right door.
You think you are breached right now.
Ransom note on the screen. Wire-fraud email caught at the bank. Domain admin password reset you did not request. A CEO who texted you at 9pm from a phone number that is not theirs. Do not investigate on the compromised account. Do not power down the box. Do not pay anything. Call our live line, give us the 60-second snapshot, and we begin remote triage on the call.
Call Now: (919) 348-4912
You want a retainer before you need one.
You are renewing cyber insurance and the carrier wants to know your IR firm. You are pursuing CMMC certification and the assessor wants documented IR procedures with named contacts. You watched a peer eat a six-figure ransomware bill last quarter. Book a planning call - we scope your environment, write the runbook, and put our team on standby.
Book a 30-Min Retainer Call
NIST 800-61 Rev 2 Lifecycle, Honestly Run
The federal framework everyone references and not enough firms actually run. Four phases, in order. We will not skip steps because the customer is panicking, and we will not invent steps because the engagement clock is running. This is how a defensible response actually looks.
Petronella Technology Group structures every engagement against NIST Special Publication 800-61 Revision 2. That is the same framework Federal civilian agencies, DFARS-bound defense contractors, and the CISA Joint Cyber Defense Collaborative use to evaluate response maturity. It is the one your cyber insurance breach coach, your CMMC assessor, and your regulator already speak - aligning to it removes a translation step at the worst possible moment. Each phase below describes what we actually do in the field, what artifacts we produce, and where your team has to be in the loop.
Before the alarm goes off
This is the phase that determines whether everything else works. Preparation is where you decide, in calm conditions, who decides under pressure. We help you write the IR plan, build the runbooks, get the call tree right, and prove the muscle memory through tabletop exercises before a real incident tests it.
- Written incident response plan with named roles and authority
- Per-incident-type runbooks: ransomware, BEC, account takeover, data exfil
- 24/7 call tree including breach coach, outside counsel, insurer
- Pre-staged forensic toolkit, agent deployment, log-retention review
- Annual tabletop exercise with executives, IT, legal, and comms
- Cyber insurance policy review against actual coverage triggers
Is this actually an incident?
Most "we got hacked" calls turn out to be one of three things: a phishing email that was clicked but stopped at MFA, an unrelated outage that looks scary, or a real compromise that is bigger than first reported. Detection and analysis is the discipline of telling those three apart fast, without acting on a guess.
- Triage interview: what did you see, when, on which account
- EDR and SIEM telemetry review across endpoints and identity
- Microsoft 365 / Google Workspace unified audit log pulls
- Indicator of compromise (IOC) extraction and pivot
- Scope determination: number of affected accounts, hosts, data sets
- Severity classification mapped to your IR plan and insurance trigger
Stop the bleeding, then heal the wound
Containment is the surgical phase: cut attacker access without destroying the evidence that proves what they did. Eradication removes their footholds. Recovery brings systems back from validated, clean backups, in a sequenced order that does not just reintroduce the same compromise. This is the longest phase, and the one where rushing causes second incidents.
- Network-segment isolation, conditional access locks, session revocation
- Forensic imaging of involved hosts before any remediation
- Volatile memory capture for malware reverse-engineering handoff
- Attacker persistence removal: scheduled tasks, services, OAuth grants
- Sequenced recovery from validated offline or immutable backups
- Re-credentialing of identities, service accounts, API keys, certs
- Re-enabled monitoring to catch attacker re-entry attempts
What broke, and how we make sure it does not break again
The phase most firms skip. Post-incident activity is where the lessons of the breach actually become future controls. Done well, it turns a six-figure incident into a one-time tuition payment. Done poorly, you pay it again in 18 months.
- Written incident report for insurer, regulator, and internal stakeholders
- Root-cause analysis with technical and process findings
- Lessons-learned debrief with executive sponsor and IT lead
- Remediation plan with owners, deadlines, and verification criteria
- IR plan and runbook updates based on what we actually saw
- Optional follow-up tabletop replaying the real incident
What Counts as an Incident We Handle
Modern breach work is not one thing. It is eight or nine recurring patterns, each with its own evidence model, its own attacker economics, and its own regulatory clock. Here are the ones our team works most often.
Ransomware
Encryption events with extortion demand, double-extortion data-theft variants, ransomware-affiliate IAB ("initial access broker") chains. We coordinate decryption-feasibility analysis, negotiation policy with your insurer, and recovery sequencing from clean backups.
Business Email Compromise & Wire Fraud
Spoofed-CEO, vendor-impersonation, ACH redirect, and invoice-rewriting fraud. We pull Microsoft 365 unified audit logs, identify mailbox rules and OAuth grants, trace funds for your bank and FBI IC3 report, and document chain-of-custody for recovery.
Account Takeover
Single-user, mass-user, and service-account compromise across Microsoft 365, Google Workspace, and SSO providers. We revoke sessions, audit token grants, scope blast radius across cloud apps, and re-credential. Common precursor to BEC.
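As an added example that serves both the BEC paragraph above (mailbox rules and OAuth grants pulled from the Microsoft 365 unified audit log) and the account-takeover scoping described here, the Python below triages a constructed audit-log export. It is not the firm's tooling; the record layout follows the general shape of unified audit log exports (CreationTime, Operation, UserId, ClientIP, Parameters, ModifiedProperties) but is simplified, the internal domain list and risky-scope list are assumptions, and every record is constructed.

```python
"""Triage a Microsoft 365 unified audit log export for BEC and account-takeover indicators.

Added example, not the firm's tooling. Record layout follows the general shape of
unified audit log exports (CreationTime, Operation, UserId, ClientIP, Parameters,
ModifiedProperties) but is simplified, and every record below is constructed.
"""
import json
from collections import defaultdict

# Constructed export: one account shows the attacker pattern (login, hidden
# forwarding rule, OAuth consent), another shows ordinary mailbox housekeeping.
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2024-05-01T13:02:11", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-05-01T13:05:40", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "payments@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-01T13:07:02", "Operation": "Consent to application.",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.45", "Workload": "AzureActiveDirectory",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "Mail.ReadWrite Mail.Send offline_access"}]},
    {"CreationTime": "2024-05-01T14:10:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2024-05-01T14:20:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7", "Workload": "AzureActiveDirectory"},
])
SAMPLE_RECORDS = json.loads(SAMPLE_EXPORT)

INTERNAL_DOMAINS = {"example.com"}          # assumption: the client's own mail domains
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Mail.Read",
                    "MailboxSettings.ReadWrite", "Files.ReadWrite.All"}
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History"}


def _params(rec):
    """Flatten the cmdlet parameter list that Exchange records carry into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def suspicious_inbox_rule(rec):
    """Return a reason if an inbox-rule operation matches BEC tradecraft, else None."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(rec)
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key, "")
        if target and target.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            return f"external forward via {key} to {target}"
    if p.get("DeleteMessage", "").lower() == "true":
        return "rule silently deletes messages"
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        return f"rule hides mail in {p['MoveToFolder']}"
    if len(p.get("Name", "")) <= 1:
        return f"near-empty rule name {p.get('Name')!r}"
    return None


def risky_consent(rec):
    """Return a reason if an OAuth consent grants mailbox/file access to an app, else None."""
    if rec.get("Operation") != "Consent to application.":
        return None
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            hit = sorted(set(prop.get("NewValue", "").split()) & HIGH_RISK_SCOPES)
            if hit:
                return "OAuth consent granting " + ", ".join(hit)
    return None


def triage(records):
    """Group findings per identity together with every client IP that identity used.

    The per-account view is the blast-radius list: the principals whose sessions
    need revoking, whose token grants need auditing and who must be re-credentialed,
    plus the IPs to pivot on across the rest of the tenant.
    """
    findings, ips = defaultdict(list), defaultdict(set)
    for rec in records:
        user = rec.get("UserId", "unknown")
        if rec.get("ClientIP"):
            ips[user].add(rec["ClientIP"])
        for check in (suspicious_inbox_rule, risky_consent):
            reason = check(rec)
            if reason:
                findings[user].append((rec["CreationTime"], rec["Operation"], reason))
    return {u: {"findings": f, "client_ips": sorted(ips[u])} for u, f in findings.items()}


if __name__ == "__main__":
    for user, detail in triage(SAMPLE_RECORDS).items():
        print(f"{user}  (seen from {', '.join(detail['client_ips'])})")
        for when, op, reason in detail["findings"]:
            print(f"  {when}  {op}: {reason}")
```

Run against a real export, the IP set per flagged account is what you feed back into the log search to find other identities touched from the same source, which is how scoping moves from one mailbox to the tenant.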
Data Exfiltration
Unauthorized export of customer records, intellectual property, source code, or regulated data (PHI, CUI, PCI). We trace the egress path, quantify what left, and prepare the evidence record your regulators and contractual notice obligations require.
Insider Threat
Departing employees taking data, privileged-user abuse, and policy violations that may be civil or criminal. Conducted under attorney direction with strict chain of custody and a documented scope agreement so the evidence is usable downstream.
Supply-Chain Compromise
Compromise that arrived through a vendor: MSP-pivot incidents, software-update injection, third-party SaaS integration abuse. We coordinate with the upstream vendor's IR team and document your downstream exposure for regulator and customer notice.
Ransomware-Affiliate IAB Pattern
"Pre-ransomware" intrusions where the access has been sold by an initial-access broker but the encryption has not happened yet. Catching the IAB pattern in this window prevents the encryption event entirely. Highest-leverage moment in modern IR.
Cloud Misconfiguration Exposure
Public S3 buckets, exposed databases, leaked secrets in code repositories, over-permissive OAuth grants. Always a breach decision: did anyone unauthorized actually access it? We answer that with logs.
BYOD & Corporate Mobile Compromise
Within our published forensic scope: company-managed and BYOD-enrolled mobile devices in a breach context. Outside scope: consumer iPhone extraction, custody work, jailbreak imaging.
Retainer vs. Ad-Hoc Engagement
Both paths work. One is dramatically less painful at 2:47am when your domain controller stops responding. The honest comparison.
Ad-hoc engagement is real and we take it. It is just more expensive per hour, slower to start, and more punishing on your team. If you have not signed a retainer with anyone yet, this is the meeting to schedule.
Forensic Evidence Handoff
Most "incident response" firms touch the evidence in ways that make it inadmissible later. We do not. Craig Petronella is a North Carolina-licensed Digital Forensic Examiner (DFE #604180), and our intake checklist is written to keep your evidence usable.
The most common breach-aftermath surprise is a phone call from outside counsel six months in: "Can we get the forensic image of the affected machine? We have a regulator request." If the answer is "we wiped it and reimaged," there is no answer to give. The evidence does not exist.
Petronella's incident response engagements include forensic-grade evidence collection by default, not as an upsell. That means: write-blocked disk imaging with MD5 and SHA-256 hash baselining, volatile memory capture, log preservation in original format with cryptographic integrity, and a chain-of-custody log signed by both the investigator and the client at every transfer. The evidence sits in our secure Raleigh lab until you say to release it, destroy it, or hand it off to outside counsel.
For matters that require deeper investigation than the IR engagement covers - civil litigation, regulator-driven forensic analysis, expert witness testimony - we transition the engagement to our companion digital forensics practice under the same DFE credential. The evidence chain does not break, because the people holding the evidence do not change. What we do not do, and tell you upfront: consumer mobile-device forensics, iPhone jailbreaking, custody / family-law device imaging, or private-investigator work. Honest scope is admissible scope.
Insurance Carrier, Breach Coach, Outside Counsel
An incident response engagement is rarely just you and us. Done right, it is a five-party orchestration: client, insurer, breach coach attorney, outside counsel, and IR firm. Getting the lanes right matters.
When you call us during an active breach, one of our first questions is "do you have cyber insurance?" That answer changes the next 15 minutes. If yes, you contact the carrier's claims line in parallel with engaging us, because most carriers require notice within a specific window and require pre-approval of vendors. We are panel-approved with multiple major US cyber carriers and can be engaged inside that framework.
Your carrier will likely assign a breach coach attorney whose job is privilege management, regulatory analysis, and notice coordination. We work under the breach coach's direction during active incidents, so our investigative work product is covered by attorney work-product doctrine. We do not freelance regulatory advice or draft notification letters - those are the breach coach's lane, and trying to be helpful in someone else's lane is how privilege gets pierced.
We coordinate, in lane, with: the carrier's claims adjuster (status, cost authorization, settlement-relevant findings), the breach coach attorney (privileged investigative findings, notification scope), your in-house or outside counsel (litigation hold, employee matters, vendor claims), the FBI and CISA where the incident type warrants, and your comms / PR resources where public notice is required. What we are not: we are not your law firm, your breach coach, your ransom negotiator, or your insurer's adjuster. Each is a separate licensed function. We are tightly scoped to investigation, containment, evidence preservation, and remediation - and we say so on the first call.
The Notification Window You Did Not Know Was Running
Every breach starts a clock. Several clocks, usually. Missing the window turns a recoverable incident into a regulatory enforcement action. Here are the deadlines our team tracks on every engagement, with your breach coach quarterbacking the actual notice.
GDPR Article 33 - Personal Data Breach Notification
If EU resident personal data is involved, the supervisory authority must be notified within 72 hours of becoming aware of the breach. Many US companies do not realize they are subject to GDPR until the breach happens.
SEC Cybersecurity Disclosure Rule (Public Companies)
Public companies must file Form 8-K Item 1.05 within four business days of determining the cybersecurity incident is material. Determination itself must be made "without unreasonable delay." Applies to many small-cap and mid-cap registrants.
DFARS 252.204-7012 - Cyber Incident Reporting
Defense contractors handling Controlled Unclassified Information (CUI) must report cyber incidents to the Department of Defense within 72 hours via the DIBNet portal. Required regardless of CMMC level (L1, L2, or L3).
HIPAA Breach Notification Rule (45 CFR 164.404-414)
Covered entities and business associates must notify affected individuals and HHS within 60 days of discovery, with parallel media notification for breaches affecting 500+ residents of a state. See our HIPAA compliance overview for the full notification matrix.
State Breach Notification Laws
All 50 states, DC, and US territories have breach notification statutes. Windows range from "without unreasonable delay" to specific day counts (45 in NC, 30 in some states for residents of that state). Multi-state incidents trigger multiple parallel clocks.
PCI DSS Incident Response Requirements
Card-data environments require an incident response plan covering the cardholder data environment. Acquiring bank and card brand notification typically required immediately upon confirmed compromise. Forensic investigator firm (PFI) engagement may be mandated.
Contractual Notification to Customers and Partners
Most B2B contracts now include breach-notification obligations to customers, often shorter than statutory windows (24 to 48 hours common). Vendor MSAs frequently impose parallel obligations on you. The breach coach inventories these in the first 24 hours.
Written IR Plan, Runbooks, & Tabletop Exercises
Roughly a third of our retainer work happens before any incident. It is the unglamorous half - and the half that decides how the dramatic half plays out.
A written incident response plan is a regulatory expectation under nearly every framework you might be subject to. CMMC IR.L2-3.6.1 requires an incident handling capability covering preparation, detection, analysis, containment, recovery, and user response. HIPAA Contingency Plan (45 CFR 164.308(a)(7)) requires response and reporting procedures. SOC 2 CC7.3 evaluates whether the entity responds to incidents through documented procedures. NIST Cybersecurity Framework 2.0 "Respond" function maps to all of the above.
The plan satisfies the framework. The runbooks satisfy reality. Generic IR plans die in the binder where they were written. Per-incident-type runbooks (ransomware, BEC, account takeover, data exfil, insider threat) are the operational documents your team actually opens at 2am. We write those with your environment's specifics: which EDR console to check first, which Conditional Access lock to flip, which carrier claims number is on file.
The tabletop is where the plan and runbooks get stress-tested in a low-cost environment. We facilitate a 90-minute exercise with your executive sponsor, IT lead, legal contact, and comms lead. A realistic industry scenario plays out turn by turn; we capture decisions, gaps, and friction. The output is a remediation list for the plan, the runbook, the call tree, or the underlying controls. Run annually, the exercise builds the muscle memory.
For retainer clients we run one tabletop per year as part of the retainer fee, which also satisfies CMMC IR.L2-3.6.3 ("Test the organizational incident response capability") for organizations pursuing certification at L1, L2, or L3, and matches the cadence most cyber insurance carriers expect. Additional sector-specific tabletops are available - for example a ransomware exercise scoped to a manufacturer's production control environment, or a BEC exercise scoped to an engineering firm's wire-transfer workflow.
What We Do, and What We Do Not Do
The clearest signal of a credible IR firm is whether they tell you, upfront, what they will not touch. Here is our line.
What We Do
Active scope - work our DFE-credentialed and CMMC-RP team performs directly.
- 24/7 breach triage, containment, eradication, recovery
- Forensic-grade evidence collection with chain of custody
- Ransomware response, decryption-feasibility, recovery sequencing
- BEC / wire-fraud investigation, M365 audit log work, FBI IC3 packaging
- Account takeover scoping across cloud apps and SSO
- Insider-threat investigation under attorney direction
- Written IR plans, per-incident-type runbooks, call trees
- Annual tabletop exercises with executives, IT, legal, comms
- Cyber insurance documentation, carrier coordination, direct billing
- Post-incident hardening and remediation verification
What We Do Not Do
Explicit out-of-scope - we route to vetted partners. Asking us to fake these would compromise your matter.
- We are not a law firm and do not provide legal advice
- We are not your breach coach (that role is your insurer-assigned attorney)
- We do not negotiate with ransomware threat actors directly
- We do not draft regulatory notification letters (breach-coach lane)
- We are not a public-relations or crisis-comms firm
- We do not run consumer mobile forensic extraction (no Cellebrite / Graykey)
- We do not jailbreak iPhones / iPads for evidence collection
- We are not a licensed private investigator
- We do not represent threat actors or provide attribution-only reports
- We do not take work we cannot personally defend on the stand
If your matter sits in the "What We Do Not Do" list, we tell you on the first call and route you to the right specialist. Honest scope is admissible scope.
How Engagement Costs Work
Incident response is difficult to fixed-price up front because the scope is set by what the attacker actually did, not by what was first reported. Here is how we structure it honestly.
Retainer Program
From annual retainer + capped hourly
Annual retainer covers preparation work (IR plan, runbooks, tabletop, environment mapping, on-call SLA). Incident-time work draws against retainer hours at a locked, capped hourly rate. Includes one tabletop per year and annual IR plan refresh. Pre-approved with multiple major US cyber insurance carriers. Custom-quoted based on environment size, regulated-data scope, and required SLA tier.
Ad-Hoc Engagement
From standard T&M, per-incident SOW
Time-and-materials billing on the active incident only. SOW signed before substantive work begins, scoped to triage / contain / investigate / report. Surge-priced during regional events. Slower start than retainer because MSA and access provisioning happen during the incident. Recommended only when a retainer is not already in place.
All quotes are custom and follow a no-pressure scoping conversation. Book a call and we will give you a real number.
Pair Incident Response With Prevention
Incident response is the right tool when something has gone wrong. These are the disciplines that reduce how often you need to pick it up.
Incident Response, Asked Directly
The questions we field most often, on the first call. Answered the way we actually answer them, not the way marketing would.
How fast can you actually start?
Retainer clients: inside 15 minutes business hours, within one hour after-hours. Ad-hoc engagements without a pre-existing MSA: usually one to four hours, because we sign the MSA, provision access, and get your environment in front of an investigator from cold. That gap is the strongest argument for a retainer.
Should I call you, or my cyber insurance carrier, first?
If you have cyber insurance, call both in parallel. Most policies require notice within a specific window (often 24 to 72 hours) and require pre-approval of vendors. Tell us you have a carrier, name them, and we will work inside the panel-approval process from minute one. If you are not sure whether you have cyber insurance, call us first - we help you check coverage during triage.
Do you negotiate with ransomware operators?
No. Direct ransomware negotiation has its own ethical, legal, and OFAC-sanctions complexity, and is correctly handled by dedicated negotiation firms under attorney privilege. If your matter requires negotiation, we coordinate with your breach coach to bring the right firm in. We handle the technical work - decryption feasibility, recovery sequencing, evidence preservation.
Do you work with the FBI or CISA?
Yes, when the incident type warrants it. For ransomware over a meaningful financial threshold, BEC wire-fraud incidents, and supply-chain compromise affecting critical infrastructure, we coordinate the FBI IC3 referral and the CISA Joint Cyber Defense Collaborative report where appropriate. The breach coach makes the final law-enforcement call; we package the evidence so the referral is actionable.
What if I do not have an IR plan, runbooks, or insurance?
You are not unusual and you are not disqualified from getting help. We can still respond. The engagement is more painful, regulatory clock pressure is harder, and post-incident exposure is greater - but the work gets done. We tell you on the first call which gaps are slowing the response so you can fix them during the engagement or immediately after.
Are you a CMMC-aligned IR firm?
Yes. Petronella Technology Group is a CMMC Registered Practitioner Organization (CyberAB RPO #1449). Our IR practice satisfies CMMC IR.L2-3.6.1 (incident handling), IR.L2-3.6.2 (incident reporting), and IR.L2-3.6.3 (incident response testing) for organizations pursuing certification at L1, L2, or L3. We coordinate DFARS 252.204-7012 reporting via the DIBNet portal when CUI is involved.
Can you support incidents outside Raleigh, NC?
Yes. Roughly 80% of our active IR work is performed remotely from our Raleigh lab, so geography is rarely the constraint. We support clients across the southeastern US and remotely nationwide. On-site investigator dispatch is available within the Research Triangle Region and into eastern North Carolina (Wilmington, Greenville). Outside that radius we work remotely or coordinate with regional partners.
Will the work be privileged?
Privilege is achieved when the engagement is structured under the direction of legal counsel (typically the insurer-appointed breach coach attorney). We structure our engagement letters to support that. Privilege is not automatic - if the engagement is not run under counsel, our work product is not protected by attorney-client or work-product privilege. The breach coach decides the structure; we follow it.
What evidence do you actually collect?
Where warranted: forensic disk images with hash baselining, volatile memory captures, EDR telemetry exports, M365 and Google Workspace unified audit logs in original format, firewall and proxy logs, identity provider logs, cloud audit logs (AWS CloudTrail, Azure Activity Log), and chain-of-custody documentation for every transfer. Collection is sized to the matter.
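The hash baselining and chain-of-custody log described in the Forensic Evidence Handoff section and in this answer, as an added example that is not the firm's lab procedure. The "image" is a constructed byte string standing in for a raw disk image, the manifest layout is this example's own, and the two-party signatures the text describes are represented here only by recorded names and a re-hash at each transfer; placeholder case and examiner identifiers are marked as such.

```python
"""Hash-baseline an evidence file and keep a chain-of-custody manifest beside it.

Added example, not the firm's lab procedure. The "image" is a constructed byte
string standing in for a raw disk image; the manifest layout is this example's own,
and the signatures the text describes are represented by recorded names only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so a multi-hundred-GB image never has to fit in RAM
SAMPLE_IMAGE_BYTES = b"The quick brown fox jumps over the lazy dog"  # constructed stand-in


def hash_file(path):
    """MD5 and SHA-256 of a file in one pass, plus its size."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "size": os.path.getsize(path)}


def _save(manifest_path, manifest):
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)


def _load(manifest_path):
    with open(manifest_path) as f:
        return json.load(f)


def create_baseline(evidence_path, manifest_path, examiner, case_id, description):
    """Record acquisition-time hashes; every later check compares against these."""
    manifest = {"case_id": case_id, "evidence": os.path.basename(evidence_path),
                "description": description, "acquired_by": examiner,
                "acquired_at": datetime.now(timezone.utc).isoformat(),
                **hash_file(evidence_path), "custody": []}
    _save(manifest_path, manifest)
    return manifest


def verify(manifest_path, evidence_path):
    """Re-hash the object and report whether it still matches the baseline."""
    manifest = _load(manifest_path)
    current = hash_file(evidence_path)
    match = all(current[k] == manifest[k] for k in ("md5", "sha256", "size"))
    return {"match": match, "baseline": manifest["sha256"], "current": current["sha256"]}


def record_transfer(manifest_path, evidence_path, released_by, received_by, purpose):
    """Append a custody entry; the object is re-hashed so both parties sign off on a verified copy."""
    manifest = _load(manifest_path)
    check = verify(manifest_path, evidence_path)
    manifest["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "released_by": released_by, "received_by": received_by,
        "purpose": purpose, "sha256_at_transfer": check["current"],
        "verified_against_baseline": check["match"],
    })
    _save(manifest_path, manifest)
    return check["match"]


def demo():
    """Walk the lifecycle: acquire, transfer, then detect an alteration."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ws-fin-07.raw")
        mf = os.path.join(d, "ws-fin-07.manifest.json")
        with open(img, "wb") as f:
            f.write(SAMPLE_IMAGE_BYTES)
        baseline = create_baseline(img, mf, examiner="Examiner A (placeholder)",
                                   case_id="CASE-0000 (placeholder)",
                                   description="Write-blocked image, finance workstation")
        transfer_ok = record_transfer(mf, img, "Examiner A (placeholder)",
                                      "Client contact (placeholder)", "release to outside counsel")
        with open(img, "ab") as f:          # simulate a single byte changed after transfer
            f.write(b"\x00")
        after = verify(mf, img)
        return {"sha256": baseline["sha256"], "transfer_verified": transfer_ok,
                "intact_after_change": after["match"],
                "custody_entries": len(_load(mf)["custody"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two hashes are kept because MD5 alone is no longer a defensible integrity claim while many older tools and court filings still quote it; recording both means the SHA-256 carries the integrity argument and the MD5 still matches whatever a counterpart's tooling prints. The transfer entry re-hashes before the hand-off so a later mismatch can be placed between two named custodians rather than somewhere in the whole history.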
How do we get started on a retainer?
Book a 30-minute call through our contact form. We walk through your environment, regulatory scope, and current IR posture, then send a scoped proposal within a few business days. Standard onboarding takes two to four weeks (environment mapping, runbook drafting, tabletop scheduling, access provisioning, carrier alignment). If you are actively breached right now, call (919) 348-4912 instead.
Two Numbers, One Decision
If your network is on fire, call. If you want it harder to set on fire next time, book a call. Same Raleigh team, same DFE credential, same NIST 800-61 lifecycle.