Incident Response
24/7 breach containment. Forensic triage. Rapid recovery.
Incident response is the organized approach to detecting, containing, eradicating and recovering from cybersecurity breaches. Sherlock Forensics provides 24/7 incident response for mid-market organizations across Vancouver and British Columbia, covering ransomware, business email compromise, AI-generated phishing campaigns, deepfake social engineering, LLM data exfiltration and nation-state intrusions with NIST SP 800-61 aligned methodology.
When a breach occurs, response time determines outcome. Our incident response team provides immediate containment, forensic evidence preservation, root cause analysis and coordinated recovery - minimizing business disruption while building the evidentiary record needed for legal, regulatory and insurance proceedings.
Capabilities
Rapid Triage & Containment
Immediate assessment of scope, threat actor presence and active data exfiltration. Network isolation, endpoint quarantine and credential rotation to stop the bleeding.
Variant identification, encryption analysis, decryption feasibility assessment, backup integrity verification and coordinated recovery. We help you evaluate all options before making payment decisions.
Investigation of compromised email accounts, mail flow analysis, forwarding rule detection and scope-of-access determination. Identification of accessed data and fraudulent transactions. Analyze exported Outlook mailboxes with Sherlock Forensics PST Viewer for forensic-grade email review.
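As an added illustration of the forwarding-rule detection mentioned above (example code, not Sherlock Forensics tooling), this script triages constructed mailbox-rule audit events for the classic BEC patterns: external forwarding, auto-delete, hiding mail in ignored folders and finance-keyword targeting. The record layout, organisation domain and sample events are assumptions; the parameter names follow Exchange's New-InboxRule cmdlet.

```python
# Added example: triage mailbox-rule audit events for business email compromise.
# The event records and field layout are constructed for this example.
ORG_DOMAIN = "example.ca"  # assumed organisation domain
FINANCE_WORDS = {"invoice", "wire", "payment", "remittance", "banking"}
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Archive", "Junk Email"}

EVENTS = [  # constructed sample audit events (simplified schema)
    {"user": "cfo@example.ca", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "archive.backup@gmail.com",
                "DeleteMessage": True, "SubjectContainsWords": ["invoice", "wire"]}},
    {"user": "hr@example.ca", "op": "New-InboxRule",
     "params": {"Name": "Team", "MoveToFolder": "Payroll"}},
    {"user": "ap@example.ca", "op": "Set-InboxRule",
     "params": {"Name": "x", "RedirectTo": "ap-team@example.ca",
                "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions"}},
]


def _external(addr):
    """True when the recipient is outside the organisation's own domain."""
    return not addr.lower().endswith("@" + ORG_DOMAIN)


def assess_rule(event):
    """Return indicator strings for one rule event; an empty list means benign."""
    p = event["params"]
    findings = []
    # Outbound copies of mail to an external mailbox are the primary BEC signal.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if key in p and _external(p[key]):
            findings.append(f"forwards externally to {p[key]}")
    # Deleting or burying matched mail hides the attacker's correspondence.
    if p.get("DeleteMessage"):
        findings.append("deletes matched mail")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        findings.append(f"hides mail in {p['MoveToFolder']}")
    # Rules keyed on payment vocabulary point at invoice / wire fraud.
    words = [w for w in p.get("SubjectContainsWords", []) if w.lower() in FINANCE_WORDS]
    if words:
        findings.append(f"targets financial keywords {words}")
    # Attackers often name rules with a single character to avoid notice.
    if len(p.get("Name", "")) <= 1:
        findings.append("near-empty rule name")
    return findings


def triage(events):
    """Map each mailbox with suspicious rule activity to its indicators."""
    return {e["user"]: f for e in events if (f := assess_rule(e))}
```

Scope-of-access follow-up starts from the flagged mailboxes: every message matching a flagged rule's criteria during the rule's lifetime is presumed read by the attacker.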
Forensic imaging, log analysis, memory forensics and malware analysis to determine the attack vector, dwell time, lateral movement and extent of compromise. All evidence follows strict evidence handling procedures from acquisition through analysis. Create forensic disk images with Sherlock Forensics Disk Imager (free, resumable, three-pass SHA-256 verification). For rapid Android triage, Sherlock Forensics Android Acquirer can extract SMS, contacts, call logs and media via ADB.
System rebuilding, data restoration from clean backups, environment hardening and phased return to production. Coordination with IT, legal and executive teams throughout recovery.
Root cause documentation, lessons learned, control gap identification and remediation roadmap. Produce structured findings with our court-ready forensic reports tool. Breach notification support for PIPEDA, BC FIPPA and sector-specific regulations. After containment, the next step is assessment. Find the right security test for your situation.
Active Threats
| Incident Type | Indicators | Response Priority |
|---|---|---|
| Ransomware | Encrypted files, ransom notes, service disruption | Critical - immediate containment |
| Business Email Compromise | Unauthorized mail rules, wire fraud attempts | High - time-sensitive financial exposure |
| Data Exfiltration | Unusual outbound traffic, large data transfers | Critical - active data loss |
| Insider Threat | Unauthorized access, privilege abuse | High - evidence preservation critical |
| Supply Chain Compromise | Malicious updates, compromised vendor access | Critical - scope assessment required |
| Deepfake Social Engineering | Fabricated video/audio, voice clone fraud, synthetic identity impersonation | High - authentication verification, media forensics |
| AI-Generated Phishing | Highly personalized lures, flawless language, scaled spear-phishing campaigns | High - pattern analysis, sender authentication |
| LLM Data Exfiltration | Sensitive data leakage via AI assistants, prompt injection to extract training data or internal documents | Critical - immediate access revocation, scope assessment |
Incident Response Retainer
An incident response retainer gives you a pre-negotiated engagement framework so that when a breach occurs, the response begins immediately - not after contract negotiations, scope discussions and procurement cycles. Test your IR plan under pressure with a tabletop exercise before a real incident forces you to. Check your external attack surface with our free security scorecard.
Authority Resources
Our DFIR team holds forensic and incident response credentials.
Industry-Specific Response
Each industry faces distinct threat profiles and regulatory requirements during incident response. We tailor our containment and recovery approach to your sector.
Ransomware
Ransomware is the #1 reason organizations call Sherlock Forensics. The first 60 minutes determine whether you contain the attack or lose your network. Our response protocol: isolate affected systems without powering off (preserve volatile memory), block attacker communication channels, preserve forensic evidence for investigation and insurance claims, assess the blast radius to determine what data was accessed. Read our detailed ransomware response guide for the first 60 minutes.
We advise against paying ransoms without first consulting a forensic examiner. Paying does not guarantee data recovery. It does not prevent re-attack. And it may violate sanctions regulations. Sherlock Forensics has recovered data from ransomware incidents without payment by identifying encryption weaknesses, restoring from clean backups and applying decryption tools where available. Organizations that need guaranteed response times should consider an incident response retainer.
Get Started
For non-emergency assessments, order a security audit online.
Our incident response team is available 24/7. Do not wait until Monday morning. Do not power off affected systems. Call now and we will begin triage immediately.
Call 604.229.1994