// SERVICE · INCIDENT RESPONSE & IT FORENSICS

DFIR · Incident Response · Available 24/7

Incident Response & IT Forensics. When systems are compromised, every hour counts.

We forensically analyze the cyber attack, contain its spread and restore your ability to act: from the attacker's perspective, defensibly and fast.

Whether an active ransomware attack, an ongoing IT emergency or an unresolved suspicion of compromise — we analyze the incident from the attacker’s perspective, preserve court-admissible evidence and guide a controlled recovery.

160 completed DFIR engagements. 100 % success rate. Built on military, intelligence and law-enforcement-adjacent operational experience.

Response in < 2h · Strictly confidential · Court-admissible · Team based in Germany (DE)
// 01 — WHEN YOU NEED US

Typical starting situations: cyber attack, ransomware, IT emergency.

Every hour without containment increases the damage — technically, financially and legally. We assess your situation, prioritize measures and restore your ability to act. Fast. Confidential. Resilient.

Ransomware attack — systems encrypted
Files inaccessible, ransom note appeared. Do NOT power systems off: volatile forensic evidence will be lost. Disconnect affected machines from the network if encryption is still running, and request incident response immediately.
Active hacker in the network
Unusual activity, lateral movement, new admin accounts — the attacker is still active in the system. IT forensics is racing against time.
Confirmed data exfiltration / cyber attack
Customer data, IP or financial data were exfiltrated. GDPR/NIS2 reporting deadlines are running — IT forensics is required to prove the scope of damage.
Suspected compromise
Log anomalies, unknown processes, suspicious logins — something is off. Professional IT forensics clarifies whether a cyber attack has taken place.
Regulatory / insurance requirement
BSI reporting obligation, the cyber insurer requests an IT forensics report, or a criminal complaint after a cyber attack is planned.
IT forensics second opinion
Your own IT team has already acted. We deliver independent, court-admissible IT forensics and a defensible assessment of the incident response approach taken so far.
// 02 — HOW WE PROCEED

We think like the attacker.
That’s why we find them faster.

Classic incident response teams follow checklists. We come from hacking — and know how attackers think, where they hide and what traces they leave behind in a cyber attack. That makes our IT forensics more precise and our response time measurably shorter.

Classic DFIR provider
Follows standard processes — attackers deviate from them
Looks for traces where they are expected — not where they are hidden
Recognizes persistence mechanisms only in hindsight
Longer containment times due to missing attacker context
ProSec Defense — built from hacking
We think like the attacker — and find what they have hidden
Known tactics, techniques & procedures (TTPs) from our own offensive experience
Persistence mechanisms are hunted proactively — not found reactively
Measurably shorter containment time through the attacker’s perspective
1 · 0–2h · Triage & scope
Immediate first contact. Situation assessment, severity, affected systems.
Output: situational picture

2 · 2–6h · Containment
Isolation of compromised systems and interruption of active attack paths. We know the routes attackers use.
Output: damage limitation

3 · in parallel · Evidence preservation
Forensically sound preservation of all relevant artifacts according to ISO/IEC 27037.
Output: chain of custody

4 · ongoing · Forensics
We reconstruct the attack path from the attacker's view: initial access, persistence, lateral movement, exfiltration. We know where hackers hide.
Output: attack timeline

5 · ongoing · Coordination
Alignment with IT, management, legal, insurance, BSI.
Output: communication plan

6 · once safe · Recovery
Controlled recovery, validation of systems, hardening against relapse.
Output: recovery plan

7 · post-incident · Monitoring
Post-incident monitoring for reinfection, persistence remnants, new anomalies.
Output: monitoring report

8 · final · Final report
Full forensic report for management, authorities, insurers, courts.
Output: forensics report

The difference to the competition: we are hackers ourselves. We know which backdoors attackers leave behind, which logs they delete and where they wait for a renewed attack. Classic DFIR teams find what is visible; we find what was hidden. That is why our mean time to recovery after ransomware averages 12 days, far below the German market average of 23 days.

Important with ransomware: do not power systems off immediately. Volatile data (RAM contents, running processes, active network connections) holds critical forensic traces; an uncontrolled shutdown destroys that evidence and makes recovery considerably harder. Disconnecting an affected machine from the network stops further spread without losing its volatile state. Call first.
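The evidence-preservation step above (chain of custody per ISO/IEC 27037) and the warning about volatile data come down to one practical rule: capture the volatile state first, then hash what you captured and seal the hashes before anyone else touches the host. The following Python is an added example, not ProSec Defense tooling. The live collectors assume a Linux host with ps, ss, who and ip available; the sample process list, the host name "ws-17", the case ID "IR-EXAMPLE-001" and the 203.0.113.7 address are all constructed for the example so that it runs offline.

```python
"""Volatile-artifact triage with a tamper-evident chain-of-custody manifest.

Added example, not ProSec Defense tooling. The live collection assumes a
Linux host with ps/ss/who/ip available; the manifest logic is platform-neutral.
"""
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Most volatile first (RFC 3227 order of volatility). Assumed command set.
LIVE_COMMANDS = {
    "process_list": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
    "network_connections": ["ss", "-tunap"],
    "logged_in_users": ["who", "-a"],
    "arp_cache": ["ip", "neigh"],
}


def collect_live(commands=LIVE_COMMANDS):
    """Run each collector and return {artifact_name: raw_output_bytes}.

    A missing tool or a timeout is recorded as an ERROR artifact rather than
    skipped, so the manifest documents what could not be captured."""
    artifacts = {}
    for name, argv in commands.items():
        if shutil.which(argv[0]) is None:
            artifacts[name] = f"ERROR: {argv[0]} not available".encode()
            continue
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=30)
            artifacts[name] = proc.stdout if proc.returncode == 0 else proc.stderr
        except subprocess.TimeoutExpired:
            artifacts[name] = b"ERROR: collection timed out"
    return artifacts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialization so the manifest digest is reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, case_id, hostname, collector, collected_at=None):
    """Hash each artifact (collection order preserved) and seal the whole
    manifest with its own digest, so a later edit to any field is detectable."""
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    entries = [
        {"order": i, "name": name, "size": len(data), "sha256": sha256_hex(data)}
        for i, (name, data) in enumerate(artifacts.items(), start=1)
    ]
    manifest = {"case_id": case_id, "hostname": hostname, "collector": collector,
                "collected_at_utc": ts, "artifacts": entries}
    manifest["manifest_sha256"] = sha256_hex(_canonical(manifest))
    return manifest


def verify_manifest(artifacts, manifest):
    """Return a list of integrity problems; an empty list means the evidence
    set still matches what was sealed at collection time."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("manifest digest mismatch: manifest was edited")
    listed = set()
    for entry in manifest["artifacts"]:
        listed.add(entry["name"])
        data = artifacts.get(entry["name"])
        if data is None:
            problems.append(f"{entry['name']}: artifact missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{entry['name']}: hash mismatch, artifact altered")
    for name in artifacts:
        if name not in listed:
            problems.append(f"{name}: present but not in manifest")
    return problems


# Constructed sample output standing in for a live collection so the example
# runs offline. Host, PIDs, paths and the 203.0.113.7 address are made up.
SAMPLE_ARTIFACTS = {
    "process_list": (
        b"PID PPID USER CMD\n"
        b"1 0 root /sbin/init\n"
        b"4242 1 svc /tmp/.cache/updater --daemon\n"
    ),
    "network_connections": (
        b"tcp ESTAB 10.0.0.5:49812 203.0.113.7:443 users:((\"updater\",pid=4242))\n"
    ),
}
SAMPLE_TIME = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)


def demo():
    """Seal the sample evidence, then show that removing the suspicious
    process line from the process list is detected on verification."""
    manifest = build_manifest(SAMPLE_ARTIFACTS, "IR-EXAMPLE-001", "ws-17",
                              "analyst", SAMPLE_TIME)
    intact = verify_manifest(SAMPLE_ARTIFACTS, manifest)
    altered = dict(SAMPLE_ARTIFACTS)
    altered["process_list"] = altered["process_list"].replace(
        b"4242 1 svc /tmp/.cache/updater --daemon\n", b"")
    return intact, verify_manifest(altered, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live Linux host, `build_manifest(collect_live(), ...)` replaces the sample data; write the manifest and the raw outputs to external, write-once media rather than to the compromised disk, and record who sealed it and when. This captures process and connection state only: a full RAM image still needs a dedicated memory-acquisition tool, and it must be taken before the system is powered off.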

// 03 — WHAT YOU RECEIVE

Resilient results. For IT, management and legal.

Every incident response and IT forensics engagement ends with documented, usable outputs — so you remain able to act towards authorities, insurers and business partners.

Final forensic report (IT forensics)
Complete attack-path reconstruction through digital forensics — with timeline, IOCs, tactics (MITRE ATT&CK) and court-admissible documentation.
Containment & recovery plan
Prioritized measures for immediate stabilization, safe recovery and hardening against renewed access.
Evidence preservation & chain of custody
ISO/IEC 27037-compliant preservation of all artifacts, usable for criminal complaints, BSI reports and insurance claims.
IOC package & threat intelligence
Indicators of compromise, attacker profiles and MITRE mapping for your SOC or SIEM to prevent further attacks.
Crisis communication support
Support with internal statements, press releases, BSI reports and communication with supervisory authorities.
Lessons learned & hardening plan
Structured follow-up with concrete technical and organizational measures against recurrence.
// 04 — FROM THE FIELD

160 engagements. Ransomware, APT, insider threat. 100 % completed.

Anonymized insights from completed incident response engagements — with concrete IT forensics results, response times and outcomes. Details in the initial consultation.

Manufacturing · 1,200 employees · Ransomware
Complete encryption of production IT; operations at a standstill
9 days to full operation · €0 ransom paid · 100% data recovered
The ransomware group had 11 days of undetected access. We reconstructed the complete attack path, enabled an insurance reimbursement of €2.3M and hardened 140 critical systems against recurrence.
Financial services · mid-sized · APT / data theft
APT group exfiltrated customer data unnoticed for 8 weeks
4h response time · BaFin report delivered · 0 fines issued
Proof of the full exfiltration scope, GDPR-compliant report within the 72h deadline, regulator report for BaFin prepared — fine proceedings closed.
Healthcare · hospital group · Insider threat
Manipulated admin account: unnoticed sabotage over 3 months
72h to resolution · Complaint to the public prosecutor's office (PPO) enabled · 100% court-admissible
Complete forensic chain of evidence built for public prosecutor investigations. Perpetrator identified and charges filed. Hospital safely back in operation within 4 days.
Logistics · critical infrastructure · Supply chain attack
Compromised software supplier; 3 companies affected
2h response time · BSI report coordinated · 3 companies secured
Coordinated engagement across three companies simultaneously. Complete isolation within 4 hours. BSI reporting and coordination with authorities fully handled.
// 05 — WHY PROSEC DEFENSE

Incident response & IT forensics from Germany — the numbers speak for themselves.

160
Completed incident response engagements after cyber attacks (100% completion rate)
< 2h
Response time for IT emergencies or active cyber attacks (24/7/365)
Ø 12 days
Average time to full operation after a total ransomware outage (market average: 23 days)
20+
Years of IT forensics & hacking experience in the team (military · BKA environment · intelligence)
// 06 — INCIDENT RESPONSE RETAINER

Able to act in an emergency —
before it happens.

A DFIR retainer is more than an emergency number. It ensures that in a cyber emergency you don’t first have to clarify responsibilities and communication channels — instead, a prepared, tested operating model is activated.

With guaranteed response times, included IT forensics contingents and a one-time initialization that synchronizes your organization, your IT service provider and our DFIR team in advance.

P1 · 24/7 · First response to a critical cyber attack within 30–60 minutes
Packages · Essential · Professional · Premium, with included forensics and crisis manager contingents
Setup · One-time initialization with playbooks, tabletop exercise and SLA/OLA structure
// 07 — FREQUENT QUESTIONS

What managing directors and IT leads need to know in a cyber attack.

How fast does your incident response team react to an IT emergency?
In an IT emergency caused by a cyber attack or ransomware, we respond within 2 hours, subject to current capacity. Retainer clients are guaranteed an initial assessment within 2 hours, and our incident response team starts work remotely. A retainer removes the capacity caveat entirely.
Should we shut down affected systems immediately during a ransomware attack?
No — that is one of the most common and most expensive mistakes with ransomware. An uncontrolled shutdown destroys volatile IT forensics data (RAM contents, active connections, running processes) that is irreplaceable for clarifying the cyber attack and for court-admissible evidence. In addition, some ransomware variants can trigger additional encryption routines on restart. Call first — our incident response team guides you through the right first steps.
Are your IT forensics results admissible in court?
Yes. Our IT forensics works according to ISO/IEC 27037 (identification, collection, acquisition and preservation of digital evidence) with a complete chain of custody. Our forensics reports have already been used in public prosecutor investigations after cyber attacks, in BaFin proceedings and in civil disputes. Several team members have experience from law-enforcement-adjacent environments.
Can you work with our cyber insurer after a cyber attack?
Yes. We prepare IT forensics reports specifically for insurance claims after cyber attacks, communicate directly with the insurer and document proof of damage so that reimbursement claims are as enforceable as possible. In several cases we have enabled reimbursements of more than €1M.
How confidential is an incident response engagement?
Absolutely confidential. All incident response and IT forensics engagements run under strict NDA. We do not reference clients without explicit approval. Our team comes from military and intelligence environments where discretion is not an option but a prerequisite.
Do you help with the NIS2 reporting obligation after a cyber attack?
Yes. NIS2 and GDPR prescribe concrete reporting deadlines after a cyber attack: under GDPR, notification of the supervisory authority within 72h of becoming aware of a personal data breach; under NIS2, an early warning within 24h and an incident notification within 72h of becoming aware of a significant incident. We coordinate the entire reporting chain (BSI, data protection authorities, regulators) and prepare all IT forensics documents. Mistakes in reporting obligations after IT emergencies have far-reaching legal and financial consequences.