
Cybersecurity

Incident Response

When it happens, we get you back on your feet fast.

Digital Forensics & Incident Response (DFIR) service for ransomware, BEC, data breaches, APT intrusions. Containment, eradication, recovery and legal/regulatory support. Available on retainer or on-demand.

  • <2h: response time with retainer
  • 24/7: DFIR team availability
  • 100%: chain of custody preserved

§ A

Overview

When a cyber incident hits you, the first 24–48 hours are critical: contain, collect evidence, communicate. Every rushed decision costs more days of downtime.

Our DFIR team responds 24/7 with the SANS PICERL methodology, enterprise forensic tools and legal-regulatory coverage (Italian Data Protection Authority, ACN, sector authorities). We work on retainer to guarantee SLAs, or on-demand when you call us.

§ B

What's included

  • Initial triage and incident declaration
  • Containment (isolation, network segmentation, account lockdown)
  • Forensics on endpoint, server, cloud, email
  • Malware reverse engineering
  • Threat-actor negotiation (only where appropriate)
  • Eradication and clean-up
  • Recovery and post-incident hardening
  • Technical and legal reporting, notification support

§ C

Deliverables

What you get at the end of an Incident Response engagement, or along the way.

  1. D/01 Reconstructed incident timeline
  2. D/02 Indicators of Compromise (IoC) and TTPs
  3. D/03 Forensic report for authorities
  4. D/04 Lessons learned and recommendations
  5. D/05 Executive and technical communication

§ D

Use cases

Ransomware

Immediate containment, decryptor assessment, recovery from backup, hardening to avoid recurrence.

Business Email Compromise

Compromised accounts, wire fraud, conversation exfiltration. Investigation and remediation.

Data breach

Scope determination, identification of exfiltrated data, support for notification within 72h.

APT / state-sponsored

Targeted persistent campaigns requiring threat hunting and deep remediation.

§ E

Our process

01 Identification

Incident confirmation, initial scoping, team activation.

02 Containment

Isolation of compromised systems without destroying evidence.

03 Eradication

Removal of persistence, patching, credential rotation.

04 Recovery

Controlled service restoration, intensive monitoring.

05 Lessons learned

Post-mortem, defence improvements, future simulations.

§ F

Technologies

Velociraptor · KAPE · Volatility · Autopsy · Cellebrite · Magnet Axiom · CrowdStrike · SentinelOne · Splunk · Elastic · MISP · OpenCTI

Indicative stack. We adapt choices to your context, internal skills and existing constraints.

§ G

Frequently asked questions

Q/01 How fast do you respond?

With an active retainer we are on-call within 1–2 hours, 24/7. On-demand mobilisation typically in 4–8 hours.

Q/02 Should I pay the ransom?

Almost never. We assess case by case but advise against payment: data is often not recovered and the payment funds further crime. We focus first on recovery from backup.

Q/03 Do you cover legal aspects?

We coordinate with your legal counsel and support notifications to the Italian DPA and ACN within statutory deadlines.

Next step

Let's talk about incident response.

A 30-minute call to understand your context and whether we can really help. No commitment.