Incidents Handled Annually — 15-20 active engagements per year across ransomware, data breaches, and targeted attacks

Under Attack? We Contain First, Investigate in Parallel.

Security Brigade delivers near 24/7 incident response and digital forensics for enterprises across India. From ransomware recovery to CERT-In 6-hour notification compliance, our DFIR team shuts down active threats while preserving forensic evidence for root cause analysis and regulatory reporting.

6,700+ Assessments
700+ Clients
150+ Team
2006 Founded

Trusted by India's leading enterprises

ICICI Bank
HDFC
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Pharmeasy
BillDesk
Jubilant Foods
STEP 01

Immediate Containment

We close probable entry points and isolate compromised systems within hours, even before the full attack path is mapped. The priority is stopping lateral movement and data exfiltration.

STEP 02

Parallel Investigation and Forensics

While containment is underway, our DFIR team begins evidence preservation, log analysis, malware reverse engineering, and attack timeline reconstruction using ShadowMap for external threat intelligence.

STEP 03

Recovery, Reporting, and Hardening

We handle CERT-In 6-hour notifications, concurrent RBI and SEBI filings, ransomware negotiation where needed, system recovery, and deliver a comprehensive post-incident assessment with hardening recommendations.

What Is Cyber Incident Response?

Cyber incident response is the structured process of detecting, containing, investigating, and recovering from a cybersecurity breach or attack. It includes digital forensics to determine how the breach occurred, what data was affected, and what steps are needed to prevent recurrence and satisfy regulatory reporting obligations.

Incident Types We Handle

From ransomware crises to insider threats, our DFIR team has handled it all

Ransomware Response and Recovery

Containment, negotiation assessment, decryption feasibility analysis, backup recovery, and full system restoration.

Data Breach Investigation

Identify scope of data exposure, determine exfiltration methods, preserve evidence for legal and regulatory proceedings.

Business Email Compromise

Email account takeover analysis, lateral compromise assessment, financial fraud impact determination.

Insider Threat Investigation

User activity forensics, privilege abuse analysis, data theft detection with chain-of-custody evidence preservation.

Advanced Persistent Threat Containment

Detect persistent backdoors, map attacker infrastructure, eliminate footholds across network and cloud environments.

Web and Application Compromise

Defacement recovery, web shell detection, application-layer attack investigation, and vulnerability remediation.

Cloud Infrastructure Breach

AWS, Azure, and GCP compromise investigation including credential abuse, misconfigurations, and lateral movement across cloud services.

Malware Analysis and Reverse Engineering

Static and dynamic malware analysis, indicators of compromise extraction, and threat actor attribution where possible.

Methodology

7 steps. Zero guesswork.

Every engagement follows this process through Lemon, our proprietary audit management platform.

Discovery
01

Triage and Rapid Mobilization

Within the first hour of engagement, our IR lead conducts a triage call to assess the nature, scope, and severity of the incident. We establish secure communication channels, identify key stakeholders, and mobilize the response team. ShadowMap is immediately deployed against the organization's external footprint to identify exposed assets, leaked credentials, and dark web chatter that may be related to the incident.

02

Immediate Containment

We close likely entry points early based on initial triage findings, even before the full attack path is reconstructed. This includes isolating compromised systems, revoking compromised credentials, blocking malicious IPs and domains, and deploying emergency firewall rules. The goal is to stop active data exfiltration and prevent lateral movement while preserving forensic evidence.

03

Evidence Preservation and Collection

Forensic images of affected systems are captured following chain-of-custody protocols. We collect and centralize logs from endpoints, servers, network devices, cloud services, email platforms, and security tools. Evidence handling follows standards acceptable for regulatory submissions and, where necessary, legal proceedings.

Testing
04

Deep Forensic Investigation

Our DFIR team performs timeline reconstruction, malware analysis, log correlation, and attack path mapping. We determine the initial compromise vector, map all attacker activity across the environment, identify all affected systems and data, and establish the complete scope of the breach. ShadowMap intelligence enriches the investigation with external context including dark web exposure, credential leaks, and related threat actor activity.

05

Regulatory Notification and Compliance

Security Brigade takes full ownership of CERT-In 6-hour incident notification requirements. We prepare and submit notifications with accurate technical detail, and concurrently handle RBI and SEBI notifications for regulated entities. Our team has deep experience with Indian regulatory reporting formats and timelines, ensuring your organization meets all statutory obligations without diverting your internal team from recovery efforts.

Delivery
06

Eradication and Recovery

Once the attack path is fully mapped, we systematically remove all attacker footholds including backdoors, persistence mechanisms, compromised accounts, and malicious code. For ransomware incidents, this includes decryption assessment, negotiation support where appropriate, and backup-based recovery planning. Systems are hardened before being brought back online.

07

Post-Incident Assessment

After containment and recovery, we deliver a comprehensive post-incident assessment — what we call the B-52 assessment. This includes a complete attack narrative, root cause analysis, gap analysis of security controls that failed, specific hardening recommendations, and a prioritized remediation roadmap. The assessment is delivered in both executive and technical formats to serve leadership, IT, and compliance teams.

"Security Brigade's structured approach through Lemon gave us complete visibility into the testing process. The three-layer review caught issues that our previous vendor missed entirely. Their reports were the first our developers could actually act on without a follow-up call."
CISO, Leading Indian BFSI Enterprise
Top 5 Private Sector Bank · Engaged since 2019

Read more client stories →

The Platform

Powered by Lemon

Most firms rely on individual tester skill. We built a platform that makes quality structural — informed by 6,700+ previous assessments.

[Lemon dashboard mock-up: Coverage Validation view for a sample project, showing endpoint, parameter, auth-flow and JS-route coverage, AI-flagged undiscovered endpoints, and the three-layer (L1/L2/L3) review status]

Instant Attack Surface Visibility

Full external footprint mapped within minutes, not days, including forgotten subdomains, exposed services, and shadow IT.

Dark Web and Credential Monitoring

Immediate identification of stolen credentials, data dumps, and threat actor chatter related to the victim organization.

Threat Actor Infrastructure Detection

Identify phishing domains, lookalike sites, and command-and-control infrastructure linked to the attacker.

Compliance-Ready

Audit-ready reporting for every framework

As a CERT-In empanelled firm, our reports are accepted by all major Indian and global regulators.

CERT-In 6-Hour Notification
We prepare and submit CERT-In incident r
RBI Incident Reporting
For banks, NBFCs, payment aggregators, a
SEBI Cyber Incident Reporting
For stock brokers, mutual funds, deposit
IRDAI and Sectoral Reporting
Insurance companies and other sector-reg
DPDP Act Breach Notification
Data breach notification preparation ali
Evidence Packages for Legal Proceedings
Forensic evidence documented with chain-

Industries

700+ clients across verticals

Every type of application architecture and business logic pattern — tested.

BFSI: ICICI Bank, HDFC, Yes Bank, UTI MF, Edelweiss
Fintech & Payments: PhonePe, Amazon Pay, Groww, BillDesk
Manufacturing: Mahindra, Asian Paints, L&T, Hindalco
Retail & Consumer: Swiggy, Sephora, Pernod Ricard, Jubilant
Aviation & Logistics: Etihad Airways, DHL Express, Shadowfax
Healthcare: CloudNine, Pharmeasy, Wave Health

Deliverables

What you get

Reports for two audiences — executives who need the risk picture, and developers who need to fix the issues. With code-level guidance, not vague advice.

Executive Incident Summary

Board-ready overview covering what happened, business impact, regulatory status, and immediate actions taken. Designed for CISOs, CTOs, and board presentations.

Technical Forensic Report

Complete attack timeline, forensic evidence, indicators of compromise, malware analysis results, and detailed attack path reconstruction with supporting evidence.

Post-Incident B-52 Assessment

Comprehensive root cause analysis, security control gap assessment, and prioritized hardening roadmap to prevent recurrence. Named for its thoroughness.

Regulatory Notification Packages

Pre-prepared CERT-In, RBI, SEBI, and other regulatory submissions with technical accuracy and compliance with reporting formats and timelines.

Indicators of Compromise Package

Structured IOC data including malicious IPs, domains, file hashes, registry keys, and YARA rules for your SOC team to operationalize.

Evidence Archive with Chain of Custody

Forensic images, log archives, and analysis artifacts with documented chain of custody suitable for legal proceedings and insurance claims.

FAQ

Common questions

Can't find what you're looking for? Talk to our team.

Contact us
How quickly can Security Brigade respond to an active cyber incident?

Security Brigade maintains near 24/7 incident response capacity. We conduct an initial triage call within hours of engagement and begin remote containment actions immediately. Our team of 150+ security professionals includes dedicated IR practitioners who can mobilize rapidly, including outside standard business hours.

What is the CERT-In 6-hour incident reporting requirement?

CERT-In mandates that organizations report cybersecurity incidents within 6 hours of detection. This applies to a wide range of incidents including data breaches, ransomware attacks, and unauthorized access. Security Brigade takes full ownership of preparing and submitting these notifications with accurate technical detail, so your team can focus on containment and recovery.

Do you handle ransomware negotiation and payment?

Yes. Security Brigade provides end-to-end ransomware response including negotiation support, decryption feasibility assessment, and recovery planning. We assess whether known decryptors exist for the ransomware variant, evaluate the threat actor's credibility, and provide informed guidance on negotiation strategy. Payment decisions remain entirely with the client, supported by our technical assessment.

What is digital forensics and why is it important during incident response?

Digital forensics is the scientific process of collecting, preserving, and analyzing electronic evidence from compromised systems. It is essential during incident response because it determines how the breach occurred, what data was affected, whether the attacker is still present, and what evidence is needed for regulatory reporting, insurance claims, or legal proceedings.

Can you help with RBI and SEBI cyber incident notifications?

Yes. Security Brigade handles concurrent RBI and SEBI incident notifications alongside CERT-In reporting. Our team has deep experience with the reporting formats, technical requirements, and timelines mandated by Indian financial regulators. We also support IRDAI, NPCI, and other sectoral notification requirements for regulated entities.

What is the difference between incident response and a regular security audit?

A security audit is a planned, proactive assessment of your security posture. Incident response is a reactive engagement triggered by an active breach or suspected compromise. IR focuses on immediate containment, evidence preservation, root cause determination, and recovery. Security Brigade offers both services, and many IR clients subsequently engage us for proactive audits to prevent recurrence.

What is a post-incident assessment and what does it include?

Security Brigade delivers a comprehensive post-incident assessment called the B-52 assessment after every engagement. It includes a complete attack narrative, root cause analysis, evaluation of which security controls failed and why, specific hardening recommendations, and a prioritized remediation roadmap. The assessment is delivered in both executive and technical formats.

How does ShadowMap accelerate incident investigation?

ShadowMap is Security Brigade's proprietary External Attack Surface Management platform. During an incident, it is deployed immediately to map the organization's external footprint, identify leaked credentials on the dark web, detect phishing domains, and surface indicators of compromise. This eliminates hours of manual reconnaissance and gives the DFIR team actionable intelligence from minute one.

Do you provide evidence suitable for legal proceedings and insurance claims?

Yes. All forensic evidence collected during Security Brigade incident response engagements follows chain-of-custody protocols. Evidence packages include forensic images, log archives, analysis artifacts, and detailed documentation suitable for regulatory submissions, legal proceedings, and cyber insurance claims.

How much does incident response cost?

Incident response engagements are priced based on the scope and complexity of the incident, the number of affected systems, and the duration of the engagement. Security Brigade provides an initial cost estimate after the triage call and works on a time-and-materials basis for complex incidents. Contact us to discuss your specific situation — we understand that budget conversations during an active incident need to be fast and transparent.

Stay protected between assessments with ShadowMap

Continuous attack surface monitoring — discovers new assets, detects credential leaks, and alerts on new exposures the day they appear.

Learn about ShadowMap →

Already Recovered? Prevent the Next Incident.

The best incident response engagement is the one you never need again

Typically responds within 1 business day · No commitment required

Get a Quote