Security incident? Call: +48 732 059 711
Crisis happens

Ready for the worst — with a plan

Incidents happen. We help you survive: from first alert through forensics, to lessons learned. NIST, SANS, chain of custody — professional and fast.

What you gain

Outcomes that work under pressure

Evidence preservation that holds up

Evidence that survives court scrutiny — chain of custody, hashing, accredited tools. This is not something you do in a rush.

Root cause, not hypothesis

We do not guess. We reconstruct events line by line — timelines, artifacts, access logic — to establish the actual causes of the incident.

A report that defends itself

Technical documentation for judge and auditor. NIST IR, SANS IR, ISO 27035 methodology. Transparency at every step.

Support through the entire response cycle

From first call (contain/eradicate) through forensics, to lessons learned — we are with you when things fall apart.

Integration with CSIRT/CERT

We know the Polish CSIRT ecosystem, CERT.pl, ABW. We know what to report and when, to protect you.

Report for business leaders

Two versions: technical (for IT) and business (for the board) — always without panic, but with a realistic risk summary.

How we respond

Response cycle — from alert to lessons learned

  1. First response (0–4h)

     Crisis contact, threat triage, decision: isolation, forensics or live monitoring. Evidence integrity preserved.

  2. Evidence acquisition (4–72h)

     Memory snapshot (RAM), disk images, network logs, application logs, event timelines. Chain of custody from A to Z.

  3. Analysis & reconstruction (about a week)

     Artifact analysis (prefetch, registry, USN journal), network event analysis, event timeline, IoC preservation.

  4. Report and conclusions

     Technical report + executive summary. Cause, role of each system, exploited gaps, recommendations for lessons learned.
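As an added illustration of the chain-of-custody and hashing practice named above (example code, not the firm's own tooling), the following Python sketch hashes an evidence item at acquisition and re-verifies it on every hand-over; the evidence bytes, item id and person names are constructed placeholders.

```python
# Chain-of-custody record with hash verification for acquired evidence.
# Added example; assumes evidence is handled as bytes (a constructed sample
# stands in for a disk or memory image) and every transfer re-hashes the item.
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquired_hash: str          # hash taken at acquisition; never changes
    custody_log: list = field(default_factory=list)

    def transfer(self, from_person: str, to_person: str, data: bytes) -> bool:
        """Record a hand-over; flag it if the item no longer matches its acquisition hash."""
        current = sha256_hex(data)
        ok = current == self.acquired_hash
        self.custody_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "from": from_person, "to": to_person,
            "sha256": current, "integrity_ok": ok,
        })
        return ok


def acquire(item_id: str, description: str, data: bytes, examiner: str) -> EvidenceItem:
    """Hash at acquisition; the first log entry records the examiner taking possession."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.transfer("source system", examiner, data)
    return item


# Constructed sample standing in for a memory image.
SAMPLE_IMAGE = b"constructed RAM image contents for the example\n"

if __name__ == "__main__":
    item = acquire("EV-001", "RAM snapshot, host ws01", SAMPLE_IMAGE, "examiner A")
    print(item.transfer("examiner A", "lab", SAMPLE_IMAGE))       # True
    print(item.transfer("lab", "counsel", SAMPLE_IMAGE + b"x"))   # False: altered copy
    print(json.dumps(item.custody_log, indent=2))
```

A failed check does not erase the entry; the log keeps the mismatch so the break in custody is itself documented.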

FAQ

Frequently asked questions

Can we do forensics ourselves instead of trusting consultants?
You can, but the evidence will be worthless in court: untrained staff can blur trails and forget the chain of custody. Certified experts (GCIH, GIAC) know what to do.

How long does a full digital forensics investigation take?
Triage: 1–2h. Acquisition: 4–24h. Analysis: 5–10 days, depending on infrastructure size. Report: 2–3 days.

What tools do you use?
EnCase, FTK, Volatility, YARA, osquery, Splunk, SIFT Workstation. We follow NIST/SANS best practices. Every tool leaves an audit trail.

Do we need to shut down systems for forensics?
It depends. First a hot snapshot of memory while the system is still running, then a controlled wind-down or shutdown for cold forensics. We always preserve the maximum amount of data without interrupting the business.

What if we find nothing?
That is also a report: a documented analysis with no evidence of a breach. Sometimes a positive result turns out to be a false alarm, which you also need to know.

Start with a response plan

In 30 minutes we prepare you before the incident: procedures, roles, playbooks, crisis contacts.