
When Every Hour Costs Money

Senior responders engaged within 1 hour. On-keyboard within 4.

The Cost of a Slow Response

IBM's most recent breach report puts the average cost of a data breach at $4.88M, and one of the largest cost drivers is dwell time: breaches contained in under 200 days cost nearly $1M less on average than those that run longer. Nomad's incident response practice exists for one reason: get senior, technically credible responders into your environment before the attacker finishes their objectives.

1-hour engagement SLA for retainer clients; 4-hour for new clients
Senior responders only — no offshore tier-1 triage
Containment-first methodology: stop the bleeding, then investigate
Court-defensible evidence handling and chain of custody
Direct experience with cyber-insurance panels and breach counsel
Post-incident hardening and detection engineering included

Incident Types We Handle

Deep specialization across the incident categories that matter

Ransomware

Containment, eradication, and recovery from human-operated ransomware. Negotiation support through licensed counsel, ransom-payment due diligence (OFAC screening), and rebuild planning. We've handled LockBit, BlackCat, Royal, Akira, and previously unseen variants.

Business Email Compromise

BEC, wire-transfer fraud, and Microsoft 365 account takeover. Rapid mailbox forensics, OAuth-app abuse detection, and partnership with FBI IC3 / Secret Service for wire-recall where applicable.
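The mailbox forensics described above come down to a few high-signal checks on the Microsoft 365 Unified Audit Log: inbox rules that forward outside the tenant or hide finance-related mail, mailbox-level forwarding, OAuth consents that grant mail scopes, and sign-ins from addresses the user has never used. The script below is an added illustration, not Nomad's tooling. The audit records are constructed and simplified (the Exchange Online `Operation`/`UserId`/`ClientIP`/`Parameters` shape is kept; the consent record is reduced to the app name and scopes the check needs), and the internal mail domains and per-user IP baseline are assumptions a responder would pull from the tenant.

```python
"""Triage of constructed Microsoft 365 audit records for BEC indicators (added example)."""

INTERNAL_DOMAINS = {"acme.example"}                          # assumption: victim's mail domains
USER_BASELINE_IPS = {"cfo@acme.example": {"198.51.100.10"}}  # assumption: IPs seen in a clean window
HIDE_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Archive", "Junk Email"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "remittance"}
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite", "offline_access"}


def exo(op, user, ip, **params):
    """One Exchange Online audit record; Parameters are Name/Value pairs (constructed data)."""
    return {"Operation": op, "UserId": user, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample: an attacker signs in as the CFO from a new IP, plants a rule that
# forwards finance mail externally and hides it, enables mailbox forwarding, and consents
# to a mail-reading OAuth app. The last record is a benign rule from another user.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "cfo@acme.example", "ClientIP": "203.0.113.45", "Parameters": []},
    exo("New-InboxRule", "cfo@acme.example", "203.0.113.45", Name="..",
        SubjectContainsWords="invoice;wire;payment", MoveToFolder="RSS Subscriptions",
        ForwardTo="cfo.acme@mail.example.net", MarkAsRead="True"),
    exo("Set-Mailbox", "cfo@acme.example", "203.0.113.45", Identity="cfo",
        ForwardingSmtpAddress="smtp:cfo.acme@mail.example.net", DeliverToMailboxAndForward="True"),
    {"Operation": "Consent to application.", "UserId": "cfo@acme.example", "ClientIP": "203.0.113.45",
     "AppDisplayName": "Mail Sync Helper", "Scopes": ["Mail.ReadWrite", "offline_access"]},
    exo("New-InboxRule", "it@acme.example", "198.51.100.10", Name="Newsletters",
        From="news@vendor.example", MoveToFolder="Newsletters"),
]


def param(event, name):
    """Value of a named audit parameter, or None when absent."""
    return next((p["Value"] for p in event.get("Parameters", []) if p["Name"] == name), None)


def is_external(addr):
    """True when a forwarding target lies outside the tenant's own domains."""
    addr = addr.lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def triage(events):
    """Return findings as tuples (kind, user, detail, ...), one new-IP finding per user/IP."""
    findings, seen = [], set()
    for e in events:
        op, user, ip = e["Operation"], e["UserId"], e.get("ClientIP")
        if user in USER_BASELINE_IPS and ip and ip not in USER_BASELINE_IPS[user] and (user, ip) not in seen:
            seen.add((user, ip))
            findings.append(("new_client_ip", user, ip))
        if op in ("New-InboxRule", "Set-InboxRule"):
            for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
                if param(e, field) and is_external(param(e, field)):
                    findings.append(("rule_forwards_external", user, param(e, field)))
            words = {w.strip().lower() for w in (param(e, "SubjectContainsWords") or "").split(";")}
            hides = param(e, "MoveToFolder") in HIDE_FOLDERS or param(e, "DeleteMessage") == "True"
            if hides and words & FINANCE_WORDS:
                findings.append(("rule_hides_finance_mail", user, param(e, "MoveToFolder") or "deleted"))
            if not (param(e, "Name") or "").strip(". "):   # attackers often name rules "." or ".."
                findings.append(("rule_with_blank_name", user, param(e, "Name")))
        if op == "Set-Mailbox":
            for field in ("ForwardingSmtpAddress", "ForwardingAddress"):
                if param(e, field) and is_external(param(e, field)):
                    findings.append(("mailbox_forwarding_external", user, param(e, field)))
        if op == "Consent to application.":
            risky = RISKY_SCOPES & set(e.get("Scopes", []))
            if risky:
                findings.append(("oauth_consent_mail_scopes", user, e.get("AppDisplayName"), sorted(risky)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each finding maps to a containment action: `Remove-InboxRule` for the planted rule, `Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false` for mailbox forwarding, revoking the app's permission grant and the user's refresh tokens for the consent, and a credential reset plus session revocation for the account. Export the rule and grant before removing them; the rule body and the consent record are evidence for any wire-recall request.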

Insider Threat

Departing-employee data theft, sabotage, and privileged-account abuse. Discreet, HR-coordinated investigation; preservation of forensic evidence suitable for civil and criminal proceedings.

Cloud Compromise

AWS, Azure, and GCP intrusions: stolen IAM credentials, OAuth-token theft, cryptomining, S3 exfiltration, and identity-federation abuse. CloudTrail / Azure Activity Log forensics and rapid IAM revocation.
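For the AWS case, the CloudTrail triage and IAM revocation mentioned above are mechanical enough to show end to end: flag a long-lived access key used from an address it has never used, the persistence and defense-evasion calls that follow, bulk S3 reads, and role assumptions (including into foreign accounts), then derive the containment commands from those findings. The script below is an added illustration, not Nomad's tooling. The CloudTrail records are constructed for the example (field names follow the CloudTrail record schema); the home account ID and the per-key IP baseline are assumptions a responder would pull from the environment, and the generated AWS CLI commands are returned as strings for review, not executed.

```python
"""Triage of a constructed CloudTrail sample and a derived IAM revocation plan (added example)."""
import json
from collections import defaultdict

HOME_ACCOUNT = "111111111111"                 # assumption: the victim's AWS account ID
KEY = "AKIAEXAMPLE0000000001"                  # constructed long-lived key of IAM user "deploy"
KEY_BASELINE_IPS = {KEY: {"198.51.100.10"}}    # assumption: IPs the key used in a clean window
PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                      "PutUserPolicy", "AttachUserPolicy", "UpdateAssumeRolePolicy"}
EVASION_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors", "DeleteFlowLogs"}
BULK_READ_THRESHOLD = 3                        # GetObject calls per key; kept low for the sample


def rec(t, name, src, ip, params=None, resp=None, user="deploy", key=KEY):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": t, "eventName": name, "eventSource": src, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params, "responseElements": resp}


ATTACKER_IP = "203.0.113.45"
SAMPLE_RECORDS = [
    rec("2024-05-01T01:58:00Z", "DescribeInstances", "ec2.amazonaws.com", "198.51.100.10"),
    rec("2024-05-01T02:11:03Z", "GetCallerIdentity", "sts.amazonaws.com", ATTACKER_IP),
    rec("2024-05-01T02:11:40Z", "ListBuckets", "s3.amazonaws.com", ATTACKER_IP),
    rec("2024-05-01T02:12:01Z", "GetObject", "s3.amazonaws.com", ATTACKER_IP,
        {"bucketName": "acme-backups", "key": "db/2024-04-28.sql.gz"}),
    rec("2024-05-01T02:12:02Z", "GetObject", "s3.amazonaws.com", ATTACKER_IP,
        {"bucketName": "acme-backups", "key": "db/2024-04-29.sql.gz"}),
    rec("2024-05-01T02:12:03Z", "GetObject", "s3.amazonaws.com", ATTACKER_IP,
        {"bucketName": "acme-backups", "key": "db/2024-04-30.sql.gz"}),
    rec("2024-05-01T02:15:27Z", "CreateAccessKey", "iam.amazonaws.com", ATTACKER_IP,
        {"userName": "deploy"}, {"accessKey": {"accessKeyId": "AKIAEXAMPLE0000000002", "status": "Active"}}),
    rec("2024-05-01T02:16:10Z", "AssumeRole", "sts.amazonaws.com", ATTACKER_IP,
        {"roleArn": f"arn:aws:iam::{HOME_ACCOUNT}:role/BackupAdmin", "roleSessionName": "s"}),
    rec("2024-05-01T02:16:55Z", "AssumeRole", "sts.amazonaws.com", ATTACKER_IP,
        {"roleArn": "arn:aws:iam::999999999999:role/Ingest", "roleSessionName": "s"}),
    rec("2024-05-01T02:17:30Z", "StopLogging", "cloudtrail.amazonaws.com", ATTACKER_IP, {"name": "main-trail"}),
]


def triage(records):
    """Return (kind, detail) findings in log order; one new-IP finding per key/IP pair."""
    findings, seen_ips, reads = [], set(), defaultdict(int)
    for r in records:
        ident = r["userIdentity"]
        key, user, name, ip = ident.get("accessKeyId"), ident.get("userName"), r["eventName"], r["sourceIPAddress"]
        p = r.get("requestParameters") or {}
        anomalous = key in KEY_BASELINE_IPS and ip not in KEY_BASELINE_IPS[key]
        if anomalous and (key, ip) not in seen_ips:
            seen_ips.add((key, ip))
            findings.append(("new_source_ip", {"key": key, "user": user, "ip": ip, "first": r["eventTime"]}))
        if name in PERSISTENCE_EVENTS:
            new_key = ((r.get("responseElements") or {}).get("accessKey") or {}).get("accessKeyId")
            findings.append(("persistence", {"key": key, "event": name, "target_user": p.get("userName"),
                                             "created_key": new_key}))
        if name in EVASION_EVENTS:
            findings.append(("defense_evasion", {"key": key, "event": name, "trail": p.get("name")}))
        if name == "AssumeRole":
            role = p.get("roleArn", "")
            parts = role.split(":")
            acct = parts[4] if len(parts) >= 6 else ""
            if acct != HOME_ACCOUNT:
                findings.append(("cross_account_assumerole", {"key": key, "role": role}))
            elif anomalous:   # home-account role sessions opened by the stolen key need revoking
                findings.append(("role_assumed", {"key": key, "role": role}))
        if name == "GetObject" and anomalous:
            reads[key] += 1
            if reads[key] == BULK_READ_THRESHOLD:
                findings.append(("bulk_s3_read", {"key": key, "bucket": p.get("bucketName"), "count": reads[key]}))
    return findings


def revocation_plan(findings, now="2024-05-01T02:30:00Z"):
    """Containment steps as AWS CLI command strings derived from the findings (not executed)."""
    # Deactivating (not deleting) the key keeps its ID in IAM for the evidence record; STS
    # sessions already minted from it survive deactivation, so assumed roles get a deny on
    # every token issued before `now` (the standard revoke-older-sessions policy).
    deny_older = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*",
                  "Resource": "*", "Condition": {"DateLessThan": {"aws:TokenIssueTime": now}}}]})
    steps, done = [], set()
    for kind, d in findings:
        if kind == "new_source_ip" and d["key"] not in done:
            done.add(d["key"])
            steps.append(f"aws iam update-access-key --user-name {d['user']} --access-key-id {d['key']} --status Inactive")
        elif kind == "persistence" and d.get("created_key"):
            steps.append(f"aws iam delete-access-key --user-name {d['target_user']} --access-key-id {d['created_key']}")
        elif kind == "role_assumed":
            role = d["role"].rsplit("/", 1)[1]
            steps.append(f"aws iam put-role-policy --role-name {role} --policy-name IRRevokeOlderSessions "
                         f"--policy-document '{deny_older}'")
        elif kind == "defense_evasion" and d.get("trail"):
            steps.append(f"aws cloudtrail start-logging --name {d['trail']}")
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    for kind, detail in found:
        print(kind, detail)
    print("\n".join(revocation_plan(found)))
```

Two caveats the plan cannot fix by itself: sessions the key opened in the foreign account (the `cross_account_assumerole` finding) can only be revoked by that account's owner, and the `StopLogging` call means the trail has a blind spot between 02:17:30 and whenever logging resumes, so the bulk-read count is a floor, not a total.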

Web Application Breach

SQL injection, deserialization, and supply-chain (npm / PyPI) compromises. Log forensics, payload reconstruction, and remediation-validation testing before you bring the application back online.

Nation-State / APT

Long-dwell, low-and-slow intrusions involving custom malware and living-off-the-land tradecraft. Senior responders with prior government and DIB experience; intelligence partnerships for attribution context.

The Nomad IR Lifecycle

NIST 800-61 aligned, containment-first, evidence-preserving

1. Engage & Triage

Hotline call answered by a senior responder. Within the first hour we have a working theory of the incident, deploy our forensics tooling, and stand up a secure war room with you, breach counsel, and (if applicable) your cyber-insurance carrier.

2. Contain

Stop the bleeding without destroying evidence: isolate affected hosts, revoke compromised credentials, block C2 infrastructure, and apply emergency segmentation. Containment-first means you stop losing money while we investigate.

3. Investigate & Eradicate

Forensic acquisition of endpoints, mailbox metadata, cloud audit logs, and network telemetry. We trace patient zero, map the full intrusion timeline, and identify every persistence mechanism before declaring eradication complete.

4. Recover

Coordinated rebuild and restore. We validate backups for re-infection risk, supervise golden-image rebuilds, and stand up monitoring for the specific TTPs the adversary used. Production comes back up only when we're confident the adversary is out.

5. Report & Notify

Court-defensible incident report covering scope, timeline, indicators of compromise, and root cause. Regulatory-notification language coordinated with breach counsel for GDPR, HIPAA, GLBA, SEC, and US state breach laws.

6. Lessons Learned & Hardening

30-day hardening sprint: patch the vulnerabilities the attacker used, deploy detection rules for their TTPs, run a tabletop exercise with your leadership, and update your IR playbook. Nobody should suffer the same breach twice.

The Nomad IR Retainer

Pre-negotiated rates, guaranteed response, zero scramble during a crisis

Guaranteed 1-Hour SLA

A senior responder on a call with you within 60 minutes of activation, 24/7/365. On-keyboard with forensics tooling deployed within 4 hours.

Pre-Negotiated Rates

Crisis is not when you want to negotiate hourly rates. Retainer clients have contracted rates locked in and unused hours roll into proactive readiness work.

Readiness Included

Annual tabletop exercise, IR-playbook review, and quarterly threat briefing. The hours you don't spend on incidents go into making sure you don't have one.


Senior Responders Only

GCFA-, GCFE-, GREM-, and GNFA-certified responders with prior experience at top-tier IR firms and government cyber units. Average tenure 12+ years. No tier-1 triage queue.

Insurance Panel-Approved

We work directly with major cyber-insurance carriers and pre-approved breach counsel. Faster coverage approval and direct billing where supported.

Court-Defensible Forensics

Documented chain of custody, write-blocked acquisitions, and reports authored to withstand litigation, regulator review, and class-action discovery.

Closed-Loop With Offensive

Our IR team works alongside our red team and pentest practices. The TTPs we see in real breaches feed straight back into how we test our other clients.

Response When It Counts

Measurable outcomes from our IR practice

1hr: engagement SLA for retainer clients, 24/7/365

4hrs: average time to containment on ransomware engagements

0: repeat breaches across clients who completed our hardening sprint

100%: of engagements staffed by senior responders, no offshore tier-1

Incident Response FAQ

We think we're having an incident right now. What do we do?

Call +1 216.592.8553 or email ir@nomadsec.io. A senior responder will be on the line within an hour. Do not wipe affected machines, reset all passwords, or pay any ransom until we've spoken: wiping destroys the evidence that tells us how the attacker got in, a blanket password reset before the scope is known tips the attacker off and can lock you out of your own recovery, and a payment made without due diligence can be both wasted and sanctionable.

Are you on cyber-insurance panels?

Yes. We are on the panels of multiple major cyber-insurance carriers including Beazley, Chubb, AIG, Coalition, At-Bay, and Travelers. If your carrier requires you to use a panel firm, we likely qualify. We can also coordinate directly with your breach counsel.

Should we pay the ransom?

That's a decision for your leadership and counsel, but it requires due diligence first. We help you assess (1) whether your backups are viable, (2) the threat actor's track record of providing working decryptors, (3) OFAC-sanctions screening of the wallet/group, and (4) whether decryption would even be faster than rebuild. Many clients ultimately rebuild without paying.

What does the retainer cost?

Our IR retainer starts at $25,000/year for a guaranteed 1-hour SLA and a pool of pre-purchased response hours. Unused hours roll into proactive readiness work (tabletops, playbook reviews, threat briefings) so the spend is never wasted. Schedule a scoping call for a quote.

Do you negotiate with threat actors?

We coordinate with specialist negotiators and licensed counsel when a client elects to engage with a threat actor. Negotiation reduces ransom demands by 30–70% on average and provides operational intelligence (e.g., decryptor proof, sample-file recovery) before any payment decision is finalized.

What do we receive at the end of an engagement?

A court-defensible incident report (executive summary + technical detail + IOCs + timeline), regulatory-notification language coordinated with your counsel, a 30-day hardening plan, and detection rules covering every TTP the adversary used. Standard engagements include a 90-day check-in to validate that the hardening held.

Don't Wait for a Breach to Build Your Response Plan

Pre-negotiated retainers, quarterly readiness work, and a guaranteed 1-hour SLA when it matters. Talk to a senior responder about your environment.

Discuss an IR Retainer