
Cyber Incident Response & Digital Forensics (DFIR)

When a cyber attack is underway, every minute matters. Threat actors move quickly to escalate privileges, establish persistence, move laterally, exfiltrate data, and disrupt systems.

ThreatDefence provides 24×7 Digital Forensics and Incident Response services, helping our clients to contain threats, establish visibility fast, and drive recovery with confidence. Our team has responded to major incidents across Australia and internationally, bringing practical experience to high-pressure situations where clear decisions matter most.

Our approach is evidence-led, technology-driven, and grounded in real-world incident response. From the earliest stages of an engagement, we deploy our SecOps toolset to deliver forensic-grade visibility across endpoints, identity, network, and cloud. This allows us to understand attacker activity before containment actions begin, preserve critical evidence, and support response decisions with facts drawn directly from your environment. We do not rely on assumptions. We show you what happened, how far it went, and what needs to happen next.

Experiencing a breach?
Contact our team now and get immediate assistance.

Security Incidents Managed by ThreatDefence:

No matter how an attack started or how far it has progressed, ThreatDefence has the capability, tooling, and experience to respond effectively.

Ransomware & Data Extortion

Targeted ransomware attacks from organised threat groups — including double-extortion scenarios where data has been exfiltrated prior to encryption. ThreatDefence contains the infection, identifies all affected systems, eradicates attacker access, supports decryption and recovery, and — where required — manages threat actor negotiation to reduce ransom demands.

Insider Threat & Employee Misconduct

Investigations into malicious insider activity, employee misconduct, unauthorised data access, intellectual property theft, and sabotage. ThreatDefence provides forensic evidence collection using procedures suitable for HR proceedings, employment termination, civil litigation, and regulatory complaints — maintaining strict chain of custody throughout.

Business Email Compromise (BEC)

Targeted spear phishing, CEO fraud, invoice manipulation, and financial wire fraud. BEC attacks frequently involve months of silent inbox access before financial fraud occurs. ThreatDefence identifies the initial compromise point, scopes the full period of attacker access, determines what was read or exfiltrated, and supports recovery of affected accounts, transactions, and business processes.

Data Breach & Unauthorised Exfiltration

Investigating data breaches, exfiltration events, and unauthorised data disclosures — including scoping exactly what was taken, when, by whom, and via what channel. ThreatDefence maintains forensic chain of custody throughout to support regulatory notification obligations under the NDB scheme, APRA CPS 234, and sector-specific requirements.

Active Threat Actor in Environment

When an attacker is still present and actively moving through a network — including compromised domain controllers, persistent access established via multiple backdoors, and live lateral movement — rapid, methodical containment is critical. ThreatDefence identifies all attacker footholds across the environment before initiating containment, ensuring no persistence mechanism is left open for re-entry.

Zero-Day & Novel Exploits

Breaches caused by newly discovered vulnerabilities or exploits where no signature or patch is yet available. Behavioural investigation determines scope and impact without reliance on signature-based detection. ThreatDefence identifies indicators of compromise specific to the attack and implements behavioural controls while vendors develop patches.

Cloud & Identity Compromise

Account takeover, OAuth application abuse, identity provider compromise, and cloud infrastructure attacks across Microsoft 365, Entra ID, AWS, Azure, and GCP. Cloud incidents require specialist investigation techniques distinct from on-premises forensics; ThreatDefence has dedicated cloud IR capability across all major platforms.

Supply Chain Attack

Compromise originating from a trusted third-party vendor, MSP, or software supply chain. These incidents require understanding how the attacker moved from the vendor environment into the target, scoping what was accessible via trusted third-party credentials, and managing the response while maintaining the ongoing vendor relationship.

Malware & Unknown Root Cause

Malicious activity where the root cause is unclear — unusual process behaviour, unexplained network connections, alerts without context. ThreatDefence deploys full forensic investigation capability to identify root cause, determine whether an active attacker is present, and establish the full scope of compromise.

Why Choose ThreatDefence As Your Incident Response Partner:

At ThreatDefence, we’ve encountered numerous significant cybersecurity incidents both in Australia and across the globe. On more than one occasion, we found ourselves in situations where multiple teams were involved in the response effort, yet progress remained elusive. The growing disconnect between the technical teams and the business added to the frustration, as critical answers remained elusive amidst a sea of uncertainties.

Our IR approach is grounded in technology, experience and common sense. We firmly believe that Incident Response should never happen in isolation. Instead, we supplement it with our SecOps platform, providing deep visibility and scalable evidence records from the onset of our Incident Response engagement.

We believe in practical leadership and common sense. We stand by the principle of deep visibility, enabling us to substantiate our findings with clear and compelling evidence. We advocate for ongoing monitoring, allowing us to support our efforts with ongoing assurance.

Practical Approach

We are cybersecurity practitioners with a well-proven methodology for responding to complex incidents. With all the necessary resources at our disposal, we can begin making progress immediately.

Deep Visibility

From the first minutes of our response process, we employ our SecOps toolset to enhance cyber assurance across your entire business, and to get visibility at scale.

Response At Scale

We never look at systems in isolation; we cover your entire network and search for indicators of compromise everywhere. We are only satisfied when we know that your entire network is clean.

24×7 Security Monitoring

We understand that incident response cannot be isolated, as hackers may return through alternative means. Our dedicated team will monitor your environment around the clock while you recover.

Full-Suite DFIR Services

Every service needed to respond, recover, and emerge stronger is delivered by one team under one engagement — without needing to source and onboard additional providers mid-incident. The following services are available as part of every ThreatDefence IR engagement.

1. Digital Forensics

  • Memory forensics and volatile data capture from live systems
  • Disk forensics and file system analysis across Windows, Linux, and macOS
  • Log forensics across endpoints, servers, cloud platforms, and identity providers
  • Malware analysis — static and dynamic — including reverse engineering where required
  • Network forensics and full packet capture analysis
  • Email forensics — header analysis, attachment investigation, account access history
  • Mobile device forensics where relevant
  • Court-admissible evidence collection procedures with chain of custody maintained throughout
  • Expert witness reporting capability for legal proceedings

2. Incident Containment & Eradication

  • Endpoint isolation at scale — automated through the ThreatDefence platform, not manual system-by-system action
  • Compromised account suspension, password reset, and MFA token revocation
  • Malicious IP, domain, and file hash blocking at firewall, DNS, and endpoint layers simultaneously
  • Identification and removal of all attacker persistence mechanisms — backdoors, scheduled tasks, registry modifications, WMI subscriptions, startup items, webshells
  • Active Directory attack path identification and remediation — including Kerberoastable accounts, DCSync rights, and excessive delegation
  • Complete environment validation: ThreatDefence does not declare an environment clean until every corner of it has been searched

3. Business Restoration

  • Critical system triage — business impact assessment to prioritise recovery order
  • Workstation and server reimaging to known-good state
  • Active Directory and identity infrastructure rebuild and hardening
  • Backup integrity verification prior to restoration — including ransomware pre-staging check
  • Network hardening applied before systems return to production
  • Side-by-side support for your internal IT team throughout recovery
  • Application and service validation after restoration

4. Threat Actor Negotiation

  • Direct negotiation with threat actors on the organisation’s behalf
  • Verification of decryption capability before any payment is considered
  • Intelligence-driven negotiation strategy using findings from the forensic investigation
  • Knowledge of major threat groups’ behaviour patterns, payment preferences, and track records
  • Coordination with legal counsel and cyber insurer throughout the negotiation
  • Full documentation of all negotiation activity for insurance claims and regulatory purposes

5. Cloud & Identity Incident Response

  • Microsoft 365 Unified Audit Log forensics — mail access, file access, admin actions
  • Entra ID / Azure Active Directory compromise investigation and remediation
  • OAuth application abuse detection — identifying and revoking malicious app grants
  • AWS CloudTrail and IAM forensics — determining what was accessed and by whom
  • Azure and GCP infrastructure investigation and hardening
  • SaaS platform data exposure scoping — what could the attacker access via compromised accounts?
  • Cloud identity rebuild and conditional access hardening post-incident

6. Regulatory & Legal Support

  • Notifiable Data Breaches (NDB) scheme notification support — determining whether the threshold is met and preparing the notification
  • Evidence packages prepared for legal proceedings — civil litigation, criminal referral, employment action
  • Cyber insurance claim documentation — incident timeline, root cause, financial impact quantification
  • Expert reports for regulatory investigations and inquiries.

Incident Response Retainer Options

ThreatDefence Incident Response Retainer gives organisations priority access to experienced DFIR specialists who can rapidly contain attacker activity, determine the root cause and full scope of the incident, and support recovery across affected systems, users, and business operations. Rather than engaging a provider for the first time during a live breach, customers have an established response path, faster mobilisation, and expert support already in place when it matters most.

The retainer also includes proactive readiness activities designed to strengthen incident preparedness before an attack occurs. This can include incident response planning, environment familiarisation, and tabletop exercises to help your team respond with greater speed, clarity, and confidence. By combining priority response access with preparation in advance, ThreatDefence helps organisations reduce disruption, make better decisions under pressure, and recover faster from serious cyber incidents.

Feature                                      IR Retainer   IR Retainer + SOC
Response Time SLA                            2 hours       30 minutes
Pre-agreed IR coverage                       Yes           Yes
Priority access to ThreatDefence DFIR team   Yes           Yes
Incident Response Plan review                Yes           Yes
Incident-specific runbooks                   Yes           Yes
Cyber resilience assessment                  Yes           Yes
Secure IR documentation portal               Yes           Yes
Tabletop exercise                            Yes           Yes
Named incident coordinator                   Yes           Yes
Post-incident report                         Yes           Yes
24×7 SOC monitoring (ongoing)                Yes           Yes
Proactive threat hunting                     Yes           Yes
Dedicated Security Advisor                   Yes           Yes

Incident Management Lifecycle

ThreatDefence follows a structured, evidence-based incident response methodology. Where possible, phases run in parallel — forensics, containment, and restoration do not wait for each other — because minimising downtime and minimising data loss are simultaneous goals, not sequential ones.

Preparation

ThreatDefence works with your organisation to establish visibility, define responsibilities, and agree any pre-authorised response actions needed for containment.

Detection and Analysis

Our platform and SOC continuously monitor your environment for suspicious activity across endpoint, identity, network, cloud, and other telemetry sources.

Incident Declaration and Escalation

Where activity is assessed as a credible threat, ThreatDefence declares an incident and escalates immediately in line with the agreed contact and response process.

Threat Containment

Our team works to contain the threat and limit impact. This may include isolating endpoints, disabling accounts, blocking malicious indicators, or coordinating further actions.

Eradication and Recovery

Once contained, the focus shifts to identifying root cause, removing malicious artefacts, resetting compromised access, and safely restoring affected systems and services.

Post-Incident Review

After resolution, ThreatDefence provides a post-incident review covering what happened, how the response was handled, and what improvements should be made.

Sample Incident Response Scenario

The following table illustrates a typical sequence of activities for threats detected and managed by the ThreatDefence SOC team. Actual timelines may vary depending on severity and complexity, but SLA commitments are noted where applicable.

Preparation
  • Escalation contacts documented
  • Isolation actions approved
  • Customer has reviewed and accepted the Operations Manual
  Timeframe: Prior to incident

Signal Analysis
  • Security events recorded in our platform
  • An alert is detected and correlated
  Timeframe: T (time the detection was raised)

Detection & Analysis
  • SOC team triages the alert
  • Initial analysis conducted
  Timeframe: T + response time; within the first 15 minutes for high-severity incidents (SLA commitment), typically within minutes

Incident Declaration & Initial Escalation
  • The detected activity is classified as an incident
  • Initial email escalation sent to nominated Customer contacts
  Timeframe: Within the next 5 minutes

Containment
  • If authorised and where possible, a containment action is executed according to our playbooks (e.g. a compromised Microsoft 365 account is disabled)
  Timeframe: As applicable

Phone Escalation
  • Direct phone escalation to Customer according to the Escalation Contact Order (Customer Contacts)
  Timeframe: Within 5 minutes

Response Coordination
  • Incident Coordinator is appointed
  • A live conference bridge is established
  Timeframe: Within 5 minutes

Response Plan
  • A situational response plan is developed
  Timeframe: Within the first 4 hours for high-severity incidents (SLA commitment); typically within 30-60 minutes

Eradication & Recovery
  • Investigation continues, situational updates are provided, and eradication and recovery actions are carried out
  Timeframe: Ongoing until resolution

Post-Incident Activity
  • Delivery of the post-incident report and scheduling of the post-incident review meeting
  Timeframe: After recovery

Why ThreatDefence

ThreatDefence has responded to major cyber incidents across Australia and internationally. In more than one engagement, we joined efforts that had been underway for days — where multiple parties were involved, significant resources had been spent, and yet the business still did not know where the attacker was, what they had taken, or whether recovery was achievable. The reason is almost always the same: insufficient visibility.

Our IR approach is grounded in deep visibility from the first minutes of engagement. We do not work from assumptions; we deploy tooling that shows us exactly what is in the environment. The following principles define how we work:

Evidence-First, Not Opinion-First

Every finding we present is substantiated by forensic evidence from your environment. We do not speculate about what might have happened, present theories without supporting data, or recommend containment actions based on assumptions. We show you what happened, with the evidence to back it.

Full Network Coverage — Not Just Affected Systems

We never examine systems in isolation. From the moment we deploy, we search your entire environment for indicators of compromise — because sophisticated attackers always establish multiple footholds, and declaring an environment clean before finding all of them means the attacker returns. ThreatDefence is only satisfied when we can confirm the entire network is clean.

Practical Leadership at Critical Decision Points

At the moments when a business needs clear direction most — whether to pay a ransom, when to notify regulators, which systems to prioritise, whether to bring a compromised application back online — ThreatDefence provides definitive, evidence-based guidance. Not ambiguity. Not a list of options with no recommendation. Leadership when it matters most.

Containment and Restoration in Parallel

We do not wait for forensics to finish before beginning restoration. Critical systems are queued for recovery from the moment they are validated as clean — which means business recovery begins hours into the engagement, not days. This is only possible because our platform provides the visibility to make confident, evidence-based decisions about what is safe to restore.

No Gaps — Day or Night

Attackers do not respect business hours. ThreatDefence maintains 24×7 active monitoring and analyst coverage throughout every engagement — including weekends and Australian public holidays. When we say 24×7, we mean it.

No Vendor Lock-In or Hidden Costs

Because ThreatDefence deploys its own platform, there are no third-party tool costs added to your engagement bill. You pay for analyst time and the work being done — that is all. Post-incident, there is no obligation to purchase ongoing services, though most organisations choose to transition to continuous SOC monitoring to prevent recurrence.

We Support Your Regulatory & Legal Obligations

A significant cyber incident in Australia is rarely just a technical problem — it is also a legal and regulatory event. Understanding your obligations and acting on them promptly is a critical part of the response. ThreatDefence supports organisations through each of the following:

Notifiable Data Breaches (NDB) Scheme

Administered by the Office of the Australian Information Commissioner (OAIC), the NDB scheme requires organisations covered by the Privacy Act 1988 to notify affected individuals and the OAIC when an eligible data breach occurs — one that is likely to result in serious harm to any individual whose data was involved. ThreatDefence assists in determining whether the NDB threshold has been met, preparing the notification, and documenting the response for OAIC purposes.

APRA CPS 234 — Financial Institutions

APRA-regulated entities (banks, insurers, superannuation funds) must notify APRA as soon as possible — and in any case within 72 hours — of becoming aware of a material information security incident. ThreatDefence provides the incident documentation, timeline, and technical evidence required to satisfy APRA notification requirements and supports the preparation of formal APRA reports.

ASD Voluntary Reporting

The Australian Signals Directorate (ASD) encourages voluntary reporting of significant cyber incidents to the Australian Cyber Security Centre (ACSC). For organisations subject to Critical Infrastructure obligations under the Security of Critical Infrastructure Act (SOCI Act), mandatory reporting requirements may apply. ThreatDefence assists in determining reporting obligations and preparing ASD notifications.

Cyber Insurance Claims

Most cyber insurance policies require prompt notification of a claim and cooperation with the insurer’s appointed loss adjuster. ThreatDefence provides the incident timeline, root cause analysis, scope of compromise, and financial impact documentation required to support a claim. We work alongside your insurer and legal counsel from the start of the engagement to ensure no documentation requirements are missed.

Legal Proceedings & Evidence

Incidents involving IP theft, insider misconduct, fraud, or criminal activity may proceed to civil litigation, employment action, or criminal referral. ThreatDefence collects and preserves forensic evidence in accordance with court-admissible procedures and can provide expert witness reports and testimony where required.

Frequently Asked Questions

Contact a specialist incident response company before taking action. One of the most common mistakes organisations make is attempting containment too early — shutting down systems, wiping devices, or running remediation tools before forensic evidence is preserved. Early actions can destroy the evidence needed to understand what happened, how far the attacker progressed, and what data may have been affected.

Retainer customers receive a 30-minute response time SLA. For emergency engagements without a retainer, we aim to have an analyst engaged within two hours of initial contact. In most cases, platform deployment and active investigation begin within two to four hours of the initial call.

Yes. ThreatDefence works alongside cyber insurers, legal counsel, and loss adjusters during incident response engagements. We provide the documentation, evidence, and reporting needed to support claims and assist with insurer coordination where required.

Notification requirements depend on the nature of the incident, the data involved, and your regulatory context. Australian organisations may have obligations under the NDB scheme, APRA CPS 234, or the SOCI Act. ThreatDefence helps determine which obligations apply and supports the preparation of required notifications.

A retainer provides faster response, pre-agreed commercial terms, and a provider that is already onboarded and ready to act. Emergency engagements are still available, but they typically involve slower mobilisation, higher rates, and valuable time lost during the onboarding process.

ThreatDefence provides a detailed post-incident report covering the attack timeline, root cause, evidence, and remediation priorities. We also support recovery monitoring and post-incident uplift activities to reduce the risk of recurrence.

Yes. Third-party and supply chain incidents can be complex and often require careful investigation to determine how access occurred, what was affected, and what evidence is needed to support accountability and response decisions. ThreatDefence has experience in these scenarios and can support both investigation and recovery.
