When an attack is underway, every minute matters. Paragon's incident response team deploys rapidly — containing the breach, preserving evidence, and getting you back to business with minimum damage.
We handle every phase of an incident — detection, containment, eradication, recovery, and hardening — so your team can focus on running the business.
Pre-agreed response capability on standby — guaranteed SLA, priority mobilisation, and a named responder who already knows your environment.
24/7 Coverage
Rapid containment to stop spread, assessment of encryption scope, decryption options review, negotiation support where required, and full recovery planning.
Most Common Engagement
Scope the breach, identify what data was accessed, preserve evidence for regulatory purposes, and support ICO / supervisory authority notification within the 72-hour window.
Regulatory Support
Forensically sound evidence collection and analysis — disk imaging, memory forensics, log analysis, and timeline reconstruction for legal proceedings or internal investigation.
Court-Admissible Evidence
Investigation and containment of BEC attacks — account takeover analysis, fraudulent transaction tracing, email rule auditing, and credential reset procedures.
Financial Fraud
Root cause analysis, attack path reconstruction, lessons learned, and a hardening roadmap to prevent recurrence — delivered within 10 days of incident closure.
Prevent Recurrence
Our responders have handled every major threat type across every sector. Whatever you're facing, we've faced it before.
LockBit, BlackCat, Conti, Cl0p, and novel variants — full containment and recovery
Account takeover, payment fraud, and executive impersonation attacks
Stealth data theft, double extortion, and cloud storage exfil incidents
Third-party compromise, malicious software updates, and vendor network intrusions
Malicious and accidental insider incidents — data theft, sabotage, and credential misuse
Nation-state and sophisticated actor intrusions — long-dwell compromise investigations
Every engagement follows the NIST SP 800-61 incident response lifecycle — adapted for speed in live-attack scenarios.
Callback within the hour. Senior responder takes first-pass details, assesses severity, and provides immediate guidance — including whether to isolate systems now.
Secure remote access established. First containment actions taken — network segmentation, account disabling, C2 blocking — to stop the bleeding.
Full forensic investigation underway — attack vector identification, scope of compromise, data accessed, and attacker persistence mechanisms discovered.
All threat actors and persistence removed. Clean systems restored from verified backups. Regulatory notifications drafted if required. Business resuming.
Full written report — root cause, attack timeline, evidence, regulatory obligations met, and hardening roadmap to prevent recurrence.
LockBit 3.0 attack on production network. Detected Monday 06:42.
You can call us when something happens — or be first in the queue, with a team that already knows your environment before the incident starts.
Call us when you need us — no prior arrangement required
Pre-agreed capability — faster, cheaper, better informed
Yes — immediately. Uncertainty is normal, and calling early is always better than waiting for confirmation. An attacker can cause exponentially more damage in the hours you spend trying to diagnose the situation internally. Our initial triage is free, and we'll tell you within the first call whether you have an active incident or a false alarm. If it's the latter, you've lost nothing. If it's the former, you've gained critical hours.
This decision depends on multiple factors — your backup integrity, the threat actor involved, data sensitivity, and regulatory position. We never advise paying as a first resort, and in the majority of cases our clients recover without paying. If payment is being considered, it must go through legal counsel and potentially OFSI (UK sanctions) clearance. We provide all the information you need to make an informed decision, but we do not make it for you.
The most important things: don't turn systems off (you'll destroy volatile forensic evidence), don't communicate on potentially compromised email systems, don't reuse any credentials from affected machines, and document everything you've already done. Take photos of screens if needed. Then call us — we'll guide you through the rest in real time. Avoid the temptation to start investigating yourself unless you have trained staff; well-intentioned actions often destroy evidence.
Under UK GDPR, you must notify the ICO within 72 hours of becoming aware of a personal data breach — if it is likely to result in a risk to individuals' rights and freedoms. Not every breach requires notification, but getting this determination wrong carries significant regulatory risk. Paragon assists with the breach assessment and, where required, drafts and submits the ICO notification on your behalf within the mandatory window.
A managed security service (like our Managed Cyber Security offering) monitors your environment continuously and detects threats proactively. An IR retainer is the on-call capability that activates when an incident occurs — whether detected by your SOC, your managed service provider, or your own team. The two complement each other: managed security detects faster, and a retainer ensures expert hands are available the moment something is confirmed.
The best time to arrange incident response capability is before you need it. The second best time is right now.