Frequently Asked Questions
Digital Forensics
As early as possible. Engaging us at the first sign of suspicious activity ensures evidence is preserved, investigation efforts are focused, and containment decisions are guided by facts rather than assumptions. Early triage support can also help avoid irreversible data loss or legal complications.
Yes. We work collaboratively with your technical staff, security analysts, legal team, executive leadership, or other third-party service providers to ensure investigations are well-informed, appropriately scoped, and aligned with your business priorities. We also coordinate with your cyber insurer or breach coach where needed.
We handle forensics across Windows, Linux, and macOS endpoints, servers, virtualised environments, and cloud platforms like Microsoft 365, Google Workspace, and AWS. We also analyse logs, email, mobile devices (in scope-dependent cases), and external storage when available.
We support both. While many clients contact us during an active incident, others retain us ahead of time for guaranteed response timelines, or engage us for forensic readiness assessments and preparedness exercises. We can also assist post-incident with root cause analysis or evidence reviews.
Yes. We use industry-standard forensic tools and techniques, document our process rigorously, and ensure proper chain of custody during acquisition. Our reports are clear, defensible, and structured to support potential legal or regulatory requirements.
Pricing depends on many factors like the number of systems involved, data volume, and complexity, so it's challenging to provide an accurate estimate without a call to adequately scope your needs.
As a general guide, pricing for small-to-medium engagements (e.g., forensic acquisition and analysis of one compromised system) may start from AUD$7,500–$12,500. We have standard rates per type of device (workstation, server, mobile device, memory, etc.) for imaging-only engagements where analysis isn't required, and there are economies of scale where more devices are involved (i.e., 10 machines would not necessarily cost 10x as much).
Urgent incident response or multi-system investigations usually involve higher costs in line with the level of effort required to complete the investigation. We provide clear estimates upfront and communicate early and often during every engagement so there are no surprises.
We provide both. Most investigations can be performed remotely using secure evidence acquisition and communication methods. For sensitive environments or where physical access is necessary, on-site support is available across Australia and select international locations.
IR Plans & Playbooks
An incident response plan provides a high-level framework: your objectives, roles, escalation paths, legal/regulatory obligations, and overall response structure.
Playbooks are scenario-specific: step-by-step guides tailored to incidents like ransomware, email compromise, insider threats, or data breaches. Both are important. One sets your strategy, the other guides your tactical response.
Absolutely. In fact, it's helpful. Many clients come to us with partial documentation, legacy plans, or outdated templates. We review what you have, identify gaps, and build from there. We recommend keeping what works and improving what doesn’t.
A typical engagement runs for three to four weeks depending on your teams' availability, the number of documents involved, and how much existing material we’re working from. We’ll provide a clear project timeline at the start and keep things on track throughout.
Deliverables are provided in editable formats (typically Word and PDF), ready for review, approval, and distribution. If you need integration into a particular platform (e.g. Confluence, SharePoint), we can support that too.
Yes. Everything we deliver is designed to be used in both simulated and real-world incidents. We avoid theory and boilerplate in favour of practical, testable guidance you can validate through regular exercises.
Pricing depends on the size and complexity of the engagement, e.g., how many scenarios are covered, whether you want to revise existing material or build from the ground up, and how many stakeholder groups are involved.
As a guide, a full IR plan and two to three tailored playbooks typically start from AUD$35,000–$45,000. This type of engagement includes significant time spent with your teams during discussion-based workshops to collaboratively tailor plans to your specific requirements.
We’ll provide a fixed quote after a short discovery call to understand your needs.
Organisations that want to move beyond compliance checklists and prepare their teams to respond with clarity and confidence. We've worked with critical infrastructure providers, government, education, finance, tech startups, and large enterprises across all regions.
Tabletop Exercises
Most sessions run between two and six hours, depending on complexity, scenario depth, and number of participants. Expect to spend some time with our team before the exercise to ensure it suits your needs. More bespoke exercises taking place across geographies or multiple days are also possible; just let us know what you need.
After the exercise, we'll deliver an after-action report with both executive-level and technical recommendations within one to two weeks.
It can be. We tailor the scenario to your team's maturity and level of preparedness. Some exercises focus on executive decision-making and business impact, others revolve around detailed technical injects.
We'll discuss the scope and specifics of the scenario during an initial kickoff call to ensure the exercise meets your exact requirements.
Yes. We provide an after-action report including key observations, recommendations, and actionable next steps to improve your incident response capability. A debrief meeting to go over the report in detail is also available upon request.
We develop exercises to suit a variety of industries, use-cases, and levels of maturity. Our prices are generally fixed-fee and based on our extensive experience responding to real-world and simulated incidents, as well as the level of effort required to create and execute an engaging, world-class scenario.
Smaller, less complicated TTXs based on common adversary tactics, techniques, and procedures generally start around AUD$20,000, including planning, execution, and reporting. More complex, tailored exercises involving multiple teams, sites, geographies, or elements of gamification typically start around AUD$35,000, depending on your particular needs.
Threat Hunting
A penetration test simulates an attacker to test your defences. A threat hunt looks for evidence that an attacker may already be inside. It’s forensic in nature, focused on detection, validation, and assurance rather than exploitation.
No. While telemetry helps, our approach is designed for organisations of any maturity. We work with what you have — logs, EDR, backups, or network captures — and can recommend improvements based on what we find.
Most small-to-mid-sized environments can be assessed within one to two weeks, depending on the number of endpoints, data availability, and scope. We provide a clear timeline before work begins.
We’ll immediately escalate our findings and, with your approval, move into containment and forensic investigation. Our goal is to help you respond swiftly and preserve evidence properly for legal, regulatory, and insurance purposes.
We recommend at least annually or after major infrastructure changes, mergers, or suspected incidents. Many clients include semi-annual or quarterly hunts as part of their readiness retainer.
Pricing depends on many factors like the number of systems involved, data volume, and complexity, so it's challenging to provide an accurate estimate without a call to adequately scope your needs.
As a general guide, pricing for small-to-medium engagements may start from AUD$20,000–$30,000.
Readiness Retainers
A readiness retainer is an annual agreement that keeps your IR capability sharp before, during, and after an incident. It bundles proactive activities like tabletop exercises, plan reviews, and threat hunts with guaranteed access to senior examiners when something happens.
Traditional IR retainers are reactive — they only activate once you're breached. A readiness retainer is proactive: it builds competence, tests processes, and reduces the likelihood and cost of incidents. If a breach does occur, you already have experts on standby.
Depending on your requirements, retainers can include tabletop exercises, IR plan and playbook reviews, threat hunts, hotline triage, and forensic readiness checks. Every engagement is senior examiner–led and tailored to your environment.
Yes. All retainers include defined triage access to our incident response team at a discounted hourly rate determined by your retainer. If you face a live incident, we move immediately from readiness to response under your agreed SLA.
Pricing depends on scope. On-demand packages start at a nominal annual fee that fits most budgets, with higher tiers adding more frequent engagements and faster guaranteed response windows. We'll scope the right fit during your initial readiness consultation.
Absolutely. We regularly partner with insurers, brokers, and legal counsel to ensure readiness activities and evidence handling align with policy conditions and legal standards.
Book a discovery call. We'll review your current posture and propose a retainer that fits your maturity, risk appetite, and resources.