Our team of certified forensic and incident response experts has the tools and capabilities to perform remote forensics across thousands of systems.

Building upon a proven track record in the Defense, Public and Financial sectors, Cybersafe’s experts have created a powerhouse program in incident management, forensic analysis, and application and enterprise network security assessments. Our primary investigative tool in incident response, forensics, and information security is Cybersafe’s proprietary advanced malware detection and incident response platform.



Cybersafe’s incident responders follow a six-step process for the overall management of incidents: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. As part of our fundamental approach to digital forensics and incident response, our team incorporates elements from prevailing security frameworks such as NIST SP 800-61 and FIPS 200 to ensure all IR activities are fully compliant.

1. Preparation
Our approach emphasizes maximum system availability by concentrating on preparation and prevention. It’s important to ensure all endpoints, networks and applications are secure while leveraging our expertise to help develop incident response and resolution policies and procedures. This provides our incident handlers with a precise roadmap that covers the lifecycle of an incident from identification to recovery.

2. Identification
The proper identification of compromised systems is one of the most critical steps in the incident response lifecycle. Our highly trained staff utilizes proprietary advanced malware detection tools and multiple threat intelligence feeds, which enhances our first level of response. Monitoring of network devices and endpoints, including full packet capture, is one of the critical components that form the foundation of Cybersafe’s detection and identification methodology.

3. Containment
The key to containment is timeliness and effectiveness. Our incident response team relies on isolation and containment efforts. During this phase our team will perform network and endpoint analysis to determine how the intruders breached the network, if there was lateral movement throughout the network, and if malware was used as the initial attack vector. Once determined, incident handlers can isolate impacted endpoints and perform more granular analysis.

4. Eradication
Eradication requires the removal of all malicious code or the mitigation of the IT security incident. Our incident response team works within the constraints of the operational environment to provide a properly vetted solution. We will implement short-term countermeasures, which may include blocking malicious IP addresses or domains, reimaging infected systems and changing passwords across the entire organization.

5. Recovery
Recovery is more than restoration of full business operations; it also includes processes to ensure that the incident will not recur and that a permanent and appropriate solution has been applied to address the vulnerability. Long-term solutions should be implemented to prevent and detect similar incidents and to improve an organization’s overall security posture.

6. Lessons Learned
Follow-up is necessary to ensure that the incident has been mitigated, the attacker has been removed and proper countermeasures have been put in place. Implementing a continuous monitoring solution that incorporates ongoing asset inventory, vulnerability assessments, network- and host-based intrusion detection, behavioral monitoring and log management will ensure that the new security measures are working properly to rapidly detect and respond to future attacks.

Cybersafe’s team of cyber experts has developed and implemented hundreds of Written Information Security Programs (WISPs) in both the public and private sectors. One of the key components of an Information Security Program is establishing an Information Security Policy that reflects the organization’s objectives as they pertain to security.

Prior to establishing an Information Security Policy, it’s critical we find out how management views security. While many security policies share common themes, we understand that each organization is unique and must develop its own set of policies customized to its distinct way of conducting business. It is important that an organization’s security policies always reflect actual practice to which everyone agrees and complies. Our team takes a holistic approach to implementing an Information Security Program that includes policies and procedures to protect the confidentiality, integrity and availability of an organization’s sensitive data. The failure to protect any of these three aspects could result in legal liability, regulatory fines, and loss of business and customer trust.