Incident Response

If your organization has been the victim of ransomware, cyber attack, or other compromise; call Layer0 now. Our team of experts are ready 24/7 to help your organization back to normal operation.

Need an IR Plan?

Looking to setup an Incident Response Plan, download our Incident Response Plan Template and get a running start.

The Layer0 Difference?

Unlike some of the other big firms, Layer0 doesn’t just hire directly out of school and throw them into a position. Our team has tried and true experience, you won’t need to worry that in your organization’s darkest hour that you aren’t in the best hands.
We offer 2 approaches to incident response:
The Incident Retainer Plan
Your organization has a previous agreement with Layer0 in which our team gets to know your organization and works with you to develop strategies. In case of an incident, you are in the best position possible. Our team already familiar with your organization can engage and contain the incident, getting your organization back to normal operation as soon as possible.
Incident Response Standard
Our team will deploy to assist your organization in the event of an incident, no previous contract required. Our main goal is to get your organization back to normal operation as soon as possible.  IR services will be billed on an hourly or daily basis depending on the length of the engagement.

The Incident

Our incident response team has years of experience in systems administration, information security and incident response. We are prepared for all sorts of cyber security incidents ranging from ransomware attacks that have brought your organization to its knees to full network compromise in which data has been stolen. Our main goal is to work with you to contain the incident, figure out what happened, get you back to normal operation, and work with you to make sure it doesn’t happen again.
Layer0’s CIRT will identify the current threat to your organization and will gather evidence in order to develop a proper containment/eviction plan. We take the approach that litigation may be possible so we handle all evidence with care. In the event that law enforcement is required, we will liaise with the appropriate authorities.
Working with your team, we contain the threat and prevent further damage to your organization’s infrastructure.
Once we have identified and contained the threat. In coordination with your team we activate our threat eradication/eviction plan to remove the threat from your environment without causing further damage.
Once the threat was eradicated, we now shift our focus to getting you back to normal operation. We work with your team to restore services across your organization.
Lessons Learned
After the event, in addition to our reports, we go through a complete debriefing. During the debriefing, we provide a walk-through of the incident, what was affected, how we restored, and recommendations for the future.


At the end of an engagement, we give you insight into:

  • Affected applications, networks, systems and user accounts.
  • Malicious software and exploited vulnerabilities.
  • Information accessed or exfiltrated.

All critical information will be detailed and documented in three actionable reports:

  • Executive summary: A summary of the investigation, major findings and containment/eradication activities.
  • Investigative report: Details of the attack timeline and critical path with a list of affected computers, locations, user accounts and pertinent information.
  • Remediation report: Details of how we helped your business get back to normal operation as well as strategic recommendations to enhance your organization’s security posture.