When your AI system is actively leaking data, executing unauthorized commands, or under live exploitation — start here.
Incident Response is our emergency engagement. When an AI deployment is in active compromise — data exfiltration in progress, agents executing unauthorized actions, prompts being extracted at scale, costs spiraling from a runaway loop — this is the engagement for triage and remediation. Fast intake, fast response, structured remediation. Engagements last as long as the incident does.
AI breaches don't follow conventional incident-response playbooks. A jailbroken customer-support agent leaking PII is technically a data breach, but the response requires understanding the model, the prompt, the deployment topology, and the attack path — knowledge most incident-response firms don't have. The result is that AI breaches often take days longer than they should, with damage compounding while traditional IR teams catch up to the AI specifics.
Incident Response is built for that gap. We have practitioners who do nothing else — adversarial AI security — and our IR engagement is reserved for situations where time-to-engaged-practitioners matters. Two-hour acknowledgement, twenty-four-hour scoping, forty-eight-hour on-engagement, with practitioners who already know the AI-specific failure modes.
Intake & Triage
On contact via Secure Dispatch, we acknowledge within 2 hours and conduct a 30–60 minute triage call to understand the incident. Output is a written triage assessment: scope, severity, immediate containment recommendations.
Duration: first 2–24 hours · Output: triage assessment
Containment
Once engaged, we work with your team to stop the active damage: rate-limiting the affected agent, isolating the compromised component, rotating exposed credentials, blocking the attack channel. Containment precedes investigation.
Duration: 24–72 hours typical · Output: containment confirmation
Investigation
We trace the incident: how the compromise occurred, what an attacker accomplished, what data or actions are affected, whether the attacker is still active. AI-specific forensics: prompt logs, agent traces, retrieval queries, model outputs.
Duration: 3–10 days typical · Output: investigation findings
Remediation
Based on investigation findings, we design and (if engaged in implementer mode) deploy the remediation: patching the vulnerability, hardening adjacent systems, updating monitoring. Remediation continues until the incident is closed.
Duration: variable · Output: remediation completed
Post-Incident Report
Written incident report covering timeline, attack analysis, business impact, remediation actions, and lessons. Suitable for board, regulator, or customer disclosure depending on engagement scope.
Duration: 5–7 days after close · Output: incident report
Triage Assessment
Initial scope, severity, and immediate containment recommendations delivered within 24 hours of engagement start.
Triage document
Containment Confirmation
Written confirmation of containment actions taken and verification that active damage has stopped.
Containment report
Investigation Findings
Detailed forensic findings: attack path, affected data, attacker capabilities, scope of compromise.
30–60 pages · Markdown + PDF
Remediation Plan
Specific remediation actions taken or recommended, with priority and confidence levels.
Remediation document
Post-Incident Report
Final structured incident report suitable for board reporting, regulatory disclosure, or customer notification.
Per-incident report
Post-Incident Review
Working session with your security and engineering team to walk through findings and prevent recurrence.
90-minute session
You have an active AI security incident — data leakage in progress, agents executing unauthorized actions, prompts being extracted, costs spiraling, or other live exploitation.
Your existing incident response team is not equipped for AI-specific forensics and you need AI-specialist practitioners immediately.
You're under regulatory pressure (breach notification windows) and need defensible documentation of response.
An external party (researcher, customer, vendor) has disclosed a vulnerability and you need fast triage and remediation.
You suspect a vulnerability but it's not actively being exploited — schedule Adversarial Probing or Injection Vector Mapping instead.
Your incident is conventional (network breach, ransomware, etc.) without AI-specific components — a generalist IR firm fits better.
You need long-term security advisory — IR engagements close when the incident closes; ongoing work transitions to a different engagement.
You want incident response on retainer without an active incident — talk to us about retainer terms separately.
After incident closure, this is the engagement that prevents recurrence by hardening agent runtime constraints.
Companion post-incident engagement for hardening the underlying infrastructure.
For incidents requiring regulatory disclosure or audit trails, this engagement establishes ongoing documentation.
Incident Response engagements start from $4,800 / day. Reply within 24h. NDA before scope.