
Kroll Cyber Risk experts respond to over 3,200 security events every year. We manage incidents of all types, complexity and severity for organizations across diverse industries. You can count on Kroll’s unique frontline experience not only in a crisis, but also for proactive planning and mitigation strategies. We are among the top service providers preferred by major cyber insurance companies and offer client-friendly incident response retainers for peace of mind.

Fast and Efficient Deployment via Onsite and Remote Incident Response Capabilities

Whether your incident is the result of a malicious hacker or accidental exposure by an employee, Kroll can help now. Our global network of certified security and digital forensic experts can deploy remote solutions quickly and/or be onsite within hours to help you contain the situation and determine next steps.

Our incident response investigations follow the Kroll Intrusion Lifecycle, a step-by-step guide to the attack patterns our experts have observed through thousands of investigations each year.

The Kroll Intrusion Lifecycle: Threat Actor Behavior from a Visual Perspective

Kroll is a leading provider of end-to-end cybersecurity, digital forensics and breach response services, and will help you make informed decisions at every stage, from proactive preparation to consumer notification and remediation. Our goal, working alongside your counsel and insurance carrier, is to smoothly guide you to recovery — one that leaves you standing in the best defensible position, reputation intact, and where business can proceed with minimal disruption.

Common Threats Addressed by Our Incident Response Team

  • Business Email Compromise and Wire Fraud
  • Insider Threats and Accidental Data Loss
  • Advanced Persistent Threats (APT)
  • Third Party and Vendor-Related Risks
  • Malware, Keyloggers, and Backdoors
  • Cryptocurrency Theft
  • Targeted Intellectual Property Theft
  • Payment Card Fraud (PCI/PFI)
  • Web Application Attacks and Password Theft

Kroll offers a continuum of services for the multifaceted nature of incident response

  • Incident Response Planning: Enhance your organization’s ability to respond to cyberattacks with Kroll’s wide range of assessments, tabletop exercises and intelligence.
  • Intelligent Endpoint Detection and Response: Employing a powerful combination of technology and people, this sophisticated solution enables you to detect and respond swiftly to credible threats.
  • CyberDetectER® DarkWeb Search and Monitoring: Using our proprietary technology and unprecedented data stores, Kroll continuously monitors the deep and dark web to help clients ascertain and respond to data exposures.
  • Data Collection and Preservation: In the event of an investigation or litigation, Kroll offers cost-effective solutions to identify, isolate and preserve electronic data using forensically sound methodologies.
  • Data Recovery and Forensic Analysis: Kroll’s investigators are among the most knowledgeable subject matter experts practicing today; whether data was intentionally deleted or manipulated, they are able to analyze the clues left behind to quickly and defensibly uncover critical information.
  • Malware and Advanced Persistent Threat Analysis and Remediation: Kroll’s forensic experts analyze malware to determine how it works and identify the scope of impact on your systems.
  • PHI and PII Identification: By providing you with a master notification list that clearly identifies the types of PHI or PII involved, we can help you avoid costly over-notification while still delivering targeted messages and remediation services to those affected.
  • Data Breach Notification Services: Protect your brand and reestablish trust with the individuals impacted by a data loss by matching the response to the harm caused by a breach.
  • Incident Remediation and Recovery Services: Expedite system recovery and minimize business disruption, with services including device and server reimaging, active directory rebuilding, network segmentation, hardware upgrades or replacements, patch management and network hardening.
  • Strategic Communications: Deftly navigate a host of risk and reputational landmines caused by a cyber crisis with a full suite of strategic communications support for incident response, preparedness and training. 
  • Malware Analysis and Reverse Engineering: Further understand any code-related event through our in-depth technical analysis of benign and malicious code.

Benefit From Client-friendly Incident Response Retainers

  • Includes proactive and reactive services
  • No loss of money at end of term
  • No required use of Kroll tools or applications
  • No automatic renewals or price accelerations
  • Includes data response services that are core Kroll capabilities (e.g., Notification, Call Center, Monitoring and Consumer Restoration) 
  • Key cyber insurance relationships, including some of the biggest underwriters in the world


Kroll in Action

Containment and Remediation of Cyberattack That Compromised Personally Identifying Information (PII)

Client: Major Company in U.S. Transportation Industry

Client Problem

The client contacted Kroll late on a Friday afternoon to report that it had suffered a cyberattack. The organization, which served a large national and international clientele, needed to contain and remediate the incident. It would also need to notify persons whose PII had been compromised and report the incident to regulators.

How Kroll Resolved The Problem

  • Kroll deployed a response within two hours and had personnel onsite at the client’s headquarters by the next morning. The team eventually scaled from two investigators to 12 within 48 hours over the weekend. 
  • Upon identifying specific indicators of compromise (IOCs), we were able to eradicate the actor and establish containment; we also provided ongoing monitoring of the containment strategy to help assure effectiveness.
  • We created a disposition matrix, whereby we cross-referenced compromised machines with compromised individuals’ data.


Our investigators were able to restore the client’s system with minimal disruption to its operations. Additionally, the findings of our disposition matrix enabled the client to refine its notification list with pinpoint accuracy. Consequently, instead of implementing costly blanket notification (which also often generates intense media coverage), the client was able to notify and address the concerns of a much smaller subset of affected persons. The client ultimately not only dramatically reduced its notification and remediation costs, but also was able to provide regulators with precise details of the incident’s scope and effects.
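The disposition matrix described in this case study is, at its core, a join between two sets of facts the investigation produces: which hosts the IOCs show to be compromised, and which data subjects' PII each host held. The following is an added illustration, not Kroll's tooling or code, of how that cross-reference scopes a notification list down to the affected subset rather than the whole customer base. The host names, subject IDs and PII categories are constructed sample data, and the inventory structure is an assumption made for the example.

```python
from collections import defaultdict

# Constructed sample data (not from the case study): hosts that IOC triage confirmed as compromised.
COMPROMISED_HOSTS = {"fs01", "hr-laptop-07", "web02"}

# Constructed inventory (assumed structure): each host maps to the (subject_id, pii_type)
# records it held, as established by the forensic review of that host.
HOST_DATA_INVENTORY = {
    "fs01":         [("S-1001", "ssn"), ("S-1002", "ssn"), ("S-1003", "dob")],
    "hr-laptop-07": [("S-1002", "bank"), ("S-2001", "ssn")],
    "web02":        [],                                      # compromised, but held no PII
    "db01":         [("S-3001", "ssn"), ("S-3002", "ssn")],  # held PII, but not compromised
}


def build_disposition_matrix(compromised, inventory):
    """One row per host: whether it was compromised and which subjects' PII it held.

    Returns {host: {"compromised": bool, "subjects": {subject_id: set(pii_types)}}}.
    """
    matrix = {}
    for host, records in inventory.items():
        subjects = defaultdict(set)
        for subject_id, pii_type in records:
            subjects[subject_id].add(pii_type)
        matrix[host] = {"compromised": host in compromised, "subjects": dict(subjects)}
    # A host flagged by IOCs but missing from the data inventory still needs a row,
    # so the gap is visible rather than silently dropped.
    for host in compromised - set(inventory):
        matrix[host] = {"compromised": True, "subjects": {}}
    return matrix


def notification_list(matrix):
    """Merge subject -> exposed PII types across compromised hosts only.

    Subjects whose data sat solely on uncompromised hosts are excluded; a subject
    exposed on several hosts appears once, with the union of exposed PII types.
    """
    notify = defaultdict(set)
    for row in matrix.values():
        if not row["compromised"]:
            continue
        for subject_id, pii_types in row["subjects"].items():
            notify[subject_id] |= pii_types
    return {sid: sorted(types) for sid, types in sorted(notify.items())}


def scope_summary(matrix, notify, inventory):
    """Figures a response lead would report to counsel and regulators."""
    all_subjects = {sid for records in inventory.values() for sid, _ in records}
    compromised_rows = [row for row in matrix.values() if row["compromised"]]
    return {
        "hosts_compromised": len(compromised_rows),
        "hosts_with_pii_exposed": sum(1 for row in compromised_rows if row["subjects"]),
        "subjects_total": len(all_subjects),
        "subjects_to_notify": len(notify),
    }


if __name__ == "__main__":
    matrix = build_disposition_matrix(COMPROMISED_HOSTS, HOST_DATA_INVENTORY)
    notify = notification_list(matrix)
    for subject_id, pii_types in notify.items():
        print(f"{subject_id}: notify for {', '.join(pii_types)}")
    print(scope_summary(matrix, notify, HOST_DATA_INVENTORY))
```

With the sample data, four of the six subjects in the inventory land on the notification list, and the summary separates hosts that were compromised from hosts that actually exposed PII (web02 is the former but not the latter). The "missing from inventory" row is deliberate: a compromised host with no forensic data review behind it is an open question for the scoping exercise, not a host with nothing to notify.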

Fortify Your Response Capabilities

Threats are growing in volume and sophistication and come from multiple directions. Leverage the frontline experience of our incident response and digital forensics team for multifaceted and confident response anywhere, anytime.

Frequently Asked Questions

What is cyber incident response?

Cyber incident response is the process of responding to, managing and mitigating cyber security incidents. Its goal is to limit the damage and disruption caused by cyber-attacks and, where necessary, to restore operations as quickly as possible. When an organization is impacted by a cyber security breach, a clear perspective is required to take control of the situation and respond effectively to protect assets, operations and reputation. Timely incident response support helps companies to quickly contain the compromise and smoothly achieve recovery, leaving them in the strongest position possible, with minimal business disruption and their reputation intact.

What does an incident response team do?

An incident response team (IRT) or computer incident response team (CIRT) is a group of experts responsible for responding to, managing and mitigating security incidents. An incident response team investigates, analyses and remediates incidents and manages internal and external communications in the event of an attack. Its role can also include developing and maintaining an incident response plan and assessing potential changes in technology, training and other aspects following a security incident. Another important role for incident response teams is running trials of an organization’s incident response approach based around real-world scenarios.

What is an incident response plan?

An incident response plan is a document which outlines an organization’s strategy for responding to security incidents, such as data breaches and ransomware. It sets out specific actions and procedures to facilitate timely and effective incident mitigation, clearly defining the steps that should be taken and the person responsible for them. An incident response plan covers each stage of an incident, to enable organizations to take timely and effective action in the event of disruption caused by a cyber-attack.

Why do you need an incident response plan?

Incident response planning plays a critical role in helping organizations to maintain a robust long-term security posture. Vital time can be lost in establishing a strategy after an incident occurs. An incident response plan helps organizations to reduce the potential damage of a cyber incident and move forward quickly and effectively following an attack. Your incident response plan is a strategic roadmap which outlines the exact steps your organization should follow after different types of incidents. It also communicates to stakeholders and regulators that your organization is fully committed to addressing new and emerging cyber threats.

What should an incident response plan include?

An Incident Response Plan is a document which sets out an organization’s strategy for responding to different types of security incidents, including ransomware attacks, IP theft and data breaches. It should include the specific procedures and responsibilities associated with addressing each stage of an incident, with defined roles for completing specific incident response actions. An incident response plan is your organization’s roadmap for taking timely and effective action in the event of disruption caused by a cyber-attack.

What are the most common incident response mistakes?

A key error which organizations make in relation to incident response is failing to implement an incident response plan to effectively manage and mitigate cyber incidents such as data breaches and ransomware. Another common mistake made by many organizations is failing to understand their on-premises and cloud environments, and the security tools and policies they have in place. Failing to invest enough in an effective strategy is also a common incident response error. With back-ups a vital part of defending an organization against the impact of a cyber incident, not reviewing them regularly is yet another common mistake. 

What are the key cyber incident response steps?

Effective incident response should include six key steps:

  1. preparing systems and procedures, including the development of an incident response plan
  2. the identification of incidents and the gathering of evidence
  3. the containment of attackers and incident activity to limit any additional damage from the incident, which includes short-term containment, system back-up to preserve evidence, and long-term containment
  4. the eradication of attackers and re-entry options
  5. recovery from incidents, including the restoration of systems
  6. lessons learned and the application of feedback to the next round of preparation.

How should organizations respond to a security incident?

It is important to take fast, decisive action when a security incident occurs. Effective incident response requires a clear plan which outlines the actions key stakeholders should take in a variety of scenarios. Organizations should then follow a clear and structured sequence of steps to ensure that every aspect of managing and mitigating the incident is covered. This will include actions such as containment, threat removal and mitigation and recovery, identification of improvements and further testing. The response should also include informing the relevant authorities, depending on the nature of the incident.

What is the key to effective incident response?

The key to effective incident response is good planning and preparation. Having a robust incident response plan in place with clear responsibilities for specific team members will allow your organization to respond quickly, and take immediate, decisive action to reduce the impact of different types of cyber incidents. A proactive approach which includes a structured plan set in place before a cyber incident occurs will ensure that your organization is more able to recover, even in the event of a serious cyber incident. Another important aspect of effective incident response is ensuring that you have a good security partner.

Increased Cyber Resilience with a Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Connect with us

Devon Ackerman
Regional Managing Director, North America
Cyber Risk
New York

Andrew Beckett
Managing Director
Cyber Risk

Paul Jackson
Regional Managing Director, Asia-Pacific
Cyber Risk
Hong Kong
