Get in Touch With Huntress
When a security incident hits, every minute of uncertainty makes recovery harder. Understanding what's happening across your endpoints and identities—and having the right technology already in place—is what separates a contained incident from a catastrophic one.
If you're in an active incident right now, stop reading and contact a professional IR firm immediately. CISA maintains a list of vetted IR providers at cisa.gov, or your cyber insurance carrier can typically connect you with a qualified firm on short notice.
Still here? Complete this form and someone from the Huntress team will get back to you as soon as possible.
Immediate steps to take after an incident
Every second counts during an attack. Here are some quick tips to control the fallout:
Isolate, don't erase. Disable access to shared drives, cloud storage, and email from infected endpoints to stop lateral movement. Do not wipe or shut down machines before investigators can assess them.
Preserve evidence. Note timestamps, take screenshots, and retain system logs. They'll be critical for your incident response firm's investigation, your insurance claim, and potentially law enforcement.
Contact an incident response firm. If your internal team doesn't have dedicated IR experience, now isn't the time to improvise. Reach out to a professional IR firm or contact your cyber insurance provider to activate your policy.
What to expect when engaging an incident response firm
Professional IR firms specialize in exactly this situation. Here's a general sense of what working with one looks like:
Initial scoping and triage
IR teams move fast. Expect them to immediately assess the scope of the incident — how attackers got in, what systems they touched, and whether they've established persistence. They'll want access to your endpoints, logs, and identity infrastructure.
Containment
Strong containment means cutting off attacker access at every layer — endpoints, identities, email — and hunting for signs of backdoors or secondary access after the initial compromise is addressed. Recovery timelines vary widely: a contained incident with clean backups may take days, while a widespread ransomware attack with significant attacker dwell time can stretch to weeks or months. Early detection is the single biggest factor in reducing that window.
Business email compromise and ransomware
By the time a ransom note appears, or an inbox is compromised, attackers have typically been present for some time — doing reconnaissance, moving laterally, escalating privileges, and exfiltrating data. IR firms are equipped to trace that activity and help you understand the full scope of what occurred.
Remediation and reporting
A good IR engagement ends with a clear incident report: what happened, how it happened, what was accessed, and what steps were taken. This documentation matters for regulatory obligations, insurance claims, and hardening your environment going forward.
The cost of an incident
Direct costs include IR firm fees, system recovery, and in ransomware cases, potential ransom payments. Indirect costs, including regulatory fines, legal fees, customer notification, lost business, and reputational damage, often exceed the direct costs. Cyber insurance can offset some of this, but only if your security controls meet your policy requirements.
Where Huntress fits in
Huntress is a managed security platform — not an incident response firm. We don't staff a 24/7 emergency line for organizations experiencing active incidents, and we can't serve as your IR provider.
What we can do is help make sure you're not in this position again.
Real protection that fits real budgets: Most businesses don’t have enterprise-level funds or a full security team. Huntress is an enterprise-grade agentic cybersecurity platform without the enterprise cost.
Our SOC is human-led, AI-centric: People investigate threats, analyze tradecraft, and shut down attackers 24/7 so you don’t have to.
Engineered for how breaches actually unfold: Huntress combines Managed EDR, Identity Threat Detection and Response (ITDR), and Security Information and Event Management (SIEM) into a purpose-built platform that tracks and shuts down threats across endpoints and identities, reducing blind spots.
If you’re currently responding to an incident, Huntress can still provide critical value by deploying quickly to establish the visibility your IR firm needs to work effectively and prevent the threat actor from regaining access.
While Huntress can aid in the immediate aftermath of an attack, our primary strength is proactive defense. The current intrusion highlights the need for continuous monitoring. Moving forward, deploying Huntress will allow us to monitor for persistent footholds, catch the subtle signs of a recurring attack, and help ensure this never happens again.
If you're coming out of an incident, this is the right moment to close the gaps that made you vulnerable in the first place — before attackers return or a new threat emerges.