IR · Operational hotline 24/7/365

Are you under attack?

Call now. Operational response within 30 minutes, initial containment within 4 hours. The first 60 minutes decide the difference between a contained incident and a crisis.

30 min · Operational response
1–4 h · Initial containment
24 / 72 h · NIS2 CSIRT notification
365 days · Holidays and nights too

Before calling · while we arrive

What you do in the first 60 minutes changes the outcome.

60 seconds to prepare the information useful for the call, then eight actions that preserve evidence and limit damage while the Fortgale IR team is already activating. Even one item executed correctly changes the outcome of the incident.

Before calling · 60 seconds

Prepare this information

  1. When you noticed the anomaly (approximate time)
  2. What you saw (popup, EDR alert, suspicious email, inaccessible systems)
  3. How many users / endpoints are involved
  4. Whether you are NIS2 essential, important or out of scope
  5. Whether you have an active cyber insurance policy
  6. Who is the reachable decision-making contact

Don't have it all? Call anyway. We rebuild the picture together.

While we arrive · 60 minutes

Eight actions to execute now

01 · Don't power off

Don't shut down compromised systems: volatile memory (RAM) holds key evidence (encryption keys, active processes). Isolate them from the network if possible (unplug the network cable or quarantine them).

02 · Call immediately

Phone in hand: speaking live with an analyst accelerates triage by hours. Every minute lost expands the compromised surface.

03 · Document

Write down the detection time, the observed indicators (ransom note popup, suspicious mail, EDR alert), and the people who noticed the anomaly. Even a sheet of paper is fine.

04 · Don't communicate

Do not announce the incident on compromised corporate channels (Teams, email): the attacker can read them. Create an out-of-band channel (phone, CISO's WhatsApp, SMS).

05 · Preserve logs

Disable log auto-deletion if possible. EDR, firewall, AD, mail gateway: everything matters. Don't reset passwords without saving them first.

06 · Alert legal

Engage the legal department and the DPO immediately. If you are NIS2 essential or important, the early warning clock to the national CSIRT (24 hours) has already started.

07 · Notify insurance

If you have a cyber policy, activate it immediately: some policies require notification within tight deadlines to cover IR costs.

08 · Closed circle

Who knows what? Limit information to the CISO, IT lead, management and Legal. No external communications until the picture is clear.

What we do · timeline

From call to recovery: 30 days.

The Fortgale operating model follows the NIST SP 800-61r2 standard, integrated with NIS2 notification requirements and our proprietary Cyber Threat Intelligence on actors targeting European organisations.

0–4 hours

Containment

Isolation of compromised systems, blocking of suspicious credentials, C2 cut-off, attacker kill chain interrupted. Goal: stop the bleeding.

4–24 hours

Forensic triage

Reconstruction of the initial vector, mapping of lateral movements, identification of exfiltrated data. Preparation of the CSIRT early warning (NIS2 · 24h).

1–7 days

Eradication

Backdoor removal, rebuild of compromised systems from clean sources, perimeter hardening. Full notification to the national CSIRT within 72 hours.

7–30 days

Recovery & lessons learned

Gradual restoration of operations, reinforced monitoring, final report for board and regulator, permanent hardening recommendations.

Emergency form · phone alternative

Can't call? Fill in here.

The phone is always the fastest channel. But if you can't call right now (crisis meeting, compromised infrastructure, time zone), fill in the form: an analyst will contact you within 15 minutes on the contact details you provide.

Do not include passwords, log dumps, or sensitive data in the form: we will use an encrypted channel after the first contact.

The form is connected to a 24/7 SOC alert: it reaches the on-call team's phones, it doesn't sit in a queue.

PRIORITY · IR HOTLINE

Response within 30 minutes. For an attack in progress now, call +39 02 3659 8955 immediately.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

NIS2 · transposition

Notification obligations · 24h early warning · 72h full notification

If you are a NIS2 essential or important entity, you have strict notification obligations to the national CSIRT. Fortgale prepares the technical notification package (timeline, IoCs, impact analysis) and supports the company's NIS2 contact in their interaction with the national authority.

Outside emergency too · active outpost

Build the outpost before the incident.

Containment in 11 minutes is not luck: it's the result of an intel-driven MDR already active. Talk to our analysts about a threat briefing on your sector.

Response time: < 1 business day.