Practice area

Investigations & Incident Response

Investigations & Incident Response

In need of immediate assistance?

  • Have you detected anomalous or suspicious activity on your network?
  • Are you experiencing a ransomware attack?
  • Are you detecting indicators of compromise?
  • Do you suspect you have been breached or have you received a notification of breach?

Accredited for Cyber Security Incident Response by CREST and responding to incidents of ‘national significance’ by the NCSC, we deliver effective response to advanced attacks on complex and enterprise networks.

Our 24/7/365 Incident Response Hotline and immediate remote deployment capability mean we can support you with live response and begin mitigating damage to your business today.

To speak to a member of our specialist team simply email us or call the hotline.

Need immediate assistance?

Call our CIR/CSIR accredited incident response team or email

United Kingdom: +44 (0) 333 311 0014

South Africa: +27 (10) 500-1921

United States: +1 (917) 341-2116

Singapore: +65 3159 1795

To communicate securely with MWR, please use this PGP Public Key.

Prepare & Respond

Cyber security incidents are on the rise, with the average total cost of a data breach to organizations in 2016 amounting to £2.53 million*. When breaches occur, the business impact can range from merely a distraction through to devastation. It is the agility, experience and technology to rapidly identify and contain attacks that largely influence resulting business impact.

MWR’s dedicated and highly experienced global incident response team is equipped with industry-leading technology, world-leading approaches and current intelligence to handle any cyber security incident, large or small. Supported by our 24/7/365 Incident Response Hotline and rapid remote response technology, you need never be without expert support in an emergency.

“We help companies drive rapidly-moving cyber security investigations towards successful outcomes.

Our significant experience in forensic investigation and incident response enable us to substantially improve ground-zero situations and support effective decision making and containment. Taking the appropriate action at the time of an emergency is key in minimizing business impact.” 

Paul Pratley, Head of Investigations & Incident Response, MWR

When your business is under attack, it is critical you have the expert support needed to rapidly recover and minimize impact. Knowing that experienced investigators and responders are available when an incident occurs should be part of any organization’s incident response plan. Our core solutions ensure that your business is fully equipped to respond to an incident with the agility and efficiency attackers bring to bear.

Verizon DBIR Contributor

C394 Verizon ContributorLogo 170425 06 5.1jpgMWR is a regular contributor to the annual Verizon Data Breach Investigations Report (DBIR), comprised of real-world data breaches and security incidents. This year's report, available here, is based on the analysis of over 40,000 incidents, including 1,935 confirmed data breaches.

The CIR and CSIR schemes

MWR achieved Cyber Incident Response (CIR) and Cyber Security Incident Response (CSIR) accreditation in 2013 specifically because of its understanding of the threat posed by highly skilled threat actors and its experience of full incident response lifecycles. Its 24/7/365 Incident Response Hotline and rapid remote response technology ensures that appropriate action at the time of an emergency is taken to minimize business impact.

Originally launched by the Communications-Electronics Security Group (CESG), now part of the UK National Cyber Security Centre (NCSC), CIR-certified providers protect against and respond to sophisticated, targeted attacks against networks of national significance.

The CSIR scheme focuses on appropriate standards for incident response suited to industry, the wider public sector and academia. It is administered by The Council of Registered Ethical Secuity Testers (CREST) and endorsed by NCSC. 

MWR CSIR memberMWR CIR member 



Core Solutions

Comprehensive IR

Our CIR/CSIR team supports you from technical investigation, containment, and remediation through to crisis management and managing business risk.

IR Retainer

Our Incident Response Retainer ensures guaranteed on-site response and 24/365 hotline access to our Cyber Incident Response experts to provide rapid help in an emergency.

Compromise Assessment

Helps to thoroughly understand the effectiveness of existing security controls and whether attackers are currently on your network.

Incident Readiness Programs

We'll assist to identify gaps in your incident readiness, and provide training to help improve resilience and the ability to respond to attacks.

Technical and Executive Cyber Simulations

We facilitate mock incident scenarios to test and exercise incident response processes, training, and management decisions through both technical and executive streams.

Our thinking on Investigations & Incident Response


What to do in the event of a cyber security incident


Examining Microsoft’s latest patch release


The top 10 “what not to do’s” in an incident


Fatboy: Ransomware-as-a-Service becoming weapon of choice

A new variant of ransomware was discovered last week, further highlighting the proliferation and advancement of ransomware technology.


Shadow Brokers: Observations on the EastNets Operation Notes


Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.