What Is EIR?

The key point of an Emergency Incident Response is the reaction time between detection and response. Our focus is on minimizing downtime, containing the incident, and restoring normal operations. To achieve this, we are always prepared to intervene in any type of incident, at anytime and anywhere in the world, quickly and efficiently.

Rapid isolation of threats limits the impact of a security breach. We identify, contain, and eradicate threats to have your business restored and running as quickly as possible. We include on-site response to help manage the situation.

Each incident raises a series of questions which need to be clarified:

  1. What is occurring? What risk does it pose? What is its impact and extent?
  2. How can the attack be stopped and normal operations be recovered? What techniques is our adversary using?
  3. Who is behind this? Is the malicious actor still inside the company’s IT infrastructure?
  4. When did it start happening?
  5. Why is this incident occurring to my business?

Keep calm and call ONE. Our EIR projects get priority over any other company operation

In case an incident occurs, it is very important to stay calm and take immediate and effective action. We recognize that it is difficult to be untroubled when your systems are down, when business pressure is high or when you don't know how to proceed. Right from your first call, One eSecurity's Emergency Incident Response Team will advise you on the first steps and recommendations, and will work towards getting a clear picture of the problem in order to build a response. Within no more than two hours, we will form a team, schedule a plan, calibrate the effort, and call you back with our advice.

Why Should You Use EIR?

When there is a cyber incident, there is a high level of pressure to return to normal operation. Our expert team of analysts can help by covering the following aspects:

  • Providing the necessary infrastructure and an experienced technical team to react quickly and safely.
  • Integrating with, assisting, and coordinating clients' incident response teams and critical systems' administrators.
  • Taking complete control of the incident and leading the response, if necessary.
  • Analyzing and identifying the incident causes and containing the threat.
  • Minimizing tangible and intangible losses to the organization or to an individual.
  • Supporting prosecution of the perpetrator of an incident.
  • Protecting the organization from similar incidents that may occur in the future.

What Steps Do We Follow? - The EIR Process

The service is made up of six phases, which our investigators follow as a repeatable and well documented set of steps, based on the SANS Institute Incident Response Plan:


Our team can help you prepare for an incident and build joined response capabilities.


Events and incidents can be detected internally or by third parties. Either way, the incident response team must act quickly, analyzing information and determining next steps:

  • Identify, gather, and preserve evidence.
  • Estimate the potential impact of a malicious activity on the victim and assess the perpetrator’s intention.


Events not confined to a single user or end point require containment, eradication, and recovery procedures. The containment phase requires agents and tools for data loss prevention, end point detection and response, and packet capture. Log aggregation and correlation are used to search for the adversary’s Indicators of Compromise (IOCs).

  • Minimize disruption of business and network operations.
  • Minimize damage to the compromised organization.
  • Manage public perception of the incident.


Identified IOCs will be isolated in all affected devices, understanding the techniques and methods used by attackers to avoid prosecution. Malicious artifacts are entirely removed from the client’s networks and systems.


Recover deleted files, hidden files, and temporary data that could be used as evidence, while restoring normal operations. Often, the unexpected occurs. This phase also identifies what other actions should be performed, (eg. any forensics examination of additional data sources or securing identified vulnerabilities).

Lessons Learned

The final phase covers the reporting of the analysis results. A forensics report not only includes the findings of the investigation, but describes the actions used and explains why specific tools and procedures were selected. It provides recommendations to improve policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.

At the same time, our team enhances the security stance of a compromised entity against upcoming incidents, improving incident response capabilities in order to prevent future loss of intellectual property, finances, and reputation.

What One eSecurity Offers Over Our Competitors

A Team of leaders in the field of EIR

The Emergency Incident Response service is formed by experts from the Digital Forensics, Cyber Threat Intelligence and Threat Hunting departments that will analyze and investigate any threat detected.

It is important to have experienced responders who are comfortable and confident in dealing with what are often high-pressure situations. The One eSecurity Emergency Incident Response Team has worked with some of the largest enterprises in the world and responded to some of the most devastating and high-profile cyber attacks of recent times.


Our team can be activated when and for whatever you need. Our different service offerings allow our clients to get the coverage needed, from first response to legal support or forensics tools. Our team will be available to work in any part of the world.


Emergency Incident Response is not an isolated activity that is added to your organization. One eSecurity will make sure processes are integrated with the client's existing processes and infrastructure.

Software and Hardware

One eSecurity works with carefully selected industry-leading strategic security vendors in order to provide the best-of-breed digital forensic solutions. Each case is different and needs a different approach, while tools also differ depending on the platform, operating system, and the type of the target device. One eSecurity uses hardware and software tools, both commercial and open source, chosen according to design, specific purpose or broader functionality.


During the more than 10 years delivering EIR services, both as Incident Responders and Forensic Analysts in many environments, reviewing thousands of systems, we have been progressively developing our own DFIR analysis system, known as SKY.

The SKY platform has been designed not only to automate most of the usual orchestration work needed to manage DF/IR cases, but also to be an automated investigation and analysis system that is able to process evidence (live or already acquired systems) with the specific tools needed, and to integrate the results in a centralized analysis environment.

SKY’s modular design has been created to make it possible to handle different kinds of cases and process multiple types of evidence found in the victim's systems, such as media, memory or network traffic. See SKY in depth

Digital Forensics Threat Hunting Cyber Threat Intelligence
One eSecurity Digital Forensics service is focused on system in-depth analysis, aiming at obtaining a traceable record of previous activity in order to answer any investigative questions. Our Threat Hunting service combines the analytic capacity of our most experienced experts with the power and automation of our Hunting Framework, offering a continuous and proactive threat search process in both networks and systems. The Cyber Threat Intelligence service by One eSecurity provides (both internally and for clients) knowledge and information on key threats for decision-making and forecasts of risk situations on IT systems and networks.
Learn more Learn more Learn more

This website www.one-esecurity.com uses its own and third party cookies to collect information that helps to optimize your visit to their web pages. Cookies will not be used to collect personal information. You can either allow or reject their use. You can also change their settings at any time. You will find more information on our Cookie Policy page.