Digital Forensics and Incident Response

Turn uncertainty into clarity with expertise. Our incident response team is here to help you through this.

Detected malware? Received a ransom note? Or is some suspicious activity just not sitting right with you?

Our Digital Forensics and Incident Response team is equipped with the expertise, tooling, and processes to act decisively when incidents occur.

How we can assist

Let us handle the technical investigations, incident coordination, and reporting to help alleviate the stress and chaos of an incident, and get your organisation back to what you do best.

Interested in improving your incident resilience?

Our DFIR team also distils the experience and intelligence gathered on the front line of cyber defence into relevant, practical advisory, so that when an incident hits, your organisation is best prepared to handle it.

Secure your organisation with comprehensive incident response support

What is Incident Response?

  • Incident Response, in its general sense, refers to all the activities that occur from the moment a cybersecurity incident is detected until it has been resolved and the victim organisation is back to business as usual.
  • However, Incident Response expertise is perhaps best used proactively – before an incident hits. Our DFIR team brings insights from real incidents and real threats against real organisations, which can be leveraged to improve your overall incident resilience, so that when a threat occurs your teams are best equipped to handle it.

Why is Incident Response Coordination Critical for Organisations?

  • In an Incident Response scenario, technical expertise is only part of the equation. Incidents can be chaotic and stressful times, and the best technical analysis can still lead to poor organisational outcomes if the overall incident coordination is not handled correctly.
  • More than simply managing the tasks, timelines, and deliverables of the technical teams, good incident coordination seeks to understand the needs of the organisation, and help guide decision makers and operators through the knowns and unknowns to minimise stress and maximise efficacy.

What is Incident Response Management?
Incidents are inherently stressful and chaotic times.

Cyber incidents are rarely simple. Beyond the technical disruption, it is the orchestration of the response across teams, systems, and stakeholders that defines the true complexity of a crisis. When an organisation is under pressure, the ability to coordinate effectively becomes as critical as the digital forensic investigation itself.

The Challenge
During an incident, organisations face a convergence of unknowns. Staff are diverted from core responsibilities, visibility is obscured, and internal and external stakeholders demand clarity and control. The pressure to deliver answers fast and accurately can overwhelm even mature teams.

Cyber incidents introduce uncertainty, urgency, and disruption. While technical investigation is essential, the broader challenge often lies in managing the operational and strategic response across the organisation.

Organisations under pressure must navigate:

  • Limited visibility into the scope and impact of the incident
  • Disruption to business-as-usual activities
  • Heightened expectations from internal and external stakeholders

In these moments, the ability to coordinate effectively becomes critical. Without alignment between technical teams and executive leadership, even high-quality forensic work may not translate into effective outcomes. Delays in communication or misinterpretation of findings can lead to decisions that increase risk or prolong recovery.

Regulatory Compliance
In 2025, organisations operating in Australia and New Zealand face increasing regulatory scrutiny around cyber incident response:

Cyber Security Act 2024 (Australia): Introduced mandatory ransomware reporting for businesses with annual turnover above AUD $3 million. Minimum security standards for smart devices are also being phased in.

Cyber Incident Review Board (CIRB): Established under the Cyber Security Act 2024 and commenced on 30 May 2025. Significant incidents may be subject to independent post-incident reviews, requiring organisations to maintain detailed forensic records and response documentation.

Our Approach to Incident Response

Incident Response Process graphic

People, Processes and Technology

  1. Our incident response team consists of experts with deep technical expertise in a variety of fields. Uniquely situated within Thales, we also have access to a vast pool of knowledge and specialisation in engineering and technology services globally.
  2. However, technical expertise is only part of the equation. Incidents can be chaotic and stressful times, and the best technical analysis can still lead to poor organisational outcomes if the overall incident coordination is not handled correctly.
  3. Our incident response team and our process wrap incident coordination around everything we do, interfacing with your organisation to understand what matters most. Our mission is not only to do excellent technical work, but to ensure all the pieces fall into place so that your organisation can get back to what it does best in the most effective way possible.

How an Incident Response Retainer Works

Our Incident Response Retainer ensures your organisation has access to specialist incident response support governed by a defined Service Level Agreement (SLA), enabling alignment with insurance and regulatory expectations. Response delays are minimised by completing onboarding and environment familiarisation in advance, allowing for immediate escalation and streamlined resolution when incidents occur.

Ad hoc

Have a suspected incident but don’t know where to turn?

Our DFIR team is experienced in dropping into the middle of incidents, rapidly assessing the situation, and helping to take control of the matter. For our ad-hoc customers there is no SLA for response time, nor will we have had the chance to understand your incident response processes or operational needs. However, our team is still adept at rapidly coming up to speed and will work to a high degree of excellence to get you back where you need to be.

Retainer

A retainer allows us to understand how your organisation operates in an incident, and help uplift your overall cyber incident resilience.

On top of having an SLA for response times, our retainer partnership model focuses on collaborative efforts to build your resilience through work such as Incident Response Plans, Operational Playbooks, Compromise Assessments, and Incident Response Scenario exercises.

Rather than simply being a phone number to call, we strive to augment your team, not only as incident operators but as trusted advisors who help shape your incident response and resilience strategy. To this end, our commercial model rewards partners who invest more in their resilience uplift with better rates.

Our DFIR Service Offerings
How can Thales Cyber Services Team help?

Be Proactive About Your Cyber Resilience.

Organisations must move beyond static plans and embrace dynamic, scenario-based preparation to ensure readiness across executive and technical teams.

Incident Response Plan Review

Align Your Response Strategy with Real-World Threats and Industry Standards

An effective incident response plan is more than a document—it’s a living framework that must reflect your organisation’s threat landscape, internal capabilities, and regulatory obligations. Thales Cyber Services offers a structured review process to ensure your IR plan is fit for purpose.

What’s included:

  • Stakeholder interviews to understand roles, responsibilities, and operational context
  • Documentation review against industry baselines such as NIST SP 800-61R2 or ISO/IEC 27035
  • Assessment of escalation protocols, communication workflows, and technology dependencies
  • Identification of gaps in coverage, awareness, and operationalisation

Following the review, we provide actionable recommendations and, if required, support the creation or update of your IR plan to align with best practices and compliance requirements.

This service helps organisations ensure their response strategy is not only comprehensive but also executable under pressure.

Tabletop Exercises

Validate Plans, Strengthen Coordination, and Identify Gaps Before a Real Incident

Thales Cyber Services facilitates immersive tabletop exercises that simulate realistic cyber-attack scenarios tailored to your organisation’s environment. These sessions engage key stakeholders—including IT, legal, communications, and executive leadership—in role-based decision-making and strategic response.

Key benefits include:

  • Identification of gaps in incident response plans and escalation protocols
  • Improved cross-functional communication and coordination
  • Enhanced decision-making under pressure
  • Increased awareness and preparedness across stakeholder groups
  • Safe environment to learn from missteps and refine procedures

Exercises are designed for both executive and technical audiences, with tailored scripts and scenarios such as ransomware, phishing, data breaches, and malware attacks. Dual-group formats ensure consistency in evaluating readiness across the organisation.

Operational Incident Simulation Workshops (Technical Workshop)

Test Real World Threat Scenarios and Strengthen Response Capabilities

Simulation workshops go beyond theory, challenging teams with live, scenario-driven exercises that reflect current threat patterns and attack vectors. Thales incorporates “curve balls” to test assumptions and uncover hidden weaknesses. These workshops can take different formats, described in the exercise types listed further below.

Key benefits include:

  • Real-time evaluation of response strategies
  • Documentation of observations and recommendations
  • Post-simulation debriefing to align on improvements and training needs
  • Compliance alignment with regulatory and third-party requirements

These simulations help organisations benchmark their maturity, refine playbooks, and build confidence in their ability to respond swiftly and effectively.

See our different types of exercises available below:

Operational Decision Making Exercise:
Methodology - Discussion-based exercise walking through a scenario to discern operational decisions and procedures, to ensure familiarity with playbooks.
Effort/Cost - Minimal

Operational Live Test-Drive Exercise:
Methodology - Using production tooling and assets with no simulated events, but stepping through the actions required in operational playbooks within each platform to ensure familiarity.
Effort/Cost - Low

Operational Offline Technical Exercise:
Methodology - No production tooling or assets; uses extracts and artefacts relevant to the environment to assess operational familiarity.
Effort/Cost - Medium

Operational Production Technical Exercise:
Methodology - Using live production tooling, simulate an incident, typically on a single endpoint or server with minimal technical impact on the rest of the environment. Good for testing SOPs for small-scale incidents.
Effort/Cost - High

Operational Replica Production Technical Exercise:
Methodology - Using a replicated production environment, simulate a critical incident that results in outages and significant impact on the rest of the environment.
Effort/Cost - Very High

Compliance & Reporting

A good incident investigation is informed by the key questions it seeks to answer. However, these questions are not always up to the organisation to define. With the regulatory landscape changing (particularly in recent times, with changes to mandatory data breach reporting and ransomware reporting), knowing how to respond to and engage with these stakeholders is critical to an effective response.

Even for investigations which can be handled with in-house security or IT teams, depending on the circumstances it is often prudent to consider engaging a third party to conduct an independent investigation and report.

Similarly, in a legal context, should you anticipate any legal disputes arising from an incident (for example, if you are unable to satisfy a contractual obligation due to an outage caused by the incident), it is important to engage a third-party firm. We regularly work with law firms and in-house legal teams to ensure investigations and reporting are handled to the high standard required in these circumstances.

Aside from regulators and lawyers, dealing with insurers is another important consideration. Even if you do not hold a specific cyber insurance policy, if you suspect a claim may be made on some other policy (for example, business interruption), having an external firm attesting to the report is important.
Why Choose Thales

At Thales, we integrate global expertise with local insight to deliver cybersecurity services that go beyond conventional models. Our approach is built on operational depth, strategic collaboration, and vertical specialisation designed to support resilience before, during and after incidents.

Incident Response and More
We bring the full capability of our DFIR team to support your organisation, not just in technical analysis and investigations, but through a deeply experienced Incident Coordination/Management capability that ties everything together. Outside of an incident, our DFIR team is also available to help make your organisation as Incident Response ready and resilient as possible.

Creating Partnerships
Rather than taking a "one size fits all" productised approach, we build enduring partnerships. We're here to support your end to end cybersecurity maturity, tailored to each organisation’s journey.

Deep Technical Expertise
Thales brings deep specialisation in critical infrastructure, defence, high tech/engineering, and other similar high-stakes environments. We are able to draw on niche technical skillsets and experience, allowing us to purpose-build solutions for the unique technology demands of your organisation.

Industry Threat Intelligence Collaboration

We actively collaborate across public and private sectors to strengthen Australia’s cyber posture. Our reciprocal threat intelligence and technical capability sharing reinforces our commitment to national resilience and industry wide uplift.

Critical Infrastructure Resilience

SOCI Act Compliance: Do you have an IR plan for when your critical assets are at risk?

CISOs, CIOs and third-party SOC providers are required to notify the regulator about incidents. This involves determining whether the incident affects a critical infrastructure asset, providing details and a description of the cyber security incident within 12 hours, and then a written assessment within 72 hours for provision to the regulator.

Providing your organisation with end-to-end cyber solutions

Frequently asked questions about Incident Response

What is an Incident Response Retainer?

A pre-arranged agreement under which specialist Digital Forensics and Incident Response team support is available to assist you within defined service level agreements, with the overall goal of reducing the lead time between an incident being escalated and its being resolved. We achieve this by proactively working with our retainer partners to uplift their cyber incident resilience, sharing our experience and lessons learned from dealing with threats on the front line, so that we understand their unique organisational context and can be an integrated part of their incident response process.

What are the phases of an incident response plan?

  1. Incident Response Triage – Validate the detection. Estimate the initial scope of potentially affected systems and data.
  2. Containment and Eradication – Assess the effectiveness and impact of recommended containment actions within the context of the relevant systems. Implement containment actions and validate success.
  3. Investigation and Hunting – Identify, preserve and acquire relevant evidence sources to assist with a forensic investigation. Analyse available artefacts to determine the scope of actions undertaken by the threat actor and assess the impact these may have on systems and data. Apply findings from the investigation to hunt more broadly across the environment and provide assurance as to the scope of the threat.
  4. Remediation and Recovery – Strategise to remediate any identified threat(s), and to securely restore and recover operations based on business requirements. Eradicate the threat from the environment and validate success. Restore systems to a trusted state.
  5. Post Incident Review – Report on findings and outcomes to appropriate stakeholders. May include email updates, summary reports, and full forensic reports as required.

How quickly can you respond?

The Thales Digital Forensics and Incident Response Team has several SLA options available as part of our DFIR retainer offerings – with a contracted response time as low as 2 hours. However, we strive to respond as quickly as possible and, depending on the timing of the initial enquiry, often respond within the hour.

What types of organisations do you help?

Our expertise spans across government, critical infrastructure, not for profit, multinationals, and small-to-medium enterprises.

Can you help with personal enquiries?

Our pricing is tailored for business-to-business (B2B) engagements, ensuring value and scalability for organisations of all sizes. However, we may also be able to support individual clients depending on the scope and nature of the request. Get in touch to explore how we can help.

Thales Cyber Services ANZ is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.