24/7 EMERGENCY RESPONSE · CALL NOW: +91 911 336 6525 · AVG RESPONSE TIME: 15 MINUTES · RANSOMWARE · DATA BREACH · SYSTEM DOWN
Incident Response Active

When everything
breaks at 3 AM.
We answer.

Ransomware. Data breach. Database wiped. System down and losing money by the minute. We have seen it all and we know exactly what to do.

Emergency hotline
+91 911 336 6525
Live now
⚠ INCIDENT ACTIVE
bithost-ir-console · 03:14:22 IST
SEVERITY: CRITICAL
INCIDENT-2024-0312 · RANSOMWARE DETECTED
Affected: prod-db-01, prod-app-cluster (all 8 nodes)
Estimated data at risk: 2.4TB · Business impact: ~$12,000/hour
Responder: Bithost IR Team
Time to response: 00:08:41

RESPONSE TIMELINE
03:05 ✓ Client call received. IR team activated. Briefing complete.
03:09 ✓ VPN access established. Incident scope assessed. Network segmented.
03:14 ✓ Encrypted volumes isolated. Clean backup snapshot identified (02:00 UTC).
03:14 ◎ Forensic image in progress. Restoration pipeline initialising... 22%
03:xx ○ Breach notification assessment (in progress with legal team)
03:xx ○ System restored and validated (pending)

RESTORATION PIPELINE
22% · ETA ~47 minutes

FORENSIC FINDINGS
Initial vector: RDP brute force (port 3389)
Lateral movement: 4 hours pre-execution
Ransomware family: LockBit variant
Data exfil: Investigating (likely partial)
Clean backup confirmed: 02:00 UTC ✓
Max data loss window: ~2 hours

COMMS AND LEGAL
✓ CEO and CTO briefed at 03:07
✓ Board notification drafted
◎ Legal counsel looped in (03:18)
◎ Breach notification 72h window STARTED
○ Customer comms template pending
○ Regulator notification pending scope
Response time
<15 min
Average across all incidents
Active right now
IR team live · Forensics running · Backup confirmed
3:04 AM

"Our entire database was wiped. We have nothing."

Data recovery, backup restoration and forensic investigation to determine what happened and what was lost.

Data recovery
2:48 AM

"Ransomware encrypted everything. They want $80K."

Isolate, assess, recover from backups. Forensic investigation of entry vector. Breach notification guidance.

Ransomware response
11:22 PM

"Customer data leaked. What are we legally required to do?"

Scope the breach, contain the leak, coordinate with legal on GDPR and DPDP notification timelines and obligations.

Breach response
9:15 AM

"System is down. We are losing ₹8 lakh per hour."

Root cause identification, emergency failover or restoration, stakeholder communications and post-mortem planning.

Outage response
Why this matters

Companies pay anything
when systems are down.

Incident response is the one service that cannot be replaced by automation, AI or a checklist. It requires judgment, experience and the right people reachable at the right moment.

Companies pay anything when systems are down

A $10,000 per hour outage makes a $5,000 retainer look trivial. The cost of not having a response plan is always higher than the cost of having one.

Insurance requires an incident response plan

Cyber insurance policies increasingly require documented incident response procedures and verified retainer arrangements as a condition of coverage.

Regulations require breach notification

GDPR gives you 72 hours. DPDP Act has its own obligations. Getting the notification wrong creates a second legal problem on top of the breach itself.

One breach can destroy a company

It is not the breach that kills most companies. It is the mismanaged response: wrong communications, missed notifications and avoidable regulatory penalties.

AI cannot do this

Time-critical decisions under pressure, human coordination with stakeholders and legal teams, and post-mortem judgment on root cause require experienced humans available right now.

The first hour is the most important

Evidence is destroyed, damage compounds and options disappear rapidly in the first 60 minutes. Having a retainer means a response begins in minutes rather than hours.

What we cover

Every dimension
of a crisis.

From the moment the phone rings to the final post-mortem report, we own the response alongside you and coordinate every workstream.

01

Emergency Response

Live incident commander on the phone within 15 minutes. We take control of the response immediately while you focus on your business.

24/7 · 15 min SLA · Dedicated IR lead
02

Forensic Investigation

We determine what happened, how they got in, what they accessed and what was taken. Evidence collected and preserved for legal and insurance purposes.

Chain of custody · Root cause · Evidence report
03

System Restoration

Recovery from backups, clean rebuilds and validation that restored systems are free of attacker persistence before bringing anything back online.

Backup recovery · Clean rebuild · Validation
04

Crisis Communications

Briefing templates for your board, customers and regulators. We help you say the right things to the right people at the right time to protect the relationship.

Board brief · Customer comms · Regulator notice
05

Breach Notification

GDPR and DPDP Act notification timelines explained and managed. We work with your legal team to get the notification right within the mandatory window.

GDPR 72h · DPDP Act · Legal coordination
06

Post-Incident Hardening

Once the crisis is over, we close the gaps that allowed it to happen. Full post-mortem report with prioritised remediation and a hardened baseline.

Post-mortem · Gap closure · Hardened baseline
Emergency services

Transparent pricing
for every scenario.

Retainer clients get immediate priority response. Non-retainer emergency calls are accepted subject to team availability.

Ad-hoc emergency
Emergency Response
On request
per incident · subject to availability
Same expert IR team
Scoped to active incident
Incident report delivered
Crisis communications support
No guaranteed SLA
Subject to team availability
Call emergency line
Standalone
Forensic Investigation
On request
per engagement
Full root cause analysis
Evidence chain of custody
Scope of data accessed / exfil
Insurance-ready report
Legal and regulatory support
Attacker TTP documentation
Request scope
After the incident
Post-Incident Hardening
On request
per engagement
Full post-mortem report
Entry vector closed and verified
Persistence mechanisms removed
Hardened configuration baseline
Board presentation delivered
Incident response plan updated
Request scope
All pricing on request · Contact sales@bithost.in or call +91 911 336 6525
How we respond

Minutes matter.
Here is what happens.

01
You call. We answer.

A senior IR engineer picks up within 15 minutes. We assess the situation on the call and begin mobilising the right people immediately.

Target: 0–15 minutes
02
Contain and assess

We get access, isolate affected systems, identify the scope and stop the bleeding before anything else. Damage does not compound while we are in control.

Target: 15–60 minutes
03
Investigate and recover

Forensic investigation runs in parallel with restoration from backups. We determine root cause while getting your systems back online simultaneously.

Hours 1–8
04
Communicate and comply

We coordinate with your legal team on breach notification obligations and help you communicate with stakeholders, customers and regulators correctly.

Within 24 hours
05
Close the gaps

Post-mortem delivered, entry vector closed, hardened baseline applied. You end up in a more secure position than you were before the incident.

Week 1–2
Phase 1 — You call. We answer. Live example
Call log — first 15 minutes
03:04
Inbound emergency call received
Client: "Our servers are down and we think we were hacked."
03:05
IR lead engaged and briefed
Initial assessment: ransomware suspected based on file extensions reported.
03:07
CEO and CTO briefed by Bithost IR lead
Advised to not pay ransom, not restart systems. Forensic preservation protocol started.
03:09
VPN access granted to IR team
Forensic image initiated on prod-db-01. Network segmentation applied.
03:12
Clean backup identified at 02:00 UTC
Maximum data loss window: 2 hours. Restoration pipeline prepared.

Retainer clients get this response in minutes. Without a retainer, our first available engineer responds when capacity allows. In a ransomware event, every minute of delay compounds the damage.

Containment — stopping the spread
03:14
Affected VMs isolated at network layer
8 nodes segmented from the rest of the environment. Spread halted.
03:18
External connections blocked
All outbound traffic from the affected VLAN dropped. Exfil channel closed.
03:22
Attacker persistence mechanisms identified
2 scheduled tasks and 1 modified service binary. All documented and preserved.
03:31
Clean environment confirmed for restoration target
Staging environment verified clean. Restoration to isolated target begins.

Containment stops the clock on damage. The faster we isolate, the smaller the blast radius. Retainer clients get containment running within the first hour.

Investigation and recovery — running in parallel
04:00
Forensic image complete on all affected volumes
Chain of custody documented. Evidence packaged for legal team.
04:15
Initial vector identified: RDP brute force
Entry: port 3389 exposed. 4-hour dwell time before encryption began.
04:40
Restoration from 02:00 UTC backup — 60% complete
Application layer validating against production schema. ETA 25 minutes.
05:12
Systems restored and validated
All services operational. Monitoring alert thresholds tightened. Business resumes.

Total downtime: 2 hours 8 minutes. Estimated cost at ₹8 lakh per hour: ₹17 lakh. The incident could have lasted days without a practiced response team.

Communications and legal — within 24 hours
05:30
Board briefing document delivered
Plain-language summary of what happened, what was affected and what was done.
08:00
Legal team briefed on breach notification scope
DPDP Act obligations assessed. Affected record count determined: 0 PII exfiltrated confirmed.
09:30
Customer communication template approved
Transparent, legally reviewed message sent to affected users with appropriate context.
14:00
Insurance claim documentation submitted
Full forensic report, timeline and evidence package delivered to insurer.
Post-incident hardening — week 1
Day 2
RDP access removed. SSM Session Manager deployed
No more direct port access. All admin via SSM with full audit trail.
Day 3
MFA enforced across all accounts. Privileged access reviewed
14 accounts with excessive privileges reduced to least privilege.
Day 5
Backup strategy improved. Off-site and immutable backups configured
Attacker can no longer delete backups from within the compromised environment.
Day 7
Full post-mortem delivered. Retainer signed for ongoing coverage
Client now has guaranteed 15-minute response for any future incident.

Client ended the week more secure than before the incident. The post-mortem closed 11 gaps. The retainer means the next incident gets the same response in minutes.

FAQ

Before an incident
becomes one.

A senior incident response engineer answers within 15 minutes for retainer clients. You are never routed to a junior or a chatbot. We ask you four questions, assess the situation and begin mobilising the right people on the call. Retainer clients have a designated IR lead who has context on their environment from the preparedness sessions we run throughout the year.
Pricing is on request and scoped to the size and complexity of your environment. The way to evaluate it is to calculate your hourly cost of downtime or breach and compare it to the annual retainer cost. For most businesses processing meaningful transaction volumes, a single avoided incident pays for several years of retainer. Beyond the financial case, your insurance policy may require it and your peace of mind has real value.
Yes. Call the emergency line and we will do our best to respond as quickly as team availability allows. Ad-hoc emergency responses are accepted subject to current capacity. The honest caveat is that retainer clients are prioritised and response time cannot be guaranteed for ad-hoc calls. If you are in an active incident right now, call immediately rather than reading this and deciding later.
Do not restart systems. Do not run antivirus scans. Do not try to delete malware manually. Do not pay any ransom without speaking to us first. Preserve everything exactly as it is. Take photographs of any error messages or ransom notes on screen. Disconnect affected machines from the network if you can do so without shutting them down. Then call us and we will take it from there.
We determine the scope of the breach, assess which data was affected and advise on the notification obligation. We work alongside your legal team to produce the notification in the required format within the mandatory window. We do not provide legal advice but we give your legal team the technical facts they need to make the right call quickly. Getting the notification wrong after a breach creates a second regulatory problem and we help you avoid that.
Yes. The retainer includes documented incident response planning, preparedness sessions and tabletop exercises that satisfy the requirements of most cyber insurance policies. We produce documentation in the format most insurers ask for. If you need a standalone incident response plan without a full retainer, we can scope that as a separate engagement.

If it happens tonight.
We are
already ready.

Set up the retainer before you need it. 30-minute call to scope, price and assign your dedicated IR lead.

Emergency line answered 24 hours · 7 days · 365 days