Capabilities

Incident response and digital forensics. That is what we do.

A specialist firm. We do this work, and we do not bluff at anything else. Pen testing, SOC, CTEM and identity programmes are routed to vetted partners.

The Eviction Pledge

Evicted, and gone for good. Or it is on us.

The first guarantee of its kind in incident response. Three commitments, in writing.

1. Initial foothold, named.

The entry vector, the timeline, the artefact that proves it.

2. Threat actor, evicted.

Access paths measurably closed. Persistence enumerated. Eviction validated.

3. 60 days, no re-breach. Or no fee.

If the actor comes back inside 60 days, the IR work is not charged.

Why we can stand behind it

Across two decades on the front line of incident response, no Makkari engagement has resulted in a re-breach. The Pledge is not a marketing line. It is the standard the work has already met.

01 / Incident Response

Contain. Evict. Prove it is over.

Three things in order. Stop the bleeding, take back the estate, prove the adversary is gone. On the record.

Senior practitioners on the keyboard from minute one. Imaging and timeline build run in one thread, scoping and eviction in another. Neither waits on the other.

  • First-hour containment
    Isolation, credential rotation, blast-radius scoping.
  • Initial foothold proven
    The entry vector, with artefacts, timelines and logs.
  • Lateral movement & persistence
    Credential dumps, scheduled tasks, WMI subscriptions, cloud identity abuse.
  • Eviction & validated recovery
    Access paths measurably closed. Eviction confirmed, not assumed.
  • Post-incident hardening
    Recommendations written for your environment, not a template.
  • Host forensics
    Windows, macOS, Linux. Triage, full disk imaging, super timeline analysis, registry and artefact correlation.
  • Memory forensics
    Volatility 3, custom YARA over raw memory, in-memory C2 detection.
  • Cloud forensics
    M365, Google Workspace, AWS, Azure, GCP. Identity trail, OAuth abuse, token theft analysis.
  • Network & perimeter
    Full-packet analysis, NetFlow reconstruction, beacon hunting.
  • Mobile & container
    iOS, Android, Docker, Kubernetes runtime forensics.

02 / Digital Forensics

Reproducible. Cross-verified. Court-admissible.

Multi-source, hands-on. Every critical finding is reproduced through an independent method. If EDR puts the actor at 02:14, prefetch, MFT, Amcache, SRUM and registry have to say the same thing.

Chain-of-custody on every artefact by default. Whether a case ever reaches court or not, the engagement is written as if it will.

The Makkari Forensics Engine

Built on the front line. Not AI.

Five years in development on live engagements. The engine sequences our forensic tooling, cross-verifies findings across telemetry sources, and produces evidence a second examiner can reproduce.

It is automation, not language modelling. Every claim links back to a preserved artefact and a documented run. Engagements run through the engine have a zero re-entry record.

  • Reproducible by design
    Every claim links to a preserved artefact, a hashed input, and a documented run.
  • Cross-verified, multi-source
    EDR, host, memory, network, identity, cloud. One story across all of them.
  • Live memory captured. Always.
    Every host, every engagement, where the operating system permits.
  • Hallucination-proof
    If a claim cannot be reproduced from raw data, it does not enter the report.

A point of pride
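The cross-verification rule above (EDR, prefetch, MFT, Amcache, SRUM and registry all having to agree on the time) and the reproducibility rule (every claim tied to a hashed input) can be shown as one small decision routine. This is an added illustration, not Makkari's engine or any code from the page: the artefact bytes, paths, timestamps and per-source precision windows are constructed, and the acceptance threshold of three independent agreeing sources is an assumption chosen for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Observation:
    """One source's statement about when an event occurred, tied to a preserved artefact."""
    source: str           # telemetry source (edr, prefetch, mft, amcache, srum, registry)
    artefact: str         # path of the preserved artefact the value was read from
    sha256: str           # hash of that artefact as preserved, so a second run reads the same bytes
    observed: datetime    # UTC time this source attributes to the event
    tolerance: timedelta  # precision of the source; coarse sources get a wider window


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed stand-ins for the raw artefacts an examiner would preserve and hash.
ARTEFACTS = {
    "edr/alerts.json": b"constructed EDR export",
    "C/Windows/Prefetch/SVCHOST.EXE-1A2B3C4D.pf": b"constructed prefetch file",
    "C/$MFT": b"constructed MFT extract",
    "C/Windows/appcompat/Programs/Amcache.hve": b"constructed Amcache hive",
    "C/Windows/System32/sru/SRUDB.dat": b"constructed SRUM database",
    "C/Windows/System32/config/SYSTEM": b"constructed SYSTEM hive",
}

# Constructed parsed values: (source, artefact, time the source gives, precision in seconds).
# SRUM aggregates into hourly buckets, so it gets an hour of tolerance; the registry value
# here is an older key write that does not support the claimed time.
PARSED = [
    ("edr",      "edr/alerts.json",                           "2024-03-12T02:14:05Z", 5),
    ("prefetch", "C/Windows/Prefetch/SVCHOST.EXE-1A2B3C4D.pf", "2024-03-12T02:14:07Z", 5),
    ("mft",      "C/$MFT",                                    "2024-03-12T02:14:03Z", 5),
    ("amcache",  "C/Windows/appcompat/Programs/Amcache.hve",  "2024-03-12T02:14:09Z", 60),
    ("srum",     "C/Windows/System32/sru/SRUDB.dat",          "2024-03-12T02:00:00Z", 3600),
    ("registry", "C/Windows/System32/config/SYSTEM",          "2024-03-11T23:41:00Z", 60),
]


def build_observations(artefacts=ARTEFACTS, parsed=PARSED) -> list[Observation]:
    """Hash each preserved artefact and bind the parsed value to that hash."""
    return [
        Observation(src, path, sha256_bytes(artefacts[path]), utc(stamp), timedelta(seconds=tol))
        for src, path, stamp, tol in parsed
    ]


def corroborate(claim: datetime, observations, min_sources: int = 3) -> dict:
    """Accept a claimed event time only if enough independent sources agree within their precision.

    The result carries the artefact hash behind every supporting and dissenting value, so a
    second examiner can re-read the same preserved inputs and reach the same decision.
    """
    agree, dissent = [], []
    for ob in observations:
        delta = abs(ob.observed - claim)
        entry = {
            "source": ob.source, "artefact": ob.artefact, "sha256": ob.sha256,
            "observed": ob.observed.isoformat(), "delta_s": int(delta.total_seconds()),
        }
        (agree if delta <= ob.tolerance else dissent).append(entry)
    independent = {e["source"] for e in agree}
    return {
        "claim": claim.isoformat(),
        "accepted": len(independent) >= min_sources,
        "agreeing": agree,
        "dissenting": dissent,  # kept in the record: unexplained dissent is a finding in itself
    }


if __name__ == "__main__":
    result = corroborate(utc("2024-03-12T02:14:05Z"), build_observations())
    print("accepted" if result["accepted"] else "rejected")
    for e in result["agreeing"]:
        print(f"  + {e['source']:<9} {e['observed']}  {e['artefact']}  sha256={e['sha256'][:12]}...")
    for e in result["dissenting"]:
        print(f"  - {e['source']:<9} {e['observed']}  {e['artefact']}  sha256={e['sha256'][:12]}...")
```

The dissenting registry value is deliberately kept in the output rather than dropped: a claim that survives on five sources while a sixth disagrees is still a claim with an open question, and the hash on the dissenting artefact lets the second examiner check the same bytes.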

We do not skip the memory capture.

Memory is the single source of truth about what happened on each host since the last reboot. The industry standard quietly omits it on most engagements. We do not.

In-memory C2, process injection, credential theft, decrypted artefacts, runtime configuration that has never touched the disk. None of it is in the EDR dashboard. All of it is in RAM.

Every host. Every engagement. Where the OS permits.

03 / IR Retainer

Known team. Known playbook. Known SLA.

The worst time to pick an IR partner is 2am on a Sunday. The retainer turns the hours between "something feels wrong" and "we are containing" into minutes.

Response-ready

Contracted 1-hour callback. Pre-authorised scope. Pre-provisioned forensic tooling inside your estate.

Tabletop & readiness

Annual tabletop exercises tailored to your threat model. Playbook review. Board-level walkthroughs.

Unused hours convert

Hours you do not spend on incidents convert to threat hunting and compromise assessments.

Ready to talk?

Senior practitioner on the phone. Not a triage queue.

Active incident, retainer, or scoping a conversation. We will take the call.