Cyber Defence Operations


+44 (0)161 209 5148 or

Our 24-hour incident response experts will provide on-the-spot advice on how best to deal with a breach at the point of discovery.


Failure to appropriately address cyber risk can lead to disruption of business activity, loss of sensitive data, financial impact and reputational damage.


  • Does your organisation have an adequate understanding of cyber risk?
  • How effectively could you respond when an incident occurs? 
  • Are your current security controls working as they should?

The world of technology moves quickly and the cyber threat landscape has changed almost completely in the last decade. Where once the biggest threats were opportunistic attackers and preventable accidents, attacks are increasingly targeted at specific organisations by dedicated, skilled adversaries.

Our risk management consultants and cyber defence experts can help prepare your organisation from board level to the IT team, assess current security controls and procedures or provide a professional response capability when an incident occurs.


Key Cyber Services

[Figure: Cyber Defence Operations Mapping]

  • Executive awareness training for senior individuals.
  • Incident management.
  • Incident response & analysis.
  • Digital forensics.
  • Assessment of your critical controls.
  • Network threat monitoring.
  • Network and host compromise assessments.
  • Incident Response Training.


We can apply knowledge gained across multiple industry sectors to help you plan for the unique challenges faced by your organisation.  Using internal research and threat intelligence our incident response and network monitoring services allow you to detect and defend against threats from sophisticated attackers, organised criminals and malicious insiders.





Cyber Incident Response



Do you have the in-house skills to fully triage and understand the implications and extent of an incident?

Who will support your internal teams during an incident?


When an incident occurs it is essential to get the right support as soon as possible.  From explaining the business impact of an incident to conducting detailed technical analysis, our team can assist during the critical phases of an investigation.

Key Features

  • Incident management conducted by experienced individuals.
  • Complete technical analysis capability including host based analysis, network investigation and malware reverse engineering.
  • Extensive knowledge of threat actors, from low-sophistication, non-targeted attacks through to APT.
  • Supported by the largest security consulting team worldwide.

How does it work?

During an engagement one of our experienced consultants will be assigned to provide incident management, bringing together your internal staff, relevant third-parties and dedicated technical assistance from NCC Group.

We work with you to conduct specialist analysis, identify the impact to your business and provide regular remediation advice.  Through a combination of evidence protection and forensically sound investigation, our consultants can:

  • Determine how the incident or breach occurred, by understanding the initial vector of attack and compromise.
  • Determine the capabilities and activity of a threat actor, and the extent of infiltration.

We provide you with knowledge and support in the eradication of a threat actor from your environment and in the subsequent effort to bolster your defences.

Where required our consultants can work under legal privilege on behalf of your legal counsel.  Preferential rates are available with an incident response retainer, providing peace of mind that your IT security staff can call on external assistance.




Digital Forensics

Following a breach can your team forensically acquire and analyse data?


Digital forensics provides important answers about how an individual has used a computer or other electronic device.  If an individual has misused corporate assets or engaged in fraudulent activity it is essential to secure evidence and conduct analysis in a forensically sound manner.

Key Features

  • Consultants hold qualifications from recognised bodies including EnCE and X-PERT.
  • Full chain-of-custody can be maintained where required.

How does it work?

A digital forensics consultant will securely obtain data from the device(s) in question in accordance with ACPO guidelines. We work with you to understand all relevant history and compile a list of questions to be answered during analysis, then our consultants conduct analysis using industry standard tools.

Where appropriate our consultants will recommend other incident response or technical activities to satisfy the objectives of an investigation.

What do you get?

The output of all forensics engagements is a report tailored to the questions agreed during the investigation.  Where necessary we will provide extra data such as recovered files or create supporting material including activity timelines.

We have experience in a wide range of investigations including:

  • Investigation of computer misuse or breaches of Acceptable Use Policies.
  • Network forensics, including covert monitoring.
  • Live forensics and volatile memory analysis.
  • Bespoke technical analysis, for example embedded devices.
  • Portable electronic devices and small form factor forensics.





Retained Incident Response

As the security landscape changes and threats become more commonplace, it is no longer sufficient to consider “if my organisation is attacked”.

Organisations must now plan for “when an attack happens” with an Incident Response plan in order to keep their business online.

In the highly-charged environment of a live attack, it is comforting to have at your disposal an expert that can respond instantly to the event with a calm, methodical approach. With one of the largest incident response teams in the world we are equipped to reduce the likelihood of a breach becoming a greater problem than it ought to be.

NCC Group’s Incident Response service provides you with all the components you need to effectively handle and respond to a breach. Our team has the experience and capability to deal with any cyber emergency incident, from state sponsored attacks through to less sophisticated attacks that still bypass traditional network defences.

Key Features

  • Incident response investigators on call 24x7x365.
  • Initial telephone response triage within one hour.
  • An investigator on site by the next business day.
  • Ability to work either in conjunction with your teams or take over the whole incident investigation, liaising with suppliers and partners where necessary.
  • All work carried out under ACPO guidelines ensuring that evidence is admissible in court should this be your chosen route.
  • Expert witnesses available for court proceedings.
  • Assistance with public relations, crisis communication and law enforcement.




Network Threat Assessments and Monitoring

Is my network already compromised by a sophisticated attacker, malware, or internal attack?

What risks do malware, ransomware, unauthorised software, or cloud services pose to your organisation?

Is your critical data being stolen by malware or hackers?


Using technology developed for complex incident response our network threat monitoring provides insight into what malicious activity is occurring across your IT estate. The NCC Group Threat Sensor is deployed at key points within a client network infrastructure for a predefined time period. Network traffic is examined for indicators of malicious activity by skilled analysts, using NCC Group’s threat intelligence to determine whether a breach is occurring.

Our services are designed for organisations who wish to identify if they have been subject to a compromise or who have a strong indication they may be the subject of a targeted attack.

Key Features

With NCC Group Network Threat Assessments we have a solution that looks for successful compromises that could otherwise have gone undetected.

  • Intrusion detection using best-in-class rulesets, IoCs, and NCC Group threat intelligence.
  • Sensor appliance which performs full packet capture, enabling detailed analysis of events.
  • Dedicated support from expert investigators.
  • Host-based compromise service to highlight custom targeted payloads or compromises which are not currently network active (NTAx).
  • NCC Group engineering, combining industry-leading technology with internal research and development.


How does it work?

Using our bespoke network sensor appliance we will monitor your infrastructure for any signs of targeted attacks, active malware or policy violations.  All alerts are triaged by trained analysts to provide valuable context and ensure your staff only deal with verified incidents.



Network Threat Assessments – a short-term programme of work based around your network and host assets to establish if your network is already compromised.

Network Threat Monitoring – a longer-term managed service operated 24/7 to monitor your network for signs of compromise.



Cyber Security and Strategy Assessment

How do your critical controls and internal procedures compare to industry best practice?

Our Cyber Security Assessment uses the industry-leading CIS Controls for Effective Cyber Defence to assess your current security posture, enabling you to make decisions about future planning and investment.

Key Features

  • High level maturity comparison of your critical controls against industry best practice.
  • Includes both technical defences and internal policies / procedures.
  • High level cyber threat profile.
  • Blended delivery by risk management and technical consultants.
  • Provides a security improvement roadmap.

This service can be enhanced by our Threat Intelligence offering and the Security Testing red team, who can conduct simulated attacks against your organisation to test that key security controls function correctly.

How does it work?

We will undertake a review of your cyber security controls and procedures to enable you to understand your risk posture and ability to defend against internal and external threats. The review takes a rounded view of people, processes and technology to understand areas of vulnerability and prioritise areas for remediation.

Our consultants work with you to ensure that the assessment is relevant to the current position of your organisation and tailored toward any future business plans.

What do you get?

The output of our cyber security assessments is a bespoke report containing information on your current security position, any identified gaps, prioritised recommendations including quick wins and strategic initiatives and a security improvement roadmap for the short and medium term.






Threat Intelligence

Transforming expert knowledge of the threat landscape into valuable actionable information

Our expert threat intelligence services provide information on which threat actors are out there, what their intent is and which tactics, techniques and procedures they use to execute attacks.

Through both human and technical information gathering we take raw data and information from a variety of sources and turn it into strategically, tactically or operationally valuable information for your organisation.

Read NCC Group Threat Intelligence Benefits for the enterprise whitepaper here.

NCC Group can help you build confidence and develop an understanding of your current capabilities, along with the threats and vulnerabilities you face, with the goal of developing a cyber-resilient organisation.



  • Open Source Intelligence collection and analysis on personnel, threat actors or organization related data / information.
  • Darkweb Intelligence collection and analysis to support organization defensive operations.
  • Cyber Intelligence collection and analysis on emerging indicators of compromise or threat actor behaviour.



The ability to consume threat intelligence can bring many benefits, namely:

  • Insight into threats and associated risk faced by the enterprise
  • General threat landscape and horizon understanding
  • Internet exposure understanding
  • Breach identification
  • Breach prevention
  • Fraud and theft minimisation
  • Personnel/asset protection and risk minimisation







InTELL tracks global criminal activity, and we base our intelligence on actor attribution and context.

Banks, retailers and corporates across four continents use InTELL’s real-time contextual cyber intelligence. InTELL provides them with three dimensions. Global visibility covers actor trends, threats and technology. Threat tracking provides an understanding of risks and threats to online brands. Contextual threat feeds fuel threat platforms, giving the ability to mitigate in real time.




Domain Intelligence

NCC Group’s Domain Intelligence platform monitors the web for any abuse around your domain name.

Your domain name is just as important in today’s digital world as your logo. Everyone who types your URL into their browser should come to your website, but what happens if a criminal has registered a very similar version of your domain in order to lure your customers to a fake website?

The Domain Intelligence platform monitors for the registration of domain names that are similar to your own. This can include misspellings of your domain name or one of the many new gTLDs being released. The platform will provide you with daily reports of any similar domain names being registered, including detailed information about the registration. If a domain is registered by a third party for the purpose of abusing the domain, you will be notified so the appropriate action can be taken.


What is Domain Abuse?

Abuse of a domain name can take a number of forms. The most common are:

Domain Squatting or Typo Squatting

This is where a domain similar to your own is registered. The domain will often include variations of the spelling or make use of one of the 1000+ new gTLDs.

Often used to generate advertising revenue for the registrant, these domains can also be used maliciously to obtain details from customers who have misspelled, or have been led to a misspelled version of, your URL.

Phishing

This is where a cleverly crafted email claiming to be from your organisation will try to lead people to fake websites or to distribute malicious code. Attackers can make their emails more convincing by sending them from slightly misspelled domains.



  • Provides rapid detection of any new registrations.
  • Stops similar domains being used as part of phishing attacks against your business.
  • Helps you to act quickly to deploy countermeasures against domain and typo squatting being used against your organisation or customers.
  • Easily accessible portal to manage and investigate your domains.
  • Optional access to further domain services expertise from NCC Group to help you to respond upon detecting domain misuse.


What the portal provides

The portal provides you with achievable, effective and timely outputs helping to minimise damage to your organisation’s cyber security, revenue, reputation and customer relationships. The portal includes:

  • Easy registrations of new domains to be monitored.
  • Options to allow customisation of the algorithm's performance.
  • Daily email alerts flagging up any new registrations detected.
  • Incident tracking and immediate viewable alerts.




Complementary Services

Get a complete overview of your domain risk by combining our Domain Intelligence service with our Domain Threat Assessment. This will provide you with a detailed view of potentially harmful domains and any associated activity. 




Managed Detection and Response Services

Managed Detection and Response (MDR) Services is becoming an industry standard term for a range of complementary services and technologies that move beyond traditional protective monitoring and security device management by a Managed Security Service Provider (MSSP).

Our MDR Services focus on 24/7 monitoring, threat detection and a rapid cyber incident response.
