Active Incident? If you are under attack right now — do not shut down systems. Call our emergency IR hotline immediately: +254 797 907 510 (24/7).

Incident Response & Crisis Management

When a breach happens, every minute counts. Citadel Africa's certified IR team deploys immediately — containing threats, preserving evidence, and restoring operations with military precision and minimum disruption to your business.

24/7 Emergency Response
50+ Incidents Handled
GCIH Certified Responders
[Illustration: IR Operations Centre dashboard showing a sample active case (ransomware with lateral movement across three hosts, a domain controller privilege escalation being isolated, and a contained phishing initial-access vector) alongside the response timeline: Detection, Triage, Contain, Eradicate, Recover]
Time to first responder on call: under 15 minutes

Rapid, Decisive Action When It Matters Most

Incident response is the controlled, structured process of detecting, containing, and recovering from a cyber attack. The difference between a contained breach and a catastrophic one often comes down to the first 24 hours — and specifically, to whether your response team knows what they're doing.

Citadel Africa's IR team brings certified experience across ransomware, business email compromise, insider threats, nation-state intrusions, and AI-assisted attacks. We've handled incidents across Kenya's financial services, telecoms, and government sectors — and we understand the operational, legal, and reputational stakes involved.

We operate on-demand or via a pre-arranged retainer — giving you a guaranteed response time backed by a service level agreement when every minute counts.

Ransomware Attacks: Contain encryption spread, identify ransom negotiation options, and coordinate data recovery from backups.
Business Email Compromise: Identify compromised accounts, trace fraudulent transactions, and prevent further financial loss.
Insider Threat & Data Theft: Detect malicious insiders, contain data exfiltration, and preserve forensic evidence for HR or legal action.
Advanced Persistent Threats: Hunt for long-dwell attackers, map their full access footprint, and eliminate every persistence mechanism.
AI-Assisted Attacks: Respond to novel AI-generated phishing, deepfake fraud, and automated attack campaigns targeting your organisation.

The Citadel Africa IR Playbook

Six phases. Structured execution. From the first alert to full recovery — every step documented and communicated to your leadership team in real time.

01. Detection & Escalation (0–15 min): Incident confirmed, IR team activated, client notified, emergency call established.
02. Triage & Scoping (15–60 min): Map affected systems, identify attack type and vector, assess blast radius.
03. Containment (1–4 hrs): Isolate affected systems, block attacker infrastructure, prevent lateral spread.
04. Eradication (4–24 hrs): Remove malware, close attack vectors, reset compromised credentials, patch exploited vulnerabilities.
05. Recovery (24–72 hrs): Restore systems from clean backups, validate integrity, return to monitored operations.
06. Post-Incident Review (3–7 days): Root cause analysis, lessons learned report, security improvement roadmap.
Phase 03: Containment — What We Actually Do

Containment is not just "pull the plug." Indiscriminate shutdown destroys forensic evidence. We contain surgically — isolating affected systems while preserving your ability to operate.

Network segmentation & VLAN isolation
Firewall rule deployment to block C2
Active Directory account suspension
Forensic memory capture before shutdown
Phase 04: Eradication — Removing Every Trace

Eradication fails when teams miss secondary persistence mechanisms — scheduled tasks, registry keys, compromised service accounts, and backdoored software. We check everything.

Full malware removal & IOC sweeping
Persistence mechanism hunting
Credential rotation & MFA enforcement
Vulnerability patching & hardening
Phase 06: Post-Incident Review — Learning from It

Most firms skip this. We don't. A proper post-incident review identifies the root cause, the security control gaps that allowed it, and the specific improvements needed to prevent recurrence.

Root cause analysis report
Security gap identification
Prioritised remediation roadmap
Board-ready incident summary

Be Ready Before the Breach

A retainer gives you a guaranteed response time, pre-agreed scope, and a team that already knows your environment — so when an incident occurs, we move in minutes, not days.

Tier 1: Essentials

For SMEs and startups needing guaranteed incident response coverage without the cost of a full-time security team.

Initial Response SLA: 4 hours
On-site Response: 24 hours
Hotline Access: business hours
IR hotline access (business hours)
Remote incident triage & guidance
Annual IR tabletop exercise
Post-incident report
Tier 3: Enterprise

For large enterprises and critical infrastructure requiring the fastest response times and embedded security partnership.

Initial Response SLA: 15 minutes
On-site Response: 2 hours
Hotline Access: 24/7/365
All Professional features
Named dedicated IR team
Pre-deployment environment assessment
Custom IR playbooks for your environment
Executive communication during incidents
Regulatory notification support

Incidents We Respond To

Ransomware: Contain spread, negotiate options, recover from backups, eradicate root access.
Business Email Compromise: Trace fraudulent wire transfers, contain account access, and prevent further financial damage.
Data Breach: Identify exfiltrated data, assess breach scope, meet regulatory notification obligations.
Insider Threat: Detect malicious insiders, contain data theft, preserve evidence for legal proceedings.
Cloud Account Compromise: Recover hijacked cloud accounts, audit access logs, and remediate misconfigured permissions.
DDoS & Service Disruption: Coordinate mitigation, identify attack source, restore service availability rapidly.
AI-Assisted Attacks: Respond to deepfake fraud, AI-generated phishing campaigns, and automated intrusion attempts.
Critical Infrastructure: Specialist response for attacks on financial systems, telecoms, energy, and government services.

Why Choose Us for Incident Response

01. Speed That Saves You Money

The cost of a breach scales directly with dwell time. Our retainer clients get a first responder on a call within 15 minutes — not hours. Every minute of faster response translates directly to less damage, less downtime, and lower recovery cost.

02. Forensics-First Response

Many IR teams focus purely on restoration — destroying the evidence you need for insurance claims, legal action, or regulatory compliance. We contain and restore while simultaneously preserving a court-admissible forensic record.

03. Kenya-Specific Context

We understand Kenyan regulatory requirements, the local threat landscape, and the operational context of Kenyan enterprises. When it comes to notifying regulators, communicating with stakeholders, or interfacing with law enforcement — we've done it before.


Don't Wait for a Breach to Get Ready

Organisations with an IR retainer in place respond 3x faster and recover at a fraction of the cost. Talk to Citadel Africa today about the right retainer plan for your organisation.

Emergency line: +254 797 907 510 — answered 24 hours a day, 365 days a year.