For confidentiality reasons, the identifying details of the organisations have been anonymised. Operational data, timelines and outcomes are real.
Incident Response
DFIR
Ransomware
Manufacturing — Northern Italy — 450 employees
Ransomware on production line: recovery in 72 hours
Manufacturing company hit by LockBit 3.0 ransomware on a Friday evening. ERP systems, file servers and workstations encrypted. Production line halted. Backups partially compromised. Management discovered the attack at 23:30 and called our 24/7 emergency line.
Results
- Containment completed within 3 hours of the call
- Entry vector identified (VPN with stolen credentials)
- Critical systems restored within 72 hours
- Production resumed after 4 working days
- No ransom paid — recovery from selective backups
- CSIRT-IT notification submitted within 24 hours (NIS2 obligation)
NIS2
Compliance
Gap Assessment
Utilities — Central Italy — 1,200 employees
Full NIS2 compliance achieved in 6 months for an essential entity
Energy sector company classified as an essential NIS2 entity. Initial assessment: 68 gaps across 219 measures. No formalised incident reporting procedures. CSIRT contact point not appointed. Compliance deadline imminent.
Results
- Gap assessment completed in 3 weeks
- 68 gaps reduced to 7 (residual risks formally accepted)
- CSIRT contact point appointed and operational within 30 days
- Full documentation package delivered: policies, procedures, IRP
- Formal compliance achieved before the deadline
- Awareness training delivered to 250 employees
Digital Forensics
Data Breach
Insider Threat
Professional Services — Milan — 80 employees
Confidential data exfiltration by a former employee
Professional firm that suspected exfiltration of client data by a departing employee. No documented evidence. Legal counsel required forensic evidence to support legal proceedings.
Results
- Forensic acquisition of the company laptop with chain of custody
- Complete exfiltration timeline reconstructed (USB + cloud)
- 3,400 confidential documents identified as copied
- Technical expert report delivered to lawyers within 5 days
- Evidence admitted in civil proceedings
- GDPR notification to the Data Protection Authority supported
Penetration Test
SOCaaS
Cloud
Fintech — Rome — 60 employees
Pentest on financial SaaS platform and managed SOC activation
Scale-up fintech startup with a SaaS platform handling financial data for thousands of clients. An enterprise customer required pentest evidence as a contractual condition. The IT team had no visibility into production access.
Results
- Web application pentest completed in 10 days
- 2 critical vulnerabilities identified (IDOR + JWT misconfiguration)
- Remediation completed and positive retest in 3 weeks
- Report provided to enterprise client — contract signed
- SOCaaS Spectre Essential activated post-pentest
- First threat detected (credential stuffing) in week 2