When Not to Engage Subrogation Forensics: An Honest Threshold for Cyber Insurers
Subrogation forensics for cyber insurers is not always the right engagement. An honest threshold for when recovery work product is — and isn't — warranted.
When generalist IR has stopped, when a CVE is already in the wild, when a vendor report leaves the load-bearing questions open — we read what attackers and patches left behind, and produce evidence, not opinion. Court-, regulator-, insurer-, counsel-grade.
Forensic rebuild of an incident 30–365 days after the fact, when responders have demobilised and the original timeline no longer holds up under regulatory or litigation scrutiny.
Bytes-on-wire reconstruction of what actually left the network — replacing hand-waved estimates with defensible volumetric and content findings for notification and indemnity.
Structured technical review of a prior IR vendor's report, assessing whether its findings, methodology, and evidentiary chain will survive deposition or DPA review.
Hash-verified, exhibit-grade presentation of incident findings engineered for adversarial scrutiny by regulators, DPAs, reinsurers, and opposing counsel.
Written expert reports and live testimony for cross-border breach litigation, arbitration, and regulatory proceedings — scoped from day one for the deposition transcript.
Targeted forensic work product supporting insurer recovery against vendors, MSPs, and software suppliers whose failures contributed to the loss.
A Hexmortem dossier separates observed evidence, technical inference, and speculation. Each finding carries an explicit confidence level and maps to a recommended action — patch, mitigate, isolate, escalate, or no action required. Reports are calibrated for engineering, breach counsel, insurers, and regulators in the same pass.
What carriers, breach coaches, and panel counsel should ask before commissioning an independent IR second opinion — independence, methodology,...
How to prove data was exfiltrated to a standard that survives DPA review and deposition — artifacts, confidence intervals, and bytes-on-wire...
What an exfiltration scoping audit includes — bytes-on-wire reconstruction, artifact attribution, and confidence intervals on egress scope.
Cold-case reconstruction and live IR solve different problems. A comparison of when post-incident forensic reconstruction is the right engagement.
Submissions are read by an analyst, not a bot. Authorisation and scope are confirmed in writing before any analysis begins. Sensitive artefacts must travel via the PGP envelope or a single-use secure-portal link issued on confirmed scoping.
incident@hexmortem.com
Subject prefix HM-EMERGENCY. Priority response reserved for retained clients and active incidents.
scope@hexmortem.com
Include artefact identifiers and the decision deadline.