CyberRisk Services

Incident response · Digital forensics · Security consulting

Most security firms observe and report. We detect, verify, and fix.

CyberRisk Services is a working incident-response practice — not a report factory, not a bench-time reseller. Engagements ship with chain-of-custody evidence your insurer and counsel can use without reconstruction, produced by AI-augmented tooling we build and hold the patents on.

Woman-owned · Small Business WOSB / EDWOSB · certification in progress SAM.gov · registered · All Awards NAICS · 541512 / 541519 / 541990 / 561621 Patent-backed · 10+ US provisionals Operator-led · one principal, zero hand-offs

Mid-incident? Put ACTIVE INCIDENT in the subject line — it jumps the queue.

The stack behind every engagement
  • WatchTower cross-vendor SOC console, every tenant on one pane
  • Trace chain-of-custody forensics, hash-sealed evidence
  • Detonation Chamber sandboxed malware detonation, SSL-decrypted capture
  • Speak-Splunk voice-driven Splunk console patent-pending
  • Beast RAG local AI archive, source-cited, data stays on your VM
  • Prospect Intel pre-engagement OSINT across 11 intel sources

What we do

Incident responseActive & post-incident

Business email compromise, adversary-in-the-middle session theft, persistence hunting, and containment across Microsoft 365 and hybrid estates. We don't stop at the alert — we run the investigation to the end and fix what let it happen.

Digital forensics & evidenceInsurer- and counsel-ready

Audit-log reconstruction, mailbox eDiscovery, and second-opinion reviews of incidents someone else already closed. Every case folder ships cryptographically sealed with an independent verification script — evidence that holds up when the deliverable matters.

Security consultingPrevent the next engagement

Conditional Access and identity hardening, email authentication (DKIM/DMARC), privileged-access review, and SIEM coverage-gap assessment — the configuration work that decides whether the next attack is an incident or a log entry.

From the case files

Anonymized, real engagements. Each one started the same way: a managed security provider said the alerts were handled.

BEC · persistence · M365

706 attacks. Five months. Two mailboxes.

A business-email-compromise campaign ran 706 coordinated attacks against two finance mailboxes for five months. One inbox rule exposed it — and a SIEM blind spot had hidden the rest. The full campaign timeline — every send, every rule change — shipped as a hash-sealed evidence bundle.

Read the writeup →

AiTM · conditional access

Eighteen seconds between two continents.

A "perfect" Conditional Access geo block that never fired — because the attacker brought their own session cookie. The sign-in logs showed two continents eighteen seconds apart, and nothing paged. We shipped the policy change that actually closes the gap.

Read the writeup →

SIEM gap · dwell time

One year of dwell. 91 alerts. Nobody looked.

A default SIEM connector hid an adversary-in-the-middle compromise for twelve months while 91 alerts fired into a queue nobody read. One configuration change surfaced every victim in the tenant — after the case had already been marked closed by the incumbent provider.

Read the writeup →

New case files publish as engagements close and anonymization clears.

Browse all case files →

How we deliver — the Envyously platform

This is our production stack, not a marketing lineup. We built it, we run every engagement on it, and our parent company holds the provisional patents on the parts that matter. Hiring CRS means getting tooling that would cost well into six figures to build in-house — on day one of the engagement.

Envyously WatchTowerMulti-tenant SOC console

Cross-vendor alert normalization — Defender, CrowdStrike Falcon, Duo, Okta, SentinelOne, Splunk, and more — on a single pane. Every tenant we watch gets a morning brief, every alert lands in one queue instead of six portals.

Envyously TraceForensic chain-of-custody

Digital-forensics stack for browser artifact reconstruction and session-chain analysis. Every case ships a hash-sealed evidence bundle built for insurance claims and legal proceedings — not a PDF of screenshots.

Detonation ChamberSandboxed analysis

Suspicious attachments and URLs detonate inside an isolated VM with SSL-decrypted network capture, per-case snapshots, and REMnux integration. You see what the payload actually does, not what a reputation score guesses.

Speak-SplunkVoice-controlled SIEM · patent 64/078,567

A voice-driven Splunk console for ops-speed queries mid-incident. Customers with their own Splunk can operate it by voice — no SPL required to ask what happened.

Beast RAGLocal AI archive

Source-cited answers over your historical PDFs, invoices, and incident writeups — running locally. No data leaves your VM, and every answer links back to the document it came from.

Envyously Prospect IntelPre-engagement OSINT

External-surface enrichment across Shodan, GreyNoise, crt.sh, AbuseIPDB, HIBP, DNS Twist, URLScan, Wayback, OTX, Wappalyzer, and Apollo — we know your exposure before the first call.

The platform is commercialized separately at envyously.com. CRS consulting customers use it as part of every engagement — no separate license, no extra line item.

Cloud & vendor procurement

CyberRisk Services is a Sherweb cloud-solution partner. That means the firm that hardens your tenant can also be the channel that licenses it — Microsoft 365 seats, security add-ons, cloud infrastructure, and the vendor tools we recommend during an engagement.

The alternative is the usual arrangement: a consultant who recommends products, a separate reseller who marks them up, and nobody accountable for whether the deployed thing matches the recommendation. We collapse that. One relationship, one invoice, no double-brokerage — and the person configuring the product is the person who chose it.

We don't push shelfware. If an engagement finding calls for a product, we quote it; if it doesn't, we don't.

Through the Sherweb channel

  • Microsoft 365 licensing — CSP channel, commercial NCE
  • Sherweb Performance Cloud — private VDC / vCloud infrastructure
  • 300+ vendor marketplace — security, backup, email protection
Bitdefender Acronis N-able Barracuda Vade WithSecure + more

Why CRS

How we work

"Operator-led" gets used as marketing copy. Here it's literal. The principal who answers your first email is the person on the incident bridge, the person pulling sign-in logs at 2 a.m., the person who detonates the sample and writes the report your counsel will actually use. No intake tier, no junior rotation, no "your case has been escalated."

Most of the managed-security industry runs an observation model: watch the dashboards, open a ticket, tell you something happened. That's a mall cop — observe and report, then walk the next lap. CRS was built as the opposite. We find the entry point, map the spread, close the gap that let it happen, and prove every step of it with evidence.

Why small

Our capacity is a design choice, not a limitation. We take few enough engagements that the operator is personally available for all of them — because that availability is the thing you're actually buying. A firm of one that answers beats a firm of two hundred that queues.

Half our work is second opinions — engagements opened after a managed provider said nothing happened. The pattern repeats: templated RCAs with empty evidence sections, alerts that fired and were never read, dwell time measured in months. Our standard is simpler: if the evidence section is empty, the investigation isn't done.

What we ship

Chain-of-custody isn't a bolt-on service tier. Every engagement — consulting, forensics, or IR — closes with a cryptographically hash-sealed case folder and an independent verification script, so an insurer, auditor, or attorney can rely on the evidence without reconstruction. That's the deliverable; the report is just the summary of it.

The tooling behind that deliverable is ours — built in-house, commercialized separately as Envyously, and backed by 10+ US provisional patents held by our parent company, EnvyGroup, LLC. The patents aren't wall decoration; they're why we can voice-drive a SIEM mid-incident, detonate a payload with decrypted capture, and seal evidence in ways bench-time firms literally cannot. You get the tools the day they're built, not the day they're licensed.

Start a conversation

Mid-incident? Put ACTIVE INCIDENT in the subject line — it jumps the queue.

Where we work

Plains, PA ON-SITE · NEPA DRIVE-TIME · MID-ATLANTIC REMOTE · US NATIONWIDE
Based in Plains, Pennsylvania. On-site across Northeast PA and the tri-state region; drive-time response through the mid-Atlantic; remote engagement nationwide.