Incident response · Digital forensics · Security consulting
CyberRisk Services is a working incident-response practice — not a report factory, not a bench-time reseller. Engagements ship with chain-of-custody evidence your insurer and counsel can use without reconstruction, produced by AI-augmented tooling we build and hold the patents on.
Mid-incident? Put ACTIVE INCIDENT in the subject line — it jumps the queue.
Business email compromise, adversary-in-the-middle session theft, persistence hunting, and containment across Microsoft 365 and hybrid estates. We don't stop at the alert — we run the investigation to the end and fix what let it happen.
Audit-log reconstruction, mailbox eDiscovery, and second-opinion reviews of incidents someone else already closed. Every case folder ships cryptographically sealed with an independent verification script — evidence that holds up when the deliverable matters.
Conditional Access and identity hardening, email authentication (DKIM/DMARC), privileged-access review, and SIEM coverage-gap assessment — the configuration work that decides whether the next attack is an incident or a log entry.
Anonymized, real engagements. Each one started the same way: a managed security provider said the alerts were handled.
A business-email-compromise campaign ran 706 coordinated attacks against two finance mailboxes for five months. One inbox rule exposed it — and a SIEM blind spot had hidden the rest. The full campaign timeline — every send, every rule change — shipped as a hash-sealed evidence bundle.
A "perfect" Conditional Access geo block that never fired — because the attacker brought their own session cookie. The sign-in logs showed two continents eighteen seconds apart, and nothing paged. We shipped the policy change that actually closes the gap.
A default SIEM connector hid an adversary-in-the-middle compromise for twelve months while 91 alerts fired into a queue nobody read. One configuration change surfaced every victim in the tenant — after the case had already been marked closed by the incumbent provider.
New case files publish as engagements close and anonymization clears.
Browse all case files →This is our production stack, not a marketing lineup. We built it, we run every engagement on it, and our parent company holds the provisional patents on the parts that matter. Hiring CRS means getting tooling that would cost well into six figures to build in-house — on day one of the engagement.
Cross-vendor alert normalization — Defender, CrowdStrike Falcon, Duo, Okta, SentinelOne, Splunk, and more — on a single pane. Every tenant we watch gets a morning brief, every alert lands in one queue instead of six portals.
Digital-forensics stack for browser artifact reconstruction and session-chain analysis. Every case ships a hash-sealed evidence bundle built for insurance claims and legal proceedings — not a PDF of screenshots.
Suspicious attachments and URLs detonate inside an isolated VM with SSL-decrypted network capture, per-case snapshots, and REMnux integration. You see what the payload actually does, not what a reputation score guesses.
A voice-driven Splunk console for ops-speed queries mid-incident. Customers with their own Splunk can operate it by voice — no SPL required to ask what happened.
Source-cited answers over your historical PDFs, invoices, and incident writeups — running locally. No data leaves your VM, and every answer links back to the document it came from.
External-surface enrichment across Shodan, GreyNoise, crt.sh, AbuseIPDB, HIBP, DNS Twist, URLScan, Wayback, OTX, Wappalyzer, and Apollo — we know your exposure before the first call.
The platform is commercialized separately at envyously.com. CRS consulting customers use it as part of every engagement — no separate license, no extra line item.
CyberRisk Services is a Sherweb cloud-solution partner. That means the firm that hardens your tenant can also be the channel that licenses it — Microsoft 365 seats, security add-ons, cloud infrastructure, and the vendor tools we recommend during an engagement.
The alternative is the usual arrangement: a consultant who recommends products, a separate reseller who marks them up, and nobody accountable for whether the deployed thing matches the recommendation. We collapse that. One relationship, one invoice, no double-brokerage — and the person configuring the product is the person who chose it.
We don't push shelfware. If an engagement finding calls for a product, we quote it; if it doesn't, we don't.
"Operator-led" gets used as marketing copy. Here it's literal. The principal who answers your first email is the person on the incident bridge, the person pulling sign-in logs at 2 a.m., the person who detonates the sample and writes the report your counsel will actually use. No intake tier, no junior rotation, no "your case has been escalated."
Most of the managed-security industry runs an observation model: watch the dashboards, open a ticket, tell you something happened. That's a mall cop — observe and report, then walk the next lap. CRS was built as the opposite. We find the entry point, map the spread, close the gap that let it happen, and prove every step of it with evidence.
Our capacity is a design choice, not a limitation. We take few enough engagements that the operator is personally available for all of them — because that availability is the thing you're actually buying. A firm of one that answers beats a firm of two hundred that queues.
Half our work is second opinions — engagements opened after a managed provider said nothing happened. The pattern repeats: templated RCAs with empty evidence sections, alerts that fired and were never read, dwell time measured in months. Our standard is simpler: if the evidence section is empty, the investigation isn't done.
Chain-of-custody isn't a bolt-on service tier. Every engagement — consulting, forensics, or IR — closes with a cryptographically hash-sealed case folder and an independent verification script, so an insurer, auditor, or attorney can rely on the evidence without reconstruction. That's the deliverable; the report is just the summary of it.
The tooling behind that deliverable is ours — built in-house, commercialized separately as Envyously, and backed by 10+ US provisional patents held by our parent company, EnvyGroup, LLC. The patents aren't wall decoration; they're why we can voice-drive a SIEM mid-incident, detonate a payload with decrypted capture, and seal evidence in ways bench-time firms literally cannot. You get the tools the day they're built, not the day they're licensed.
Mid-incident? Put ACTIVE INCIDENT in the subject line — it jumps the queue.