
Incident Response

IR: the structured process of detecting, containing and recovering from a security breach; compromised by the Goldberg-Martin ALPHV insider case.

Last refreshed: 17 April 2026

Key Question

How can an incident-response firm ensure its own staff aren't the threat?

Timeline for Incident Response

#1 17 Apr

Mentioned in: IR staff pleaded guilty to using ALPHV (Cybersecurity: Threats and Defences)
Common Questions
What is incident response in cybersecurity?
Incident Response (IR) is the structured process of detecting, containing and recovering from cybersecurity breaches. It involves forensic investigation, malware removal, credential rotation, and system restoration, typically performed by specialist firms or in-house security teams.
How long does it take to detect hackers inside a company network?
Mandiant's M-Trends 2026 report documented a 393-day average dwell time for UNC5221 BRICKSTORM intrusions, meaning Chinese state-linked attackers remained inside enterprise networks for over a year on average before detection. Source: Mandiant M-Trends 2026

Background

Incident Response (IR) is the structured process of detecting, containing and recovering from cybersecurity breaches. The discipline is directly implicated in this update through Mandiant's M-Trends 2026 report documenting 393-day average dwell time for UNC5221 BRICKSTORM intrusions and through the DOJ prosecution of Ryan Goldberg (an IR professional at Sygnia) and Kevin Martin (a ransomware negotiator at DigitalMint) for using ALPHV/BlackCat against US victims they were engaged to help.

The IR industry provides the primary detective and remediation capability against advanced persistent threats and ransomware. Mandiant's M-Trends 2026 sets the 393-day BRICKSTORM dwell benchmark as the baseline performance challenge for IR programmes: any detection and response capability that does not surface persistent access within that window is operating below the observed median attacker advantage. Recovery Denial tactics, in which attackers target backup and disaster-recovery infrastructure to extend the IR window, are flagged as a growing ransomware TTP.

The Goldberg-Martin case introduces a new IR risk category: insider abuse by personnel with privileged pre-existing access to victim environments. For organisations procuring IR and ransomware negotiation services, the case shifts due diligence from technical competence assessment to personnel-control verification. The question is no longer only whether a vendor has the skills to respond, but whether it has the controls to prevent its staff from exploiting the access.
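The personnel-control verification the passage above calls for can be made concrete as an audit over an IR firm's own access records. The following is an added illustration, not code from any vendor or from the page's sources: it assumes a hypothetical model in which every responder's access to a client environment must be covered by an active, time-bounded engagement, and in which high-impact actions (data export, credential rotation, backup deletion) require a second named responder's approval. The engagement and access records are constructed sample data.

```python
"""Engagement-scoped access audit for an IR team (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Engagement:
    """A signed IR engagement: who may touch which client, and when (hypothetical model)."""
    client: str
    start: datetime
    end: datetime
    responders: frozenset


@dataclass(frozen=True)
class AccessEvent:
    """One action a responder took in a client environment (hypothetical audit record)."""
    responder: str
    client: str
    timestamp: datetime
    action: str                     # e.g. "read_logs", "export_data", "rotate_credentials"
    approver: Optional[str] = None  # second person who approved a high-impact action


# Actions an insider could abuse; they need two-person control under this model.
HIGH_IMPACT = {"export_data", "rotate_credentials", "delete_backups"}


def covering_engagement(event: AccessEvent, engagements) -> Optional[Engagement]:
    """Return the engagement that authorises this access, or None if there is none."""
    for eng in engagements:
        if (eng.client == event.client
                and event.responder in eng.responders
                and eng.start <= event.timestamp <= eng.end):
            return eng
    return None


def violations(event: AccessEvent, engagements) -> List[str]:
    """List every policy breach for one access event (empty list means clean)."""
    eng = covering_engagement(event, engagements)
    problems = []
    if eng is None:
        problems.append("no active engagement covers this access")
    if event.action in HIGH_IMPACT:
        if event.approver is None:
            problems.append("high-impact action without second-person approval")
        elif event.approver == event.responder:
            problems.append("self-approval of high-impact action")
        elif eng is not None and event.approver not in eng.responders:
            problems.append("approver not assigned to the engagement")
    return problems


def audit(events, engagements) -> List[Tuple[AccessEvent, List[str]]]:
    """Return only the events that breach policy, each with its reasons, in input order."""
    return [(e, v) for e in events if (v := violations(e, engagements))]


# Constructed sample: one engagement and six access records.
ENGAGEMENTS = [
    Engagement("acme-corp", datetime(2026, 3, 1, tzinfo=UTC),
               datetime(2026, 3, 15, 23, 59, tzinfo=UTC), frozenset({"alice", "bob"})),
]

EVENTS = [
    AccessEvent("alice", "acme-corp", datetime(2026, 3, 3, tzinfo=UTC), "read_logs"),
    AccessEvent("alice", "acme-corp", datetime(2026, 3, 4, tzinfo=UTC), "rotate_credentials", approver="bob"),
    AccessEvent("bob", "acme-corp", datetime(2026, 3, 20, tzinfo=UTC), "read_logs"),            # after engagement end
    AccessEvent("bob", "acme-corp", datetime(2026, 3, 5, tzinfo=UTC), "export_data"),           # no approver
    AccessEvent("alice", "other-corp", datetime(2026, 3, 5, tzinfo=UTC), "read_logs"),          # no engagement at all
    AccessEvent("bob", "acme-corp", datetime(2026, 3, 6, tzinfo=UTC), "export_data", approver="bob"),  # self-approved
]


def run_sample() -> List[Tuple[AccessEvent, List[str]]]:
    """Audit the constructed sample and return the flagged events."""
    return audit(EVENTS, ENGAGEMENTS)


if __name__ == "__main__":
    for event, reasons in run_sample():
        print(f"{event.timestamp:%Y-%m-%d} {event.responder}@{event.client} {event.action}: {'; '.join(reasons)}")
```

The two clean events pass because they fall inside the engagement window and, for the credential rotation, carry a distinct approver from the same engagement; the other four are flagged for out-of-window access, access to a client with no engagement, a missing approver, and self-approval. In practice the event source would be the firm's own access proxy or jump-host logs, and the engagement table its contract system, so the check runs against records the responders themselves cannot edit.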