Seasoned Incident Response for Long Island & NYC Businesses
Emergency Cybersecurity Services
Active ransomware, data breach, or business-stopping outage? PTG's certified incident response team contains the threat and gets you operational — 24/7/365 from our Long Island and NYC base. A responder will be notified within 15 minutes.
Under attack right now? Here's what to do
If you're reading this during an active incident, follow these steps before calling. Every minute matters, but the wrong move makes things worse.
Disconnect, don't power off
Pull the network cable or disable Wi-Fi on affected systems. Powering off destroys forensic evidence in memory that helps identify the threat actor and sometimes recover encryption keys.
Don't talk to the attacker
No replies to ransom notes, no visits to the payment portal, no acknowledgments. Anything you say can be used to raise the ransom or accelerate data leaks.
Don't pay yet
Payment may violate OFAC sanctions and rarely returns clean data. Wait for a responder to evaluate decryptors and backups first.
Preserve what you see
Screenshot ransom notes, suspicious files, file extensions (.lockbit, .akira, .blackcat, etc.), and any unusual processes. Don't delete anything.
Notify a small circle only
Owner, IT lead, and your insurance broker. Wider notification can trigger panic — or alert an insider involved in the breach.
Call PTG
Our 24/7 line connects you to a responder, not a queue.
Incidents we respond to
PTG's incident response team is built for the threats actually hitting Long Island and NYC small and mid-sized businesses.
Ransomware & extortion
LockBit, Akira, BlackCat, Play, Medusa. Encryption containment, decryption evaluation, ransom coordination.
Data breach & exfiltration
Identify what was taken, support NY SHIELD notification, and produce a forensic report for your insurer.
Catastrophic system failure
When a crash could plausibly be a breach, or standard backups can't restore.
BEC & wire fraud
Compromised M365/Workspace, fraudulent wires, vendor invoice substitution, exec impersonation.
Insider & account compromise
Departed-employee theft, privileged abuse, stolen creds on dark web markets.

Supply chain & 3rd party
When your vendor or MSP is breached and your data is exposed downstream.
How PTG's incident response works
PTG's incident response process is designed to swiftly address and mitigate threats. Our team acts quickly to contain incidents, ensuring minimal disruption to your business operations.
Triage & Containment
A responder will be notified within 15 minutes. We collect facts, confirm scope, and immediately work to contain the spread — isolating endpoints, killing malicious processes, and blocking command-and-control traffic. By the end of hour one, the bleeding stops.
Eradication & Threat Actor Eviction
We identify the entry vector (phishing, exposed RDP, vulnerable VPN, compromised credentials), map every system the actor touched, and remove their access — including persistence mechanisms, backdoors, and scheduled tasks designed to bring them back. Forensic preservation runs in parallel.
Recovery & Hardening
We restore from clean backups or rebuild affected systems. Before anything reconnects, we close the entry vector and the misconfigurations that allowed lateral movement. You return to operations on a more defensible footprint than before the incident.
Post-Incident Review & Reporting
You receive a documented forensic report fit for your cyber insurance carrier, legal counsel, and regulators. We hold a closeout review with your leadership covering what happened, what changed, and what remains. If you don't already have one, we'll help build the incident response plan that turns the next event into a rehearsal, not a crisis.
Why Local Incident Response Matters
National DFIR firms are capable — until they need hands on your hardware at 9 PM on a Friday. PTG responds from Long Island. That means:
- On-site within hours, not days. Some incidents demand physical access, especially when networks are deliberately offline and remote tools can't reach.
- Regional regulatory familiarity. NY SHIELD Act, NY DFS Part 500 (if you touch financial services), and city-level breach notification obligations are home turf.
- Established local relationships. FBI Cyber Division (NYC field office), New York State Attorney General's office, and Long Island-based breach counsel and PR firms. We know who to call when escalation is needed.
- Continuity after the crisis. Most national IR firms hand you off the day the report ships. PTG's MSP team can take over hardened operations directly — so you're not rebuilding both your environment and your IT provider relationship at the same time.
FAQs
Disconnect affected systems from the network without powering them off — that preserves forensic evidence in memory. Don't communicate with the threat actor. Don't pay the ransom yet. Screenshot ransom notes and file extensions. Notify only your immediate leadership and insurance broker. Then call an incident response team. The first hour determines whether the attack stays contained or spreads to backups.
Not before consulting an incident responder, your cyber insurance carrier, and legal counsel. Paying may violate OFAC sanctions depending on the threat actor's affiliation, doesn't guarantee a working decryptor, and signals to other groups that you'll pay again. A qualified IR team will evaluate whether backups, public decryptors, or partial recovery make payment unnecessary, and will manage the negotiation if payment is the right call.
No — disconnect it from the network instead. Powering off wipes the memory-resident evidence (running processes, encryption keys in RAM, decrypted file fragments) that forensic responders use to identify the attacker and sometimes recover data without paying. Unplug the network cable or disable Wi-Fi, then leave the system running.
Our 24/7 hotline routes directly to an on-call responder, not a ticketing queue. A Senior Engineer will be notified within 15 minutes. Active containment typically starts within 1 hour. On-site response across Long Island and NYC is available the same day.
Yes. PTG coordinates with breach coaches, panel counsel, and approved forensic firms on insurer rate sheets. We provide the documentation carriers require for claims and align our response with policy terms so coverage isn't jeopardized. If you're unsure of your carrier or policy details, we'll help locate them.
An MSP keeps you running day to day; an incident response team is specialized for the worst day. The two are complementary. A retainer guarantees faster response, locks in rates, and gives you a team that has already mapped your environment — meaning hour one is faster when it counts. PTG's MSP and IR teams are integrated, so retainer clients get a unified handoff between routine support and active response.
Disaster recovery restores systems and data — it answers "how do we get back online?" Incident response investigates the cause, contains the threat actor, and prevents the same breach from recurring — it answers "what happened, who did it, and is it really over?" After a cyber incident, doing DR without IR is how organizations get re-encrypted three weeks later by the same threat actor still inside the network.
Often yes. The NY SHIELD Act requires notification to affected New York residents and the NY Attorney General when private information is exposed. Financial services firms under NY DFS Part 500 have a 72-hour reporting requirement to the regulator. Healthcare, education, and government contracts add their own obligations. PTG's incident report includes the facts your counsel needs to make notification decisions on time.
We follow chain-of-custody procedures consistent with FBI and federal court standards: forensic imaging of affected systems before remediation, hash verification, time-stamped logs, and documented handling. If your case goes to law enforcement or civil litigation, our work product holds up.
Yes, when negotiation is the right call — but always coordinated with your insurer, counsel, and OFAC compliance review. Direct negotiation by the victim almost always raises the ransom and never helps. If a decision is made to engage, we manage all communication through dedicated channels built for this work.
You receive a written incident report covering scope, root cause, actions taken, and recommendations. We hold a leadership closeout meeting. If you want PTG ongoing, we transition to managed cybersecurity and IT services. If not, you leave the engagement with a hardened environment, a documented playbook, and a relationship to call on if anything resurfaces.