Incident readiness & response

The first 48 hours shape everything that follows.

A retained response partner for protocol and product teams. Prepared before the incident. Beside you during it. Calm throughout.

What we do

Three phases. One steady hand through all of them.

A fully integrated response partner. We embed with your engineering response, execute communications directly, and work alongside your in-house counsel and comms team. Where specialists are needed, from forensics to external counsel, we bring vetted options and fold them into a single coherent response.

01

Prepare

Readiness is built in calm months, not crisis hours. We embed with your team so the plan exists before it's needed.

  • Stakeholder map: who to reach, in what order
  • Communications playbook and holding statements
  • Activation criteria and approval paths
  • Quarterly tabletop rehearsal
02

Respond

When something breaks, you activate a partner who already knows the business. We hold the rhythm while your team works the problem.

  • Priority channel, direct to a senior operator
  • Every communication drafted, on cadence
  • A factual decision log from minute one
  • Leadership and engineers protected from noise
03

Recover

The incident ends. The story doesn't. We turn the response into a record that rebuilds trust rather than eroding it.

  • Structured debrief: what was known, when
  • Postmortem and remediation narrative
  • Trust repair across users, investors, partners
  • Playbook updated with what was learned
How it runs

An incident, hour by hour, with us in the room.

Every incident is different. The rhythm is not. This is what the first 48 hours look like when the plan already exists and the person running it already knows your business.

T+0:00

Something breaks

An exploit, an outage, a disclosure. Your team activates us on the pre-agreed channel. No introductions needed: we already know your product, your stakeholders, and who approves what.

T+0:20

One source of truth

We open the situation log: what is confirmed, what is suspected, what is unknown. Every decision gets recorded from this point on. Speculation stays out of writing.

T+0:45

First statement out

Built from the holding language we drafted months ago, approved through the path we agreed then. Accurate, factual, and early enough to hold the narrative.

"Decisions made in the golden hour are the difference between holding the narrative and chasing one written by others."

On the "golden hour" of crisis response, after Lukaszewski
T+3:00

Stakeholders hear it from you

Investor note prepared and sent. Partners and exchanges briefed in the right order. Community channels get a committed next-update time, and we hold to it.

T+6:00

Engineers stay on the problem

Every ad hoc request for information routes through us, not the people doing containment. Leadership works a decision rhythm instead of a hundred pings.

T+24:00

Controlled updates, on schedule

Audience-specific updates land when we said they would. A held cadence is what kills speculation: people stop refreshing feeds for news about you when they know when you'll speak next.

T+48:00

Recovery, on your terms

Known facts aligned, remaining unknowns named, remediation narrative drafted, debrief scheduled. The postmortem people cite will be the one you wrote.

The record

Preparation is the difference. The public record proves it.

6 days
Ronin Network, 2022

$625 million gone, and nobody noticed. The theft was discovered by a user who couldn't withdraw, not by monitoring. Six days without facts, cadence, or a story of their own.

30 min
Bybit, 2025

$1.5 billion stolen, the largest theft in crypto history. The CEO was speaking publicly within 30 minutes and withdrawals were restored in twelve hours. Industry commentary called it textbook. The exchange survived.

Day one
Norsk Hydro, 2019

Ransomware across 40 countries. Hydro admitted the breach the same day and ran daily public briefings, an approach it called "extreme transparency". It is now taught as the gold standard.

"Norsk Hydro set the example for the industry."
Eric Doerr, Microsoft

Responses like that aren't improvised courage. They are decisions made calmly, in advance, by people who thought about the first 48 hours before they arrived.

Working together

A deliberately simple relationship.

To do this job well we have to be genuinely integrated: an extended set of resources for your team, not a vendor you call cold. The commercial model is designed to make that easy.

Who we work with

Teams where trust is inseparable from the product, and where an incident becomes public fast:

Protocol foundations & core infrastructure Bridges & cross-chain systems Wallets & custody products DeFi applications Staking & validator businesses Exchanges & ecosystem entities Investor-backed Web3 teams Funds covering portfolio companies High-trust digital products beyond Web3

Simple terms, locked in

The retainer covers both sides of the work: active readiness every month, and reactive priority response through the first 48 hours, locked in without exception. Work beyond that window, sustained recovery, postmortems, trust repair, is separate by design: scoped as a fixed block and agreed with you before it begins. The terms never change mid-incident.

Clear SLAs, and an incident hotline that's always answered

A defined activation channel, who can trigger it, and what the first response window covers, written down at onboarding. At the center of it: a dedicated incident hotline, answered at any hour, on any day, in any timezone. Incidents don't keep office hours, so neither does activation.

Embedded before anything happens

Onboarding in the first 30 days: leadership context, technical orientation, channel review, stakeholder map. We integrate into your existing tooling and communication channels, so there's no new platform to adopt and no added admin. We work with our clients where they are, and a monthly rhythm keeps us current as your product and team change.

Capacity protected by design

We retain a small number of clients so that when you activate, you get full attention. A written triage protocol and a vetted specialist bench back that commitment.

About

Principal-led. No A team, no B team.

Every client relationship is led by the Principal Partner: the same senior operator through readiness, response, and recovery, on the other end of the incident hotline. No account managers, no juniors learning on your incident. Behind the Principal sits a small bench of trusted associates and specialist partners, engaged under the same confidentiality, so the service never rests on a single pair of hands during a live incident. And because we serve only a limited number of retained clients at a time, there is no client who gets the second-string version of this.

The practice draws on years running high-pressure product launches and operational environments at global scale, including telecoms at Vodafone, and deep working relationships across the Cardano and wider Web3 ecosystem: protocols, wallets, infrastructure teams, and the investors behind them.

That mix matters. Incident response in this space fails when the responder understands communications but not how protocol teams, governance, and communities actually work. We speak both languages.

Grounding

  • Operational scaleYears running high-pressure product launches and operations in global telecoms
  • Ecosystem depthWorking relationships across Cardano and wider Web3: protocols, wallets, infrastructure, investors
  • Professional developmentActive accreditation across business continuity, crisis communications, and cybersecurity bodies

Credentials support the work. Experience and preparation are the product.

The plan is written now, or improvised then.

Start with a confidential readiness debrief and a no-obligation discovery call. Capacity is deliberately limited to a small number of retained clients.

One integrated response: embedded with engineering, communications executed directly, working as one team with your counsel and specialists.