Incident Response Automation: Accelerating Detection and Response with SOAR

When a security incident strikes, every second counts. The difference between a contained breach and a catastrophic data loss often comes down to how quickly and effectively an organization can respond. Yet many security teams remain trapped in manual processes, wrestling with alert fatigue, fragmented tools, and time-consuming investigations that leave attackers free to operate within their networks.‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‍‌‌‌‌

Security Orchestration, Automation and Response (SOAR) platforms are transforming this reality, enabling organizations to automate routine tasks, accelerate response times, and maximize the impact of their security investments. This comprehensive guide explores how to build and optimize automated incident response capabilities.

The Incident Response Challenge

The Manual Response Problem

Alert Overload Reality:‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‌‍‌‌‌‌‍‌‌‌‍‌‌‌‌‍‌‌‌‌‌‍‌‌‌‌‌‌‍‌‌‌‍‌‌‌‌

Average enterprise security team receives 10,000+ alerts daily
50-70% of alerts are false positives
Average time to triage a single alert: 10-30 minutes
Many legitimate threats are lost in the noise

Response Time Statistics:

Average time to detect a breach: 287 days (M-Trends 2023)
Average time to contain a breach: 80 days
Organizations with automated IR contain breaches 70% faster

Cost of Delay:

Breaches contained within 200 days: $3.93M average cost
Breaches taking longer than 200 days: $4.95M average cost
Every hour of attacker dwell time increases damage exponentially

The Complexity Multiplier

Modern security environments compound response challenges:

Dozens of security tools generating isolated alerts
Cloud and hybrid infrastructure spanning multiple providers
Remote workforce expanding the attack surface
Sophisticated multi-stage attacks requiring coordinated response

Understanding SOAR Fundamentals

SOAR Core Components

SOAR Platform Architecture:

┌─────────────────────────────────────────────────────────┐
│                    Orchestration Layer                  │
│         (Workflows, Playbooks, Case Management)       │
├─────────────────────────────────────────────────────────┤
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐   │
│  │ Automation  │  │  Threat     │  │   Case      │   │
│  │  Engine     │  │ Intelligence│  │ Management  │   │
│  │             │  │             │  │             │   │
│  │ • Playbooks │  │ • IOC Mgmt  │  │ • Tracking  │   │
│  │ • Scripts   │  │ • Enrich    │  │ • Metrics   │   │
│  │ • API calls │  │ • Correl    │  │ • Reporting │   │
│  └─────────────┘  └─────────────┘  └─

  
    
    
      Free Resource
      Get the Free Cybersecurity Checklist
      A practical, no-jargon security checklist for businesses. Download free — no spam, unsubscribe anytime.
      Send Me the Checklist →
    
  

────────────┘   │
├─────────────────────────────────────────────────────────┤
│                    Integration Layer                      │
│    (SIEM, EDR, Firewall, Cloud, Email, Identity...)     │
└─────────────────────────────────────────────────────────┘

Key SOAR Capabilities

Security Orchestration: Connecting disparate security tools to work together seamlessly Automation: Executing repetitive tasks without human intervention Response: Taking action to contain, remediate, and recover from incidents

Building Automated Response Playbooks

Playbook Design Principles

Tiered Response Model:

Tier 1: Fully Automated (No human intervention)
├─ Known malware detection
├─ Policy violations (USB usage, etc.)
├─ Low-risk phishing (known signatures)
└─ Routine containment actions

Tier 2: Human-Validated Automation
├─ Suspicious lateral movement
├─ Potential data exfiltration
├─ Credential compromise indicators
└─ Automated containment pending approval

Tier 3: Human-Led with Automation Support
├─ APT/sophisticated attacks
├─ Insider threats
├─ Multi-system compromises
└─ Automated enrichment and documentation

Common Playbook Patterns

Phishing Response Playbook:

Playbook: Phishing_Incident_Response
Trigger: Email security alert (suspicious message)

Steps:
  1. Enrichment:
     - Extract sender, URLs, attachments
     - Query threat intelligence sources
     - Check URL reputation (VirusTotal, URLhaus)
     - Analyze attachments in sandbox
     
  2. Correlation:
     - Search for similar emails across organization
     - Identify recipients (1:1 vs. broadcast)
     - Check if any recipients clicked/executed
     
  3. Triage Decision:
     IF confirmed malicious AND clicked:
       → Escalate to Tier 2
     IF confirmed malicious AND not clicked:
       → Auto-remediate (remove emails, block sender)
     IF suspicious:
       → Create ticket for analyst review
     IF false positive:
       → Close with documentation
     
  4. Response Actions:
     - Remove similar emails from all mailboxes
     - Block sender domain/IP
     - Add IOCs to threat intelligence
     - Notify recipients (if appropriate)
     
  5. Documentation:
     - Create incident timeline
     - Update threat intelligence
     - Generate metrics for reporting

Malware Detection and Response:

Playbook: Malware_Containment
Trigger: EDR high-confidence malware detection

Immediate Actions (< 1 minute):
  1. Isolate affected endpoint from network
  2. Capture memory dump for forensics
  3. Block known-bad file hash across all endpoints
  4. Collect running processes and network connections

Investigation (Automated, 1-5 minutes):
  1. Check for lateral movement indicators
  2. Review user account activity (past 24 hours)
  3. Analyze DNS queries and network connections
  4. Check for persistence mechanisms

Containment (Automated with approval):
  1. IF lateral movement detected:
     - Isolate additional affected systems
     - Disable compromised user account
     - Force password reset
     
  2. IF data access suspected:
     - Revoke active sessions
     - Enable enhanced monitoring
     - Alert data owner

Notification:
  - Notify SOC manager (high severity)
  - Create ticket with automated findings
  - Update threat intelligence platform

Playbook Development Best Practices

1. Start Simple, Expand Gradually:

Phase 1: Enrichment Only
├─ Gather context automatically
├─ Present to analyst for decision
└─ No automated actions

Phase 2: Low-Risk Automation
├─ Add blocking for known-bad IOCs
├─ Automated ticketing and documentation
└─ Email notifications

Phase 3: Conditional Response
├─ Automated containment for high-confidence
├─ Human approval gates for critical actions
└─ Cross-platform response

Phase 4: Full Automation
├─ Handle complete incident lifecycle
├─ Automated recovery actions
└─ Self-optimizing based on outcomes

2. Include Human Decision Points:

# Example approval workflow
def isolate_system(hostname, severity):
    if severity == "critical":
        # Auto-approve for critical malware
        return execute_isolation(hostname)
    elif severity == "high":
        # Request approval for high severity
        approval = request_approval(
            approver="soc_manager",
            timeout_minutes=5,
            action=f"Isolate {hostname}"
        )
        if approval.granted:
            return execute_isolation(hostname)
    else:
        # Log for analyst review
        create_ticket(severity, hostname)

3. Build in Safety Mechanisms:

Rate limiting on automated actions
Exclusion lists for critical systems
Automatic escalation on failures
Rollback capabilities for containment actions

Integration Architecture

Essential Integrations

Detection Sources:

Alert Sources:
├─ SIEM (Splunk, QRadar, Sentinel)
├─ EDR/EPP (CrowdStrike, SentinelOne, Microsoft Defender)
├─ Network Security (IDS/IPS, NDR)
├─ Email Security (Proofpoint, Mimecast)
├─ Cloud Security (CSPM, CWPP)
└─ Identity Security (ITDR, IAM)

Response Targets:

Action Targets:
├─ Firewall/Proxy (block IPs, URLs)
├─ EDR (isolate hosts, kill processes)
├─ Active Directory (disable accounts, force resets)
├─ Email Gateway (delete messages, block senders)
├─ Cloud Platforms (revoke sessions, modify policies)
└─ Ticketing Systems (create, update, close tickets)

Enrichment Sources:

Threat Intelligence:
├─ Internal TI platform (MISP, OpenCTI)
├─ Commercial feeds (Recorded Future, Mandiant)
├─ OSINT sources (VirusTotal, Abuse.ch)
└─ Industry ISACs

Context Data:
├─ Asset management (CMDB)
├─ Identity and access (IAM)
├─ Vulnerability management
└─ Configuration management

Integration Patterns

Webhook-Driven Automation:

# Example: Webhook handler for SIEM alerts
@app.route('/webhook/siem', methods=['POST'])
def handle_siem_alert():
    alert = request.json
    
    # Parse alert data
    severity = alert['severity']
    alert_type = alert['type']
    source_ip = alert['source_ip']
    
    # Route to appropriate playbook
    if alert_type == 'malware':
        playbook = MalwareResponsePlaybook(alert)
    elif alert_type == 'phishing':
        playbook = PhishingResponsePlaybook(alert)
    elif alert_type == 'lateral_movement':
        playbook = LateralMovementPlaybook(alert)
    
    # Execute playbook
    result = playbook.execute()
    return jsonify({"status": "executed", "incident_id": result.id})

API Polling Pattern:

# Example: Polling EDR for new detections
def poll_edr_alerts():
    last_poll = get_last_poll_time()
    
    # Query EDR API for new alerts
    alerts = edr_client.get_alerts(
        since=last_poll,
        severity=['high', 'critical']
    )
    
    for alert in alerts:
        # Create incident in SOAR
        incident = create_incident(alert)
        
        # Execute enrichment playbook
        run_playbook('enrich_and_triage', incident)
    
    update_last_poll_time(datetime.now())

Measuring Automation Success

Key Performance Indicators

Efficiency Metrics:

Mean Time to Detect (MTTD):
Before: 12 hours
After: 15 minutes
Improvement: 98%

Mean Time to Respond (MTTR):
Before: 4 hours
After: 8 minutes
Improvement: 97%

Mean Time to Contain (MTTC):
Before: 8 hours
After: 25 minutes
Improvement: 95%

Alert-to-Ticket Ratio:
Before: 1:1 (every alert creates work)
After: 20:1 (automation handles 19/20)
Efficiency gain: 1,900%

Quality Metrics:

False Positive Rate:
Before: 65% of alerts were false positives
After: 15% after automated enrichment

Escalation Accuracy:
Before: 30% of escalations were unnecessary
After: 8% after automated triage

Investigation Completeness:
Before: 45% of investigations missed key context
After: 95% with automated enrichment

Business Impact Metrics:

Analyst Productivity:
Before: 20 alerts investigated per day per analyst
After: 200+ with automation support

After-Hours Coverage:
Before: 8/5 coverage only
After: 24/7 automated response

Breach Impact Reduction:
Before: Avg dwell time 287 days
After: Avg dwell time 24 days

Building the Automation Dashboard

┌─────────────────────────────────────────────────────────┐
│           SECURITY AUTOMATION DASHBOARD                 │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Incidents Today: 247    Automated: 89%    Manual: 11%  │
│  Avg Response Time: 6 minutes (SLA: 15 min)           │
│  Playbooks Executed: 1,247   Success Rate: 99.2%       │
│                                                         │
├─────────────────────────────────────────────────────────┤
│  MTTR Trend (30 days)                                   │
│  ████████████████████████████████████████  6 min (avg)  │
│  15 min ───────────────────────────────────────  SLA    │
│                                                         │
├─────────────────────────────────────────────────────────┤
│  Top Automated Playbooks:                                 │
│  1. Phishing Response (342 executions)                   │
│  2. Malware Containment (198 executions)               │
│  3. Account Compromise (156 executions)                │
│  4. Suspicious Login (127 executions)                  │
│                                                         │
├─────────────────────────────────────────────────────────┤
│  Cost Avoidance: $2.3M (YTD)                            │
│  Analyst Hours Saved: 4,200 hours                       │
│  Automation ROI: 412%                                   │
└─────────────────────────────────────────────────────────┘

Advanced Automation Capabilities

Threat Intelligence Integration

Automated IOC Enrichment:

# Automatic threat intelligence lookup
def enrich_ioc(indicator, indicator_type):
    enrichment = {}
    
    # Multi-source lookup
    sources = [
        virustotal_lookup,
        misp_lookup,
        recorded_future_lookup,
        internal_ti_lookup
    ]
    
    for source in sources:
        try:
            result = source(indicator)
            enrichment[source.name] = result
        except Exception as e:
            logger.warning(f"Enrichment failed for {source.name}: {e}")
    
    # Calculate aggregate reputation score
    reputation_score = calculate_reputation(enrichment)
    
    # Auto-action based on confidence
    if reputation_score > 90:
        auto_block(indicator)
    elif reputation_score > 70:
        add_to_watchlist(indicator)
    
    return enrichment

IOC Lifecycle Management:

Automatic expiration of stale IOCs
Reputation score updates
False positive feedback loop
Historical effectiveness tracking

Machine Learning Integration

Alert Prioritization:

# ML-based alert scoring
priority_score = ml_model.predict({
    'alert_type': alert.type,
    'source_ip_reputation': ti_lookup(alert.src_ip),
    'user_risk_score': user_risk[alert.user],
    'asset_criticality': asset_criticality[alert.host],
    'time_of_day': alert.timestamp.hour,
    'historical_false_positive_rate': fp_rate[alert.signature]
})

if priority_score > 0.9:
    auto_respond(alert)
elif priority_score > 0.7:
    fast_track_analyst(alert)
else:
    queue_for_batch_review(alert)

Anomaly Detection:

Baseline user and system behavior
Detect deviations automatically
Create incidents for significant anomalies
Reduce false positives through learning

Automated Threat Hunting

Proactive Playbooks:

Playbook: Threat_Hunt_Lateral_Movement
Schedule: Daily at 02:00

Hunt Steps:
  1. Query SIEM for lateral movement indicators:
     - SMB connections between workstations
     - PSExec usage
     - WMI execution
     - Remote PowerShell sessions
     
  2. Correlation:
     - Cross-reference with known admin activity
     - Check against change management tickets
     - Validate against expected patterns
     
  3. Analysis:
     - Score findings by risk
     - Enrich with asset and user context
     
  4. Response:
     IF high_confidence_malicious:
       → Create incident
       → Isolate affected systems
       → Alert threat hunting team
     IF suspicious:
       → Create investigation ticket
       → Add to watchlist
     IF benign:
       → Update baseline
       → Tune detection rules

Implementing SOAR: A Roadmap

Phase 1: Foundation (Months 1-3)

Weeks 1-4: Platform Selection and Setup

Evaluate SOAR platforms (Splunk SOAR, Palo Alto XSOAR, Swimlane, Tines)
Deploy selected platform
Establish initial integrations (SIEM, EDR)

Weeks 5-8: Basic Automation

Implement enrichment playbooks
Automate ticket creation and updates
Build investigation context gathering

Weeks 9-12: First Response Playbooks

Phishing response automation
Known-malware containment
IOC blocking workflows

Phase 2: Expansion (Months 4-6)

Add remaining security tool integrations
Build conditional response playbooks
Implement approval workflows
Create custom dashboards and reporting

Phase 3: Optimization (Months 7-9)

Tune false positive rates
Optimize playbook performance
Implement machine learning scoring
Expand automated threat hunting

Phase 4: Maturation (Months 10-12)

Full lifecycle automation
Self-healing capabilities
Automated reporting and metrics
Cross-organizational playbooks

Challenges and Mitigations

Common Implementation Challenges

Challenge: Integration Complexity

Mitigation:
├─ Start with API-friendly tools
├─ Use pre-built connectors where available
├─ Implement proper error handling
└─ Maintain fallback procedures

Challenge: Organizational Trust

Mitigation:
├─ Implement approval gates initially
├─ Comprehensive logging and auditing
├─ Gradual expansion of automation scope
└─ Regular review of automated decisions

Challenge: Maintaining Playbooks

Mitigation:
├─ Version control for all playbooks
├─ Automated testing pipelines
├─ Regular review and update cycles
└─ Documentation as code practices

Conclusion

Incident response automation through SOAR platforms represents one of the highest-ROI investments security teams can make. By eliminating repetitive manual tasks, accelerating response times, and enabling 24/7 coverage, automation transforms security operations from reactive firefighting to proactive threat management.

Success requires a methodical approach: start with enrichment, gradually expand to low-risk automation, build organizational confidence, and continuously optimize based on outcomes. The organizations that embrace this transformation will operate with decisive speed when threats emerge, while those relying on manual processes will fall further behind.

The future of security operations is automated, orchestrated, and intelligent. The time to begin that journey is now.

For more information on SOAR and incident response automation, explore the SANS Incident Response resources and CISA Automation Resources.

What to Do When Hackers Break Into Your Business (Explained Simply)

ELI10 version — real advice, plain language, no jargon.

TL;DR

Don't wipe or clean up — that destroys the evidence you need
Call your cyber insurer before anyone else, or you might not get paid out
Don't pay the ransom until you've checked for free solutions first
Get a specialist, not just your regular IT person

Imagine your office is a house. You walk in one morning and the front door is wide open. Drawers are pulled out. Papers everywhere. Someone was definitely here overnight.

What do you do?

Most people's first instinct: clean everything up, make it look normal again, pretend it didn't happen.

That's the worst thing you can do. Here's why.

Why You Shouldn't "Clean Up" First

When police investigate a break-in, they look for fingerprints, footprints, and anything the burglar touched. If you've cleaned the whole house, those clues are gone forever.

Computer forensics works exactly the same way. When investigators look at a hacked computer, they read the "footprints" left in the system — logs, memory, traces of what the attacker did. NIST's federal incident handling standard (SP 800-61r2) specifically requires preserving this evidence before any recovery actions are taken [1]. If you wipe the computer to "fix" it, you destroy all of that.

What to do instead: Pull the network cable out (so no one can still be sneaking around inside) but leave the computer on. Don't delete anything. Don't reformat anything. Just disconnect it from everything else.

Check If Your Spare Key Was Already Copied

Your backups are like a spare copy of everything in your business. But ransomware often breaks in quietly, weeks before anything obvious happens. It sits and waits. Then it strikes.

According to Veeam's 2024 Ransomware Trends Report, 75% of ransomware attacks successfully impacted backup repositories specifically to prevent recovery [2]. That means your backup from last Tuesday might already have the bad stuff inside it. You need to find a backup from before the attackers got in.

Call Your Insurance Company Before Anyone Else

If you have cyber insurance, call them first — before your IT person, before the police, before you start fixing anything. Many insurance policies say: "If you start fixing things before calling us, we won't pay." It's like calling your home insurer before you start rebuilding after a flood.

No cyber insurance? This is exactly what it costs to not have it.

Should You Pay the Ransom?

Ransomware is like a bully who locks your school locker and demands your lunch money for the combination back. The problem: sometimes the bully takes your lunch money and keeps the locker locked anyway. According to Veeam's 2024 report, 1 in 4 businesses that paid still couldn't get their data back [2].

Also important: the U.S. Treasury's OFAC has warned that paying certain ransomware groups may violate federal sanctions law [3].

Before you pay anything: Go to nomoreransom.org [4]. It's a free website run by Europol and police agencies worldwide that has free "unlock codes" for many ransomware programs. You might not need to pay at all.

Your IT Person vs. a Security Specialist

Your regular IT person is skilled at keeping things running. Incident response — figuring out what happened and fixing it properly — is a specialist skill requiring different certifications, different tools, and a completely different approach [1]. Using your IT admin for incident response is like asking the building manager to also investigate the burglary.

After It's Over: Fix the Hole

The break-in happened because there was a way in. Once you're back up and running, you need to find that hole and seal it. That means:

Turning on two-factor authentication everywhere (like needing both a key AND a PIN)
Getting an expert to check for other weak spots
Having a plan written down for next time — because there's always a next time

Your Action Items

Save your cyber insurer's emergency number somewhere you can find it in a panic
Know where your backups live and when they were last taken
Bookmark nomoreransom.org right now [4]
Turn on MFA (two-factor login) for your email, banking, and key systems today
Know who to call for incident response — lilMONSTER offers a free consult

FAQ

What's the very first thing to do when I get hacked? Disconnect affected computers from your network immediately — pull the cable or turn off Wi-Fi — but do NOT turn them off or wipe them. Then call your cyber insurer before anything else. NIST SP 800-61r2 defines this isolation-without-destruction as the critical first containment step [1].

Why shouldn't I just reformat my computer after a hack? Reformatting destroys the forensic evidence investigators need to understand what happened, what data was accessed, and how the attacker got in. That evidence matters for insurance claims, legal cases, and making sure you don't get hacked the same way again [1].

Is there a free way to get ransomware removed? Often yes — check nomoreransom.org [4] for free decryption tools. This site is run by Europol and major police agencies and covers hundreds of known ransomware strains at no cost.

References

[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer Security Incident Handling Guide," NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, Aug. 2012. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

[2] Veeam Software, "2024 Ransomware Trends Report," Veeam Research, 2024. [Online]. Available: https://www.veeam.com/resources/wp-2024-ransomware-trends-executive-summary-apj.html

[3] U.S. Department of the Treasury, "Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments," OFAC Advisory, Oct. 2020. [Online]. Available: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

[4] No More Ransom Project (Europol / Dutch National Police), "Free Ransomware Decryption Tools," 2024. [Online]. Available: https://www.nomoreransom.org/

Worried your business isn't ready for this? Book a free consultation with lilMONSTER — we'll help you build a plan before you ever need it. Prevention costs a fraction of recovery.