DFIR Services in Delhi NCR · Government & Enterprise IR

Delhi NCR concentrates the incidents that draw national attention — government and PSU systems, critical-sector operators, and the large enterprises clustered in Gurugram's Cyber City and Noida's IT belt. When these are hit, the response has to satisfy CERT-In, the sectoral regulator, and — for protected systems — NCIIPC, all while containing a live attacker. Macksofy's DFIR practice delivers across the NCR with the forensic rigour and documentation discipline that government and critical-sector incidents demand, on retainer and on emergency call-out, as a CERT-In empanelled firm.

The first hours are run to two clocks: containment and the CERT-In six-hour notification under Direction 20(3)/2022. Our triage runs in parallel — scoping blast radius and preserving volatile evidence while drafting the notification and opening the containment plan with the in-house or empanelled-vendor IT team. For government and PSU environments we are deliberate about documentation from minute one, because the incident will be reviewed by CERT-In, possibly NCIIPC, the departmental authority, and sometimes a CAG-aligned audit. Acquisition is forensically sound with hashes and chain-of-custody so the evidence stands up to every one of them.

NCR incident patterns span a wide estate. Ransomware and human-operated intrusions against enterprise and PSU networks demand AD-forest forensics and lateral-movement timelines. Citizen-facing portal breaches demand web, API and database forensics and a fast read on whether citizen data was exposed. Critical-sector and manufacturing incidents (the NCR/Manesar auto and industrial belt) can cross from IT into OT, where we scope carefully and preserve evidence without disrupting a live process. BEC and data-theft against enterprise HQs round out the set. Each incident produces a documented timeline, a root cause, TTPs mapped to MITRE ATT&CK, and an indicator set for estate-wide hunting.

Reporting is built for the NCR's layered oversight. The CERT-In six-hour notification and follow-up; the NCIIPC reporting and coordination where the system is notified as protected; the sectoral-regulator incident note; the DPDP breach-notification trail to the Data Protection Board and affected principals where personal data is implicated; and the departmental/CAG-aligned documentation pack a government review will request. The technical report carries the forensic findings and root cause; the leadership report carries the one-page narrative, exposure and remediation commitments that a secretary or CISO can take upward without rewrite.

Eradication and recovery verify the attacker is gone before rebuild — no surviving persistence, no rogue account or trust — and pair recovery with hardening: identity and AD fixes, segmentation (including the IT/OT boundary where relevant), and detection-engineering so the incident's indicators become permanent SOC coverage. For retainer clients we run a post-incident tabletop and update the IR playbook against the real environment and the NCR's reporting obligations.

Procurement and readiness in the NCR favour a standing arrangement. A Macksofy IR retainer — structured to fit GeM, departmental and enterprise procurement — gives guaranteed SLAs, pre-agreed RoE, named responders who know the environment, and banked hours, converting a crisis into a call rather than an emergency tender. Onsite response is same-day across Gurugram Cyber City, Noida and central Delhi, with the wider NCR — Greater Noida, Manesar, Faridabad — reachable the same day, and remote forensic acquisition starting within the hour.