01 · Company

We investigate what matters.

Evidence-first digital forensics, delivered by practitioners qualified to testify.

Overview

ISRM Group is a digital forensics firm providing investigative, analytical, and remediation services to organisations navigating complex digital incidents. We investigate breaches, insider activity, litigation matters, and regulatory inquiries across endpoints, networks, and cloud environments — delivering defensible findings in language boards, counsel, and regulators can act on.

How we work

Operating principles.

The envelope our engagements are delivered inside.

C.01

Evidence-first

We preserve before we investigate. Every artefact is captured under documented custody so the narrative holds up to cross-examination.

C.02

Cross-disciplinary

Endpoint, network, cloud, mobile, and eDiscovery capabilities in one engagement team — the picture reconstructs across layers.

C.03

Translated for decisions

Technical reality, translated for boards, counsel, and regulators. Findings that inform decisions, not just describe events.

C.04

Built for cross-examination

Our reports and testimony are designed for opposing-counsel scrutiny. Chain of custody, method, and reasoning — documented, defensible, courtroom-ready.

How we differ

ISRM is not a threat intelligence vendor. We do the work after something has already gone wrong — when findings have to hold up to counsel, regulators, and a court.

Threat-intelligence platforms watch the outside world: actors, malware families, indicators of compromise. Useful, but it doesn't tell you what happened on your estate, who the data left through, or what you must disclose by Friday.

Below is the practical line between the two disciplines. It's also the boundary at which most general counsel call us in — when monitoring stops being enough and the matter has to become defensible.

| Capability | ISRM | Threat Intelligence |
| --- | --- | --- |
| Information risk management | Included | Not included |
| Proactive data-exposure detection | Included | Not included |
| Actionable, organisation-specific insights | Included | Not included |
| Sensitive data erasure | Included | Not included |
| Integration with internal teams | Included | Not included |
| Monitoring threat actors & trends | Not included | Included |
| Broad malware & vulnerability analysis | Not included | Included |
| Incident containment & remediation | Included | Not included |

Threat intelligence tells you what's out there. ISRM tells you what happened, what was taken, and what is now defensible to say about it — to your board, to counsel, and to the regulator.

Plain English

What "defensible" actually means.

A finding is defensible when someone independent, looking at the same evidence with the same method, would land in the same place. Three things have to be true for that to hold up.

D.01

We can show where it came from.

Every piece of evidence is traceable from the moment it's captured to the moment it's cited. If we can't account for it the whole way through, it doesn't make the report.

D.02

Someone else could repeat it.

Tools, versions, settings and operator decisions are written down. Another examiner running the same procedure on the same data should land on the same answer.

D.03

The reasoning is on the page.

What we saw, what we inferred from it, and what we ruled out — all spelled out. Anyone disagreeing with the conclusion can do so without first reverse-engineering the analysis.

The team

Who you're actually working with.

We don't publish a roster of headshots. Three things stay true on every engagement, regardless of who is on it.

  1. T.01

    Court-ready, by default.

    Engagement leads are court-recognised expert witnesses. The work is run from the first hour as if it will end up in front of a judge — because often, by the end, it does.

  2. T.02

    Independent of the tooling.

    We don't resell software, we don't take referral fees, and we hold parallel certifications across the major forensic platforms. The conclusion is shaped by the evidence, not by what we happen to own a licence for.

  3. T.03

    One team, every layer.

    Endpoint, network, cloud, mobile and eDiscovery sit inside one engagement team — not stitched together from sub-contractors. The picture reconstructs across layers, and so does accountability for it.

Held across the team: Court-recognised expert witness, GIAC GCFA / GCFE / GREM, EnCE, CCE, X-Ways

Engagement

By the time a finding reaches a courtroom, the work that made it admissible is already two months old.

If you anticipate a matter where the technical record will be examined — by a regulator, by counsel, by a court — the brief is best taken before the artefacts are touched.

When the incident starts, the clock already has.

Reach an ISRM investigator directly. First call to engaged team, under an hour.