Global Manufacturing Organisation Strengthens Security Resilience by Consolidating on Microsoft with Quorum Cyber
A North America–based manufacturing organisation with a large Windows and Microsoft 365 footprint set out to simplify security operations while improving visibility and resilience across its environment.
Over time, the organisation’s security stack had grown fragmented. Signals were spread across multiple tools, increasing investigation time, complicating operations, and creating dependency on point solutions for critical controls.
Following a major industry-wide endpoint disruption, leadership initiated a strategic review of endpoint and detection platforms, with a focus on operational resilience, vendor risk, and reducing single points of failure. The organisation engaged Quorum Cyber to help modernise its security operating model and consolidate around the Microsoft security platform.
The challenge
The organisation faced three interrelated challenges:
- Fragmented visibility: Security data was spread across multiple tools, slowing investigations and making it difficult to maintain a consistent view of risk
- Endpoint platform risk: A third-party endpoint detection and response (EDR) platform had become a critical dependency. After a high-impact industry incident, leadership reassessed the potential operational blast radius and the recovery implications of relying on a single endpoint control at scale
- Transition complexity: The organisation wanted to move to a new endpoint approach without disrupting day-to-day operations, duplicating cost, or creating gaps in detection coverage during the changeover.
From a commercial perspective, the status quo was anchored in the incumbent EDR deployment, long regarded internally as a best-of-breed control.
The solution
Quorum Cyber designed and delivered a phased consolidation strategy built on the Microsoft security platform, focused on resilience, clarity, and operational control.
Key elements included:
- Adoption of Quorum Cyber Clarity Extend as the MXDR managed service aligned to the customer’s Microsoft estate
- Enablement of Microsoft Sentinel in the customer’s tenant to centralise security analytics, investigations, and response
- A structured transition to Microsoft Defender for Endpoint, with telemetry and detections brought online in a controlled sequence to maintain continuity, avoid coverage gaps, and prevent unnecessary overlap.
This approach brought endpoint, SIEM, and wider security signals into a single operating model, reducing complexity while increasing confidence in day-to-day security operations.
Why this approach worked
The organisation’s priority was not adding new tools but reducing operational risk while improving outcomes.
Consolidating on Microsoft delivered:
- Unified visibility across endpoint, identity, and cloud signals
- Reduced vendor dependency for a critical control, lowering the risk associated with single-vendor update or sensor failures
- Predictable economics, supported by clear Sentinel ingestion modelling and better utilisation of existing Microsoft licences.
Importantly, many core Microsoft security signals could be ingested into Sentinel without additional cost, allowing the organisation to scale visibility while maintaining a predictable run-rate.
Decision criteria focused on three outcomes: resilience and availability, operational simplicity, and strong alignment with the Microsoft ecosystem.
Why Quorum Cyber
The organisation selected Quorum Cyber for its deep Microsoft security specialisation and its ability to translate platform capability into a practical operating model.
Quorum Cyber provided:
- A clear transition roadmap: what to consolidate first, how to stage implementation, and how to maintain service continuity.
- Outcome-led positioning of Clarity Extend, focused on visibility, resilience, and simplification rather than tool management alone.
- Commercially sensible migration planning that avoided prolonged dual-running of endpoint platforms.
This combination reassured stakeholders that the endpoint platform change could be managed with control, minimising risk, avoiding disruption, and maintaining continuity throughout.
Commercial and operational impact
The move to a consolidated Microsoft security model involved a modest increase in Microsoft licensing to support the target posture. Managed service costs remained broadly flat or slightly reduced.
The primary value came from consolidation:
- Reduced tooling sprawl
- Improved security visibility
- A clearer, more resilient foundation for detection and response using Microsoft Defender and Sentinel.
Operationally, the organisation established a centralised security data strategy, enabling more efficient investigations and a scalable foundation for future security maturity.
Delivery approach
Quorum Cyber and the customer followed a structured six-week onboarding programme with clear milestones and ownership:
- The customer led the endpoint platform transition to Microsoft Defender for Endpoint
- Quorum Cyber enabled Microsoft Sentinel and onboarded required telemetry into Clarity
- Delivery was phased to increase visibility incrementally while maintaining operational stability.
This approach ensured the organisation strengthened security posture without introducing unnecessary risk during change.
“By consolidating on Microsoft security with Quorum Cyber, we’ve strengthened resilience, improved visibility, and simplified how we operate security day to day, with a foundation we can trust long term.”
Director of Information Security, North America-based manufacturing organisation.
Driving Cyber Resilience Through Trusted Partnership: The AA’s Journey

When it comes to cyber security, even the most recognised brands face a familiar challenge: balancing technical protection with cultural transformation.
For The AA, one of the UK’s most trusted motoring organisations, the mission was clear: strengthen their cyber defences without losing focus on the people and processes that make security sustainable.
That’s where partnership made all the difference.
The challenge: Balancing security and culture
As the digital landscape evolved, The AA’s cyber team, led by Mark Vodden, Head of Cyber Security, recognised a growing pressure: limited internal bandwidth and a need for around-the-clock protection.
“We had the right intent,” Mark explains. “But internally, our resources were stretched thin, and we didn’t want the technology piece to consume all our energy. Our goal was to keep our people engaged; to win hearts and minds, not just deploy tools.”
The AA needed a partner who could do more than take on the heavy technical lifting. They needed one who could make every aspect of the programme relevant to their business, aligning protection with their specific risk appetite, industry landscape, and data sensitivities. Quorum Cyber brought that broader perspective.
Beyond managing technology, Quorum Cyber worked to ensure every element of the security approach reflected The AA’s real-world context: understanding where data exposure could have the greatest impact, what a breach might mean for customer trust, and how protective measures could empower the business rather than slow it down. That deep, contextual understanding meant The AA’s security posture wasn’t just stronger; it was smarter, more responsive, and directly tied to organisational goals.
The turning point: Partnering for clarity and confidence
After evaluating their needs, The AA partnered with Quorum Cyber to bolster defences and bring greater clarity to their cyber operations.
Their first step was implementing Clarity Defend, a managed service providing continuous monitoring, proactive threat detection, and rapid response. This immediately alleviated internal pressure and gave the cyber team the operational confidence to focus on higher-value priorities.
But as the partnership matured, a new priority emerged: data visibility. The AA wanted deeper insight into where sensitive information lived, how it moved across systems, and how compliance obligations could be managed across a growing landscape of cloud and collaboration tools.
Working closely with Quorum Cyber experts, The AA expanded their strategy with Clarity Data, adding richer visibility and control over sensitive information alongside robust detection and response capabilities. This evolution extended The AA’s security posture beyond endpoints to encompass comprehensive data governance, insider risk management, and compliance monitoring, enabling protection that followed the data, wherever it travelled.
From reactive to strategic: The AA’s data-driven evolution
Leveraging Clarity Data transformed how The AA approached information security, shifting from reactive protection to a proactive, insight-driven model that continually adapts to business needs.
With the solution in place, The AA could:
- Expose unstructured data risks hidden across emails, messages, collaboration platforms, and end-user devices, bringing previously unseen vulnerabilities into focus.
- Understand and mitigate risky interactions through contextual behaviour analysis, Quorum Cyber’s distinctive capability that correlates user actions across systems to reveal intent and highlight patterns of heightened risk. Instead of viewing activity in isolation, Clarity Data connects the dots between behaviours and data movement, allowing The AA to intervene precisely where risk emerges.
- Continuously assess and evolve their security posture in line with business change and shifting legislation. The service’s evergreen design means it grows alongside The AA, adapting with every transformation, embedding new best practice, and ensuring security remains current rather than static. As Mark Vodden notes, “This isn’t a project with an end date, it’s a programme of continuous improvement. Our partnership with Quorum Cyber ensures we’re always moving forward.”
- Simplify compliance and reporting, supported by improved visibility and granular control of sensitive data.
- Prioritise high-impact actions that deliver measurable progress from day one, without chasing unattainable perfection.
This evolution wasn’t just about technology; it represented a mindset shift. With Quorum Cyber managing the technical foundation, The AA’s internal team could focus on cultural engagement, embedding data awareness across the organisation and empowering every employee to play an active role in protecting the business.
Lessons Learned: Data Security is a Journey, Not a Destination
Reflecting on the experience, Mark highlights several lessons for other organisations on a similar path:
- Technology alone isn’t the answer. True progress comes from combining technical excellence with cultural commitment.
- Choose a trusted partner. The right MSSP doesn’t just supply tools, they bring perspective, guidance, and flexibility.
- Focus on achievable wins. Small, visible successes build credibility and momentum across the business.
- Make it a partnership, not a handover. Shared accountability drives better outcomes and long-term trust.
The Results: Clarity, Confidence, and Culture
By leaning on their trusted partner for technical assurance, The AA gained:
- 24/7 protection without exhausting internal teams.
- Stronger compliance posture through better data oversight.
- Renewed cultural focus, empowering employees as part of the defence.
- A clear roadmap for continuous improvement, not one-off success.
“The partnership with Quorum Cyber gives us space to focus on people and purpose,” Mark notes. “That’s where resilience really lives.”
Final thoughts
The AA’s journey reflects a growing truth across industries: cyber resilience is as much about people as it is about protection.
By partnering with experts who not only manage technical complexity but also understand the unique risks, data sensitivities, and operational realities of their business, The AA unlocked the freedom to lead from within. Quorum Cyber’s partnership turned data governance and security from a technical function into a strategic, culturally embedded capability - one that reflects The AA’s values, risk appetite, and long-term ambitions.
Forrit Fortifies Technology to Protect its Customers from Cyber Threats
Forrit is a leading provider of cloud-native content management systems (CMSs) built for highly regulated industries such as financial services and healthcare. With a promise of “enterprise-grade security, rapid scalability, and global controls,” Forrit powers digital experiences for respected global organisations including Lloyd’s, NHS Scotland, Tesco Bank, and Craneware.
Challenge: Safeguarding trust in a high-stakes industry
As a member of the Chartered Institute of Information Security (CIISEC), Forrit needed a trusted cyber security partner to protect its product, data, and customers - around the clock. The company sought a partner who could:
- Respond swiftly to potential cyber incidents
- Offer proactive consulting and security advice
- Anticipate and defend against tomorrow’s evolving threats.
“Our customers operate in some of the world’s most regulated industries, there’s absolutely no room for compromise on security,” says Peter Proud, CEO, Forrit. “We needed a partner that could match our standards for trust, transparency, and technical excellence.”
Solution: A strategic partnership with Quorum Cyber
Forrit’s CMS platform is deployed within each customer’s own Azure subscription - a design that demands deep Microsoft security expertise and seamless collaboration between Forrit, Quorum Cyber, and end customers.
The partnership, which began in 2018, has grown steadily based on three pillars:
- Partnership: Built on a strong foundation of trust and collaboration
- Service Fit: A perfect alignment with Forrit’s Microsoft-based architecture and operational model
- Confidence: A proven track record of delivering high-quality, responsive cyber security services.
“Quorum Cyber feels like an extension of our own team,” adds Proud. “They understand our technology and our customers, and they share our commitment to keeping them safe.”
Outcome: Confidence, clarity, and continuous protection
To ensure comprehensive coverage, Forrit adopted Quorum Cyber’s Clarity Extend, an enhanced detection and response service covering the entire IT estate. The service is powered by a global Security Operations Centre (SOC) spanning the UK, US, and Canada, supported by Threat Intelligence (TI), Incident Response (IR), and threat-hunting specialists.
Together, they continue to deliver secure, resilient solutions for Forrit’s customers. Furthermore, for its cloud-first ambitions, Forrit needed an expert partner fluent in Microsoft security. As a Microsoft Solutions Partner for Security and member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber matched all the main requirements.
As a Microsoft Solutions Partner for Security and member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber provides the advanced expertise Forrit needs to deliver secure, scalable CMS solutions to regulated enterprises.
“With Quorum Cyber watching over our environment, we have absolute confidence that we’re protected; before, during, and after any cyber incident,” says Proud. “That peace of mind means we can focus on what we do best: helping our customers deliver exceptional digital experiences.”
How services evolved over time
Since the partnership began in 2018, Forrit and Quorum Cyber have built a strong, collaborative relationship rooted in trust, shared goals, and technical alignment. Over the past seven years, the partnership has evolved in several ways:
- As Forrit’s CMS platform matured, so did the complexity of its security needs. Quorum Cyber has consistently adapted, integrating more deeply into our architecture and workflows, to ensure robust protection across customer environments
- Together, they’ve supported a growing number of enterprise clients, delivering secure, resilient solutions tailored to their operational models. Quorum Cyber’s ability to work seamlessly with both Forrit and its customers has been a cornerstone of that success
- Seven years of consistent delivery, responsiveness, and shared values have built a solid foundation of trust.
Positive outcomes
The benefits of Clarity Extend go far beyond cyber security alone. The service empowers Forrit to formalise and fast-track responses to potential cyber incidents, shifting from reactive defence to proactive resilience. Together, Forrit and Quorum Cyber establish a clear baseline of normal business behaviour, enabling them to spot, investigate, and neutralise anomalies before they escalate. This partnership model also lets Forrit maintain a lean, high-impact security team, confident that the Quorum Cyber experts are proactively acting on their behalf, providing trusted, around-the-clock support. This assurance frees Forrit to focus its resources on innovation and product excellence, keeping its customers equipped with the most advanced CMS solution on the market.
Clarity Extend also enables Forrit to meet its regulatory obligations under the Bank of England’s Prudential Regulation Authority, the EU’s Digital Operational Resilience Act (DORA), and the National Institute of Standards and Technology (NIST) standards, ensuring robust operational resilience, cyber risk management, and compliance with evolving industry requirements.
With Clarity Extend, Forrit doesn’t just tick cyber security boxes; it shows customers, investors, and partners that it’s guarded by top-tier protection 24/7. They have immediate access to a proactive, threat-led partner ready to detect, analyse, and respond to threats in real time, keeping their business one step ahead of cybercriminals.
“Our long-term partnership with Quorum Cyber is a cornerstone of our business,” says Peter Proud. “They really care about our security, and that of our customers, and go beyond the simple short-term business transaction model.”
“Working with Quorum Cyber gives us the confidence to deliver secure services to our customers to meet their objectives and satisfy their regulatory requirements,” says Doug Cunningham, Forrit Chief Technology Officer. “Without this partnership, we wouldn’t be able to deliver this level of service. Quorum Cyber isn’t just a supplier – they’re a long-term partner invested in our mission and growth.”
“We share Forrit’s commitment to protecting customers from cyber threats,” says Federico Charosky, CEO, Quorum Cyber. “Together, we’re safeguarding their customers and enabling trust in every digital interaction.”
Defending Hope: How CHAS Sets the Standard for Data Security in Children’s Palliative Care

Children’s Hospices Across Scotland (CHAS) is a charity providing unwavering care to children who may die young and their families, at every step on this hardest of journeys. Three children a week die in Scotland from an incurable condition, and CHAS works in partnership with Scotland’s health and social care providers to ensure hospice and palliative care services are provided for these babies, children, and young people (aged 0-21 years) and their families across Scotland.
Entrusted with the sensitive personal information of thousands of families and hundreds of staff, CHAS places information security at the very heart of its mission. Protecting this data from theft, loss, and cyber threats is essential to maintaining the trust and dignity of every family it serves.
To safeguard its digital assets and maintain smooth operations, CHAS partnered with Quorum Cyber to implement Clarity Extend, an enhanced managed detection and response (MDR) service. This 24/7 security monitoring capability helps protect its IT estate and, critically, shields its 400 employees, many of whom hold nursing and clinical roles, from increasingly sophisticated phishing attacks.
“We need to monitor our networks 24/7 for malware and prevent cybercriminals from using social engineering to access and exfiltrate our systems,” says Dave Blair, Lead System Analyst at CHAS. “Quorum Cyber helps us prevent phishing attacks, monitor system logs or stop outsiders using accounts that they shouldn’t have access to.”
A cyber security extension to the team
CHAS, which has partnered with Quorum Cyber for six years, benefits from Clarity Extend, managed by Quorum Cyber’s Security Operations Centre (SOC) team. The SOC functions like a seamless extension to CHAS’s team, providing continuous, comprehensive monitoring and security expertise to allow its team members to focus on their core mission with confidence, knowing their systems are protected around the clock, including weekends and holidays.
“We don’t have the knowledge of the threats and the threat landscape that their team has, so they take some of the workload off us,” adds Dave. “We see Quorum Cyber adding new behavioural rules... they’re aware of what threats are happening at the moment.”
Microsoft-first cyber security to protect all vendors’ products and tools
The international cyber security company’s Microsoft-first approach aligns with CHAS’s IT infrastructure and security tools. As part of Clarity Extend’s range of benefits, Microsoft Sentinel is integrated with third-party technologies, and CHAS has two extra safety nets in threat hunting and incident response up to containment. Furthermore, with Quorum Cyber’s customer platform, Clarity, CHAS can see and track any potential issues and incidents, and how the SOC team is handling them, in real time.
“Quorum Cyber’s team is great at flagging any potential issues at any time to take the pressure off our team and gives us the confidence that, if something were to happen, we would hear about it quickly,” says David Campbell, IT Project Manager for CHAS. “It's almost like having a member of the team focused on logs. Having someone there doing better monitoring than we could do ourselves gives us peace of mind.”
Delivering lasting peace of mind and resilience
By partnering with Quorum Cyber and using Clarity Extend, CHAS benefits from continuous, expert-managed protection of its sensitive data, ensuring compliance and resilience against evolving cyber threats. This trusted collaboration frees CHAS to focus on its vital care mission with true peace of mind, confident that its personal and confidential information is securely safeguarded around the clock.
Quorum Cyber Employs Microsoft Security Stack to Eradicate Two Threat Actors, whilst Thwarting a Ransomware Attack on an International Business
When a company is hit with ransomware, it needs a specialised cyber security partner with the experience and capabilities to support it through one of the worst challenges in business. When two threat actors breach a business simultaneously, only the best can contain the damage, protect critical data, and help it quickly and safely resume operations.
That was the case when an international professional services company, with highly sensitive customer information and offices worldwide, was attacked in early 2025.
The initial call for support
The company’s insurance carrier contacted Quorum Cyber to lead the forensic investigation begun by the incumbent managed security services company (MSSP), who had been fighting to regain control of the IT network for several weeks.
The international company had previously received emails from two threat actors – Cactus and RansomHub – which are both known to use Ransomware-as-a-Service (RaaS), claiming to have successfully penetrated the IT network and stolen data.
While the incumbent MSSP had defended the company for many years using SentinelOne, it hadn’t evolved with its customer to continue providing adequate security against a backdrop of ever-evolving cybercrime. The international company had outgrown its MSSP and lacked sufficient security, both on-premises and across the multi-cloud environment, around the clock.
Investigating two breaches – and eradicating two adversaries
Following a preliminary assessment, Quorum Cyber found evidence of a full IT domain compromise by an active ‘hands-on’ adversary lurking inside the network, which had full access to it. Furthermore, the team was certain that the threat actor was ready to encrypt data and therefore advised the victim company to take the decisive action of temporarily disabling internet access to two sites, preventing escalation to an encryption event, whilst the team worked on a remediation strategy to limit business interruption.
When dealing with incidents where a threat actor is active in the environment, it is imperative to rapidly gain and maintain operational visibility across the technology estate to identify actions taken by the adversary as quickly as possible. Containment is critical in minimizing the threat actor’s impact and acts as the last line of defense against long-term financial and reputational impact.
Digital Forensics and Incident Response (DFIR) teams worldwide take a similar approach to containment but often focus their monitoring on endpoint telemetry alone via Endpoint Detection and Response (EDR) tools. While EDR is critically important, we believe that in order to effectively contain an active sophisticated cybercriminal or nation-state, visibility into other telemetry is imperative, including cloud estate and – most critically – the identity and access management platforms which often contain rich evidence related to privilege escalation, lateral movement, and other middle-kill-chain steps present in nearly all serious incidents.
To orchestrate this, Quorum Cyber’s team also deployed additional security tooling and detection capabilities to the on-premise infrastructure and cloud-based estate, and provided robust 24/7 proactive security monitoring via Quorum Cyber’s Emergency Managed Detection and Response (MDR) service, which goes above and beyond the limitations of an EDR-only approach.
Over several weeks, Quorum Cyber collaborated with the customer’s US and UK counsels, its legal and IT teams, and the incumbent MSSP to remediate the threat safely.
A thorough root cause analysis revealed that the Fortinet FortiGate firewall appliances, which control ingress/egress network traffic and VPN connectivity for the IT network, were susceptible to two zero-day vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These were made public for the cyber security community to act upon on 14th January 2025.
Quorum Cyber took several remediation steps to mitigate the incident, including:
- Decommissioning compromised IT systems
- Creating new IT systems for critical business services
- Providing guidance regarding credential resets
- Identifying and removing malicious backdoors
- Patching vulnerable network appliances
- Addressing configuration gaps to improve overall security posture
- Conducting a comprehensive forensic investigation to support regulatory obligations.
Within six weeks of the engagement's start, Quorum Cyber successfully neutralised all threats and ceased negotiations with both cybercriminal groups. No further unauthorised activity has been detected within the customer’s IT environments since the initial call. The engagement gained a considerable amount of trust from the customer, which is now safe from harm from the two adversaries and, thanks to the Emergency MDR service, also safe from other potential cyber-attacks.
Quorum Cyber’s unique range of skillsets, including incident response and ransom negotiations, coupled with its advanced containment monitoring expertise, ensured that the situation was contained quickly. The two threat actors were eradicated from the systems and security was reinforced so that the same types of attacks won’t be successful again.
In addition to the technical expertise provided, Quorum Cyber’s team also delivered an executive briefing of the whole incident and advised on crisis communications to key stakeholders within the business and externally.
Uncovering historical security lapses
During the investigation using the Microsoft Security stack, Quorum Cyber flagged a number of serious issues which amounted to a lack of security across the IT estate:
- EDR was not implemented on every system
- IT networks had not been segmented
- Multi-factor authentication (MFA) had not been adopted
- Identity and Access management controls needed improvement to limit privileges to just those required
- Cloud estates, on-premise assets, endpoint and network security infrastructure lacked hardening through secure architectures and suffered from inconsistent vulnerability management practices
- There was a dearth of security controls
- Security tools were improperly configured, making them ineffective.
While these errors meant that the company wasn’t safe from cyber-attacks, the plethora of tools that were in place wouldn’t actually have given any cyber security company the complete visibility of the IT estate that Microsoft 365 Defender, Microsoft Defender for Identity, and Microsoft Defender for Cloud would have given.
Why Quorum Cyber?
Equipped with market-leading incident response and ransom negotiation teams, Quorum Cyber is perfectly positioned to handle any kind of cyber incident at any time of the day or night. Its threat-led approach is backed up by threat intelligence and threat hunting teams, a suite of professional services, and a comprehensive range of managed security services delivered by a Security Operations Centre spanning the US, the UK, and Canada. In 2025, Quorum Cyber was recognised as the Microsoft Security Excellence Awards Winner for Security MSSP of the Year.
Safeguarding Retail Supply Chains and Data in the Face of Ransomware
Situation overview
Imagine a business at the heart of the UK’s retail ecosystem, providing the systems that underpin food safety and employee wellbeing across thousands of sites. This multinational, trusted to process and protect sensitive medical and personal information, suddenly faces a high-stakes ransomware attack: all servers and endpoints down and the integrity of the entire supply chain, including industrial refrigeration, lighting, and critical systems now at risk. Compounding the crisis, the possibility of leaked confidential health data threatened the company’s reputation and compliance standing.
Strategic response: partnership in action
Recognising the critical business implications, from regulatory repercussions to brand trust and operational continuity, the company immediately engaged Quorum Cyber and legal breach counsel. The mission: to contain the threat, discover what had happened and enable secure, rapid recovery.
Key business objectives
- Rapidly identify and close the entry point to contain financial and reputational damage
- Confirm whether customer and medical data was accessed or exfiltrated, limiting legal and regulatory exposure
- Verify that industrial control systems, essential to every supermarket’s operations, remained uncompromised
- Restore business operations with minimal downtime
Execution and assurance
Fast-tracked digital forensics & monitoring
Quorum Cyber deployed advanced remote forensic tools to swiftly gather time-critical evidence from operational systems, while working offline with preserved disk images from affected devices. Within hours, the organisation was onboarded into Quorum Cyber’s Security Operations Centre (SOC). Industry-leading protections, Microsoft Defender and Sentinel, were rapidly deployed, enabling round-the-clock vigilance.
Uncovering the attacker’s playbook
Our experienced team of cyber investigators traced the blueprint of the attack and discovered:
- Initial Access: The attackers gained entry by exploiting leaked credentials and abusing VPN access, bypassing perimeter security with legitimate-looking logins.
- Lateral Movement & Privilege Escalation: Once inside, they methodically navigated the environment, escalating privileges and probing connected systems to maximise their reach.
- Domain Trust Exploitation: Leveraging established trust relationships between global business units, the threat actors moved seamlessly from one region to another, demonstrating a deep understanding of the organisation’s infrastructure.
- Stealth and Persistence: For nearly two months, the attackers operated undetected, carefully gathering intelligence, exfiltrating sensitive data, and setting the stage for their ransomware deployment.
- Orchestrated Ransomware Detonation: Only after ensuring maximum impact did they trigger the ransomware, effectively disrupting operations at the most vulnerable moment.
By dissecting each stage, we not only restored business functionality but also provided actionable insights to harden defences against future threats.
Business continuity for the supply chain
Recognising that industrial refrigeration and logistics directly affect food security, Quorum Cyber undertook forensic analysis of over 700 industrial control system (ICS) endpoints. After exhaustive examination, we were able to certify, in a formal attestation, the safety of these critical environments, allowing our client to assure partners and regulators that food supplies were never at risk.
Protecting customer confidence
Intensive analysis of servers containing sensitive data assured leadership that, while exfiltration was attempted, there was no evidence of large-scale exfiltration from key databases. This enabled fast, transparent communication with stakeholders and regulatory bodies, preserving trust and mitigating legal exposure.
Lessons in leadership and resilience
Throughout the crisis, Quorum Cyber operated as a proactive advisor, delivering real-time tactical guidance and sharing up-to-the-minute attacker Indicators of Compromise. With our recommendations, the company not only remediated the breach, but emerged with an enhanced security posture and renewed confidence from its leadership, partners, and customers.
The takeaways
- Preparation and Partnership Matter: Rapid engagement with trusted cyber security and legal experts can fundamentally change outcomes in a crisis.
- Business-Critical Infrastructure is a Prime Target: Safeguarding industrial systems must be an executive priority, as the downstream impact extends to supply chains and public wellbeing.
- Resilience is a Competitive Advantage: The ability to respond decisively, communicate transparently and recover securely turns a crisis into an opportunity to demonstrate leadership.
Safeguarding the Future of Education: Enhancing University Cyber Security with a Trusted Partner
A progressive UK-based university supports more than 10,000 students and 1,500 staff across multiple campuses. With a strong commitment to community engagement, the institution aims to widen access to higher education, address evolving skills demands, and deliver meaningful social and economic impact. It is also recognised for its strong graduate employment outcomes, helping to develop and retain skilled individuals across various sectors.
Cyber security has long been a strategic priority, as it is for most of the higher education sector. The university’s senior leadership recognised the need to bolster its ability to respond rapidly and effectively to potential cyber-attacks at any time, day or night.
“Our users are front and centre of our cyber security strategy,” says the University’s Director of Technology Services. “We see threats coming from multiple angles continuously, mostly in the form of phishing and spear phishing attacks attempting to deliver malware payloads.”
Extending the team with a trusted partner
To address growing cyber risks, the university sought a partner that could function as an extension of its internal team, offering automated, managed detection and response while allowing internal staff to focus on strategic initiatives. Out-of-hours security coverage was also a key requirement.
After a competitive tender process, the university selected Clarity Extend, a managed detection and response (MDR) service from Quorum Cyber. The service includes global threat detection, automated threat hunting, and sector-specific threat intelligence. The institution was particularly drawn to Quorum Cyber’s Microsoft-first approach and its robust incident response capabilities.
The Director of Technology Services adds: “We now have 24/7 managed detection and response operated by Quorum Cyber’s Security Operations Centre. We’ve gained reassurance from having mature and trusted processes, backed by a partner fully dedicated to managing and mitigating cyber threats.”
Achieving greater cyber resilience
The university continues to run a rigorous cyber incident response (IR) plan, including an annual tabletop exercise to ensure the entire organisation knows how to respond during a cyber event. This preparation is a vital part of maintaining business continuity.
Through its licensing agreement, the institution uses automated responses to specific types of suspicious system activity, significantly increasing operational efficiency. This is especially important for protecting students - seen as ‘frontline users’ - due to their constant interaction with digital platforms and sensitive information.
The customer platform, Clarity, plays a key role in incident transparency. It automatically generates detailed reports on threat activity, helping the technology team quickly understand and communicate incidents across the organisation.
A seamless extension of the team
“We trust Quorum Cyber as a true extension of our team,” their Director of Technology Services explains. “Their technical experts swiftly contain and mitigate threats and help restore services, which is critical to keeping operations running even during an incident.”
Nearly three years into the partnership, the university remains pleased with the deployment and ongoing service. The implementation phase, project management and monthly reviews have met expectations, and importantly, the value delivered continues to be consistent with what was promised during the procurement process.
Cyber reassurance, delivered
“We’ve always had a reliable service from Quorum Cyber - responsive and aligned to our needs,” the Director of Technology Services reflects. “I sleep better knowing we have a partner with the right expertise watching over our digital environment. They act immediately if there’s an issue, based on the controls we’ve agreed.
“In short, Quorum Cyber provides strategic cyber reassurance.”
Defending Data Trust in an Unpredictable Threat Landscape
Data Trust, established in 2011, is a leading first party data company specializing in US voter information and electoral data. The company's expertise lies in collecting, enriching, analyzing, and maintaining high-quality political data on a massive scale. With information on over 300 million individuals and more than 2,500 unique data points per person, Data Trust provides critical insights to various organizations involved in election campaigns across the United States.
The challenge
At the core of Data Trust's operations is the critical task of protecting sensitive information. The company's sophisticated data management systems safeguard not only publicly available data but also their proprietary insights and proven methodologies. This level of security is paramount, as a single data breach could severely undermine the trust of its clients and potentially tarnish the company's reputation.
By leveraging its expansive data warehouse and robust IT infrastructure, Data Trust ensures the integrity and confidentiality of its vast data resources. This commitment to data protection and privacy is fundamental to maintaining the confidence of its clients and solidifying its position as a trusted partner in the political data landscape. Needless to say, confidence in Data Trust's ability to manage sensitive information securely is crucial for both its business success and that of its clients. While the company primarily collects publicly available data, it must vigilantly protect its invaluable data insights and proven methodologies from theft or unauthorized access. Equally critical is safeguarding its IT infrastructure from potential compromises, including data breaches, cyberattacks, or system vulnerabilities. Any form of data compromise could not only jeopardize the company's proprietary information but also undermine the confidence its clients place in its ability to handle sensitive political data securely.
While Data Trust was satisfied with its previous cybersecurity set-up, the rising frequency of cyberattacks on all industries in recent years, and escalating geopolitical tensions around the world, led it to seek a cybersecurity partner that could elevate its data security to a world-class level. As a Microsoft-first company, it needed a global cybersecurity specialist with deep Microsoft expertise that could provide tailored, flexible, and scalable services while ensuring maximum protection around the clock. Microsoft recommended that Data Trust reach out to Quorum Cyber, a Microsoft Solutions Partner for Security, a member of the Microsoft Intelligent Security Association (MISA), and holder of all four Microsoft Security specializations, and add it to its shortlist of potential service providers.
“We wanted a company that wasn't just aware of Microsoft's services, but truly an expert in them – whether it's Sentinel or Microsoft's operations in general,” says Bill Dunne, Data Trust’s Chief Operating Officer. “This expertise was crucial because everything we do is natively Microsoft-based. Every device we use is Windows-based, and we host all our core assets in Azure. Although we have data in a few other clouds for marketing purposes, the core assets live in Azure and Microsoft. Therefore, it was essential for us that the firm we partnered with had a strong background in Microsoft services.”
Vote of confidence for comprehensive security
“What put Quorum Cyber ahead of the field was the feel we got for the team,” says Bill. He was particularly impressed that Federico Charosky, Quorum Cyber’s Chief Executive Officer, attended the first meeting. And Data Trust’s technical team verified that the cyber security specialist’s experts had the skills, knowledge, and certifications required to master Microsoft’s security stack.
“Overall, we felt like we had a great rapport with Quorum Cyber’s team, and we were confident they could protect us 24/7, 365 days a year,” adds Bill. “They took the time to ask about our specific challenges and listened to us.”
Another major benefit was that an Incident Response service was included as standard, so that if an adversary should breach the company’s systems, Quorum Cyber’s qualified and highly experienced incident responders would rapidly investigate the emergency, day or night.
“The in-house incident response capability was a standout feature for us,” explains Bill. “We really appreciated that it was included within the service and not hidden behind a paywall. Knowing that resources would be available immediately if anything slipped through or if we faced any issues gave us great peace of mind. This showed they had 'skin in the game' because by stopping threats in the first place, they wouldn't need to expend resources on incident response. This demonstrated a true partnership rather than just a managed service, which was a significant point of our discussions.”
Furthermore, with Quorum Cyber, cybersecurity isn’t just a business transaction; it’s a partnership and a collaboration to continuously fortify cyber resilience and reduce cyber risk. With this approach, organisations can focus on their goals without worrying about cyberattacks.
Threat-led managed detection and response
Data Trust opted for a security maturity assessment (SMA) to start so that Quorum Cyber’s team could review the firm’s current security posture and understand what it needed to do to strengthen it in the short, medium, and long term. In addition to the SMA, Data Trust opted for Quorum Cyber's managed detection and response service, Clarity Extend. This service incorporates advanced threat intelligence and proactive threat hunting capabilities, designed to identify and mitigate potential threat actors. To further reduce risk, Data Trust added pentesting, plus an annual cybersecurity audit to ensure good governance. Early in the partnership, Quorum Cyber's Threat Intelligence (TI) team conducted an in-depth assessment of the specific threats Data Trust might face. This evaluation provided the company with critical visibility into the threat landscape most relevant to its operations, enabling a proactive approach to mitigating risks.
Data Trust’s team has total transparency of the company’s security via Clarity, Quorum Cyber’s customer platform, which Bill believes is an added advantage of the service. “We've been able to see the workflow play out successfully, and we have clear insight into the logging of day-to-day activities because the platform is clean and easy to use. It's so intuitive that I've been able to pass it to a member of the team, who manages it daily, but I can still access and review it whenever needed. We feel confident in the platform's accurate reporting of what's happening in our systems and databases.”
Peace of mind
“Throughout the process, I felt relieved and reassured by the rapport we established,” Bill explains. “One member of the Quorum Cyber team was local, and meeting in person helped build comfort and trust. Moreover, the support from the team, who would be managing this on a 24/7 basis, gave me confidence that our data was in capable hands.
“Quorum Cyber is the most important layer of our active security,” concludes Bill. “We certainly have cyber peace of mind.”
Scotland’s Biggest Mental Health Charity, SAMH, Elevates Cyber Security on Multi-year Journey
The Scottish Action for Mental Health, better known as SAMH, is the largest mental health charity in Scotland. The not-for-profit organisation provides over 70 different kinds of mental health service to cover everyone, from children to the elderly, across the whole of Scotland.
SAMH offers a comprehensive range of support from walk-in centres, crisis intervention, rehabilitation, counselling and advice. It also campaigns for better support from the government for vulnerable people and collaborates with the private sector to raise much-needed funds to improve quality-of-life.
Like organisations in the private and public sectors, not-for-profits are targeted by cybercriminals. Research indicates that 66% of high-income charities report that they have experienced some form of cyber security breach or attack in the last 12 months. After being the victim of a ransomware cyber-attack several years ago, SAMH put its trust in Quorum Cyber to contain the attack and facilitate recovery. Subsequently, they worked with the Quorum Cyber team to strengthen SAMH's cyber security measures to minimise the risk of future attacks. “You think your organisation is ok until something happens,” says Jason Bryce, Chief Operating Officer at SAMH. “Quorum Cyber’s team were very professional and brought calm to a frantic and stressful situation.”
Satisfied with the service it had received, SAMH went on to sign a multi-year managed detection and response service, Clarity Extend.
Continually strengthening cyber security
To continually enhance SAMH’s cyber security, Quorum Cyber mapped and measured key areas of cyber defences across the entire organisation to better understand any potential weaknesses and identify where improvements could be made. “Quorum Cyber understood the level of defence that our organisation needed based on what we do and the IT estate we have,” explains Jason. “They provided peace of mind and a plan to enable us to reach our goals, but they didn’t oversell and gave us a lot of useful, practical advice about how to manage and improve our security.”
The charity additionally commissioned an independent review from another company, which provided “extremely positive” feedback regarding Quorum Cyber’s work and the outcomes achieved by SAMH.
In 2025, Scotland’s largest mental health charity extended the partnership by a further two years. Naturally, it followed good governance by talking to other cyber security companies to compare benefits and costs and chose to remain with Quorum Cyber. “The great services that Quorum Cyber has always given us made them a serious candidate,” says Jason.
Top criteria for a strong partnership
Reflecting on the renewal process, he lists quality of service, price, trust, and confidence as his top priorities when considering service providers.
In today’s inhospitable and unpredictable digital environment, cyber risk remains the number one risk for SAMH. And unlike financial risks, cyber risk comes with no warning flags or indicators to help the organisation plan for the future. Cyber-attacks can happen suddenly when they are least expected and disrupt operations virtually overnight.
Benefits of a Microsoft-first partner
As an almost entirely Microsoft house, all of SAMH’s devices and accounts are covered by the Microsoft Defender suite and managed through Microsoft Intune using Enterprise Mobility and Security (EMS). This is a suite of tools and technologies designed to manage and protect mobile devices, applications, and data within an organisation.
This also makes Quorum Cyber – a Microsoft Solutions Partner for Security with deep Microsoft expertise and experience – a great match for the charity.
“Quorum Cyber's deep understanding of Microsoft simplifies our decision to adopt the service and helps reduce spending on other vendors,” explains John Stoner, Head of Information Services at SAMH and chair of its Information Security Committee and Audit and Risk Committee.
John conveys valuable information he receives from the monthly service reviews and from Quorum Cyber’s customer platform, Clarity, into reports and meetings. “An external Security Operations Centre (SOC) shows that we take cyber security seriously when applying for funding and gives our trustees reassurance,” he says. “We’ve also moved to a true cloud-first infrastructure which has vastly removed our attack surface and need for infrastructure protection.”
SAMH also values Quorum Cyber because it’s a threat-led cyber security company that can apply the intelligence and lessons it learns from hundreds of other customers across a variety of sectors to help proactively protect the charity. “We value the Threat Intelligence team’s advice on what kind of attacks they see in the not-for-profit sector, and across other sectors that might reach us, either today or tomorrow,” says Jason.
Queen Mary University of London Fortifies Cyber Security with Long-term Partnership
As a member of the prestigious Russell Group of universities, Queen Mary University of London is a world-leading, research-intensive university with 32,000 students representing more than 170 nationalities. It offers over 240 degree programmes in a wide range of subjects from humanities and social sciences to medicine and dentistry through to science and engineering. The university conducts ground-breaking research programmes for the UK’s National Health Service (NHS) and numerous world-renowned specialist hospitals.
Cyber security incidents can happen at any time
When Queen Mary University identified a potential cyber security threat, it acted swiftly and decisively — demonstrating a strong commitment to protecting its digital infrastructure. The university reached out to Quorum Cyber, whose Incident Response (IR) and Threat Intelligence (TI) teams operate 24/7 to support organisations across all sectors. By the next day, their Emergency Managed Detection and Response (Emergency MDR) service was fully deployed, providing Queen Mary with around-the-clock monitoring and protection.
Quorum Cyber provided technical support and guidance on communicating to internal and external stakeholders. This comprehensive approach helped the university in its management of stakeholder relationships and reputation.
Forming a long-term partnership
Queen Mary University solidified its commitment to cyber security by entering into an agreement for Clarity Extend, our Managed Detection and Response (MDR) service, following a successful tender process.
This partnership ensures continuous monitoring, detection, and response across the university’s entire IT estate. The MDR service is delivered by Quorum Cyber’s Security Operations Centre (SOC) team, which is based in the UK.
The world-class research university demonstrated robust cyber resilience in the face of potential adversity. This case underscores the importance of both cyber security and resilience in maintaining the university’s global standing and operational integrity.
"Quorum Cyber expertly helped us navigate cyber security threats and supported us with stakeholder communications and insurance negotiations," said Richard Holland, Assistant Director of the Office CIO at Queen Mary University. "We were so impressed that partnering with them long-term was an easy decision."













