North American Manufacturer Reduces Cyber Risk and Insurance Costs with Quorum Cyber
Highlights
- North American manufacturer operating complex, always-on production environments
- Microsoft security estate enhanced with 24×7 monitoring and response
- Improved cyber resilience with ~30% reduction in insurance costs
- Supported by Clarity Extend and an Incident Response Retainer
A leading North American manufacturer operating across multiple states needed to strengthen cybersecurity across a complex, always-on environment. Supporting thousands of employees and production sites, the business uses Microsoft technologies as part of its wider estate. With operations running around the clock, any serious cyber incident could disrupt production immediately and cost thousands of dollars an hour.
Deploying Microsoft Defender XDR introduced a new challenge: turning its high volumes of security data into clear, actionable insight. The organization needed a specialist partner to interpret signals, prioritize risk, and guide a more proactive security strategy.
“Through our collaboration with Quorum Cyber, we implemented a robust, proactive security strategy, using data to drive decisions and optimize our Microsoft Security investments,” said the Director of Cyber Security and IT Infrastructure.
Turning visibility into action
Quorum Cyber provided 24×7 monitoring and managed detection and response through Clarity Extend, giving the organization continuous oversight of its environment and the expertise to act quickly on emerging threats.
This partnership enabled the team to move beyond reactive security and establish a more structured, data-led approach to investment and operations.
“Quorum Cyber helped us understand our needs, set accountability standards, and establish clear benchmarks for our security budget. Now we know exactly what we’re getting for what we’re paying.”
To further strengthen preparedness, the organization also set up an Incident Response Retainer, ensuring immediate access to expert support in the event of a breach.
The result was a lean, focused internal team, able to prioritize prevention and cyber hygiene while relying on Quorum Cyber for specialist expertise.
“I’d rather have a smaller team with a great cybersecurity partner than a large team. My team can now focus on maintaining strong cyber hygiene across the organization.”
Expert support when it mattered most
That partnership proved critical when a social engineering attack gave a threat actor access to part of the environment.
Quorum Cyber’s Incident Response team rapidly investigated, contained the threat, and uncovered activity the internal team had not identified.
“They were some of the best incident response professionals I’ve seen in 30 years of working in security. When I realized we’d been compromised, my stress levels went through the roof, but once Quorum Cyber got involved, I felt much more confident.”
A third-party security team engaged by the organization’s cyber insurer later validated the response, confirming that the combined efforts successfully identified attacker activity and strengthened security controls.
Protecting operations and reducing costs
In a manufacturing environment, even brief downtime can result in losses of hundreds of thousands of dollars. A prolonged incident could have halted production, delayed shipments, and disrupted the wider supply chain.
“If it weren’t for Quorum Cyber, we’d have been down for months. We wouldn’t have been able to ship products, and the cost would have run into the millions.”
Following the incident, the organization estimates that its improved security posture, supported by Quorum Cyber and enhanced endpoint detection and response, contributed to a reduction in cyber insurance premiums of approximately 30%.
A long-term security partner
Today, Quorum Cyber is embedded as a core part of the organization’s long-term security strategy, providing continuous protection, strategic guidance, and peace of mind.
“This is the first time in a long time that I’ve felt truly confident in our security posture. Quorum Cyber feels like an internal partner rather than a third-party supplier. They protected us during a critical moment faster than anyone else could have; I’ve already recommended them to others.”
Modern MDR, Made Clear: 10 Questions Every CISO Should Ask
The cyber threat landscape has fundamentally changed. Attackers are faster, more automated, and increasingly exploiting identity and cloud complexity – leaving traditional detection and response approaches struggling to keep pace.
Modern MDR, Made Clear is a practical playbook designed to help CISOs build future-ready detection and response programmes – and ask the critical questions needed to select a partner that delivers measurable protection, prevention, and resilience.

Dark Web Credentials for Sale: Rapid and Secure Recovery for a Higher Education Institution
Highlights
- UK higher education institution supporting 150,000+ students and staff
- 24×7 monitoring to secure recovery and sustain protection
- Two weeks from dark web claim to evidence-backed findings
- Emergency MDR and Clarity Extend
The challenge
A UK higher education institution was alerted by a third party that legitimate account credentials had been compromised and were being advertised for sale on the dark web. Alongside this, there were claims that over 100TB of data had been impacted. The activity pattern strongly suggested the involvement of an Initial Access Broker (IAB): cybercriminals who gain a foothold in systems, often using stolen credentials or vulnerabilities, and then sell that access on to other threat actors to conduct follow-on attacks.
This presented an urgent risk. Once access is sold, the buyer can move rapidly from credential abuse to deeper compromise, service disruption and large-scale data extortion.
With a large and complex infrastructure covering over 12,000 endpoints and the potential exposure of highly sensitive data and intellectual property (IP), the institution urgently needed clear, defensible answers. How was access gained? What actions did the attacker take once inside? Was any data viewed or exfiltrated? And were the threat actor’s claims credible?
Quorum Cyber was engaged to rapidly get to the truth, coordinate a secure eradication and recovery, and establish the foundations for robust, long-term protection against future attacks.
The approach
Quorum Cyber conducted the investigation along two parallel tracks. The Incident Response (IR) team worked within the environment to pinpoint the likely ingress route and reconstruct attacker activity, tracking signs of enumeration, privilege escalation, persistence mechanisms, and any attempted lateral movement.
At the same time, Threat Intelligence (TI) experts traced the origin of the dark web listing and examined the surrounding claims, building a clear picture of what was being marketed, how the access was presented, and what this revealed about the threat actor’s intent and potential next steps.
To turn hypotheses into evidence, we deployed a remote forensics and artefact collection capability across the impacted servers. This established a defensible timeline and determined what data had been accessed, providing clear, evidence-led answers for operational stakeholders and legal counsel.
During the eradication and recovery phase, Quorum Cyber deployed emergency Managed Detection and Response (MDR) to secure the estate. Backed by 24×7 monitoring and rapid response from its Security Operations Centre (SOC) team, this gave the organisation immediate visibility across the environment, transformed previously opaque areas into actionable insight, reduced risk, and restored confidence.
“When a dark web claim surfaced, we needed to move quickly without disrupting critical services,” said the Director of Information Security, UK Higher Education Institution. “Quorum Cyber helped us turn uncertainty into evidence and then manage the threat with 24×7 monitoring that gave us confidence to recover safely.”
Importantly, emergency MDR gave the university security team immediate reassurance. Their team could progress recovery activities with confidence, knowing suspicious behaviour would be identified, contained and communicated quickly, with no surprises. The goal was to move the organisation from its vulnerable state to a safe one, so it could recover from the cyber incident and return to normal operations as quickly and securely as possible.
Once the incident stabilised, this emergency MDR posture became a stepping stone to a long-term MDR service, with Clarity Extend, providing the team with visibility, monitoring, and response capability as ‘business as usual’, not just during a crisis. The Clarity user interface gave their team immediate visibility into their security posture and how it was being managed by Quorum Cyber.
“Quorum Cyber’s Emergency MDR service helped us contain the immediate threat and bring stability back to the environment. Once we recovered, we knew we wanted that same visibility, proactive monitoring, and reassurance on an ongoing basis, which made a long-term partnership the right decision for us,” explained the institution’s Director of Information Security.
Results
Within two weeks, the institution was able to replace speculation with certainty, which is crucial in a higher education environment where trust, continuity, and duty of care matter as much as technical recovery. With an evidence-backed understanding of the initial access and attacker behaviour, stakeholders were able to make confident decisions about containment, communications, and legal posture.
Through 24×7 SOC-led threat detection and response, Quorum Cyber guided the organisation through eradication and recovery while keeping day-to-day services running across their large, diverse estate.
Just as importantly, clear findings and targeted remediation helped the institution demonstrate strengthened security controls and risk reduction to their leadership and third parties, supporting a secure return to normal service. By progressing from emergency MDR during the incident to ongoing MDR, with Clarity Extend, the institution was able to carry that assurance forward, maintaining continuous monitoring and response as part of a strengthened security baseline.
“When credentials are sold, the hardest part isn’t reacting, it’s proving what’s true,” said the Incident Response Team Lead at Quorum Cyber. “Our job was to replace uncertainty with evidence, fast. We confirmed the access path, reconstructed the attacker’s actions, and gave the customer the confidence to recover securely.”
Explore our managed services
Browse and compare our full range of Managed Security Services and contact us if you’d like to talk to an expert.
Global Manufacturing Organisation Strengthens Security Resilience by Consolidating on Microsoft with Quorum Cyber
A North America–based manufacturing organisation with a large Windows and Microsoft 365 footprint set out to simplify security operations while improving visibility and resilience across its environment.
Over time, the organisation’s security stack had grown fragmented. Signals were spread across multiple tools, increasing investigation time, complicating operations, and creating dependency on point solutions for critical controls.
Following a major industry-wide endpoint disruption, leadership initiated a strategic review of endpoint and detection platforms, with a focus on operational resilience, vendor risk, and reducing single points of failure. The organisation engaged Quorum Cyber to help modernise its security operating model and consolidate around the Microsoft security platform.
The challenge
The organisation faced three interrelated challenges:
- Fragmented visibility: Security data was spread across multiple tools, slowing investigations and making it difficult to maintain a consistent view of risk
- Endpoint platform risk: A third-party endpoint detection and response (EDR) platform had become a critical dependency. After a high-impact industry incident, leadership reassessed the potential operational blast radius and the recovery implications of relying on a single endpoint control at scale
- Transition complexity: The organisation wanted to move to a new endpoint approach without disrupting day-to-day operations, duplicating cost, or creating gaps in detection coverage during the changeover.
From a commercial perspective, the status quo was anchored in the incumbent EDR deployment, long regarded internally as a best-of-breed control.
The solution
Quorum Cyber designed and delivered a phased consolidation strategy built on the Microsoft security platform, focused on resilience, clarity, and operational control.
Key elements included:
- Adoption of Quorum Cyber Clarity Extend as the MXDR managed service aligned to the customer’s Microsoft estate
- Enablement of Microsoft Sentinel in the customer’s tenant to centralise security analytics, investigations, and response
- A structured transition to Microsoft Defender for Endpoint, with telemetry and detections brought online in a controlled sequence to maintain continuity, avoid coverage gaps, and prevent unnecessary overlap.
This approach brought endpoint, SIEM, and wider security signals into a single operating model, reducing complexity while increasing confidence in day-to-day security operations.
Why this approach worked
The organisation’s priority was not adding new tools but reducing operational risk while improving outcomes.
Consolidating on Microsoft delivered:
- Unified visibility across endpoint, identity, and cloud signals
- Reduced vendor dependency for a critical control, lowering the risk associated with single-vendor update or sensor failures
- Predictable economics, supported by clear Sentinel ingestion modelling and better utilisation of existing Microsoft licences.
Importantly, many core Microsoft security signals (for example Azure Activity logs, Office 365 audit logs and alerts from the Microsoft Defender products) can be ingested into Sentinel without additional ingestion cost, whereas raw device telemetry such as Defender for Endpoint advanced hunting tables is billable. Modelling this split up front allowed the organisation to scale visibility while maintaining a predictable run-rate.
Decision criteria focused on three outcomes: resilience and availability, operational simplicity, and strong alignment with the Microsoft ecosystem.
Why Quorum Cyber
The organisation selected Quorum Cyber for its deep Microsoft security specialisation and its ability to translate platform capability into a practical operating model.
Quorum Cyber provided:
- A clear transition roadmap: what to consolidate first, how to stage implementation, and how to maintain service continuity.
- Outcome-led positioning of Clarity Extend, focused on visibility, resilience, and simplification rather than tool management alone.
- Commercially sensible migration planning that avoided prolonged dual-running of endpoint platforms.
This combination reassured stakeholders that the endpoint platform change could be managed with control, minimising risk, avoiding disruption, and maintaining continuity throughout.
Commercial and operational impact
The move to a consolidated Microsoft security model involved a modest increase in Microsoft licensing to support the target posture. Managed service costs remained broadly flat or slightly reduced.
The primary value came from consolidation:
- Reduced tooling sprawl
- Improved security visibility
- A clearer, more resilient foundation for detection and response using Microsoft Defender and Sentinel.
Operationally, the organisation established a centralised security data strategy, enabling more efficient investigations and a scalable foundation for future security maturity.
Delivery approach
Quorum Cyber and the customer followed a structured six-week onboarding programme with clear milestones and ownership:
- The customer led the endpoint platform transition to Microsoft Defender for Endpoint
- Quorum Cyber enabled Microsoft Sentinel and onboarded required telemetry into Clarity
- Delivery was phased to increase visibility incrementally while maintaining operational stability.
This approach ensured the organisation strengthened security posture without introducing unnecessary risk during change.
“By consolidating on Microsoft security with Quorum Cyber, we’ve strengthened resilience, improved visibility, and simplified how we operate security day to day, with a foundation we can trust long term.”
Director of Information Security, North America-based manufacturing organisation.
Driving Cyber Resilience Through Trusted Partnership: The AA’s Journey

When it comes to cyber security, even the most recognised brands face a familiar challenge: balancing technical protection with cultural transformation.
For The AA, one of the UK’s most trusted motoring organisations, the mission was clear: strengthen their cyber defences without losing focus on the people and processes that make security sustainable.
That’s where partnership made all the difference.
The challenge: Balancing security and culture
As the digital landscape evolved, The AA’s cyber team, led by Mark Vodden, Head of Cyber Security, recognised a growing pressure: limited internal bandwidth and a need for around-the-clock protection.
“We had the right intent,” Mark explains. “But internally, our resources were stretched thin, and we didn’t want the technology piece to consume all our energy. Our goal was to keep our people engaged; to win hearts and minds, not just deploy tools.”
The AA needed a partner who could do more than take on the heavy technical lifting. They needed one who could make every aspect of the programme relevant to their business, aligning protection with their specific risk appetite, industry landscape, and data sensitivities. Quorum Cyber brought that broader perspective.
Beyond managing technology, Quorum Cyber worked to ensure every element of the security approach reflected The AA’s real-world context: understanding where data exposure could have the greatest impact, what a breach might mean for customer trust, and how protective measures could empower the business rather than slow it down. That deep, contextual understanding meant The AA’s security posture wasn’t just stronger; it was smarter, more responsive, and directly tied to organisational goals.
The turning point: Partnering for clarity and confidence
After evaluating their needs, The AA partnered with Quorum Cyber to bolster defences and bring greater clarity to their cyber operations.
Their first step was implementing Clarity Defend, a managed service providing continuous monitoring, proactive threat detection, and rapid response. This immediately alleviated internal pressure and gave the cyber team the operational confidence to focus on higher-value priorities.
But as the partnership matured, a new priority emerged: data visibility. The AA wanted deeper insight into where sensitive information lived, how it moved across systems, and how compliance obligations could be managed across a growing landscape of cloud and collaboration tools.
Working closely with Quorum Cyber experts, The AA expanded their strategy with Clarity Data, adding richer visibility and control over sensitive information alongside robust detection and response capabilities. This evolution extended The AA’s security posture beyond endpoints to encompass comprehensive data governance, insider risk management, and compliance monitoring, enabling protection that followed the data, wherever it travelled.
From reactive to strategic: The AA’s data-driven evolution
Leveraging Clarity Data transformed how The AA approached information security, shifting from reactive protection to a proactive, insight-driven model that continually adapts to business needs.
With the solution in place, The AA could:
- Expose unstructured data risks hidden across emails, messages, collaboration platforms, and end-user devices, bringing previously unseen vulnerabilities into focus.
- Understand and mitigate risky interactions through contextual behaviour analysis, Quorum Cyber’s distinctive capability that correlates user actions across systems to reveal intent and highlight patterns of heightened risk. Instead of viewing activity in isolation, Clarity Data connects the dots between behaviours and data movement, allowing The AA to intervene precisely where risk emerges.
- Continuously assess and evolve their security posture in line with business change and shifting legislation. The service’s evergreen design means it grows alongside The AA, adapting with every transformation, embedding new best practice, and ensuring security remains current rather than static. As Mark Vodden notes, “This isn’t a project with an end date, it’s a programme of continuous improvement. Our partnership with Quorum Cyber ensures we’re always moving forward.”
- Simplify compliance and reporting, supported by improved visibility and granular control of sensitive data.
- Prioritise high-impact actions that deliver measurable progress from day one, without chasing unattainable perfection.
This evolution wasn’t just about technology; it represented a mindset shift. With Quorum Cyber managing the technical foundation, The AA’s internal team could focus on cultural engagement, embedding data awareness across the organisation and empowering every employee to play an active role in protecting the business.
Lessons Learned: Data Security is a Journey, Not a Destination
Reflecting on the experience, Mark highlights several lessons for other organisations on a similar path:
– Technology alone isn’t the answer. True progress comes from combining technical excellence with cultural commitment.
– Choose a trusted partner. The right MSSP doesn’t just supply tools, they bring perspective, guidance, and flexibility.
– Focus on achievable wins. Small, visible successes build credibility and momentum across the business.
– Make it a partnership, not a handover. Shared accountability drives better outcomes and long-term trust.
The Results: Clarity, Confidence, and Culture
By leaning on their trusted partner for technical assurance, The AA gained:
– 24/7 protection without exhausting internal teams.
– Stronger compliance posture through better data oversight.
– Renewed cultural focus, empowering employees as part of the defence.
– A clear roadmap for continuous improvement, not one-off success.
“The partnership with Quorum Cyber gives us space to focus on people and purpose,” Mark notes. “That’s where resilience really lives.”
Final thoughts
The AA’s journey reflects a growing truth across industries: cyber resilience is as much about people as it is about protection.
By partnering with experts who not only manage technical complexity but also understand the unique risks, data sensitivities, and operational realities of their business, The AA unlocked the freedom to lead from within. Quorum Cyber’s partnership turned data governance and security from a technical function into a strategic, culturally embedded capability – one that reflects The AA’s values, risk appetite, and long-term ambitions.
Forrit Fortifies Technology to Protect its Customers from Cyber Threats
Forrit is a leading provider of cloud-native content management systems (CMSs) built for highly regulated industries such as financial services and healthcare. With a promise of “enterprise-grade security, rapid scalability, and global controls,” Forrit powers digital experiences for respected global organisations including Lloyd’s, NHS Scotland, Tesco Bank, and Craneware.
Challenge: Safeguarding trust in a high-stakes industry
As a member of the Chartered Institute of Information Security (CIISEC), Forrit needed a trusted cyber security partner to protect its product, data, and customers - around the clock. The company sought a partner who could:
- Respond swiftly to potential cyber incidents
- Offer proactive consulting and security advice
- Anticipate and defend against tomorrow’s evolving threats.
“Our customers operate in some of the world’s most regulated industries; there’s absolutely no room for compromise on security,” says Peter Proud, CEO, Forrit. “We needed a partner that could match our standards for trust, transparency, and technical excellence.”
Solution: A strategic partnership with Quorum Cyber
Forrit’s CMS platform is deployed within each customer’s own Azure subscription - a design that demands deep Microsoft security expertise and seamless collaboration between Forrit, Quorum Cyber, and end customers.
The partnership, which began in 2018, has grown steadily based on three pillars:
- Partnership: Built on a strong foundation of trust and collaboration
- Service Fit: A perfect alignment with Forrit’s Microsoft-based architecture and operational model
- Confidence: A proven track record of delivering high-quality, responsive cyber security services.
“Quorum Cyber feels like an extension of our own team,” adds Proud. “They understand our technology and our customers, and they share our commitment to keeping them safe.”
Outcome: Confidence, clarity, and continuous protection
To ensure comprehensive coverage, Forrit adopted Quorum Cyber’s Clarity Extend, an enhanced detection and response service covering the entire IT estate. The service is powered by a global Security Operations Centre (SOC) spanning the UK, US, and Canada, supported by Threat Intelligence (TI), Incident Response (IR), and threat-hunting specialists.
Together, they continue to deliver secure, resilient solutions for Forrit’s customers. For its cloud-first ambitions, Forrit needed an expert partner fluent in Microsoft security. As a Microsoft Solutions Partner for Security and a member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber provides the advanced expertise Forrit needs to deliver secure, scalable CMS solutions to regulated enterprises.
“With Quorum Cyber watching over our environment, we have absolute confidence that we’re protected; before, during, and after any cyber incident,” says Proud. “That peace of mind means we can focus on what we do best: helping our customers deliver exceptional digital experiences.”
How services evolved over time
Since the partnership began in 2018, Forrit and Quorum Cyber have built a strong, collaborative relationship rooted in trust, shared goals, and technical alignment. Over the past seven years, the partnership has evolved in several ways:
- As Forrit’s CMS platform matured, so did the complexity of its security needs. Quorum Cyber has consistently adapted, integrating more deeply into Forrit’s architecture and workflows to ensure robust protection across customer environments
- Together, they’ve supported a growing number of enterprise clients, delivering secure, resilient solutions tailored to their operational models. Quorum Cyber’s ability to work seamlessly with both Forrit and its customers has been a cornerstone of that success
- Seven years of consistent delivery, responsiveness, and shared values have built a solid foundation of trust.
Positive outcomes
The benefits of Clarity Extend go far beyond cyber security alone. The service empowers Forrit to formalise and fast-track responses to potential cyber incidents, shifting from reactive defence to proactive resilience. Together, Forrit and Quorum Cyber establish a clear baseline of normal business behaviour, enabling them to spot, investigate, and neutralise anomalies before they escalate. This partnership model also lets Forrit maintain a lean, high-impact security team, confident that the Quorum Cyber experts are proactively acting on their behalf, providing trusted, around-the-clock support. This assurance frees Forrit to focus its resources on innovation and product excellence, keeping its customers equipped with the most advanced CMS solution on the market.
Clarity Extend also enables Forrit to meet its regulatory obligations under the Bank of England’s Prudential Regulation Authority, the EU’s Digital Operational Resilience Act (DORA), and the National Institute of Standards and Technology (NIST) standards, ensuring robust operational resilience, cyber risk management, and compliance with evolving industry requirements.
With Clarity Extend, Forrit doesn’t just tick cyber security boxes, it shows customers, investors, and partners that it’s guarded by top-tier protection 24/7. They have immediate access to a proactive, threat-led partner ready to detect, analyse, and respond to threats in real time, keeping their business one step ahead of cybercriminals.
“Our long-term partnership with Quorum Cyber is a cornerstone of our business,” says Peter Proud. “They really care about our security, and that of our customers, and go beyond the simple short-term business transaction model.”
“Working with Quorum Cyber gives us the confidence to deliver secure services to our customers to meet their objectives and satisfy their regulatory requirements,” says Doug Cunningham, Forrit Chief Technology Officer. “Without this partnership, we wouldn’t be able to deliver this level of service. Quorum Cyber isn’t just a supplier – they’re a long-term partner invested in our mission and growth.”
“We share Forrit’s commitment to protecting customers from cyber threats,” says Federico Charosky, CEO, Quorum Cyber. “Together, we’re safeguarding their customers and enabling trust in every digital interaction.”
Defending Hope: How CHAS Sets the Standard for Data Security in Children’s Palliative Care

Children’s Hospices Across Scotland (CHAS) is a charity providing unwavering care to children who may die young and their families, at every step on this hardest of journeys. Three children a week die in Scotland from an incurable condition, and CHAS works in partnership with Scotland’s health and social care providers to ensure hospice and palliative care services are provided for these babies, children, and young people (aged 0-21 years) and their families across Scotland.
Entrusted with the sensitive personal information of thousands of families and hundreds of staff, CHAS places information security at the very heart of its mission. Protecting this data from theft, loss, and cyber threats is essential to maintaining the trust and dignity of every family it serves.
To safeguard its digital assets and maintain smooth operations, CHAS partnered with Quorum Cyber to implement Clarity Extend, an enhanced managed detection and response (MDR) service. This 24/7 security monitoring capability helps protect its IT estate and, critically, shields its 400 employees, many of whom hold nursing and clinical roles, from increasingly sophisticated phishing attacks.
“We need to monitor our networks 24/7 for malware and prevent cybercriminals from using social engineering to access and exfiltrate our systems,” says Dave Blair, Lead System Analyst at CHAS. “Quorum Cyber helps us prevent phishing attacks, monitor system logs or stop outsiders using accounts that they shouldn’t have access to.”
A cyber security extension to the team
CHAS, which has partnered with Quorum Cyber for six years, benefits from Clarity Extend, managed by Quorum Cyber’s Security Operations Centre (SOC) team. The SOC functions like a seamless extension to CHAS’s team, providing continuous, comprehensive monitoring and security expertise to allow its team members to focus on their core mission with confidence, knowing their systems are protected around the clock, including weekends and holidays.
“We don’t have the knowledge of the threats and the threat landscape that their team has, so they take some of the workload off us,” adds Dave. “We see Quorum Cyber adding new behavioural rules... they’re aware of what threats are happening at the moment.”
Microsoft-first cyber security to protect all vendors’ products and tools
The international cyber security company’s Microsoft-first approach aligns with CHAS’s IT infrastructure and security tools. Among Clarity Extend’s range of benefits, Microsoft Sentinel is integrated with third-party technologies, and CHAS has two extra safety nets in threat hunting and incident response up to containment. Furthermore, with Quorum Cyber’s customer platform, Clarity, CHAS can see and track any potential issues and incidents, and how the SOC team is handling them, in real time.
“Quorum Cyber’s team is great at flagging any potential issues at any time to take the pressure off our team and gives us the confidence that, if something were to happen, we would hear about it quickly,” says David Campbell, IT Project Manager for CHAS. “It's almost like having a member of the team focused on logs. Having someone there doing better monitoring than we could do ourselves gives us peace of mind.”
Delivering lasting peace of mind and resilience
By partnering with Quorum Cyber and using Clarity Extend, CHAS benefits from continuous, expert-managed protection of its sensitive data, ensuring compliance and resilience against evolving cyber threats. This trusted collaboration frees CHAS to focus on its vital care mission with true peace of mind, confident that its personal and confidential information is securely safeguarded around the clock.
Quorum Cyber Employs Microsoft Security Stack to Eradicate Two Threat Actors, whilst Thwarting a Ransomware Attack on an International Business
When a company is hit with ransomware, it needs a specialised cyber security partner with the experience and capabilities to support it through one of the worst challenges in business. When two threat actors breach a business simultaneously, only the best can contain the damage, protect critical data, and help it quickly and safely resume operations.
That was the case when an international professional services company, with highly sensitive customer information and offices worldwide, was attacked in early 2025.
The initial call for support
The company’s insurance carrier contacted Quorum Cyber to lead the forensic investigation begun by the incumbent managed security services provider (MSSP), which had been fighting to regain control of the IT network for several weeks.
The international company had previously received emails from two threat actors – Cactus and RansomHub – which are both known to use Ransomware-as-a-Service (RaaS), claiming to have successfully penetrated the IT network and stolen data.
While the incumbent MSSP had defended the company for many years using SentinelOne, it hadn’t evolved with its customer to continue providing adequate security against a backdrop of ever-evolving cybercrime. The international company had outgrown its MSSP and lacked sufficient security, both on-premises and across the multi-cloud environment, around the clock.
Investigating two breaches – and eradicating two adversaries
Following a preliminary assessment, Quorum Cyber found evidence of a full IT domain compromise by an active ‘hands-on’ adversary lurking inside the network with full access to it. Furthermore, the team was certain that the threat actor was ready to encrypt data and therefore advised the victim company to take the decisive step of temporarily disabling internet access at two sites, preventing escalation to an encryption event, whilst the team worked on a remediation strategy to limit business interruption.
When dealing with incidents where a threat actor is active in the environment, it is imperative to rapidly gain and maintain operational visibility across the technology estate to identify actions taken by the adversary as quickly as possible. Containment is critical in minimizing the threat actor’s impact and acts as the last line of defense against long-term financial and reputational impact.
Digital Forensics and Incident Response (DFIR) teams worldwide take a similar approach to containment but often focus their monitoring on endpoint telemetry alone via Endpoint Detection and Response (EDR) tools. While EDR is critically important, we believe that in order to effectively contain an active, sophisticated cybercriminal or nation-state actor, visibility into other telemetry is imperative, including the cloud estate and – most critically – the identity and access management platforms, which often contain rich evidence related to privilege escalation, lateral movement, and the other mid-kill-chain steps present in nearly all serious incidents.
To orchestrate this, Quorum Cyber’s team also deployed additional security tooling and detection capabilities to the on-premises infrastructure and cloud-based estate, and provided robust 24/7 proactive security monitoring via Quorum Cyber’s Emergency Managed Detection and Response (MDR) service, which goes above and beyond the limitations of an EDR-only approach.
Over several weeks, Quorum Cyber collaborated with the customer’s US and UK counsels, its legal and IT teams, and the incumbent MSSP to remediate the threat safely.
A thorough root cause analysis revealed that the Fortinet FortiGate firewall appliances, which control ingress/egress network traffic and VPN connectivity for the IT network, were susceptible to two zero-day vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These were made public for the cyber security community to act upon on 14th January 2025.
Quorum Cyber took several remediation steps to mitigate the incident, including:
- Decommissioning compromised IT systems
- Creating new IT systems for critical business services
- Providing guidance regarding credential resets
- Identifying and removing malicious backdoors
- Patching vulnerable network appliances
- Addressing configuration gaps to improve overall security posture
- Conducting a comprehensive forensic investigation to support regulatory obligations
Within six weeks of the engagement's start, Quorum Cyber successfully neutralised all threats and ceased negotiations with both cybercriminal groups. No further unauthorised activity has been detected within the customer’s IT environments since the initial call. The engagement gained a considerable amount of trust from the customer, which is now safe from harm from the two adversaries and, thanks to the Emergency MDR service, also safe from other potential cyber-attacks.
Quorum Cyber’s unique range of skillsets, including incident response and ransom negotiations, coupled with its advanced containment monitoring expertise, ensured that the situation was contained quickly. The two threat actors were eradicated from the systems and security was reinforced so that the same types of attacks won’t be successful again.
In addition to the technical expertise provided, Quorum Cyber’s team also delivered an executive briefing of the whole incident and advised on crisis communications to key stakeholders within the business and externally.
Uncovering historical security lapses
During the investigation using the Microsoft Security stack, Quorum Cyber flagged a number of serious issues which amounted to a lack of security across the IT estate:
- EDR was not implemented on every system
- IT networks had not been segmented
- Multi-factor authentication (MFA) had not been adopted
- Identity and Access Management (IAM) controls needed improvement to limit privileges to just those required
- Cloud estates, on-premises assets, and endpoint and network security infrastructure lacked hardening through secure architecture, and vulnerability management practices were inconsistent
- A dearth of security controls
- Security tools were improperly configured, making them ineffective
While these errors meant that the company wasn’t safe from cyber-attacks, the plethora of tools that were in place wouldn’t actually have given any cyber security company the complete visibility of the IT estate that Microsoft 365 Defender, Microsoft Defender for Identity, and Microsoft Defender for Cloud would have given.
Why Quorum Cyber?
Equipped with market-leading incident response and ransom negotiation teams, Quorum Cyber is perfectly positioned to handle any kind of cyber incident at any time of the day or night. Its threat-led approach is backed up by threat intelligence and threat hunting teams, a suite of professional services, and a comprehensive range of managed security services delivered by a Security Operations Centre spanning the US, the UK, and Canada. In 2025, Quorum Cyber was recognised as the Microsoft Security Excellence Awards Winner for Security MSSP of the Year.
Safeguarding Retail Supply Chains and Data in the Face of Ransomware
Situation overview
Imagine a business at the heart of the UK’s retail ecosystem, providing the systems that underpin food safety and employee wellbeing across thousands of sites. This multinational, trusted to process and protect sensitive medical and personal information, suddenly faces a high-stakes ransomware attack: all servers and endpoints are down, and the integrity of the entire supply chain, including industrial refrigeration, lighting, and critical systems, is now at risk. Compounding the crisis, the possibility of leaked confidential health data threatened the company’s reputation and compliance standing.
Strategic response: partnership in action
Recognising the critical business implications, from regulatory repercussions to brand trust and operational continuity, the company immediately engaged Quorum Cyber and legal breach counsel. The mission: to contain the threat, discover what had happened and enable secure, rapid recovery.
Key business objectives
- Rapidly identify and close the entry point to contain financial and reputational damage
- Confirm whether customer and medical data was accessed or exfiltrated, limiting legal and regulatory exposure
- Verify that industrial control systems, essential to every supermarket’s operations, remained uncompromised
- Restore business operations with minimal downtime
Execution and assurance
Fast-tracked digital forensics & monitoring
Quorum Cyber deployed advanced remote forensic tools to swiftly gather time-critical evidence from operational systems, while working offline with preserved disk images from affected devices. Within hours, the organisation was onboarded into Quorum Cyber’s Security Operations Centre (SOC). Industry-leading protections, Microsoft Defender and Sentinel, were rapidly deployed, enabling round-the-clock vigilance.
Uncovering the attacker’s playbook
Our experienced team of cyber investigators traced the blueprint of the attack and discovered:
- Initial Access: The attackers gained entry by exploiting leaked credentials and abusing VPN access, bypassing perimeter security with legitimate-looking logins.
- Lateral Movement & Privilege Escalation: Once inside, they methodically navigated the environment, escalating privileges and probing connected systems to maximise their reach.
- Domain Trust Exploitation: Leveraging established trust relationships between global business units, the threat actors moved seamlessly from one region to another, demonstrating a deep understanding of the organisation’s infrastructure.
- Stealth and Persistence: For nearly two months, the attackers operated undetected, carefully gathering intelligence, exfiltrating sensitive data, and setting the stage for their ransomware deployment.
- Orchestrated Ransomware Detonation: Only after ensuring maximum impact did they trigger the ransomware, effectively disrupting operations at the most vulnerable moment.
By dissecting each stage, we not only restored business functionality but also provided actionable insights to harden defences against future threats.
Business continuity for the supply chain
Recognising that industrial refrigeration and logistics directly affect food security, Quorum Cyber undertook forensic analysis of over 700 industrial control systems (ICS) endpoints. After exhaustive examination, we were able to certify, in a formal attestation, the safety of these critical environments, allowing our client to assure partners and regulators that food supplies were never at risk.
Protecting customer confidence
Intensive analysis of servers containing sensitive data assured leadership that, while exfiltration had been attempted, there was no evidence of large-scale exfiltration from key databases. This enabled fast, transparent communication with stakeholders and regulatory bodies, preserving trust and mitigating legal exposure.
Lessons in leadership and resilience
Throughout the crisis, Quorum Cyber operated as a proactive advisor, delivering real-time tactical guidance and sharing up-to-the-minute attacker Indicators of Compromise. With our recommendations, the company not only remediated the breach, but emerged with enhanced security posture and renewed confidence from its leadership, partners, and customers.
The takeaways
- Preparation and Partnership Matter: Rapid engagement with trusted cyber security and legal experts can fundamentally change outcomes in a crisis.
- Business-Critical Infrastructure is a Prime Target: Safeguarding industrial systems must be an executive priority, as the downstream impact extends to supply chains and public wellbeing.
- Resilience is a Competitive Advantage: The ability to respond decisively, communicate transparently and recover securely turns a crisis into an opportunity to demonstrate leadership.
Safeguarding the Future of Education: Enhancing University Cyber Security with a Trusted Partner
A progressive UK-based university supports more than 10,000 students and 1,500 staff across multiple campuses. With a strong commitment to community engagement, the institution aims to widen access to higher education, address evolving skills demands, and deliver meaningful social and economic impact. It is also recognised for its strong graduate employment outcomes, helping to develop and retain skilled individuals across various sectors.
Cyber security has long been a strategic priority, as it is for most of the higher education sector. The university’s senior leadership recognised the need to bolster its ability to respond rapidly and effectively to potential cyber-attacks at any time, day or night.
“Our users are front and centre of our cyber security strategy,” says the University’s Director of Technology Services. “We see threats coming from multiple angles continuously, mostly in the form of phishing and spear phishing attacks attempting to deliver malware payloads.”
Extending the team with a trusted partner
To address growing cyber risks, the university sought a partner that could function as an extension of its internal team, offering automated, managed detection and response while allowing internal staff to focus on strategic initiatives. Out-of-hours security coverage was also a key requirement.
After a competitive tender process, the university selected Clarity Extend, a managed detection and response (MDR) service from Quorum Cyber. The service includes global threat detection, automated threat hunting, and sector-specific threat intelligence. The institution was particularly drawn to Quorum Cyber’s Microsoft-first approach and its robust incident response capabilities.
The Director of Technology Services adds: “We now have 24/7 managed detection and response operated by Quorum Cyber’s Security Operations Centre. We’ve gained reassurance from having mature and trusted processes, backed by a partner fully dedicated to managing and mitigating cyber threats.”
Achieving greater cyber resilience
The university continues to run a rigorous cyber incident response (IR) plan, including an annual tabletop exercise to ensure the entire organisation knows how to respond during a cyber event. This preparation is a vital part of maintaining business continuity.
Through its licensing agreement, the institution uses automated responses to specific types of suspicious system activity, significantly increasing operational efficiency. This is especially important for protecting students - seen as ‘frontline users’ - due to their constant interaction with digital platforms and sensitive information.
The customer platform, Clarity, plays a key role in incident transparency. It automatically generates detailed reports on threat activity, helping the technology team quickly understand and communicate incidents across the organisation.
A seamless extension of the team
“We trust Quorum Cyber as a true extension of our team,” the University’s Director of Technology Services explains. “Their technical experts swiftly contain and mitigate threats and help restore services, which is critical to keeping operations running even during an incident.”
Nearly three years into the partnership, the university remains pleased with the deployment and ongoing service. The implementation phase, project management and monthly reviews have met expectations, and importantly, the value delivered continues to be consistent with what was promised during the procurement process.
Cyber reassurance, delivered
“We’ve always had a reliable service from Quorum Cyber - responsive and aligned to our needs,” the Director of Technology Services reflects. “I sleep better knowing we have a partner with the right expertise watching over our digital environment. They act immediately if there’s an issue, based on the controls we’ve agreed.
“In short, Quorum Cyber provides strategic cyber reassurance.”
Defending Data Trust in an Unpredictable Threat Landscape
Data Trust, established in 2011, is a leading first-party data company specializing in US voter information and electoral data. The company’s expertise lies in collecting, enriching, analyzing, and maintaining high-quality political data on a massive scale. With information on over 300 million individuals and more than 2,500 unique data points per person, Data Trust provides critical insights to various organizations involved in election campaigns across the United States.
The challenge
At the core of Data Trust’s operations is the critical task of protecting sensitive information. The company’s sophisticated data management systems safeguard not only publicly available data but also their proprietary insights and proven methodologies. This level of security is paramount, as a single data breach could severely undermine the trust of its clients and potentially tarnish the company’s reputation.
By leveraging its expansive data warehouse and robust IT infrastructure, Data Trust ensures the integrity and confidentiality of its vast data resources. This commitment to data protection and privacy is fundamental to maintaining the confidence of its clients and solidifying its position as a trusted partner in the political data landscape. Needless to say, confidence in Data Trust’s ability to manage sensitive information securely is crucial for both its business success and that of its clients. While the company primarily collects publicly available data, it must vigilantly protect its invaluable data insights and proven methodologies from theft or unauthorized access. Equally critical is safeguarding its IT infrastructure from potential compromises, including data breaches, cyberattacks, or system vulnerabilities. Any form of data compromise could not only jeopardize the company’s proprietary information but also undermine the confidence its clients place in its ability to handle sensitive political data securely.
While satisfied with its previous cybersecurity set-up, the rising frequency of cyberattacks on all industries in recent years, and escalating geopolitical tensions around the world, led Data Trust to seek a cybersecurity partner that could elevate its data security to a world-class level. As a Microsoft-first company, it needed a global cybersecurity specialist with deep Microsoft expertise that could provide tailored, flexible, and scalable services while ensuring maximum protection around the clock. Microsoft recommended that Data Trust add Quorum Cyber, a Microsoft Solutions Partner for Security, a member of the Microsoft Intelligent Security Association (MISA), and holder of all four Microsoft Security specializations, to its shortlist of potential service providers.
“We wanted a company that wasn’t just aware of Microsoft’s services, but truly an expert in them – whether it’s Sentinel or Microsoft’s operations in general,” says Bill Dunne, Data Trust’s Chief Operating Officer. “This expertise was crucial because everything we do is natively Microsoft-based. Every device we use is Windows-based, and we host all our core assets in Azure. Although we have data in a few other clouds for marketing purposes, the core assets live in Azure and Microsoft. Therefore, it was essential for us that the firm we partnered with had a strong background in Microsoft services.”
Vote of confidence for comprehensive security
“What put Quorum Cyber ahead of the field was the feel we got for the team,” says Bill. He was particularly impressed that Federico Charosky, Quorum Cyber’s Chief Executive Officer, attended the first meeting. And Data Trust’s technical team verified that the cyber security specialist’s experts had the skills, knowledge, and certifications required to master Microsoft’s security stack.
“Overall, we felt like we had a great rapport with Quorum Cyber’s team, and we were confident they could protect us 24/7, 365 days a year,” adds Bill. “They took the time to ask about our specific challenges and listened to us.”
Another major benefit was that an Incident Response service was included as standard, so that if an adversary should breach the company’s systems, Quorum Cyber’s qualified and highly experienced incident responders would rapidly investigate the emergency, day or night.
“The in-house incident response capability was a standout feature for us,” explains Bill. “We really appreciated that it was included within the service and not hidden behind a paywall. Knowing that resources would be available immediately if anything slipped through or if we faced any issues gave us great peace of mind. This showed they had ‘skin in the game’ because by stopping threats in the first place, they wouldn’t need to expend resources on incident response. This demonstrated a true partnership rather than just a managed service, which was a significant point of our discussions.”
Furthermore, with Quorum Cyber, cybersecurity isn’t just a business transaction, it’s a partnership and a collaboration to continuously fortify cyber resilience and reduce cyber risk. With this approach, organisations can focus on their goals without worrying about cyberattacks.
Threat-led managed detection and response
Data Trust opted for a security maturity assessment (SMA) to start so that Quorum Cyber’s team could review the firm’s current security posture and understand what it needed to do to strengthen it in the short, medium, and long term. In addition to the SMA, Data Trust opted for Quorum Cyber’s managed detection and response service, Clarity Extend. This service incorporates advanced threat intelligence and proactive threat hunting capabilities, designed to identify and mitigate potential threat actors. To further reduce risk, Data Trust added pentesting, plus an annual cybersecurity audit to ensure good governance. Early in the partnership, Quorum Cyber’s Threat Intelligence (TI) team conducted an in-depth assessment of the specific threats Data Trust might face. This evaluation provided the company with critical visibility into the threat landscape most relevant to its operations, enabling a proactive approach to mitigating risks.
Data Trust’s team has total transparency of the company’s security via Clarity, Quorum Cyber’s customer platform, which Bill believes is an added advantage of the service. “We’ve been able to see the workflow play out successfully, and we have clear insight into the logging of day-to-day activities because the platform is clean and easy to use. It’s so intuitive that I’ve been able to pass it to a member of the team, who manages it daily, but I can still access and review it whenever needed. We feel confident in the platform’s accurate reporting of what’s happening in our systems and databases.”
Peace of mind
“Throughout the process, I felt relieved and reassured by the rapport we established,” Bill explains. “One member of the Quorum Cyber team was local, and meeting in person helped build comfort and trust. Moreover, the support from the team, who would be managing this on a 24/7 basis, gave me confidence that our data was in capable hands.
“Quorum Cyber is the most important layer of our active security,” concludes Bill. “We certainly have cyber peace of mind.”
You can read an extended version of the Data Trust customer success story on the Microsoft Partner Portal.