Forrit Fortifies Technology to Protect its Customers from Cyber Threats

Forrit is a leading provider of cloud-native content management systems (CMSs) built for highly regulated industries such as financial services and healthcare. With a promise of “enterprise-grade security, rapid scalability, and global controls,” Forrit powers digital experiences for respected global organisations including Lloyd’s, NHS Scotland, Tesco Bank, and Craneware.

Challenge: Safeguarding trust in a high-stakes industry

As a member of the Chartered Institute of Information Security (CIISEC), Forrit needed a trusted cyber security partner to protect its product, data, and customers - around the clock. The company sought a partner who could:

  • Respond swiftly to potential cyber incidents
  • Offer proactive consulting and security advice
  • Anticipate and defend against tomorrow’s evolving threats.

“Our customers operate in some of the world’s most regulated industries, there’s absolutely no room for compromise on security,” says Peter Proud, CEO, Forrit. “We needed a partner that could match our standards for trust, transparency, and technical excellence.”

Solution: A strategic partnership with Quorum Cyber

Forrit’s CMS platform is deployed within each customer’s own Azure subscription - a design that demands deep Microsoft security expertise and seamless collaboration between Forrit, Quorum Cyber, and end customers.

The partnership, which began in 2018, has grown steadily based on three pillars:

  • Partnership: Built on a strong foundation of trust and collaboration
  • Service Fit: A perfect alignment with Forrit’s Microsoft-based architecture and operational model
  • Confidence: A proven track record of delivering high-quality, responsive cyber security services.

“Quorum Cyber feels like an extension of our own team,” adds Proud. “They understand our technology and our customers, and they share our commitment to keeping them safe.”

Outcome: Confidence, clarity, and continuous protection

To ensure comprehensive coverage, Forrit adopted Quorum Cyber’s Clarity Extend, an enhanced detection and response service covering the entire IT estate. The service is powered by a global Security Operations Centre (SOC) spanning the UK, US, and Canada, supported by Threat Intelligence (TI), Incident Response (IR), and threat-hunting specialists.

Together, they continue to deliver secure, resilient solutions for Forrit’s customers. Furthermore, for its cloud-first ambitions, Forrit needed an expert partner, fluent in Microsoft security. As a Microsoft Solutions Partner for Security and member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber matched all the main requirements.

As a Microsoft Solutions Partner for Security and member of the Microsoft Intelligent Security Association (MISA), Quorum Cyber provides the advanced expertise Forrit needs to deliver secure, scalable CMS solutions to regulated enterprises.

“With Quorum Cyber watching over our environment, we have absolute confidence that we’re protected; before, during, and after any cyber incident,” says Proud. “That peace of mind means we can focus on what we do best: helping our customers deliver exceptional digital experiences.”

How services evolved over time

Since the partnership began in 2018, Forrit and Quorum Cyber have built a strong, collaborative relationship rooted in trust, shared goals, and technical alignment. Over the past seven years, the partnership has evolved in several ways:

  • As Forrit’s CMS platform matured, so did the complexity of its security needs. Quorum Cyber has consistently adapted, integrating more deeply into Forrit’s architecture and workflows, to ensure robust protection across customer environments
  • Together, they’ve supported a growing number of enterprise clients, delivering secure, resilient solutions tailored to their operational models. Quorum Cyber’s ability to work seamlessly with both Forrit and its customers has been a cornerstone of that success
  • Seven years of consistent delivery, responsiveness, and shared values have built a solid foundation of trust.

Positive outcomes

The benefits of Clarity Extend go far beyond cyber security alone. The service empowers Forrit to formalise and fast-track responses to potential cyber incidents, shifting from reactive defence to proactive resilience. Together, Forrit and Quorum Cyber establish a clear baseline of normal business behaviour, enabling them to spot, investigate, and neutralise anomalies before they escalate. This partnership model also lets Forrit maintain a lean, high-impact security team, confident that the Quorum Cyber experts are proactively acting on their behalf, providing trusted, around-the-clock support. This assurance frees Forrit to focus its resources on innovation and product excellence, keeping its customers equipped with the most advanced CMS solution on the market.

Clarity Extend also enables Forrit to meet its regulatory obligations under the Bank of England’s Prudential Regulation Authority, the EU’s Digital Operational Resilience Act (DORA), and the National Institute of Standards and Technology (NIST) standards, ensuring robust operational resilience, cyber risk management, and compliance with evolving industry requirements.

With Clarity Extend, Forrit doesn’t just tick cyber security boxes; it shows customers, investors, and partners that it’s guarded by top-tier protection 24/7. They have immediate access to a proactive, threat-led partner ready to detect, analyse, and respond to threats in real time, keeping their business one step ahead of cybercriminals.

“Our long-term partnership with Quorum Cyber is a cornerstone of our business,” says Peter Proud. “They really care about our security, and that of our customers, and go beyond the simple short-term business transaction model.”

“Working with Quorum Cyber gives us the confidence to deliver secure services to our customers to meet their objectives and satisfy their regulatory requirements,” says Doug Cunningham, Forrit Chief Technology Officer. “Without this partnership, we wouldn’t be able to deliver this level of service. Quorum Cyber isn’t just a supplier – they’re a long-term partner invested in our mission and growth.”

“We share Forrit’s commitment to protecting customers from cyber threats,” says Federico Charosky, CEO, Quorum Cyber. “Together, we’re safeguarding their customers and enabling trust in every digital interaction.”


Quorum Cyber Employs Microsoft Security Stack to Eradicate Two Threat Actors, whilst Thwarting a Ransomware Attack on an International Business

When a company is hit with ransomware, it needs a specialised cyber security partner with the experience and capabilities to support it through one of the worst challenges in business. When two threat actors breach a business simultaneously, only the best can contain the damage, protect critical data, and help it quickly and safely resume operations.

That was the case when an international professional services company, with highly sensitive customer information and offices worldwide, was attacked in early 2025.

The initial call for support

The company’s insurance carrier contacted Quorum Cyber to lead the forensic investigation begun by the incumbent managed security services company (MSSP), who had been fighting to regain control of the IT network for several weeks.

The international company had previously received emails from two threat actors – Cactus and RansomHub – which are both known to use Ransomware-as-a-Service (RaaS), claiming to have successfully penetrated the IT network and stolen data.

While the incumbent MSSP had defended the company for many years using SentinelOne, it hadn’t evolved with its customer to continue providing adequate security against a backdrop of ever-evolving cybercrime. The international company had outgrown its MSSP and lacked sufficient security, both on-premises and across the multi-cloud environment, around the clock.

Investigating two breaches – and eradicating two adversaries

Following a preliminary assessment, Quorum Cyber found evidence of a full IT domain compromise by an active ‘hands-on’ adversary lurking inside the network, which had full access to it. Furthermore, the team was certain that the threat actor was ready to encrypt data and therefore advised the victim company to take the decisive action of temporarily disabling internet access to two sites, preventing escalation to an encryption event, whilst the team worked on a remediation strategy to limit business interruption.

When dealing with incidents where a threat actor is active in the environment, it is imperative to rapidly gain and maintain operational visibility across the technology estate to identify actions taken by the adversary as quickly as possible. Containment is critical in minimizing the threat actor’s impact and acts as the last line of defense against long-term financial and reputational impact.

Digital Forensics and Incident Response (DFIR) teams worldwide take a similar approach to containment but often focus their monitoring on endpoint telemetry alone via Endpoint Detection and Response (EDR) tools. While EDR is critically important, we believe that in order to effectively contain an active sophisticated cybercriminal or nation-state, visibility into other telemetry is imperative, including cloud estate and – most critically – the identity and access management platforms which often contain rich evidence related to privilege escalation, lateral movement, and other middle-kill-chain steps present in nearly all serious incidents.

To orchestrate this, Quorum Cyber’s team also deployed additional security tooling and detection capabilities to the on-premise infrastructure and cloud-based estate, and provided robust 24/7 proactive security monitoring via Quorum Cyber’s Emergency Managed Detection and Response (MDR) service, which goes above and beyond the limitations of an EDR-only approach.

Over several weeks, Quorum Cyber collaborated with the customer’s US and UK counsels, its legal and IT teams, and the incumbent MSSP to remediate the threat safely.

A thorough root cause analysis revealed that the Fortinet FortiGate firewall appliances, which control ingress/egress network traffic and VPN connectivity for the IT network, were susceptible to two zero-day vulnerabilities: CVE-2024-55591 and CVE-2025-24472. These were made public for the cyber security community to act upon on 14th January 2025.

Quorum Cyber took several remediation steps to mitigate the incident, including:

  • Decommissioning compromised IT systems
  • Creating new IT systems for critical business services
  • Providing guidance regarding credential resets
  • Identifying and removing malicious backdoors
  • Patching vulnerable network appliances
  • Addressing configuration gaps to improve overall security posture
  • Conducting a comprehensive forensic investigation to support regulatory obligations.

Within six weeks of the engagement's start, Quorum Cyber successfully neutralised all threats and ceased negotiations with both cybercriminal groups. No further unauthorised activity has been detected within the customer’s IT environments since the initial call. The engagement earned considerable trust from the customer, which is now safe from harm from the two adversaries and, thanks to the Emergency MDR service, also safe from other potential cyber-attacks.

Quorum Cyber’s unique range of skillsets, including incident response and ransom negotiations, coupled with its advanced containment monitoring expertise, ensured that the situation was contained quickly. The two threat actors were eradicated from the systems and security was reinforced so that the same types of attacks won’t be successful again.

In addition to the technical expertise provided, Quorum Cyber’s team also delivered an executive briefing of the whole incident and advised on crisis communications to key stakeholders within the business and externally.

Uncovering historical security lapses

During the investigation using the Microsoft Security stack, Quorum Cyber flagged a number of serious issues which amounted to a lack of security across the IT estate:

  • EDR was not implemented on every system
  • IT networks had not been segmented
  • Multi-factor authentication (MFA) had not been adopted
  • Identity and access management controls needed improvement to limit privileges to just those required
  • Cloud estates, on-premise assets, endpoint and network security infrastructure lacked hardening through secure architectures and suffered from inconsistent vulnerability management practices
  • There was a dearth of security controls
  • Security tools were improperly configured, making them ineffective.

While these errors meant that the company wasn’t safe from cyber-attacks, the plethora of tools that were in place wouldn’t actually have given any cyber security company the complete visibility of the IT estate that Microsoft 365 Defender, Microsoft Defender for Identity, and Microsoft Defender for Cloud would have given.

Why Quorum Cyber?

Equipped with market-leading incident response and ransom negotiation teams, Quorum Cyber is perfectly positioned to handle any kind of cyber incident at any time of the day or night. Its threat-led approach is backed up by threat intelligence and threat hunting teams, a suite of professional services, and a comprehensive range of managed security services delivered by a Security Operations Centre spanning the US, the UK, and Canada. In 2025, Quorum Cyber was recognised as the Microsoft Security Excellence Awards Winner for Security MSSP of the Year.


Strengthening Security for a Managed Cloud Service Provider

Hit by a ransomware attack

A Canadian managed cloud service provider faced a severe security breach when a ransomware attack infiltrated their systems. The attack was initiated through a vulnerability in a business partner’s customer system, leading to the encryption of all data managed by the provider. Having recently acquired new infrastructure, the provider was operating with limited tooling and lacked a log retention strategy, complicating its ability to respond effectively to the breach.

Identifying and mitigating the threats

To counter the ransomware attack, the provider worked with Kivu, a part of Quorum Cyber, to rapidly deploy endpoint detection and response (EDR) solutions to identify and mitigate the threat. Additionally, Kivu was engaged in negotiations and facilitated payment, enabling the successful decryption of the compromised data. Subsequently, Kivu conducted a thorough forensic analysis to identify the initial point of compromise, known as "patient zero."

Recovering with stronger security

The interventions led to several significant outcomes:

  • Enhanced Security Monitoring: The provider established 24/7 Managed Detection & Response (MDR) coverage, ensuring continuous monitoring and rapid threat detection.
  • Operational Restoration: All operations were successfully restored, allowing the provider to resume normal business activities without further disruptions.
  • Legal Support: A critical forensic timeline was developed to aid the provider in its legal proceedings, offering detailed insights into the breach.
  • Infrastructure Security Reinforcement: The Canadian company reconstructed its infrastructure with a strong emphasis on security defence principles, reducing vulnerabilities and strengthening its overall security posture.

By swiftly addressing the ransomware attack and implementing robust security measures, the managed cloud service provider restored its operations and also fortified its defences against future threats, ensuring the integrity and reliability of its cloud services.

Get in touch if you would like to talk through any of your cyber security needs.

