For breach counsel, panels & insurers

Forensic answers that hold up — in regulator submissions, in arbitration, in court.

Panels and counsel need a DFIR partner whose technical conclusions survive cross-examination. Makkari is built for that standard from the first artefact collection to the final report.

The problem for counsel today

A DFIR report is only useful if it's defensible.

Too many breach investigations are being produced to a standard that cannot survive a determined challenge. Evidence is altered in collection. Conclusions rest on a single vendor's telemetry. Timelines are extrapolated where the data doesn't support it. AI-generated summaries are inserted without reviewer attribution. When those reports are later challenged — by a regulator, a class action, a reinsurer — they fail.

Breach counsel deserve better. The victims you represent deserve better. Makkari was built for the engagements where the answer has to be right, and has to be shown to be right.

What we see too often

  • Live acquisition with no hash baseline — no way to prove evidence integrity later
  • Reliance on a single commercial tool's parser — conclusions unverifiable independently
  • AI-drafted narrative sections with no human attribution or reproducibility
  • Timeline gaps papered over with speculation framed as "likely"
  • Chain of custody that cannot survive a deposition
  • Expert witness unavailability when the case actually moves

The Makkari commitment

  • Forensically sound acquisition, hash-verified, fully logged
  • Multi-tool, multi-source analysis — every critical finding cross-verified
  • Every conclusion traceable to a named analyst and an artefact
  • Timelines that stop at the data — and say so when they do
  • Chain of custody documented to evidential standard from minute one
  • Named senior practitioners available for expert witness testimony

How we work with counsel

Privilege-aware. Panel-ready. On the record.

Counsel-led engagement

Engagement letter executed with counsel as the instructing party where legal privilege is intended. Scope, deliverables and reporting cadence aligned to the matter's legal posture.

Evidence preservation first

We land on site with forensic acquisition as the first action. No remediation, no EDR cleanup, no container restart until the volatile and non-volatile evidence is secured.

Parallel reporting

Privileged technical narrative for counsel. Factual submission report for regulators or courts. Both from the same, reproducible underlying analysis — never two different stories.

Expert witness

Our senior practitioners accept expert witness instructions. Duty-of-the-expert understood, evidence-first, comfortable under cross-examination.

Panel arrangements

We support legal panels and insurer panels with standardised SLAs, rate cards, and conflict-of-interest processes. Pre-approval and rapid mobilisation for panel matters.

Regulator submissions

ICO, CNIL, BaFin, and sector regulators (FCA, PRA, Ofcom). We produce the forensic sections of notifications to a standard that withstands follow-up enquiry.

Why this matters

Regulators and claimant firms are getting sharper. So must the forensics.

Regulator follow-up enquiries are more technical than they used to be. Claimant firms are hiring their own technical advisors. Reinsurers and cyber carriers are scrutinising forensic reports for reasons to deny or reduce cover. And plaintiffs are learning what a weak causal chain looks like.

The DFIR partner on your engagement is no longer the last word on what happened — they are the first witness whose conclusions will be examined by everyone else. They have to be right, and they have to be able to defend it.

  • Causation, not correlation.
    "We saw X and then Y" is not a defensible conclusion. We build the causal chain with artefact-level rigour.
  • Data provenance.
    Every artefact has a collection time, hash, custodian and method — in the report appendix, not a separate spreadsheet.
  • Explicit uncertainty.
    Where the data does not support a conclusion, the report says so. Uncertainty is stated, not papered over.
  • Defensible exfil determination.
    Exfil volume, selectivity, and destination — analysed from multiple telemetry sources, not a single firewall log.
  • Post-incident access control proof.
    For regulator and insurer queries: evidence that the actor's access paths are measurably closed.

For counsel and panels

Privileged introduction? Panel onboarding?

We'll take the call directly. No sales funnel, no account managers — a senior practitioner and a partner.