The industry standard has drifted. Somewhere between commercial tool dashboards, unverified AI output and reputational defence, the people paying the bill — the victims — stopped being the priority. Makkari Security exists to put that back.
Too many consultancies have standardised on a single commercial tool, told clients what the dashboard told them, and handed over a report. That is not forensics. It is administration.
When a breach lands in court, when a regulator asks for evidence, when counsel needs to know whether data was exfiltrated or merely accessed — a screenshot of a vendor console does not hold up. The answer has to be reproducible by a second examiner, defensible under cross-examination, and grounded in primary artefacts. Not in a tool's opinion of them.
Increasingly, firms rely on AI to summarise findings without independent verification, reproduction or competent engineering behind it. LLM output is a useful starting point. It is not evidence. Presented as evidence, it is a liability — to the client, to counsel, and to the practitioner who signed the report.
And there is a quieter failure: consultancies that protect their own reputation ahead of the client's outcome. Findings softened. Root causes blurred. Recommendations hedged to avoid future blame. The client, meanwhile, is still breached.
Tier-one DFIR work has historically been priced for tier-one balance sheets. The small manufacturer, the regional law firm, the NHS trust, the family office — they get the same attackers, but rarely the same standard of response.
Our engagement model is built for that gap. Flat-fee assessments. Transparent retainers. Senior practitioners — combined 25+ years across nation-state intrusion response, ransomware eradication, and expert-witness forensics — on the engagement you commission, not handed down to a pool.
What we are seeing in the field — and what industry telemetry is confirming.
Ransomware-as-a-Service operations now resemble organised crime cartels — with affiliates, negotiators, PR arms and dedicated data-brokerage channels. Fragmented defenders are outmatched by consolidated offenders.
Phishing at native fluency. Polymorphic payloads. LLM-driven privilege discovery. The human-scale attack window is closing — median time from initial access to encryption is already under 24 hours in most engagements.
Cloud tenancy, SaaS sprawl and federated identity mean the breach almost never starts on the endpoint any more. Token theft, OAuth abuse and IdP misconfiguration dominate the root-cause picture we see.
No finding leaves the firm without corroboration from independent telemetry. One vendor's view is an input, not a conclusion.
Every evidentiary claim is traceable to preserved artefacts and documented tooling. If we cannot re-run it, we did not prove it.
Machine learning accelerates triage and pattern-matching. It does not write reports, draw conclusions, or testify. Humans do.
We do not soften findings, bury root causes, or hedge recommendations to protect ourselves. Our only obligation is a defensible answer.
The practitioner who scopes your engagement is the practitioner who works it. No hand-off to a training pool.
Chain-of-custody, tooling hashes and examiner notes are produced from day one — not reconstructed when counsel asks.
Whether you are actively breached, preparing retained counsel, or simply want to understand what a real IR partner looks like — we are listening.