CyXcel TRACE

Threat Intelligence, Risk Analysis and Cyber Exposure

Reduce the impact of cyber incidents with 24/7/365 access to our global TRACE team, specializing in threat intelligence monitoring that goes beyond the dark web.

Decorative image illustrating 'CyXcel TRACE'

Go Beyond the Dark Web with CyXcel TRACE

CyXcel TRACE

Every digital interaction leaves a trace and while most threat intelligence providers stop at dark web monitoring, at CyXcel, our TRACE team goes further. We pull on threads available to us across a vast range of digital communications platforms, providing you with deep insight into emerging threats to your business.

 

Our TRACE team monitors for exposure across your critical supply chain partners, identifying risks impacting vendors that could expose your data, or risk downtime which might significantly disrupt your business operations.

 

Our curated reports help you focus on what truly matters, highlighting the most relevant threats to your organization. We provide actionable insights into the threat actors targeting your industry, empowering you to take proactive steps to defend against cyberattacks.

Industry-Acclaimed

Incident Response Team of the Year finalists at Zywave's 2025 Cyber Risk Awards

Accredited

ISO/IEC 27001:2022 certification, NCSC CIR Assured Service Provider, and CREST accreditation for Cyber Incident Response Services

Your Partner in a Crisis

The world's leading cyber insurers and law firms trust us as their chosen incident response provider

24/7/365 Cyber Incident Response

Our global TRACE team responds 24/7/365 to the most complex of cyber incidents, providing effective advice within hours.

Our Services Include

Threat Intelligence

CyXcel monitors across three core areas, identifying exposure and risk across a range of dark web forums and marketplaces and digital communication channels, both for organizations and their critical supply chains:

  • Situational Analysis
  • Cyber Threat Intelligence
  • Threat Actor Engagement Negotiation
  • Asset Tracing and Discovery 

Incident Management

Expert crisis leadership driven by clear objectives and execution of a comprehensive incident response strategy tailored to the needs of your organization:

  • Objectives and Response Strategy
  • Leadership Support for Execs and C-Suite
  • Resourcing and Business Continuity
  • Change and Improvement Planning

Containment and Forensics

Containment, threat hunting, and forensic analysis to secure your systems, uncover how attackers bypassed defences, and get you back up and running quickly and safely:

  • Technical Investigation and Root Cause Analysis
  • Eviction
  • Evidence Preservation
  • Compromised Identities and Impact Assessment

Restoration

Reconstruction and recovery of critical systems and data, upgrading of infrastructure, and strengthening of security for improved protection and resilience:

  • Systems and Data Recovery
  • Infrastructure Rebuild
  • Security Hardening
  • Post-Incident Analysis and Learning

 

Case Studies

Each cyber incident requires a tailored response and a bespoke set of capabilities. Here’s how CyXcel’s TRACE team has enabled some of our clients to manage different crises effectively and swiftly.

Data Exfiltration and Extortion

Hackers stole a staggering 3TB of data and then presented ransom demands to avoid its publication and distribution on the dark web. The stolen data included personal and sensitive personal information belonging to tens of thousands of individuals.


We devised the response strategy and then brought together a specialist team to seamlessly deliver the remedial action required, which included negotiations with the threat actor, restoration of data from back-up and remediation of the client’s environment, support with an ICO investigation, and notifications to the client’s key customers and stakeholders. 

Due to our efforts, the client faced nil claims and no enforcement action.

Finance

DDoS and Supply Chain Compromise

A key member of our client’s supply chain was targeted by hackers who encrypted its systems and launched a DDoS attack on its website when it refused to pay a ransom. The impact on our client was significant across its global customer base.

We engaged with the incident response vendors acting for the supply chain partner to understand the security risk to our client through connected systems and then created a red network to contain any propagation, while hardening controls and stepping up threat hunting on the rest of the environment. 

We also checked the extent of third-party processing and data deletion to create a profile of the data subjects likely affected for whom our client had responsibility as controller, and thereafter notifying and liaising with the relevant supervisory authorities, while risk assessing and making notifications to individuals as required by law. 

Our mitigation steps were highly effective, resulting in just a fortnight’s disruption and no loss of revenue for our client.

Retail

APP Fraud

Our clients' emails were intercepted and invoice details manipulated, allowing fraudsters to divert funds during a container leasing transaction between our client, a marine cargo company in the UK, and the counterparty in Latvia.

We secured and removed the threat actor’s presence from the client’s IT environment, while simultaneously tracing and successfully recovering 80% of the diverted funds from a network of banks across the UK, Spain, and France.

Transport and Logistics

Software Misconfiguration

We managed the response to a data breach arising from a configuration error on software used to produce statistical analyses from crime occurrence logs. The breach involved the inadvertent disclosure online of highly sensitive and detailed data on sexual offences, including victims and perpetrators.

Key activities included: risk assessing, notifying and counselling the affected individuals, media engagement, representing our client in the regulatory investigation, identification and remediation of the relevant configurations, and advice on improvements in detection and governance.

Public services (Emergency Services)

Mobile Malware and VM Hacking

Our client’s CEO was targeted by a drug cartel who successfully installed malware on his mobile phone, obtained credentials to access his voicemail, and took over several of his social media accounts, as well as WhatsApp and Signal. From there the cartel impersonated our client to deceive his contacts and secure significant wire transfers of funds by deception.

We worked alongside the Security Ops teams at T-Mobile and Meta to recover our client’s accounts and enforce a hard reset of his credentials. Signal was more challenging because of its open-source distributed technology, so we devised a persistent brute force response utilising hacker techniques.

Our strategy successfully displaced the threat actor and eventually allowed us to regain account control.

Finance

Restricted Transfer Infringements

A series of poorly-informed executive decisions led to our client outsourcing its web development, hosting and data processing to third countries without an adequate decision or suitable protections, including Australia, Nepal and Pakistan. The new CEO called us for advice and thereafter extended our remit to implement remediation at pace to mitigate the risk of regulatory sanctions.

We terminated the unlawful hosting and processing arrangements immediately, albeit with a full commitment from the vendors to support our steps to move operations to new hosts in the UK. We prepared the new contractual framework, including the specification of appropriate organisational and technical measures to protect the client’s data. We also engaged with the ICO on the client’s behalf to manage regulatory fallouts.

Public Services (Charity)

Hardware Theft

Following a data breach caused by the theft of a hard drive from an employee’s vehicle, we were called in to manage the incident, analyse the data, assess the risk, and advise on reporting to the ICO and notification to data subjects.

Through empirical testing of the client’s security and careful presentation of the results we were successful in the negotiation of an ICO closure notice. No further action was taken against our client.  

Finance

Business Email Compromise

A university whose Office365 environment was breached fell victim to a Business Email Compromise, affecting both staff and students. Incident protocols were inadequate, so they reached out to us for help.

Using proprietary technology, we were able to accelerate our analysis of the attack’s scope and risk assess all affected accounts, before reporting to the client with our findings within just four days, also limiting the need for further manual analysis of those accounts deemed to be at ‘high risk’ by the client’s HR team.

Gun to tape, we resolved the incident in less than four weeks.

Public services (Education)

Meet Your TRACE Team Leads

Steve Sandford, Cyxcel

Steve Sandford

Partner, Digital Forensics and Incident Response

Steve Sandford, Cyxcel

Steve Sandford

Partner, Digital Forensics and Incident Response

steves@cyxcel.com

020 7227 6657

Steve serves as CyXcel’s Partner of Digital Forensics & Incident Response, bringing nearly two decades of experience responding to and advising on complex cyber incidents and forensic investigations across multiple jurisdictions. 

He leads CyXcel’s global response operations, supporting clients through ransomware attacks, business email compromise, and large-scale data breaches. Steve provides strategic guidance throughout the incident lifecycle, aligning technical, legal, and insurance considerations to ensure effective, coordinated outcomes. 

With deep expertise in digital forensics, investigative methodology and threat intelligence, Steve helps organisations manage fast-moving investigations whilst protecting critical business interests. His work includes investigating threat actor activity, assessing data exposure, and identifying attack vectors to support informed response and recovery decisions 

He regularly advises on ransom negotiation strategies, payment considerations, and associated legal and regulatory implications by working closely with legal counsel, insurers, and breach response teams. 

Steve also has experience working in close partnership with technology providers to deliver integrated response strategies that minimise disruption and support long-term resilience. His approach is grounded in clear communication, operational precision, and a deep understanding of cyber risk in real-world business context. 

Prior to joining CyXcel, Steve held a leadership role Ankura Consulting, where he built and led cyber response teams. He is recognised for his calm, pragmatic approach and his ability to translate technical complexity into practical decisions during high-stakes incidents. 

Danny Howett, Cyxcel

Danny Howett

Technical Director, Digital Forensics and Incident Response

Danny Howett, Cyxcel

Danny Howett

Technical Director, Digital Forensics and Incident Response

dannyh@cyxcel.com

020 7227 6672

Danny Howett is Technical Director at CyXcel, where he leads the organisations Threat Intelligence and Incident Response capabilities. With 15+ years of experience spanning law enforcement and consultancy, he has developed a deep understanding of the cyber threat landscape, particularly in relation to threat actor tactics, techniques and procedures, as well as emerging risks. 

Danny specialises in dark web threat intelligence, with extensive experience tracking threat actors, analysing their methods and motivations, and translating that intelligence into actionable insights for clients. His work has enabled numerous organisations to proactively strengthen their defences, identify vulnerabilities, and prevent breaches before they occur. 

Prior to joining CyXcel, Danny worked in both Consultancy and Law Enforcement roles, most recently as a Director at Ankura, where he led complex investigations into incidents such as ransomware attacks, data breaches, and insider threats. He worked closely with legal teams, insurers, and senior leadership teams to manage incident response and provide clear, defensible reporting.  

A core part of Danny’s expertise involves direct engagement with threat actors across open and closed forums, including ransomware groups and criminal marketplaces. This work has supported both proactive intelligence gathering and active incident response, allowing clients to verify claims, assess credibility, and gain early insight into threat activity. He has supported negotiations, validated data leaks, and provided context to help organisations make informed decisions under pressure. 

Danny also spent 13 years in law enforcement as a Detective, investigating Cyber Crime and supporting the investigation of including cross-border criminality and covert dark web operations through forensic investigation of digital devices. This work laid the foundation for his detailed understanding of threat actor behaviour and the technical and legal complexities involved in cyber investigations. 

Danny takes a methodical and pragmatic approach to intelligence and response. He regularly engages with clients in high-pressure situations, offering calm, strategic guidance across technical and legal domains. He also contributes to industry discussions on cyber risk, threat actor behaviour, and response readiness. 

Speak to our Experts

Expand your threat intelligence monitoring capabilities beyond the dark web with support from CyXcel’s TRACE team. Contact our experts today to find out more.

General TRACE requests:

info@cyxcel.com

Experiencing a Cyber Breach?

Call or email our emergency 24-hour hotlines for immediate rescue.

North America

+1-855-490-4945

EMEA

+44-330-057-0662

Global email:

incident@cyxcel.com