Fixed fee. No hourly meter. AI-augmented forensics that bring discovery down from twenty hours to four. You pay for the certainty: known scope, known timeline, known deliverable.
Most compromises are a single-site, single-event problem, and Tier 1 closes them. Tier 2 exists for the harder cases: persistent attackers, multi-site networks, or a report a third party will actually accept.
No findings, full refund. 50% on engagement start, 50% on report delivery. Stripe invoice issued after scope confirmation.
We've codified the work into a five-phase playbook backed by an AI-augmented analysis layer that reads logs, diffs files against canonical versions, and surfaces anomalies in minutes. The discovery phase that traditionally bills 20+ hours runs in 4–8.
You send the site URL and a sentence on what you're seeing. We confirm scope within 24 hours and issue the Stripe invoice. Access credentials exchanged after the upfront payment clears.
Full snapshot of the compromised state (files, database, configuration) stored before any change is made. If you ever need to talk to an insurer or a regulator, the evidence is intact.
File-system scan, database audit, log review, plugin and theme integrity check. Findings triaged by an AI analysis layer that catches the patterns a human eye glides past: encoded payloads, mtime anomalies, autoload bloat, orphaned active plugins.
Backdoors deleted. Rogue admins removed. Salts and database passwords rotated. .htaccess deny-blocks added for known attacker URLs. File permissions tightened. Quarantined evidence retained outside the public root.
Every scan re-run. Every quarantined URL re-tested. One-page incident report delivered as PDF: what was found, what was done, what you need to rotate yourself, what's out of scope and worth quoting separately.
Site running 4-year-old WordPress core and an outdated LayerSlider plugin. Three distinct backdoors discovered: a fake "SEO" plugin acting as the attacker's toolkit, a must-use plugin disguised as a devops file, and an AES-encrypted PHP shell loader inside the theme. Entry vector: known CVE in the outdated slider plugin.
Surgical clean completed inside five business days. Site restored. Hardening report delivered. Rebuild proposal scoped separately. Client retained control of their stack throughout, and held the credentials we never saw.
Incident response is one of those services where "who" matters more than "what". You're handing over admin access to a site that is currently bleeding traffic, trust, and probably SEO equity. That's not a job for a faceless agency with a contractor pool.
I've spent two decades in software: enterprise integration at Accenture, mobile architecture at Home Depot, technology leadership across half a dozen startups. For the last two years, I've been operating my own infrastructure businesses, and I've seen, cleaned, and documented enough WordPress compromises to know exactly what's worth doing inside a 5-day window and what's a rebuild conversation.
Every engagement runs through me directly. There is no offshored team. The work is supported by AI tooling I've built around Anthropic's Claude. That's how we collapse the discovery timeline. The judgment, the access, and the signature on the report stay mine.
Full refund. We don't sell "peace of mind" engagements. If there's nothing to clean, you should not be billed.
No. That's a separate rebuild engagement, and we'll quote it after the clean is done. We keep the surgical-clean scope tight on purpose: you need the bleeding stopped first, then a calm conversation about the larger investment.
Anything with cPanel, DirectAdmin, Plesk, or SSH access. That covers Namecheap, SiteGround, Bluehost, Kinsta, WP Engine, GoDaddy, A2, DigitalOcean droplets, AWS instances. If you can give us a way in, we can work there.
Not yet, as a standalone product. Tier 2 includes a 30-day re-check. If you want monthly monitoring after that, we can quote it separately, but most clients are better served by Wordfence, Sucuri, or their host's built-in monitoring with a sane configuration.
We've built a runbook around Anthropic's Claude that reads access logs, diffs files against canonical WordPress versions, triages PHP files by suspicion score, and drafts the client-facing report. It does not have access to your site. We run it locally against forensic artifacts. The judgment calls stay human.
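A sketch of the kind of triage the discovery phase and the runbook answer above describe (integrity diff against canonical versions, encoded-payload patterns, mtime anomalies, a suspicion score). This is an added example, not Beamhaus's tooling; the manifest format, the weights, the 7-day window and the sample tree are assumptions constructed for illustration.

```python
import hashlib, os, re, statistics, tempfile
from pathlib import Path

# Decoder output fed straight into dynamic execution, or a very long base64 run.
ENCODED = re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13|openssl_decrypt)\s*\(|[A-Za-z0-9+/]{400,}", re.I)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(root, manifest, window=7 * 86400):
    """Score PHP files under root; manifest maps relative path -> canonical sha256."""
    files = [p for p in Path(root).rglob("*.php") if p.is_file()]
    if not files:
        return []
    median = statistics.median(p.stat().st_mtime for p in files)
    findings = []
    for p in files:
        rel, data = p.relative_to(root).as_posix(), p.read_bytes()
        hits = []  # (weight, reason) pairs; weights are illustrative
        if rel not in manifest:
            hits.append((2, "not in canonical manifest"))
        elif digest(data) != manifest[rel]:
            hits.append((3, "differs from canonical"))
        if ENCODED.search(data):
            hits.append((3, "encoded payload pattern"))
        if abs(p.stat().st_mtime - median) > window:
            hits.append((1, "mtime outlier"))
        if hits:
            findings.append((sum(w for w, _ in hits), rel, [r for _, r in hits]))
    return sorted(findings, reverse=True)

def build_sample(root):
    """Constructed sample tree (not real WordPress files); returns its manifest."""
    clean = {"wp-login.php": b"<?php // login\n", "wp-includes/load.php": b"<?php // load\n",
             "wp-includes/version.php": b"<?php $wp_version = 'x';\n"}
    tree = dict(clean)
    tree["wp-login.php"] += b"include 'extra.php';\n"  # modified, mtime left old
    tree["wp-content/mu-plugins/devops.php"] = b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));"
    for rel, data in tree.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        age = 0 if "mu-plugins" in rel else 400 * 86400  # only the dropped file is recent
        os.utime(path, (1_700_000_000 - age, 1_700_000_000 - age))
    return {rel: digest(data) for rel, data in clean.items()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for score, rel, why in triage(tmp, build_sample(tmp)):
            print(score, rel, ", ".join(why))
```

The modified `wp-login.php` in the sample keeps its old mtime, so only the hash comparison flags it, which is why mtime carries the lowest weight here.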
Beamhaus Ltd, a UK private limited company. Invoices and refunds are processed through Stripe; receipts are valid for VAT-reclaiming clients in the UK and EU.
Yes. If you're a WordPress agency who occasionally gets the "we got hacked" call and doesn't want to take it on hourly, we run a white-label partner programme. You bill the client at your markup, we stay invisible. Email [email protected] with "agency partner" in the subject.
One sentence on what you're seeing. We'll confirm scope within 24 hours and tell you exactly what it costs.
[email protected]