Incident stories · Anonymized composite cases
What it actually looks like when a business like yours gets hit.
These are anonymized composite stories drawn from real EFROS engagements. Names, locations, industries, and identifying details have been changed. The patterns, costs, and recovery timelines are typical — your specific incident will vary. We publish them because owner buyers told us they want to know "what does this look like for someone like me?" before talking to a vendor.
Each story walks through the day-by-day: what the attacker did, what the owner saw, what it cost, and what would have prevented it. Owner-language throughout. Specific dollar amounts. No jargon. If any of these patterns feel close to your business, run the Cost-of-Getting-Hit calculator or book a 20-minute call.
Five attack patterns
Read the one that feels closest to your business
Regional law firm
Ransomware
$2.4M total cost · 11 days down
Tuesday phishing email to the bookkeeper. Friday afternoon, every file encrypted. The firm had backups. Restoring took eight days to confirm what was actually restorable.
Read the full story →Metal-fab manufacturer
Business email compromise
$185K wire stolen · insurance denied
AP clerk's email was watched for six weeks. The attacker waited for a real $185,000 vendor invoice, swapped the routing details mid-thread, and disappeared overnight. The owner had said MFA on the insurance application — meaning available, not enforced.
Read the full story →Orthopedic specialty clinic
Insider data theft
$1.8M HHS-OCR settlement · 4,200 patients notified
A medical assistant gave 60 days notice and spent the last two weeks copying patient records to personal cloud. The first sign was a patient calling to ask why a different practice already knew her treatment history.
Read the full story →Regional trucking + warehousing
Supply-chain compromise
$8M ARR lost · DOT audit triggered
The dispatch software vendor pushed a routine update. The update contained a backdoor. Eight weeks later the firm's dispatch logs and customer contracts appeared on a dark-web forum, and the largest two shippers did not renew.
Read the full story →Tax + advisory CPA firm
AI tool data exposure
31% of A-tier clients lost in 90 days
An associate pasted entire client tax document sets into the consumer version of ChatGPT to summarize. Consumer-tier retains for training. Two weeks of client SSNs, returns, and bank details were in the training pipeline before the firm noticed.
Read the full story →Why these are anonymized
Real engagements, scrubbed identities
We do not name clients in incident write-ups. Privilege, NDAs, and basic decency rule it out. Every story on this hub is a composite: the attack pattern, the cost shape, the recovery timeline, and the owner's wished-they-had-done-first list are all drawn from real engagements, but industry, region, revenue, and personal details have been changed enough that no individual client is identifiable.
Where ranges are involved, we picked specific numbers inside the typical EFROS engagement range rather than averaging. Real incidents do not average — they spike. The dollar amounts here are realistic for a single event in the profile described. Your case will differ.
If you want the unredacted version: book a 20-minute call. Under NDA we walk through the actual engagement timelines, including the parts that never make it into a marketing page.
Three quick ways to find out where you stand
None of these will sell you anything. They give you a private number for your own use — and the same numbers we run before scoping an engagement.
Names, locations, industries, and identifying details have been changed. Stories are composite cases drawn from EFROS engagements. Numbers represent typical ranges; specific incidents vary. Nothing on this page is legal advice.