Nerium specialises in Managed Detection & Response (MDR) and Incident Response (IR), the two core services the company provides. Cybersecurity editor Jan Meijroos speaks with Bob Hilgersom, co-founder of Nerium and responsible for Business Development.
What exactly does Managed Detection & Response entail?
Bob: ‘It’s a service where specialists monitor a customer’s systems and network 24/7 for cyberattacks, enabling rapid detection and response. We offer tailor-made solutions because every IT environment is different and faces distinct risks. For example, we build custom detection rules for client applications and implement honeytokens at strategic locations within systems to detect attackers early.’
‘If we detect suspicious activity, we can take immediate action based on a pre-agreed mandate. For instance, if we see an active attacker on your laptop, we can remotely isolate it and investigate further. Since we already have permission to act, we don’t need to waste valuable time waiting for approval—this prevents attackers from getting deeper into the system. Once the attacker is stopped, we provide recommendations to minimise the risk of recurrence.’
What does Nerium do in the field of Incident Response?
Bob: ‘We assist government organisations and businesses facing large-scale cybersecurity incidents. Think of a ransomware attack where an organisation is locked out of its own systems. We step in to limit the damage, investigate the root cause, and determine what data has been compromised to prevent future attacks.’
‘We also support organisations targeted by state-sponsored cyberattacks (e.g., from China, Iran, North Korea, or Russia), where the goal is espionage rather than financial gain. In such cases, we investigate what happened and how to prevent a repeat.’
What makes Nerium unique?
Bob: ‘Customers who use our MDR service receive Incident Response at no extra cost. We provide custom solutions—from detection rules to honeytokens—directly within the customer’s Microsoft tenant. This approach avoids vendor lock-in and ensures the client retains full control.’
‘We see cybersecurity as a shared responsibility: a well-designed MDR setup reduces risks and forces us to maintain high-quality standards. The better our protection, the fewer incidents we need to resolve.’
If Incident Response is needed, how do you handle it?
Bob: ‘We start with an assessment to determine the nature of the incident—whether it’s phishing, Business Email Compromise (BEC), or ransomware. Many issues can be resolved remotely, but for severe cases—or at the customer’s request—we deploy on-site. There, we form a crisis response team and take immediate action to contain the incident.’
Have you ever arrived too late—when a company has already suffered major damage?
Bob: ‘Yes, we regularly help organisations where operations have completely shut down due to an attack. However, this has never happened to a company that was already a customer of ours. Fortunately, we see fewer companies attempting to fix things themselves first, only seeking help when they’re in too deep.’
‘The fastest recovering businesses are those with a solid backup strategy. Even then, an investigation is crucial because attackers often linger inside networks for long periods and may reactivate backdoors once the backup is restored.’
Do you assist with negotiations and ransom payments?
Bob: ‘Yes. If a company decides to pay, it typically follows a three-step process:
- Sanctions check – ensuring the payment doesn’t violate international sanctions.
- Test transaction – sending a small amount (in Bitcoin) to verify the payment reaches the intended wallet.
- Final transaction – completing the full payment.
‘There are different negotiation tactics. If a company has a robust backup, we can negotiate more aggressively. As the investigation and recovery progress, the company’s bargaining position changes, and in some cases, payment can be avoided altogether.’
‘At the same time, attackers want to maintain their business model—if they take the ransom but still publish the stolen data, victims will be less likely to pay in the future.’
Why does Nerium handle these negotiations?
Bob: ‘Because we approach it rationally, without emotion. Plus, we know there’s always room to negotiate. Hackers initially demand high amounts, but through smart negotiations, we often reduce the ransom significantly.’
‘Negotiating also serves another purpose: buying time. While we engage the attackers, we investigate alternative recovery options and assess what exactly happened to the data. This can alter the negotiation strategy.’
Can you determine how an attack occurred?
Bob: ‘Yes, that’s part of our investigation. Our goal is to prevent similar future incidents and determine whether data was stolen and what exactly was compromised.’
The upcoming NIS2 directive aims to improve cybersecurity resilience and prevent cyberattacks. Is this an important development?
Bob: ‘Absolutely! But look at the history of seat belt laws—they became mandatory in 1975, yet it took 20 years before universal compliance. Today, it’s second nature. The same shift needs to happen with cybersecurity. Right now, there’s still too much voluntary compliance, but regulations like NIS2 force businesses to take responsibility.’
How do you encourage companies to take cybersecurity responsibility?
Bob: ‘Leadership and management must take charge—there’s still too little top-down cybersecurity policy. This leads to disconnects between IT teams and management, resulting in security gaps.’
‘If you truly want strong security, you need to establish clear agreements and foster mutual understanding between leadership and IT teams. That collaboration leads to better protection.’
There are different certifications, such as ISO 27001 for larger businesses and the NIS2 Quality Mark, which provides a more accessible option for SMEs. What’s your take on this?
Bob: ‘I think it’s great that there’s a middle ground. Not every company needs a heavy ISO certification.
‘For example, if a business remotely manages ventilation systems, it doesn’t necessarily need ISO 27001. But the NIS2 Quality Mark provides a manageable cybersecurity baseline with three levels: Basic, High, and Substantial. This allows businesses to demonstrate their cybersecurity commitment without diving into the complexities of ISO certification.’
Many companies view NIS2 as just ‘another set of regulations.’ How do you shift that mindset?
Bob: ‘It must come from the top down, and it’s a process. Executives and board members need to be held accountable. They must integrate security into their organisation. But if they don’t? That’s their risk.’
‘I often talk to municipalities—they want to improve cybersecurity, but if a budget-holding official doesn’t allocate funds, things fall apart. This is why awareness among policymakers and executives is crucial. Without executive buy-in, IT security remains an afterthought.’