Investigations & Cyber

Resolved. Wherever it leads.

Investigations & Cyber is the capability retained when the question requires a defensible record. The firm runs digital investigations, asset tracing across jurisdictions, cyber incident response, insider-threat investigations, counterintelligence, and investigative support to litigation and regulatory inquiries. Reports are written to a standard a regulator or counsel can rely on. Sources, methods, and analytic chains are documented and reconstructable. The firm operates under the privilege framework of the engaging counsel and reports to the engagement's named lead.

How we operate

Four engagement models. Privilege fixed at signing.

Project is a single piece of work against a fixed scope. Managed places sustained investigative or cyber capacity over a defined window under the firm's operation. Advisory covers program design and review for a client's own investigations or security function. Embedded integrates investigators or analysts with a client's permanent team for a fixed window. The privilege framework is set at signing under counsel's direction.

Sub-capabilities

Six lines. One reporting standard.

Sources are documented; analytic chains are reconstructable; conclusions are written to the standard the engaging counsel can rely on.

  • Digital Investigations

    Forensic acquisition under chain-of-custody, malware and intrusion analysis, and attribution to the standard a court will accept. A multinational principal retained the firm following a suspected exfiltration; the investigation reconstructed the intrusion across multiple systems on a single chain of custody.

  • Asset Tracing

    Beneficial-ownership reconstruction, corporate-structure mapping across opaque jurisdictions, and source-led inquiry where the public record is insufficient. A finance institution traced exposure across multiple jurisdictions to a counterparty structure not reflected in the original onboarding file.

  • Cyber Incident Response

    Stand-up of incident response capacity within hours. Triage and containment under live conditions, forensic acquisition, attribution, and post-incident hardening. The practice operates in parallel with the firm's intelligence and field functions where the incident has implications across the engagement.

  • Insider-Threat Investigations

    Behavioural indicator review, access-pattern analysis, and source-led inquiry under counsel's direction. Operates under a heightened confidentiality posture; the firm declines work where the engaging counterparty cannot demonstrate authority to commission it.

  • Counterintelligence

    Source-led counter-inquiry where a principal's organization, vendor, or counterparty has been compromised. Output is reported to the standard the engaging counsel can rely on under privilege and reconstruct under deposition.

  • Litigation & Regulatory Support

    Investigative support to litigation and regulatory inquiries. Sources, methods, and analytic chains are documented and reconstructable. Reports are written to the standard a regulator or counsel can rely on; the firm operates under the privilege framework of the engaging counsel.

Discretion is the engagement. The findings are for the client.
Director of Investigations, Americas
Where this capability is engaged

Across every market the firm serves.

The capability is retained for asset tracing, counterparty integrity, digital investigations, and counterintelligence work across sovereign, financial, infrastructure, and program markets.

Engagement lifecycle

Four phases. One privileged record.

  • Phase I

    Privilege and mandate

    The engaging counsel sets the privilege framework. Mandate, scope, named engagement lead, and reporting standard are documented before any acquisition or inquiry begins. The firm declines work where authority to commission cannot be demonstrated.

  • Phase II

    Pre-engagement diligence

    Investigators, analysts, and cyber engineers are cleared against the firm's four-tier screening standard. Counterparty diligence is completed before any external approach is made. Sources, methods, and the analytic chain are scoped to the standard the deliverable will be tabled at.

  • Phase III

    Investigation and analysis

    Forensic acquisition runs under chain-of-custody. Source-led inquiry runs under counsel's direction. Attribution and analytic chain are reconstructed to the standard a court will accept. Disagreement inside the team is documented before any conclusion is tabled.

  • Phase IV

    Reporting and hardened posture

    Output is drafted to counsel's framework under privilege. Where the engagement closes with a hardened posture, controls, monitoring, and reporting cadence are documented for the client's compliance function and reviewable at the next engagement window.

How we vet ourselves

Investigators under the same standard as operators.

Every investigator and forensic specialist clears the firm's four-tier screening before any tasking: identity verification against jurisdictional documents; background screening per local jurisdiction with the firm's compliance function as the residual check; professional history reconstructed under reference; and continuous monitoring across the specialist's standing tenure. The privilege framework belongs to the engaging counsel; the screening standard belongs to the firm.

Selected outcomes

Anonymized. Illustrative. Verifiable in confidence.

Outcome 01

A multinational principal closed a regulatory inquiry on a hardened posture.

A multinational principal retained the firm following a suspected data exfiltration. The investigation reconstructed the intrusion across multiple systems on a single chain of custody, supported counsel through a regulatory inquiry, and closed with a hardened posture documented for board review. The privilege framework held across the engagement.

Outcome 02

A finance institution traced exposure across multiple opaque jurisdictions.

A finance institution traced asset exposure across multiple opaque jurisdictions to a counterparty structure not reflected in the original onboarding. The recovery action proceeded on the documentary record produced by the firm; counsel cited the chain-of-custody framework in pleadings. The engagement closed inside the contracted window.

Outcome 03

A national authority documented a hostile-interest picture across premises and personnel.

A national authority commissioned a counterintelligence engagement against a hostile-interest picture across multiple premises and personnel. Surveillance-detection and communications-hygiene work documented findings reviewable by the principal's compliance function and successor administrations. The engagement closed under counsel's privilege framework.

Begin

Where it leads.

Investigative engagements begin with a scoping conversation, conducted under counsel's privilege framework, followed by an engagement letter before work commences.