Incident Response
Technical response to security incidents — from containment to recovery
Incident Response helps you analyze, contain, and recover from security incidents — from the first signs of compromise to structured remediation.
Goal: stop lateral spread, identify the entry point, assess data exposure, and restore operations in a controlled way.
- Rapid containment: stop active spread and stabilize affected systems.
- Forensics-first: entry point, timeline and evidence — not just cleanup.
- Clear remediation: concrete recovery and hardening steps for your teams.
Immediate Actions (preserve evidence)
- Do not rebuild systems or delete data (preserve evidence)
- Isolate networks instead of powering off (unless imminent risk)
- Secure admin credentials and enforce MFA
- Preserve alerts and logs (EDR, SIEM, Cloud, M365)
- Assign Incident Lead + decision maker
- Report the incident before uncoordinated actions start
When is Incident Response relevant?
- Suspected account, server or cloud compromise
- Ransomware or malware detections
- Unusual logins or possible data exfiltration
- Security alerts from EDR / SIEM / MDR
- Regulatory pressure (GDPR / NIS2)
- Root cause unclear
- Partial visibility
- Operational pressure
- Too many alerts, too little certainty
Process Overview
- Stabilize
- Stop spread
- Root cause
- Restore safely
- Prevent recurrence
Typical Technical Scope
- EDR (Defender, CrowdStrike, SentinelOne)
- M365 / Entra ID sign-ins, Unified Audit Log
- AWS CloudTrail / GuardDuty
- Azure Activity Logs
- Firewall / VPN / proxy logs
- Active Directory security events
- Kubernetes audit logs (if applicable)
- Endpoint and server forensics
- IAM analysis & access paths
- Persistence mechanisms
- Data exfiltration risk assessment
- Remediation guidance
- Documentation for management & data protection
What to Prepare
If possible immediately
- Alert screenshots / exports
- Short timeline (“since when / what observed”)
- Known affected systems or accounts
- Actions already taken (password resets, rules changed)
If available
- SIEM / EDR / Cloud access
- Asset inventory / network overview
- Data protection / legal contacts
- Decision maker with authority
Deliverables
- Executive Summary: management-level risk overview.
- Technical Timeline: what happened when.
- Forensic Findings: entry point, persistence.
- Remediation Plan: concrete recovery steps.
Typical Costs
€2k+
€8k+
€5k+
- Number of systems
- Log quality
- Cloud / hybrid complexity
- Night / weekend response
- Retest / verification
Provider Scorecard
Good signs
- Forensics-first approach
- Daily communication cadence
- Dedicated Incident Lead
- Evidence handling / chain of custody
- Final report + action plan
- GDPR / NIS2 awareness
Warning signs
- Immediate rebuild
- No evidence preservation
- Only AV scans
- No formal Rules of Engagement
- Unclear ownership
Common Incident Mistakes
- Rebuilding systems too early
- Password resets without root cause
- No clear incident ownership
- Missing documentation
- Delayed communication
Legal & Data Protection
We support technical documentation for management and data protection, evidence preservation, and extraction of facts relevant for notification decisions.
(No legal advice — technical foundations only.)
FAQ
Should we reset passwords immediately?
Yes — but coordinated. Uncontrolled changes can destroy indicators.
Should we power off systems?
Usually isolate networks instead. Power-off only in acute danger.
How fast can you start?
Typically within 1–2 business days depending on availability.
Do we need to notify authorities (GDPR/NIS2)?
Possibly. We provide technical facts to support your decision.
Can you work with our MDR / IT provider?
Yes — collaboration is common and recommended.
Will we receive a final report?
Yes — including executive summary and technical details.
Related
- Managed Detection & Response
- Vulnerability Management
- Penetration Testing
- Guide: When is Incident Response needed?
Request Incident Response
If you’re unsure whether this is a real incident: briefly describe your situation — we’ll help assess.