When it hits, we're already there.

The six-phase IR lifecycle

Every incident we handle runs through the phased lifecycle documented in NIST SP 800-61 Computer Security Incident Handling Guide. This isn't academic. Every phase has its own success criteria, its own typical failure modes, and its own handoff to the next phase. The phases below map directly to the playbooks we execute in production.

Pre-authorized containment: the 15-minute rule

The single biggest operational lever on incident outcomes is pre-authorized containment. The typical MSSP approval flow (alert fires, analyst reviews, ticket to client, client approves, action executes) takes 45-90 minutes in the 2 AM reality. Ransomware runtime from initial access to full encryption on mid-market estates is typically 60-120 minutes. The math doesn't work.

We pre-authorize containment actions at contract signing within an agreed scope. EDR host isolation, privileged account disable, token revocation, network segmentation enforcement, and specific other actions execute without approval when detection conditions match. The client signs the runbook once, we execute on detection. Median MTTC on our operation is under 15 minutes, because the approval loop isn't there. The client retains the ability to revoke pre-authorization at any time. For actions outside pre-authorized scope, explicit approval still happens.

Playbooks for the scenarios that actually happen

Most IR programs have generic playbooks that don't match what incidents look like in practice. We maintain scenario-specific playbooks for the incident types that drive most of our actual response volume, with the steps, decisions, and evidence requirements documented for each.

Forensic preservation and chain of custody

Every incident produces evidence. Whether that evidence holds up in regulatory proceedings, litigation, or insurance negotiations depends on how it was preserved. We preserve memory, disk images, and log extractions under documented chain of custody from the moment an incident is declared. Forensic-grade acquisition uses write-blockers on physical drives, volatility frameworks for memory analysis, and hash verification at every handoff. Evidence that can't survive an adversarial legal challenge isn't useful evidence.

The technical practice aligns with ISO/IEC 27037 (identification, collection, acquisition, and preservation of digital evidence) and NIST CFTT tool validation for the acquisition tools used. Our forensic analysts hold GCFA, GCFE, EnCE, and CCE credentials.

Breach notification and regulator coordination

Breach notification is the part of IR that ends up in lawsuits when it's done wrong. The regulatory landscape is now dense: HIPAA breach notification rule for healthcare, state AG notification under 50-plus state breach laws, SEC 8-K material cybersecurity incident disclosure for public companies, GDPR 72-hour notification for EU data subjects, industry-specific regulator rules (FFIEC for banks, NYDFS Part 500 for NY-regulated financial institutions, FTC Safeguards for financial services), and increasingly sector-specific obligations under CISA's critical infrastructure framework.

We maintain the notification playbook as a live document per client, mapping which incident types trigger which notifications, on what timelines, to which authorities, with what content requirements. When an incident is declared, the notification decisions surface in the first 24 hours with documentation ready for breach counsel review. The CISA incident response guidance and the FBI IC3 reporting portal are part of the standard flow when law enforcement referral is appropriate.

IR retainer structure

An IR retainer converts incident response from a crisis procurement exercise into a ready capability. Retainer clients get guaranteed response SLAs, on-site support within 24 hours, pre-authorized containment, and the integration with MDR and SIEM operations that lets us engage within minutes rather than hours. The retainer fee covers guaranteed availability; actual incident-hour billing happens at a pre-agreed rate on the rare occasion a retainer client hits an incident.

Retainer hours not consumed by incidents roll over quarterly into tabletop exercises, playbook updates, detection engineering contributions, and the tabletop-to-production feedback loop that makes the response program stronger over time. Clients who engage us on an IR-only basis without an existing MDR relationship typically add MDR within the first year, because the preparation-through-recovery cycle works substantially better when the same team that responds also operates the detection layer.

How this integrates with the rest of the security program

Incident response doesn't live in isolation. It connects to detection (via our managed detection and response and SOC as a service practices), to detection engineering (our managed SIEM team tunes rules against lessons learned from incidents), to executive security leadership (our vCISO service handles board-level communications during and after material incidents), and to strategic architecture (our Zero Trust implementation reduces the attack surface that generates incidents in the first place).

The practical benefit of running all of these under one contract is that incidents don't get stuck in handoffs between vendors at 3 AM. One team owns detection, containment, forensics, leadership communication, and the post-incident control strengthening. For the case-study view of how this plays out in regulated environments, see the financial services SOC 2 case study and the healthcare HIPAA migration case study.

Related reading

• Ransomware response playbook (blog) — hour-by-hour through the first 24 hours of a ransomware incident.
• Top cybersecurity threats 2026 — the threat landscape that drives incident volume.
• Zero Trust architecture — the prevention layer that reduces incident frequency.
• Managed Detection and Response — the detection layer that feeds incident response.

Frequently asked questions