When something breaks at 3am, a senior responder is already paged.
Pre-positioned IR retainer — senior responders on standby, runbooks pre-written, communication templates approved by your legal team. You pay a small monthly retainer; we pay attention so you don't lose hours figuring out who to call.
The worst time to figure out logistics for a breach or major incident is during the incident itself. An IR retainer means we already know your environment, have signed contracts in place, and can be in your war room within an hour.
- Signed IR retainer + DPA + NDA + indemnity letters (pre-incident)
- IR runbook tailored to your environment (top 5–10 scenarios)
- Communication templates: customer notice, regulatory notice, board update, internal staff
- Quarterly tabletop exercise with your exec + tech leads
- On-call senior responder reachable within 1 hour
- During incident: lead investigator, evidence preservation, containment, eradication, recovery
- Post-incident: forensic report + lessons learned + control gap fixes
- Optional: insurer + law-enforcement liaison
- SANS-aligned IR runbooks
- Velociraptor + GRR (DFIR)
- KAPE / Volatility (memory forensics)
- Carbon Black / CrowdStrike / SentinelOne live response
- Custom YARA rules + Sigma detections
- Encrypted comms (Signal + Matrix + age)
Environment walkthrough, contact tree, escalation paths, runbook writing.
Quarterly tabletops + monthly runbook reviews + asset/contact tree currency.
You page us, or our SOC detects the incident (if you are also a customer of our SOC).
Within 1 hour: lead responder online, war-room established, IR runbook activated, evidence preservation begins.
Stop the bleeding, evict the attacker, validate clean state.
Restore operations, lessons-learned writeup, control gap remediation plan.
- CERT-In 6-hour reporting (India)
- DPDPA breach notification
- GDPR Article 33 (72-hour)
- PCI-DSS Requirement 12.10
- Cyber insurance carrier requirements
IR Runbook v1 — your environment-specific playbook for the top 5–10 incident scenarios (ransomware, BEC, credential theft, data exfil, third-party breach, insider threat). Each scenario has detection signals, containment steps, comms templates, legal/regulatory clocks, and decision points clearly marked.
How fast can you actually be in our war room?
SLA: senior responder online within 1 hour of page. We staff IR-on-call 24×7 for retainer clients.
How is this priced?
Low monthly retainer (fixed) + hours used during incidents. Tabletops and runbook updates included in retainer.
Will you coordinate with our cyber insurer?
Yes — we have worked with most major Indian and global carriers. We can interface directly with the panel-counsel assigned to your claim.
What about CERT-In 6-hour reporting?
Built into the runbook. The clock starts at first detection; the draft report is templated; we get you to compliance within the window.