When an incident is discovered, uncertainty is often the biggest challenge: Where is the attacker? What do they have access to? What are they after?
- < 6 h: From escalation to prioritised action plan
- 100 %: Logs and evidence preserved before eradication
- 1: Joint call with clear roles from the start
Structured mapping
By combining log analysis, threat intelligence, and experienced analysts, the scope of an incident can be narrowed faster, so actions are prioritised correctly.
Typical response flow
- Hour 0: Escalation and clarification. SOC and incident lead establish situational awareness: what we know, what must be verified, who owns decisions.
- Hours 1–4: Mapping and prioritisation. Attack vector and compromised accounts are identified; systems are prioritised by operational impact.
- Days 1–2: Containment and eradication. Actions are taken step by step with documentation, without losing evidence or worsening the situation.
- Afterwards: Follow-up and learning. A thorough report gives leadership a basis for investments that actually reduce risk going forward.
Safe handling
Containment and eradication happen step by step with documentation, so recovery can proceed without losing evidence or worsening the situation.
What the team prioritised
- Clarified scope and escalation with the customer and leadership before technical actions
- Mapped lateral movement and prioritised critical systems first
- Isolated compromised accounts without unnecessarily shutting down the whole environment
- Preserved logs and memory images for further analysis and possible police reporting
- Delivered written status and recommendations to leadership throughout
Follow-up
A thorough post-incident report gives leadership a basis for investments that actually reduce risk going forward.