04 Response

A retained team on the worst day of your year.

24/7 detection, response and digital forensics — on retainer, with a contractual response SLA and a named team. The point of an IR partner is that you do not negotiate one in the middle of a breach.

SLA: < 4 h critical
Coverage: 24 × 7 × 365
Forensics: GCFA · GREM · GCFE
Retainer: Hours bankable

01 Overview

Detection engineered for your environment — response prepared for your worst day.

Generic monitoring detects generic attacks. Real adversaries do not follow generic playbooks. We engineer detection for your specific stack, business processes and threat model — then we are the team on the bridge call when something goes wrong.

An Onidef IR retainer combines three capabilities. First, detection engineering: we author and tune the rules, queries and analytics that fire in your SIEM, EDR and cloud audit logs. Second, 24/7 monitoring with a tier-2 analyst on every alert. Third, a senior IR lead available within a contractual SLA when an alert becomes an incident.

The same retainer covers proactive work: tabletop exercises, ransomware preparedness, threat hunting, and DFIR-grade investigation when needed. Unused hours bank quarterly — we will not bill you for an idle quarter and we will not refuse the call in a busy one.

When an incident is declared, a named senior responder is on a bridge inside the SLA, with playbooks already mapped to your environment. Your team is not explaining the architecture for the first time at 03:00.

02 The incident lifecycle

From the first suspicious log entry to the post-mortem you read to your board.

We use a six-phase model adapted from NIST SP 800-61 and the work of FIRST.org. Every phase has a written runbook, a named owner, and an evidence trail.

01 · PREPARE: Preparation & readiness
    Runbooks, communication trees, evidence-handling procedures, contractual escalation paths and pre-authorised response actions — set up before any incident occurs.

02 · DETECT: Detection & triage
    Tuned detections fire into our SOC; an analyst correlates with context within minutes. False positives die quietly; real signal escalates instantly.

03 · CONTAIN: Containment
    Within the SLA, a senior responder is on the bridge with you. We isolate affected systems, preserve evidence, and freeze the blast radius — without unnecessary disruption.

04 · ERADICATE: Eradication & forensics
    Root-cause analysis with court-admissible evidence handling. We find every foothold, every persistence mechanism, every staging artefact — and we document the chain of custody.

05 · RECOVER: Recovery & restoration
    A sequenced restoration plan: which systems come back first, in what trust state, with what monitoring uplift. Coordinated with your engineering, business and legal teams.

06 · LEARN: Post-incident & hardening
    A written post-mortem — blameless, calibrated for the board, the regulator and the engineers. Followed by a hardening backlog scoped to prevent recurrence within the quarter.

03 Deliverables

What a retainer actually buys you — incident or no incident.

The retainer pays for capability you should never need to use most months. The output, in calm quarters, is preparedness; in loud quarters, response.

01 · Tuned detection content
    Authored rules, dashboards and analytic queries for your specific SIEM and EDR — versioned, tested, MITRE ATT&CK-mapped.

02 · Runbook library
    A library of incident playbooks (ransomware, BEC, credential theft, insider, cloud takeover, supply chain) tailored to your environment.

03 · 24/7 monitoring
    Tier-2 analysts on every alert. Hand-off to a senior responder within the SLA on any confirmed incident.

04 · DFIR investigations
    Memory, disk, cloud and email forensics with evidentiary chain of custody — usable in litigation, regulatory and insurance contexts.

05 · Tabletop exercises
    Two facilitated exercises per year — one technical, one executive. Findings tracked in a remediation backlog with named owners.

06 · Post-incident reporting
    Written narrative for board, regulator and engineering — calibrated for each audience, drafted by the responder who led the work.

04 Frequently asked

The questions every CISO and CTO asks before signing a retainer.

If yours is not here, write to us. We will answer it in writing within one business day.

What is the response SLA, and is it real?
Critical: 4 hours to a senior responder on the bridge, 24/7. High: 8 hours. The SLA is contractually committed with penalties, and our median over the last 36 months is well under one hour. It is real, and we will share recent SLA performance under NDA.
Can you respond if we are not already a client?
Yes, on a best-effort basis. Onboarding mid-incident is harder and slower, and capacity may be limited. If you suspect you are in an active incident, call our 24/7 line on the contact page. We will tell you in the first ten minutes whether we can take the job.
Do you work with our cyber-insurance carrier?
We are on the approved panel of several major underwriters in the EU and UK. If yours is unfamiliar, we will work directly with the broker — our reporting and forensic standards meet the bar for claim substantiation.
How is the retainer priced?
A flat monthly fee for SOC coverage and detection content, plus a quarterly bank of senior responder hours. Unused hours roll forward one quarter; overage is at a transparent rate, capped per incident. No hidden invoices.
Will you negotiate with ransomware operators on our behalf?
We do not negotiate with operators directly. We coordinate with a specialised negotiation firm we have worked with for years, and we manage the technical recovery in parallel. Payment is your decision, made with full information from us, your legal counsel and your insurer.
What if the incident requires regulator notification?
We draft the notification with you and your legal counsel — GDPR Article 33, NIS2 reporting, sector-specific obligations. The first version is on the table within hours of confirmation, not days.

Sign the retainer in peacetime, not at 03:00.

If you suspect you are in an incident now, call the 24/7 line on the contact page. Otherwise, book a 30-minute call and we will size a credible retainer for your environment.