When the attack has already happened,
what matters is knowing exactly what occurred.
Containment, forensic analysis, full report and recommendations to prevent it happening again. Activated when you need it. No upfront hour packages that you hope you'll never use.
Nobody wants to pay for something they hope
they'll never need.
Most companies offering incident response sell a bank of days. Ten hours, twenty hours — paid upfront, drawn down every time something happens.
The problem is that if nothing happens, those hours expire or renew. And if something serious does happen, ten hours aren't enough and you have to buy more — at the worst possible moment, when you're already in the middle of an incident.
- Bank of hours purchased before anything happens
- If you don't use it, you lose it or renew it
- If the incident is serious, the hours run out
- Hourly rate at the worst possible moment
- A one-off activation fee to have the service available
- Zero additional cost if nothing happens
- Per-incident pricing — not per hour, not upfront
- Cost agreed before anything happens, without urgency
One activation fee.
The rest, only if you need it.
No annual day renewals, no volume commitments. Covered from the moment you sign.
We don't just put out the fire.
We analyse why it burned.
Containment stops the attack. Forensic analysis answers the questions that matter afterwards: how they got in, when they got in, what they did while they were inside, and what they left behind.
Without that information, the incident is closed but the problem remains open. Most companies that suffer a ransomware attack suffer another within twelve months — because they patched the visible hole but didn't find the real one.
- Entry vector — how they accessed your systems
- Attack timeline — what happened, in what order, how long they'd been inside
- Scope — which systems were affected and to what extent
- Compromised data — what information was exposed, if it can be determined
- Concrete recommendations — what needs to change to prevent it happening again
First stop the attack.
Then understand what happened.
If you have EDR contracted with us, containment is already covered — the system automatically isolates compromised endpoints and our engineers manage the response from the very first moment.
If you don't have EDR, the first phase is evaluating how to contain the incident based on the specific case. There's no standard response because no two incidents are the same — but the goal is always the same: stop propagation before starting the analysis.
If you already have the SOC,
the analysis is faster.
You don't need to be a SOC client to contract incident response coverage. It's available for any company.
That said, if you already have the managed SOC with us, we know your infrastructure, we have access to your historical logs and the forensic analysis is more complete and faster. The SIEM has already been recording what was happening — the forensics start from there.
See Managed SOC →Better to arrange it before you need it.
Tell us how your security is set up right now. An engineer will explain how the service fits your situation and what it would cost if an incident occurred — without urgency, without already being in the middle of one.