This work package provides organisations with expert support to prepare for, detect, respond to, and recover from cyber incidents. It combines Incident Response (IR), Digital Forensics (DF), and Crisis Management into a unified service that strengthens resilience, reduces business impact, and ensures regulatory and legal obligations are met.
The service is modular and can be delivered as a proactive readiness programme, a retained response service, or a post‑incident investigation engagement.
Establish a robust, repeatable Incident Response capability.
Provide expert digital forensics support to investigate cyber incidents.
Reduce the impact, duration, and cost of security breaches.
Ensure compliance with regulatory reporting and evidence‑handling requirements.
Strengthen organisational resilience through training, playbooks, and governance.
A complete IR framework aligned to NIST, ISO 27035, and industry best practice.
Clear visibility of root causes, attack vectors, and compromised assets.
Evidence‑based recommendations to prevent recurrence.
Improved detection, response, and recovery maturity.
Board‑ready reporting and communication artefacts.
Review of current IR capabilities, processes, and tooling.
Assessment of detection and monitoring coverage.
Gap analysis against NIST CSF, ISO 27035, and MITRE ATT&CK.
Maturity scoring and prioritised improvement roadmap.
Development of an IR framework covering:
Preparation
Detection & Analysis
Containment
Eradication
Recovery
Lessons Learned
Creation of tailored IR playbooks for:
Ransomware
Business Email Compromise (BEC)
Insider threat
Cloud compromise
DDoS
Data breach
Communication templates for executives, regulators, and customers.
Forensic imaging of endpoints, servers, cloud workloads, and mobile devices.
Chain‑of‑custody documentation.
Volatile memory capture and analysis.
File system, registry, and artefact analysis.
Malware analysis (static and behavioural).
Log correlation and timeline reconstruction.
Identification of persistence mechanisms, lateral movement, and exfiltration.
Evidentially sound reporting suitable for legal, regulatory, or HR processes.
Executive summaries for leadership and board audiences.
Rapid triage and scoping of the incident.
Containment strategy (short‑term and long‑term).
Threat eradication and environment hardening.
Recovery planning and support.
Coordination with legal, HR, communications, and third parties.
Regulator‑aligned breach reporting guidance.
Proactive threat hunting using MITRE ATT&CK techniques.
Identification of indicators of compromise (IOCs) and attacker behaviours.
Review of logs, telemetry, and endpoint data.
Recommendations for detection engineering and monitoring improvements.
Crisis management framework and escalation paths.
Executive and board‑level briefings during major incidents.
Decision support for containment, communication, and recovery.
Post‑incident workshops and resilience planning.
Tabletop exercises for executives and technical teams.
Hands‑on IR simulations for SOC and engineering teams.
Awareness training for business units.
After‑action reports and capability uplift plans.
Incident Response Readiness Assessment
IR Framework & Playbooks
Digital Forensics Report (technical + executive versions)
Compromise Assessment Report
Threat Hunting Findings
Crisis Management Framework
Post‑Incident Lessons Learned Report
Executive Board Pack
Retained Incident Response Service (SLA‑based)
24/7 On‑Call IR Support
Forensic Imaging Kits & Procedures
Detection Engineering Improvement Pack
IR Training & Simulation Programme
Initiation & Discovery (1–2 weeks)
IR Readiness Assessment (2–4 weeks)
Framework & Playbook Development (3–6 weeks)
Digital Forensics & Incident Response Support (as required)
Threat Hunting & Compromise Assessment (1–3 weeks)
Training, Exercises & Capability Uplift (ongoing)
Optional: Retained IR Service (annual subscription)
Lead Incident Response Consultant
Digital Forensics Specialist
Threat Hunter
Security Architect
Crisis Management Advisor
Project Manager
Fixed price for assessments, frameworks, and playbooks.
Time & materials for reactive IR and forensic investigations.
Subscription/retainer for ongoing IR readiness and rapid response.
Access to logs, systems, and SMEs during investigations.
Availability of monitoring and telemetry data.
Client engagement in crisis and IR workshops.
Legal and HR coordination for sensitive investigations.
Incomplete logs or telemetry → mitigated through enhanced detection engineering.
Delayed incident reporting → mitigated through training and clear escalation paths.
Evidence contamination → mitigated through strict forensic procedures.
Operational disruption → mitigated through phased containment and recovery planning.