Incident response

When it breaks. We respond. Within 1 hour.

Incident response plan (IR plan), emergency breach intervention, forensics, CNIL notification within 72h, rigorous post-mortem. NIS 2 preparation and crisis support.

  • IR plan documented & tested
  • Emergency intervention < 1 h
  • Forensics · log analysis · IOC
  • CNIL notification · breach response

The context

The first 24 hours determine total cost.

In 2026, it is no longer a question of "if" but "when". According to IBM Security 2025, 81% of companies suffered at least one security incident in the year. The average breach cost reaches $4.8M, but this cost varies enormously: companies with a tested IR plan, $1.8M; companies without a plan, $6.2M. The main factor is the first 24 hours.

Many teams discover only when it happens that they don't know what to do: who to call, how to isolate, how to preserve evidence, how to communicate, when to notify the CNIL (72 h, mandatory under GDPR). Improvisation = panic = costly decisions. The good news: it can be prepared for.

Our approach: an IR plan documented AND tested (quarterly tabletop exercises), a runbook per incident type (ransomware, data breach, compromised account, DDoS), a CNIL notification procedure ready to deploy, and a 24/7 retainer available for organisations without their own security team. When it breaks, we respond before panic sets in.

< 1 h

Intervention time

For retainer clients, 24/7. Initial mobilisation guaranteed.

72 h

CNIL notification

GDPR legal deadline strictly respected via a ready-made workflow.

$3.4M

Average saving

On breach cost for companies with tested IR plan

0

Improvisation

Every action documented in a runbook before the incident.

What we cover

Six types of IR missions.

From upfront preparation to crisis intervention, from forensics to post-mortem.

Plan

IR plan & runbooks

Prepare before it breaks.

Documented incident response plan: team, roles, communications, escalations, vendors. Runbooks per incident type (ransomware, data breach, compromised account, DDoS, web defacement). Internal and external communication templates. Tabletop exercises tested quarterly.

Emergency

Emergency intervention

24/7 retainer on request.

Immediate activation by call or email. Initial triage (severity, scope, impact). Isolation of compromised systems. Forensic evidence preservation. Coordination with your internal team and vendors (cloud, ISP).

Forensics

Forensics & investigation

Reconstruct the attack.

Log analysis (system, application, network, cloud). Complete incident timeline. Kill chain identification (entry point, lateral movement, exfiltration). Indicators of compromise (IOC) extracted. Chain-of-custody preservation for legal proceedings.

GDPR

CNIL & GDPR notification

Within 72h, ready to deploy.

Assessment of whether notification is required (Article 33 GDPR). Drafting of a compliant CNIL notification. Notification to data subjects where necessary (Article 34). Preparation for possible follow-up questions from the CNIL. Complete documentation preserved.
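The forensics and GDPR passages above describe the same working loop: turn raw logs into a dated timeline, map events onto the kill chain, pull out IOCs, hash the evidence for chain of custody, and compute the Article 33 deadline from the moment of awareness. The script below is an added example illustrating that loop; it is not the page's or the consultancy's own tooling. The log lines, the 100 MB egress threshold, the kill-chain stage labels and the awareness timestamp are all constructed for the demonstration, and the IP addresses come from RFC 5737 documentation ranges.

```python
"""Incident timeline, IOC extraction, Art. 33 deadline and evidence hashing.

Added example. The log excerpt, the stage labels, the egress threshold and
the awareness time are constructed for illustration; none is real data.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpt (documentation-range IPs, made-up hash): NOT real data.
SAMPLE_LOGS = """\
2026-03-02T08:12:41Z sshd[2210]: Failed password for admin from 203.0.113.45 port 51022 ssh2
2026-03-02T08:12:44Z sshd[2210]: Failed password for admin from 203.0.113.45 port 51023 ssh2
2026-03-02T08:13:02Z sshd[2231]: Accepted password for admin from 203.0.113.45 port 51030 ssh2
2026-03-02T08:15:19Z edr: process created /tmp/svc_update.bin sha256=3f786850e387550fdab836ed7e6dc881de23001b5e61b7b3dcbd4ab1a3e6cde0
2026-03-02T08:17:55Z firewall: outbound connection 10.0.4.17 -> 198.51.100.7:443 bytes=734003200
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
BYTES_RE = re.compile(r"bytes=(\d+)")

# Hypothetical threshold: an egress flow at least this large is flagged for exfil review.
EXFIL_BYTES = 100_000_000

# RFC 1918 ranges are "our side" of the incident and are not reported as IOCs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(message: str) -> str:
    """Map one log message to a simplified kill-chain stage (this example's own labels)."""
    if "Failed password" in message:
        return "initial_access_attempt"
    if "Accepted password" in message:
        return "initial_access"
    if "process created" in message:
        return "execution"
    m = BYTES_RE.search(message)
    if "outbound connection" in message and m:
        return "exfiltration_candidate" if int(m.group(1)) >= EXFIL_BYTES else "network_egress"
    return "other"


def build_timeline(log_text: str) -> list[dict]:
    """Parse timestamped lines into {time, stage, message} entries sorted by time."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a parseable timestamp are skipped, not guessed
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append({"time": ts, "stage": classify(m.group(2)), "message": m.group(2)})
    return sorted(entries, key=lambda e: e["time"])


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(log_text: str) -> dict[str, list[str]]:
    """Collect external IPv4 addresses and SHA-256 hashes, de-duplicated and sorted."""
    ips = {ip for ip in IPV4_RE.findall(log_text) if not is_internal(ip)}
    hashes = set(SHA256_RE.findall(log_text))
    return {"ipv4": sorted(ips), "sha256": sorted(hashes)}


def first_event(timeline: list[dict], stage: str) -> datetime | None:
    """Earliest timestamp at which the given stage appears (None if it never does)."""
    for e in timeline:
        if e["stage"] == stage:
            return e["time"]
    return None


def notification_deadline(aware_at: datetime) -> datetime:
    """GDPR Art. 33: notify the supervisory authority within 72 h of becoming aware."""
    return aware_at + timedelta(hours=72)


def evidence_hash(log_text: str) -> str:
    """SHA-256 over the raw evidence, recorded in the chain-of-custody register."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS)
    for e in tl:
        print(e["time"].isoformat(), e["stage"], "|", e["message"])
    print("IOCs:", extract_iocs(SAMPLE_LOGS))
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed awareness time
    print("Art. 33 deadline:", notification_deadline(aware).isoformat())
    print("Evidence SHA-256:", evidence_hash(SAMPLE_LOGS))
```

Two design points worth noting: the evidence hash is taken over the raw text before any parsing, so the register entry matches what was collected rather than what was interpreted; and the 72 h clock is started from the awareness time the responder records, not from the first timestamp in the logs, because the two can differ by days.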

Post-mortem

Post-mortem & lessons

So it doesn't happen again.

Blameless post-mortem. Root cause analysis (RCA). Prioritised list of corrective actions. IR plan and runbooks updated with the lessons learned. Internal sharing to raise team awareness.

Tabletop

Tabletop exercises

Test without risk.

Quarterly simulation exercises with your team. Realistic scenarios (ransomware, malicious ex-employee, compromised vendor, data breach). Response time measurement and weakness identification. Gaps documented for continuous improvement.

Our approach

Four phases: prepare, detect, react, learn.

Inspired by NIST SP 800-61 and the SANS framework, adapted to the operational reality of the organisations we support.

01 PHASE

Preparation (2-3 wks)

IR plan construction: team, roles, escalations, communications. Runbooks per incident type. Inventory of critical vendors (cloud, legal support, communications). Testing of notification channels (CNIL, team, clients).

IR plan + runbooks + contact sheet + communication templates

02 PHASE

Detection & alerting (1-2 wks)

SIEM/EDR alert configuration on critical indicators. Tuning to reduce false positives. PagerDuty/Slack integration so the right person is woken. Documentation of thresholds and the escalation procedure.

Tuned alerting + dashboards + escalation procedures

03 PHASE

Response (emergency intervention)

IR activation. Fast triage: severity, scope. Containment (isolate affected systems). Eradication (remove attacker access). Recovery (restore services properly). Continuous communication with your management.

Real-time intervention + daily report + post-incident report

04 PHASE

Learning (1-2 wks)

Blameless post-mortem with your team. Technical and organisational RCA. Prioritised list of corrective actions (immediate / 30 d / 90 d). IR plan and runbooks updated. Executive presentation.

Post-mortem + corrective actions + IR plan v2

Tools & frameworks

The tools we actually use.

A combination of SIEM/EDR tools, recognised IR frameworks, and tested communication templates.

SIEM & EDR

Datadog · Sentinel · Splunk · CrowdStrike · SentinelOne

Datadog if you already use it for APM. Sentinel for Azure accounts. Splunk in enterprise environments. CrowdStrike Falcon for modern endpoint protection. SentinelOne as a competitive alternative.

IR frameworks

NIST SP 800-61 · SANS PICERL · MITRE ATT&CK · ENISA

NIST SP 800-61 as the US standard method. SANS PICERL as the operational framework. MITRE ATT&CK to map the kill chain. ENISA for the European context and NIS 2.

Forensics

Volatility · Autopsy · Wireshark · ELK · Velociraptor

Volatility for memory forensics. Autopsy for disk analysis. Wireshark for network captures. ELK for log analysis. Velociraptor as a modern, performant endpoint collection tool.

Communications & coord

Slack · PagerDuty · OpsGenie · Statuspage · Notion

Slack/PagerDuty for alerting. OpsGenie as an alternative. Statuspage for external communications. Notion as the single source of truth during a crisis.

Threat intel

MISP · OpenCTI · VirusTotal · CrowdStrike Intel

MISP for IOC sharing. OpenCTI as an open-source CTI platform. VirusTotal for quick verification. CrowdStrike Intel (premium) if you are already a client.

Compliance & legal

CNIL · ANSSI · Cert-FR · CCN-CERT · NIS 2

CNIL for GDPR breach notification. ANSSI for advice and assistance in France. Cert-FR for national alerts. CCN-CERT as the Spanish equivalent. NIS 2, transposed in France in 2024.

Measurable guarantees

Four contractual commitments.

< 1 h

Mobilisation

For retainer clients: initial intervention within 1 business hour, within 4 h outside business hours.

72 h

CNIL notification

GDPR legal deadline strictly respected. Workflow and templates prepared in advance.

0

Improvisation

All actions documented in pre-tested runbooks. No panic-driven decisions.

100%

Post-mortem delivered

Every incident closed with complete post-mortem and prioritised corrective actions.

Pricing

Every project is unique. So is the quote.

Instead of abstract packages, we adapt to your context: scope, complexity, deadlines, constraints. Write to us in 3 sentences describing what you want to do, and we come back with a fixed quote within 48 business hours.

Response within 48 business hours. Request a quote