KeenSafe
Defensive · Incident Response

Incident response — retainer + emergency, with platform-backed evidence

Retainer-backed IR with KeenSafe-derived attack-path evidence to accelerate scoping, containment and lessons-learned. Emergency response within named SLAs.

The problem

Where teams get stuck

Incident response without attack-path context is reactive archaeology. Teams chase alerts, miss adjacent compromised assets, and close incidents without knowing whether the original entry path is still open.

The KeenSafe approach

How we engage

KeenSafe IR uses the same platform engine that finds attack paths offensively to scope incidents — within hours we know which assets are compromised, which paths are still open, and what containment will actually close them. Retainer clients also receive proactive readiness exercises and run-books.

Methodology

Four-step engagement model

Same rigour every engagement, calibrated to your environment, threat model and regulatory exposure.

STEP 01

Triage & scoping

Initial telemetry collection, IOC pivoting, attack-path reconstruction within hours.

STEP 02

Containment

Identity, endpoint and network containment guided by validated attack-path evidence.

STEP 03

Eradication & recovery

Persistence cleanup, identity reset, control rebuild — verified by re-running the attack path.

STEP 04

Lessons learned

Detection gaps, control gaps and process gaps captured with measurable follow-up.
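The triage step above pivots from a seed indicator to the adjacent assets and the entry path. The block below is an added, deliberately simplified illustration of that pivot written for this page; it is not KeenSafe's attack-path engine. It runs over constructed sample events (the hostnames, IPs and accounts are made up), walks forward from one confirmed-compromised host to everything it and its descendants touched after compromise, walks backward to the ingress, and reports the assets to contain and the accounts to reset. The only assumption is that RFC 1918 ranges and bare hostnames are the customer estate and everything else is external.

```python
"""Seed-IOC pivot over constructed telemetry (added example, not KeenSafe code).
Forward walk = what the seed host reached after its compromise time.
Backward walk = the chain of inbound hops that reached the seed (the ingress)."""
import ipaddress
from collections import defaultdict

# Constructed sample events, not real data: (timestamp, type, src, dst, detail).
EVENTS = [
    ("2024-05-01T08:02:10Z", "vpn_login", "203.0.113.7",  "vpn-gw",      "user=j.doe"),
    ("2024-05-01T08:05:33Z", "logon",     "vpn-gw",       "ws-0412",     "user=j.doe type=10"),
    ("2024-05-01T08:41:02Z", "logon",     "ws-0412",      "fs-01",       "user=svc_backup type=3"),
    ("2024-05-01T09:10:45Z", "logon",     "ws-0412",      "dc-01",       "user=svc_backup type=3"),
    ("2024-05-01T09:12:07Z", "net_conn",  "dc-01",        "203.0.113.7", "dport=443"),
    ("2024-05-01T10:00:00Z", "logon",     "ws-0099",      "fs-01",       "user=a.smith type=3"),
    ("2024-05-02T07:30:00Z", "vpn_login", "198.51.100.9", "vpn-gw",      "user=a.smith"),
]

# Assumption for this example: the estate is RFC 1918 space plus named hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(name):
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False  # hostnames are treated as internal assets
    return not any(ip in net for net in INTERNAL_NETS)


def user_of(detail):
    for tok in detail.split():
        if tok.startswith("user="):
            return tok[5:]
    return None


def pivot(seed, seed_time, events=EVENTS):
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
        by_dst[ev[3]].append(ev)
    accounts = set()

    # Forward walk. Only edges at or after the source's compromise time are
    # followed, so ws-0099 (which merely used fs-01 later) is not over-scoped.
    first_seen = {seed: seed_time}
    stack = [seed]
    while stack:
        node = stack.pop()
        for ts, _kind, _src, dst, detail in by_src[node]:
            if ts < first_seen[node]:
                continue
            if (u := user_of(detail)):
                accounts.add(u)
            if dst not in first_seen or ts < first_seen[dst]:
                first_seen[dst] = ts
                stack.append(dst)

    # Backward walk: take the latest inbound hop before the current node's
    # compromise time, repeat until no earlier source exists.
    ingress = [seed]
    node, limit, seen = seed, seed_time, {seed}
    while True:
        inbound = [ev for ev in by_dst[node] if ev[0] <= limit and ev[2] not in seen]
        if not inbound:
            break
        ev = max(inbound, key=lambda e: e[0])
        if (u := user_of(ev[4])):
            accounts.add(u)
        node, limit = ev[2], ev[0]
        seen.add(node)
        ingress.insert(0, node)

    return {
        "compromised": sorted(n for n in first_seen if not is_external(n)),
        "external": sorted(n for n in first_seen if is_external(n)),
        "ingress": ingress,
        "accounts": sorted(accounts),
    }


if __name__ == "__main__":
    # Seed: EDR alert on ws-0412 at 08:40 UTC (constructed).
    print(pivot("ws-0412", "2024-05-01T08:40:00Z"))
```

With the constructed events the pivot scopes ws-0412, fs-01 and dc-01 as compromised, flags 203.0.113.7 as the external endpoint on both the ingress (VPN as j.doe) and the outbound connection from dc-01, and lists j.doe and svc_backup for reset. The containment point is that disabling j.doe alone leaves svc_backup's lateral access open, and isolating ws-0412 alone leaves the VPN ingress open; real telemetry needs the same time-ordered walk across identity, endpoint and network sources rather than a flat IOC match.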

What you get

Deliverables

Every engagement ships these outputs — reproducible, evidence-backed and ready for executives, engineers and auditors.

Named IR SLA

Retainer with a named first-responder SLA covering business hours and out-of-hours emergencies.

Attack-path scoping

Within hours we map every compromised asset and every still-open ingress.

Containment plan

Identity, endpoint, network and cloud containment guided by validated paths.

Lessons-learned report

Measurable follow-ups: detection engineering, hardening, run-book updates.

Scope of engagement

What this engagement covers

Concrete coverage. Clear boundaries. Optional add-on tracks where customers want to extend.

Included
  • Named IR retainer with 24×7 hotline (customers receive direct phone + Signal)
  • Initial-response SLA: hotline answered within 15 min, initial scoping call within 1h, on-call IR lead engaged within 4h
  • Triage + scoping using KeenSafe attack-path graph for instant context
  • Containment guidance across identity, endpoint, network, cloud
  • Forensic acquisition (memory, disk, network) performed without spoliation, with chain of custody preserved
  • Eradication validation: original attack path replayed after fix
  • Lessons-learned report with detection + hardening backlog
  • Regulator + insurer narrative drafting (GDPR / NIS2 / sectoral)
Optional add-ons
  • Cleared-personnel response (defence / government engagements)
  • Onsite physical presence within 24h for declared major incidents
  • Pre-incident readiness exercises (tabletop, threat-actor specific)
  • Insurance-led panel coordination (work with your insurer's panel)
  • Long-term forensic investigation extension
Out of scope
  • Routine 24×7 monitoring (covered by MDR / SOC service)
  • Legal counsel — we coordinate with, not replace, your legal team
  • Public-relations work — we provide technical narrative for your PR team
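
"Without spoliation" in the acquisition item above means that nothing alters the evidence between collection and analysis, and that you can prove it. The block below is an added example written for this page, not KeenSafe tooling: it hashes each acquired artefact at collection time, write-protects the file, records size, source, collector and UTC timestamp in a manifest, seals the manifest with an HMAC, and re-verifies everything later. The artefacts are constructed byte strings standing in for a memory image and a packet capture; the sealing key is a placeholder and the assumption is that it lives with the responder, outside the evidence store.

```python
"""Evidence-integrity manifest for forensic acquisition (added example,
not KeenSafe tooling). Hash at collection, write-protect, seal, re-verify."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Assumption: held by the responder, never stored beside the evidence, so
# someone who edits the manifest cannot re-seal it. Placeholder value.
SEAL_KEY = b"example-seal-key-replace-me"
CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never load into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_artefact(path, collector, source):
    """Hash and write-protect one artefact, returning its manifest entry."""
    digest = sha256_file(path)
    os.chmod(path, 0o444)  # read-only: an accidental edit now fails loudly
    return {"file": os.path.basename(path), "sha256": digest,
            "bytes": os.path.getsize(path), "source": source,
            "collector": collector,
            "collected_at": datetime.now(timezone.utc).isoformat()}


def _canonical(entries):
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal(entries):
    """Bind the entry list to the responder's key so edits to it are detectable."""
    mac = hmac.new(SEAL_KEY, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": mac}


def verify(manifest, evidence_dir):
    """Return a list of problems; an empty list means the evidence set is intact."""
    problems = []
    expected = hmac.new(SEAL_KEY, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        problems.append("manifest seal mismatch")
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.exists(path):
            problems.append(f"{e['file']}: missing")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"{e['file']}: hash mismatch")
    return problems


def demo():
    """Acquire two constructed artefacts, verify, simulate spoliation, verify again."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for a memory image and a pcap (not real captures).
        samples = {"memdump.raw": b"\x00" * 4096 + b"MZ fake-image",
                   "capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20}
        entries = []
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            entries.append(record_artefact(p, "responder-1", "host ws-0412"))
        manifest = seal(entries)
        clean = verify(manifest, d)

        # Spoliation: someone "tidies" the memory image after acquisition.
        p = os.path.join(d, "memdump.raw")
        os.chmod(p, 0o644)
        with open(p, "ab") as f:
            f.write(b"edited")
        tampered = verify(manifest, d)

        for name in samples:  # release write-protection so the temp dir can be removed
            os.chmod(os.path.join(d, name), 0o644)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is produced on the acquisition host at collection time, a copy goes to the case file, and the same verify step is re-run before analysis and again before anything is handed to a regulator or insurer; a hash mismatch or seal mismatch at any of those points is itself a finding that belongs in the forensic timeline.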
Engagement model

How we deliver

Duration
Retainer (annual) · emergency engagement (best-effort + onboarding fee)
Team
Senior IR lead + 2–4 responders + forensic specialist on demand
Format
Remote-first · onsite within 24h for declared major incidents · 24×7 hotline
Who it is for
  • Enterprises with crown-jewel data
  • NIS2 essential entities (regulator-facing IR)
  • Regulated industries with breach-notification obligations
  • Insured organisations with cyber-insurance retainer requirements
Sample report

What lands on your desk

Sections customers actually see in the engagement deliverable.

  01  Initial scoping report
  Within 4–8h of engagement start: known compromised assets, still-open ingress paths, immediate containment actions.

  02  Containment plan
  Identity, endpoint, network and cloud containment guided by validated attack-path evidence. Sequenced for safe execution.

  03  Forensic timeline
  Reconstructed adversary timeline from earliest evidence through containment, with every artefact preserved and its integrity recorded.

  04  Regulator narrative draft
  GDPR Article 33 (supervisory-authority notification within 72 hours of awareness) / NIS2 (24h early warning, 72h incident notification, final report within one month) / sectoral notification draft ready for your legal team to adapt.

  05  Lessons-learned report
  Detection gaps, control gaps, process gaps with measurable follow-up backlog.

Compliance mapping

Frameworks & regulations

  • ISO/IEC 27001 Annex A.16 (2013 edition; controls 5.24–5.28 in the 2022 edition)
  • NIS2 incident reporting
  • GDPR Art. 33
  • DORA major ICT-related incident reporting
Common questions

Frequently asked

Do you take live emergency calls?
Retainer customers get a named SLA and a 24×7 hotline. Non-retainer emergencies are accepted on a best-effort basis with onboarding fees.
Can you support GDPR breach reporting?
Yes — our IR output feeds the regulator-facing narrative and the technical evidence appendix expected by GDPR / NIS2 / sectoral regulators.
What does post-IR retesting look like?
After containment, we replay the original attack path through the platform to verify it is genuinely closed — not just patched in one spot.
Get Started

Work with the team behind KeenSafe

Continuous adversarial validation, managed security operations and executive-grade risk visibility — delivered by senior offensive security engineers.