Incident Response
ThreatDefence provides a 24/7 Incident Response (IR) service that guarantees the availability of qualified Digital Forensics and Incident Response (DFIR) personnel.
The service covers:
Containment actions such as isolating affected endpoints or accounts.
Forensic investigation to determine the nature and scope of the incident.
Remediation support to restore affected systems and services.
The DFIR team works in coordination with the SOC to ensure incidents are logged, classified, and managed consistently. Detailed evidence is collected to support both technical resolution and post-incident review.
This approach is designed to:
Minimise disruption.
Reduce the likelihood of recurrence.
Ensure a complete record of the incident and response is maintained.
Engaging the 24/7 Incident Response Team
For urgent incidents, the Customer must immediately call the 24/7 SOC hotline. This ensures direct escalation to on-duty analysts and immediate triage.
Customers will receive a response within 30 minutes of ThreatDefence confirming that the activity constitutes a high-severity security incident.
A “security incident” is defined as an incident ticket comprising an event or group of events deemed high severity by the SOC.
Automatically created incident tickets (via correlation technology) or events deemed low severity will not be escalated but will remain visible for reporting through the platform.
Communication During an Incident
During a major incident, customers should avoid using their standard corporate ICT systems for communications, as they may be compromised or under investigation. ThreatDefence will provide out-of-band communication channels to ensure uninterrupted collaboration with our security engineers and responders.
Services Provided During a Critical Security Incident
Service Management: a dedicated Incident Coordinator is assigned to manage the response.
24/7 Incident Response Line: customers can contact our IR team on a dedicated hotline.
Live Videoconference: a conference bridge is opened for continuous incident collaboration.
Secure IM Channel: set up by the SOC team if additional communication is required.
Sample Incident Response Scenario
The following example illustrates a typical sequence of activities during a high-severity incident. Actual timelines may vary depending on severity and complexity, but SLA commitments are noted where applicable.
| Step | Phase | Activities | Timing |
|---|---|---|---|
| 1 | Preparation | Escalation contacts documented, isolation actions approved, customer has reviewed the Operations Manual. | Prior to incident |
| 2 | Signal Analysis | Security events recorded in the platform. Alert detected and correlated. | T (time of detection) |
| 3 | Detection & Analysis | SOC triages the alert. Initial analyst review conducted. | Within 15 minutes for high-severity incidents (SLA); typically faster |
| 4 | Incident Declaration & Escalation | Activity classified as an incident. Initial email escalation sent to the Customer. | Within 5 minutes |
| 5 | Containment | SOC executes containment (e.g., disabling a compromised Microsoft 365 account) if authorized. | As applicable |
| 6 | Phone Escalation | Direct phone call to Customer contacts per the Escalation Contact Order. | Within 5 minutes |
| 7 | Response Coordination | Incident Coordinator appointed. Live conference bridge established. | Within 5 minutes |
| 8 | Response Plan | Situational response plan developed. | Within 4 hours (SLA); typically 30–60 minutes |
| 9 | Eradication & Recovery | Investigation continues. Updates provided. Recovery actions carried out. | Ongoing until resolution |
| 10 | Post-Incident Activities | Delivery of the post-incident report. Post-incident review scheduled. | After recovery |