Question 1

What is the four-hour first-response SLA actually about?

Accepted Answer

On retainer activation, a senior incident responder is on a live call with you within four hours. By "first response" we mean the start of triage and a live communication channel — not full containment, which depends on what is happening. The four-hour clock is a firm contractual commitment under retainer, day or night.

Question 2

Why no SLA without a retainer?

Accepted Answer

Without a retainer, we have no pre-agreed access to your environment, no contact tree, no evidence-handling procedures, and no IR plan we have reviewed. A "no-retainer" engagement starts from a phone call from someone we have never spoken to. We can still help — many of our IR engagements are ad-hoc — but we will not promise a four-hour clock when the first hour will be spent setting up access. We are honest about that on the page.

Question 3

Do you offer 24/7 IR cover?

Accepted Answer

The retainer SLA is twenty-four-seven for first response. We do not market the IR service as a 24/7 staffed function in the way a SOC is — those are different operating models. If you need continuous monitoring with in-band response, look at SOC as a Service, which then escalates to the IR team when something exceeds SOC scope.

Question 4

How does an IR engagement satisfy PCI DSS Requirement 12.10?

Accepted Answer

Requirement 12.10 covers the maintenance and execution of an incident response plan. The retainer setup produces the documented plan; the tabletop exercise demonstrates rehearsal; an actual engagement produces the post-incident report. All three are evidence. Because we are also a QSAC, the report format matches what the assessor will expect to see.

Question 5

What about UK GDPR breach notification?

Accepted Answer

Article 33 of the UK GDPR requires notification to the ICO within 72 hours of becoming aware of a personal-data breach, where the breach is likely to result in risk to data subjects. Our IR engagements are structured to give you a defensible position by the 72-hour mark — what data was affected, how, and what you have done. We work with your legal counsel on the notification itself; we do not draft regulatory submissions on your behalf.

Question 6

What types of incident do you cover?

Accepted Answer

Ransomware, business email compromise (BEC), insider threats, malware outbreaks, unauthorised access, data breaches, denial-of-service incidents. The methodology is the same across types — what changes is the playbook content and the specialist skills involved.

Question 7

Will you do digital forensics work?

Accepted Answer

Yes — forensic acquisition and analysis are part of the IR engagement where they are warranted. Chain of custody is documented from the moment we engage. The old /services/digital-forensics URL now redirects to this page because forensics is integrated into the IR service rather than sold separately.

Question 8

How long does a typical engagement run?

Accepted Answer

There is no typical answer because incidents differ, but two markers matter. Active response (containment and eradication) typically runs days to a few weeks. The full engagement including recovery, lessons learned, and any forensic write-up usually closes inside two to four weeks post-incident. Anything substantially longer is unusual and is normally driven by regulatory or litigation work, not the IR itself.

Question 9

What does the post-incident report cover?

Accepted Answer

Timeline of events, scope and impact assessment, root cause, what was contained and how, evidence handling, communications log, and prioritised follow-up actions. The report is structured to be readable by board members, auditors and regulators — not just by the security team. We deliberately do not pad it with generic "lessons" that do not apply to your environment.

Question 10

Can you handle a tabletop exercise without an active incident?

Accepted Answer

Yes. Tabletops are the cheapest IR investment most organisations can make. We facilitate scenario-based exercises for leadership, technical responders, or both. Output is a written report with prioritised improvement actions. Half-day or full-day options. Annual cadence is the right baseline for most organisations.

Incident response, on retainer or on call.

What we mean by incident response

How we engage

IR retainer

Per-engagement IR

IR plan & playbook authoring

Tabletop exercises

How an engagement runs

Scoping call

Retainer setup

Activation

Containment & eradication

Closure & lessons learned

The six IR phases

Why 1 Sequence Cyber

Standards-aligned, not improvised

Same firm that runs the audit

Frequently asked questions

Need IR cover?