Incident Response Support
When something goes wrong — ransomware, account takeover, wire fraud — every minute matters. We're on call 24/7 with named responders who already know your environment, so containment starts in minutes, not days.
Why Retained IR Beats Emergency IR Every Time
The worst time to interview an incident responder is during an incident. Yet most SMBs find themselves doing exactly that — calling around at 3am trying to find someone who can help, paying premium emergency rates, and watching response time creep into hours while the attacker continues lateral movement.
A retained IR relationship inverts the dynamic. The responder already knows your environment, your stack, your insurance carrier, and your runbooks. The first hour — which is when containment matters most — runs against a prepared playbook, not a discovery call.
Cyber insurance carriers know this too. Most modern policies explicitly require a pre-arranged IR plan and reduce coverage significantly when one doesn't exist. The retainer pays for itself in lower premiums before you ever use it.
- 24/7 availability — every hour, every day
- <15 min P1 acknowledgement SLA
- <1 hr first containment action for P1
What's Included
Preparation, response, recovery, and reporting — under one retainer.
The Six-Phase Response Process
A documented playbook, executed under pressure.
Prepare
Before any incident, we document your environment, build runbooks, agree on contact lists, run a tabletop exercise, and confirm coordination with your insurer.
Detect
Detection comes from our SOC monitoring, your alarms, customer complaints, or external notification (insurance carrier, law enforcement, partner).
Contain
Within minutes, we isolate affected systems, revoke sessions and tokens, block attacker accounts, and stop lateral movement. The goal is to stop the bleeding fast.
Eradicate
Identify and remove the root cause: malicious binaries, persistence mechanisms, web shells, attacker accounts. Confirm clean state before recovery.
Recover
Rebuild compromised systems, restore from verified-clean backups, reset credentials at scale, monitor for re-infection during the 2-week post-incident window.
Report
Written post-incident report for insurance, regulators, and leadership. Lessons-learned session. Updates to runbooks, controls, and training.
When to Pick Up the Phone
Nine scenarios that should trigger an immediate call. When in doubt, call anyway.
Reactive vs Retained IR
The economics of being prepared.
| Dimension | Reactive (No Retainer) | Kapacyber Retainer |
|---|---|---|
| When you call | After damage is done | At first sign of trouble |
| Hourly rate | $500–$1,000/hour emergency | Included in monthly |
| Familiarity with your environment | Zero — starts from scratch | Full — runbooks, asset map, contact list ready |
| Time to first containment action | Hours to days | Under 1 hour for P1 |
| Insurance coordination | You manage it | We coordinate directly with carrier |
| Tabletop exercises | None | Annual |
| Outcome quality | Variable, often messy | Repeatable, documented |
Built For
- Businesses where a multi-day outage would cause material harm
- Cyber-insured companies (most insurers require a retainer)
- Regulated industries with breach-notification timelines
- Companies that have experienced or narrowly avoided an incident
- Any business handling payment, health, or financial data
Not Built For
- Already-breached companies (we offer separate emergency engagements)
- Solo consultancies with no infrastructure to respond to
Related Reading
- Incident Response: The First 24 Hours After a Breach. Step-by-step playbook for the worst day.
- Threat Alert: Lessons from the CDK Global Ransomware Attack. What dealers lost and the controls that change the next outcome.
- Compliance: Cyber Insurance Is Getting Harder to Get. What insurers now require — including IR.
- Threat Alert: Business Email Compromise: The $50B Threat. How BEC happens and how to respond.
Frequently Asked Questions
What counts as a security incident?
Anything that suggests an attacker has access or has tried to: a successful phishing click, suspicious sign-in from an unusual location, malware detection that fired, ransomware activity, unusual outbound traffic, unauthorised admin changes, lost laptop with company data, or a customer reporting fraud that involves you. When in doubt, call.
Do I need an IR retainer if I have cyber insurance?
Yes — and your insurer probably requires it. Cyber insurance pays out for incident costs but doesn't actually do the response. You still need a pre-arranged responder. Many policies offer a panel of approved IR firms; we coordinate directly with your insurer when needed.
What does response time really look like?
P1 incidents (active ransomware, confirmed compromise): under 15 minutes to acknowledgement, under 1 hour to containment actions. P2 (suspicious but not confirmed): 1-hour acknowledgement, 4-hour investigation. We commit these SLAs in the contract.
Can you handle a breach if you weren't our MSSP beforehand?
Yes — we offer emergency IR engagements at a premium rate. But the cheapest IR work is the work done before an incident: tabletop exercises, runbooks, contact lists, backup tests. An ongoing retainer always beats emergency response.
What do you do during an active ransomware attack?
Containment first: isolate affected devices, revoke sessions, kill the lateral-movement paths. Then preservation (forensic snapshots), eradication (remove the threat), recovery (restore from clean backups), and a written post-incident report for insurance and regulatory needs.
The Cheapest IR Hour You'll Ever Buy Is Before You Need It
Free assessment. We'll review your current readiness — runbooks, insurance, contact lists, backups — and tell you where the gaps sit.