Abstract blue network of connected light trails

Home / IT Security / Incident Response

The plan you write calmly decides the night you cannot.

Preparation, containment, eradication and recovery — aligned to NIST SP 800-61r3. Rehearsed before the incident, executed during it.

What this is

Two things, and honest firms sell both: readiness before, and response during.

Nobody makes good decisions at 3 a.m. with the database encrypted. The decisions have to already exist.

Incident response is not heroics. It is preparation cashed in: a plan that names who decides, who speaks, who touches the keyboard; runbooks for the likely scenarios; and rehearsals that surface the gaps while it is still cheap to find them. When something does happen, that preparation is the difference between hours and weeks.

NIST rebuilt this guidance in 2025. SP 800-61 Revision 3 retired the old rigid four-phase lifecycle and reframed incident response around the six functions of the Cybersecurity Framework 2.0 — Govern, Identify, Protect, Detect, Respond, Recover — treating response as continuous risk management, not a fire drill you run once. We build to that model.


Before an incident

Where the real work is. This is what actually determines the outcome.

IR plan
Roles, decision authority, communications, legal and insurer contacts, and thresholds for declaring an incident — written for the people who will use it, not for a binder.
Runbooks
Step-by-step response for the scenarios that actually occur: ransomware, business email compromise, a compromised admin account, a lost laptop, a data-exposure report.
Tabletop exercises
Your team walks a realistic scenario with us. Every exercise finds gaps — a missing contact, an untested backup, an unclear decision owner — while they are cheap to fix.
Readiness check
Do you have the logs to investigate? Backups you can trust? A way to reach staff if email is down? We verify the assumptions a response depends on.
During an incident

What we do when it is live. Contain first; understand fully; recover clean.

01 — TRIAGE

Scope it

What is affected, what is at risk, how the actor got in and whether they are still inside.

02 — CONTAIN

Stop the spread

Isolate hosts, cut attacker access, disable compromised accounts — without destroying the evidence you will need.

03 — ERADICATE

Remove the foothold

Persistence, backdoors, malicious accounts and rules — eliminated, so recovery is not onto a still-compromised system.

04 — RECOVER

Restore safely

Return service from verified-clean backups, monitor closely for the actor's return, and confirm normal operation.

05 — LEARN

Post-incident review

A blameless write-up: what happened, how it was handled, what changes prevent a repeat.


Forensics & evidence

Handled so it holds up — for your insurer, your counsel, and if needed a court.

When it matters, we preserve evidence properly: sound acquisition, documented chain of custody, and analysis of logs, endpoints and cloud audit trails to establish what happened and what left. We work under your breach counsel's direction where privilege applies, and produce the technical record your cyber-insurance policy requires.

NIST SP 800-61r3NIST CSF 2.0 — Respond & RecoverChain of custodyMITRE ATT&CKInsurer-ready reporting
Common questions

The three we are asked most.

Can you help if we are being attacked right now?

Email info@bstedge.com with “INCIDENT” in the subject line. If we have capacity to take the case, an engineer will reply with the first containment steps. Existing managed clients have a defined incident channel and agreed response times.

Do you work with our cyber insurer and counsel?

Yes. Insurers and breach counsel often direct the process; we slot into that structure, preserve evidence to a standard they accept, and produce the technical record they need.

Will you tell us if we should pay a ransom?

No. That decision belongs to your leadership, counsel and insurer. We give you the technical facts it depends on: what was encrypted, what was exfiltrated, whether backups survived, and what recovery without payment would take.

Do you have a plan, or a hope?

Most small companies have the second. A retainer and one tabletop turn it into the first. Or, if something is happening now, email us with “INCIDENT” in the subject.

Contact us
Active incident
Subject line “INCIDENT”
Aligned to
NIST SP 800-61r3 / CSF 2.0