
Home / IT Security / Incident Response
The plan you write calmly decides the night you cannot.
Preparation, containment, eradication and recovery — aligned to NIST SP 800-61r3. Rehearsed before the incident, executed during it.
Two things, and honest firms sell both: readiness before, and response during.
Nobody makes good decisions at 3 a.m. with the database encrypted. The decisions have to already exist.
Incident response is not heroics. It is preparation cashed in: a plan that names who decides, who speaks, who touches the keyboard; runbooks for the likely scenarios; and rehearsals that surface the gaps while it is still cheap to find them. When something does happen, that preparation is the difference between hours and weeks.
NIST rebuilt this guidance in 2025. SP 800-61 Revision 3 retired the old rigid four-phase lifecycle and reframed incident response around the six functions of the Cybersecurity Framework 2.0 — Govern, Identify, Protect, Detect, Respond, Recover — treating response as continuous risk management, not a fire drill you run once. We build to that model.
Where the real work is. This is what actually determines the outcome.
- IR plan
- Roles, decision authority, communications, legal and insurer contacts, and thresholds for declaring an incident — written for the people who will use it, not for a binder.
- Runbooks
- Step-by-step response for the scenarios that actually occur: ransomware, business email compromise, a compromised admin account, a lost laptop, a data-exposure report.
- Tabletop exercises
- Your team walks a realistic scenario with us. Every exercise finds gaps — a missing contact, an untested backup, an unclear decision owner — while they are cheap to fix.
- Readiness check
- Do you have the logs to investigate? Backups you can trust? A way to reach staff if email is down? We verify the assumptions a response depends on.
What we do when it is live. Contain first; understand fully; recover clean.
Scope it
What is affected, what is at risk, how the actor got in and whether they are still inside.
Stop the spread
Isolate hosts, cut attacker access, disable compromised accounts — without destroying the evidence you will need.
Remove the foothold
Persistence, backdoors, malicious accounts and rules — eliminated, so recovery is not onto a still-compromised system.
Restore safely
Return service from verified-clean backups, monitor closely for the actor's return, and confirm normal operation.
Post-incident review
A blameless write-up: what happened, how it was handled, what changes prevent a repeat.
Handled so it holds up — for your insurer, your counsel, and if needed a court.
When it matters, we preserve evidence properly: sound acquisition, documented chain of custody, and analysis of logs, endpoints and cloud audit trails to establish what happened and what left. We work under your breach counsel's direction where privilege applies, and produce the technical record your cyber-insurance policy requires.
The three we are asked most.
Can you help if we are being attacked right now?
Email info@bstedge.com with “INCIDENT” in the subject line. If we have capacity to take the case, an engineer will reply with the first containment steps. Existing managed clients have a defined incident channel and agreed response times.
Do you work with our cyber insurer and counsel?
Yes. Insurers and breach counsel often direct the process; we slot into that structure, preserve evidence to a standard they accept, and produce the technical record they need.
Will you tell us if we should pay a ransom?
No. That decision belongs to your leadership, counsel and insurer. We give you the technical facts it depends on: what was encrypted, what was exfiltrated, whether backups survived, and what recovery without payment would take.
Do you have a plan, or a hope?
Most small companies have the second. A retainer and one tabletop turn it into the first. Or, if something is happening now, email us with “INCIDENT” in the subject.
Contact us- info@bstedge.com
- Active incident
- Subject line “INCIDENT”
- Aligned to
- NIST SP 800-61r3 / CSF 2.0