Cyber Security Incident Response (CSIR)

We provide Cyber Security Incident Response (CSIR) services to organisations that would like to prepare for, or are suffering from, a cyber-attack or breach. We offer four tiers of retained service to deliver peace of mind, and if an incident is currently taking place we can be deployed on demand. Our Cyber Threat Hunting (TH) services are integrated with our retained CSIR service tiers.

CSIR Service Levels 2.0

Cyber Security Incident Response (CSIR), Threat Hunting (TH), *arrival on site or begin travel

It’s not a matter of if, but when. In 2017, 74% of British businesses said that cyber security is a high priority for their senior management, with 49% of those having experienced an attack or breach within that year. Despite this, only 11% have a formal cyber security incident management process or response capability in place.

Our retained service

We offer retained cyber security incident response services across four levels, each offering expert help in preparing for or responding to an incident. Each paid-for level includes discounted CSIR and Threat Hunting (TH) rates.

Telephone Advice
Expert advice is available at every level over the phone. For our silver tier and up, 24/7 telephone advice is provided through a dedicated number handled by a team of on-call responders.

Site Deployment
Where necessary, responders can be deployed on-site (or begin travelling) within the timeframes specified for each level. The Gold and Platinum levels offer same-day deployment.

Remote Support
When site deployment is not practicable or immediate support is required, all of our service levels offer remote support via a secure remote access point which is to be agreed on during initial consultations.

Service Level Agreement
All levels are backed by an agreement which gives you peace of mind that we will help you when you need it, and you know what service to expect.

One-day Workshop
Our silver level includes a half-price one-day workshop and gold and platinum include this for free. This workshop will be run by one of our responders and enable us to better work together. It will include discussions on how to best facilitate our response efforts within your infrastructure.

Reduced Rates
Hourly rates for our CSIR and Threat Hunting services are discounted according to the service level chosen.

CSIR Plan Review
Our platinum service includes a free CSIR Plan Review, and other levels can benefit from this at their relevant CSIR rate discounts. The plan review will assess your readiness for a cyber security incident in line with best practice and the CREST approach. If you don’t have a CSIR plan in place already, this can be used to give you advice on where to start.


Our on-demand service

Outside of our retained services we can respond to cyber-attacks and breaches when needed. Contact us in confidence for expert advice. 

​Email our CSIR team: cyberincidentresponse@​

Why choose us?

Supported by our parent company PA Consulting, we offer a comprehensive portfolio of cyber resilience services.


Building your own capability

Education underpins everything we do. We offer world-leading hands-on cyber incident responder training courses to help organisations build their own capability to confidently respond to cyber attacks.

We can also help organisations build comprehensive CSIR plans so they are ready for an incident from both a technical and a managerial perspective. Visit our blog to see why you need an incident response plan.

CREST Provider

We are a member of CREST and we apply and adhere to the rigorous CREST standards. We have adopted the 3-Phase CREST model for Cyber Security Incident Response (CSIR) and we are a registered Cyber Security Incident Response provider on the CREST website.


Threat Hunting

Cyber Threat Hunting is the process by which infrastructure in an organisation is proactively scanned for evidence of ‘threats’ which have gone undetected by other means – indicating that an organisation has already been compromised. Read more about our Cyber Threat Hunting service.


Minimise losses by acting quickly: contact us on 01763 285 510 or fill in the form below for expert help without delay.

Our approach

  • Phase 1 - Prepare


    7Safe can assist your organisation with the preparation for a cyber occurrence. This will involve a cyber security risk assessment that comprehensively reviews your documented policies, procedures and standards to identify cyber vulnerabilities and determine your state of readiness. 

    To be effectively prepared, you should be able to determine the criticality of your key assets, analyse threats to them, and implement a set of complementary controls to provide an appropriate level of protection. Considering the implications of people, process, technology and information, you can then update your cyber security response capability and review your state of readiness in cyber security response.


    Many organisations do not have adequate policies, processes or methodologies (if they have any at all) to help them respond to cyber security incidents effectively. They struggle to know what to do, how to do it, who to contact – and can even compromise investigations by their actions.

    To help tackle cyber security incidents in an effective and consistent manner, you should develop an appropriate strategic approach, backed up by a formal cyber security incident response process, which should include:

    • Identifying cyber security incidents
    • Investigating the situation (including triage)
    • Taking appropriate action (e.g. contain incident and eradicate cause)
    • Recovering systems, data and connectivity


    Project research revealed that the biggest IT infrastructure challenge organisations face when preparing for a cyber security incident is failing to log the right events or to turn on the appropriate logging features.

    Many organisations have vastly insufficient logging, archiving, correlation and simulation capabilities. For example, when handling a cyber security incident, historical data can be very important as attacks have often been taking place over an extended period of time – but logs (if they record the right things at all) are often incomplete or do not adequately cover past events. 


    It is essential to make sure that your organisation has the information readily available that will help the cyber security incident response team (including third party experts) to respond quickly and effectively. Depending on context, the kind of information that expert suppliers typically want to know about falls into four main categories:

    • Business management (e.g. what the business does, main point(s) of contact, approach to business impact assessment)
    • IT infrastructure (e.g. network diagrams, system architecture and layout)
    • Data (e.g. what type of information is processed, where and how)
    • Event logging (e.g. what types of data and events are logged; on which systems; how and when; as well as how this data is collated and analysed).

    The amount of information required by an organisation will differ based on a number of factors, such as its size, market sector, internal capabilities and nature of the particular cyber security incident being investigated.

  • Phase 2 - Respond

    ​Identify cyber security incident

    7Safe consultants will rapidly identify if a cyber incident has taken place and if so, what the cyber security incident type is. This will then determine an appropriate response and subsequent actions.

    Cyber security incidents usually begin with one or more of the following indicators:

    • Alerts from technical monitoring systems such as anti-virus software, intrusion detection systems (IDS), data loss prevention (DLP), security information and event management (SIEM) systems, log analysers, etc.
    • Reports of suspicious events made to the IT help desk by users, third party reports, or directly to the security team by the police, industry bodies, your vendor partners, or the government.
    • Anomalies detected by audits, investigations or reviews. Note: this includes financial audits that show withdrawals that are traceable to fraudulent activity.

    As a result of our comprehensive assessment, you may find that the malware has spread widely within your network or to third party systems, compromising security beyond the point where the infection was initially detected. Our responders are used to monitoring the complete evidence trail for signs of unusual occurrences and assessing one or more trigger points.

    Analysing all the available information will often provide a different insight into what has actually caused the alert. Responders can then determine whether there has been a DDoS and/or malware attack, system hack, session hijack, and/or data corruption, basing their conclusions on the facts. Relying instead on the reports produced by your security monitoring software can be misleading – especially without expert help to interpret results.

    In this way, we aim to definitively confirm that you have been subjected to a cyber-attack or cyber-related data breach, removing any doubt about the possible causes. 

    Define objectives and investigate the situation

    Objectives and scope will be formulated based on identification factors and information gathered to date. These will be directed by client requirements in line with business continuity and concerns.

    Investigation will be an on-going effort from initial identification through to containment and eradication. The main focus of investigation at this stage is to return to normal operation rather than in-depth analysis, and incidents will be triaged by:

    • Classifying
    • Prioritising
    • Assigning

    7Safe will use cyber threat intelligence to clearly understand the tactics, techniques and procedures of the attacker/s, to assist with the definition of objectives and scope, and to better remediate.

    Any changes to scope or objectives will be clearly discussed and agreed with the client with written authorisation where additional work is needed above or beyond the initial scope. These changes will be communicated in a timely fashion with the incident team where required.

    Take appropriate action to contain the incident

    An important step in the process is containment. That is, stopping the infection from spreading to other networks and devices both within your organisation and beyond.

    At 7Safe, we prioritise actions that are aimed at reducing the immediate impact of the cyber security incident, primarily by removing the attacker’s access to your systems. This does not always mean returning to business as usual, but rather making best efforts to return to functionality as normal, while continuing to analyse the incident and plan longer term remediation.

    We will contain the incident and isolate any compromised nodes or devices to prevent further infection or lateral movement and to allow the business to resume normal functions. We will also monitor for changes in attack vector or escalation as a result of containment, ensure no further compromises to the infrastructure are made, and ensure that tools introduced to assist are verified and malware free.

    Once the incident has been contained, we will eradicate the suspect material from the network while preserving evidence to the required evidential standards for more detailed investigation and/or possible future prosecution.

    Recover systems, data and connectivity

    7Safe will ensure that systems have been restored to their normal operation and remediate vulnerabilities to prevent similar incidents occurring in the future.

    Validation of recovery is important and 7Safe can offer a vulnerability assessment (penetration test) for additional peace of mind.

    7Safe will monitor the situation over an agreed period of time to ensure that no follow-up attack takes place and to confirm successful eradication and recovery of systems.

    The final step in the Cyber Security Incident Response process is to restore your systems to normal operations, confirm that the systems affected are functioning normally, and remediate vulnerabilities to prevent similar incidents from occurring.

  • Phase 3 - Follow Up

    Investigate Incident More Thoroughly

    7Safe will perform a full and thorough cyber forensic investigation, including malware reverse engineering and host and network intrusion analysis where appropriate, to determine the extent of the incident or to meet any specified client objectives. This may also include investigation into possible suspects, data egressed or motivation.

    Report Incident to Relevant Stakeholders

    7Safe will create reports that provide a full description of the incident, recovery, investigation, findings and recommendations.

    Reports will be produced in a format and style tailored to the intended audience and to ease understanding of complex topics where necessary.

    Where necessary, due to the nature of the business, recommendations for direct reporting to relevant authorities will be included.

    Conduct a Post Incident Review

    7Safe will conduct a post incident review to determine what actions, if any, could improve the effectiveness of the company’s internal mechanisms or the investigation that took place. These will be referenced internally or discussed with the client as appropriate, ensuring that any lessons to learn are documented.

    Communicate & Build on Lessons Learnt

    7Safe will develop recommendations and highlight areas for concern and required improvement during the course of, and at completion of, an incident response engagement.

    Main points will be highlighted in the final report and further detail can be provided during client debrief.

    The goals of building on lessons learnt are to:

    • Prevent a similar attack from happening in the future
    • Highlight any immediate areas of concern that could contribute to the success of future incidents
    • Identify any gaps or areas of general improvement

    Update Key Information, Controls & Processes

    Following on from the lessons learnt, 7Safe can assist with the implementation of recommendations to assist with remediation, cyber security policy, education and training.

    Perform Trend Analysis

    7Safe maintains a repository of incidents, IOCs (Indicators of Compromise), investigation techniques and artefacts of note to aid in the future diagnosis and remediation of attacks. This knowledge can be shared with outside bodies but no client data or identifying artefacts of any kind are stored or shared in this repository.

    7Safe may perform trend analysis on collected data to identify common factors, evaluate patterns and trends and understand the associated costs of cyber incidents.

© Copyright 7Safe 2015 - all rights reserved