BastionSec
Managed · Detect & Respond

Continuous monitoring and incident response on retainer. Honest about what it is and isn't.

We centralise logs, configure detection rules and keep an incident-response retainer for when something goes wrong. We don't sell a 24/7 SOC until we truly have the capacity to run one: we start here, with a clear roadmap toward it.

  • Continuous monitoring + alerting + IR on retainer. No 24/7 coverage promises.
  • Centralised logs and SIEM-lite: real visibility, not an empty dashboard.
  • Detection and IR playbooks mapped to MITRE ATT&CK.

Let's say it upfront, for honesty: today we do NOT offer a SOC with 24/7/365 coverage. Selling a SOC you don't have the capacity to staff is exactly the kind of hollow promise we avoid. We offer continuous monitoring, alerting and incident response on retainer, with a stated roadmap toward SOC capability as we grow.

What we mean by Detection & Response

Prevention isn't enough: sooner or later something gets past the defences. Detection & Response is the ability to notice quickly and react in an orderly way, instead of discovering the incident weeks later from a customer or a ransom note.

Concretely: we collect and centralise logs from the sources that matter (identity, endpoints, network, cloud), configure detection rules, generate useful alerts (not noise) and keep incident-response playbooks ready to contain and remediate.

The two halves of the service

Detection without response is just an alarm; response without detection is just firefighting. You need both.

Detection: continuous monitoring

Centralised log ingestion (SIEM-lite), correlation rules, alerting on relevant signals, status dashboards and periodic detection review.

Response: IR on retainer

Ready incident-response playbooks, roles and channels defined in advance, containment and remediation when an incident fires, post-mortem and lessons learned.

What's included

  • Centralisation of key source logs: identity/SSO, endpoint/EDR, firewall and network, critical cloud and SaaS.
  • SIEM-lite: log aggregation, normalisation and search, with adequate retention.
  • Detection rules mapped to MITRE ATT&CK: attacker techniques and tactics as the reference, not generic signatures.
  • Tuned alerting: thresholds and correlation to cut false positives and surface what matters.
  • Incident-response playbooks: procedures for typical scenarios (compromised account, ransomware, data exfiltration, anomalous access).
  • IR retainer: dedicated response hours, with agreed reaction times by severity (severities/SLA defined in the retainer).
  • Post-incident: root-cause analysis, remediation and detection updates.
  • Periodic reporting on events, alerts and coverage status.

Honesty about boundaries

So we don't sell you air, here's what this service is and isn't, today.

It's not a 24/7 SOC (today)

We don't staff around the clock with night shifts. Monitoring is continuous in the sense that log collection and detection rules run without interruption; human response happens within the windows and reaction times agreed in the retainer. 24/7 coverage is on the roadmap, not a current claim.

It doesn't replace baseline defences

Detection & Response assumes hygiene is already done: MFA, patching, backups, hardening. If those are missing, we start there: monitoring doesn't patch structural holes.

We don't guarantee zero incidents

Nobody can. We reduce time-to-discovery and impact, but absolute security doesn't exist: be wary of anyone who promises it.

It's not courtroom forensics

We do technical analysis and containment; legal expert reports and forensic chain of custody for court are a different discipline, which we coordinate with specialists if needed.

How we get there

From visibility to response, with maturity growing over time. People tune detections and handle incidents; automation cuts the noise.

  1. Source assessment: which logs exist, which are missing, what is actually monitorable today.
  2. Log centralisation: we connect key sources to a SIEM-lite, with adequate retention.
  3. Detection & tuning: rules mapped to MITRE ATT&CK and tuning to cut false positives.
  4. IR playbooks: procedures, roles and channels defined before an incident is needed.
  5. Operations on retainer: continuous monitoring, managed alerts and response within agreed times.
  6. Roadmap toward SOC: we grow coverage and automation as the need and capacity grow.

Stack & methodologies

We work at the category level, integrating the sources you already have: identity/SSO providers, endpoint EDR, NGFW firewalls, cloud and SaaS logs. The SIEM-lite aggregates and correlates; we don't lock you into a single product.

Method references: MITRE ATT&CK to model techniques and detection, NIST principles for the incident-response cycle (preparation, detection, containment, eradication, recovery, lessons learned), and consistency with the logging and incident-management controls of ISO/IEC 27001:2022 Annex A.
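To make concrete what "correlation rules", "tuned alerting" and "mapped to MITRE ATT&CK" mean in practice (the "What's included" bullets and the methodology above), here is a small added example of a correlation rule of the kind a SIEM-lite runs over centralised identity logs. It is illustrative code written for this page, not BastionSec's tooling or any product's rule syntax. The log format, user names and IP addresses are constructed sample data; the technique IDs are real ATT&CK identifiers (T1110 Brute Force, T1078 Valid Accounts). It contrasts an untuned rule (alert on every failed login) with a thresholded, windowed rule (a burst of failures from one source followed by a success), which is the difference between noise and a signal worth a human's time.

```python
"""Correlation rule example: brute force followed by a valid login.

Added illustration, not part of the original page or any product.
Log format, users and IPs below are constructed; ATT&CK IDs are real.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample identity log. One event per line:
#   <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
# alice: 5 failures in 11 seconds, then success  -> credential stuffing pattern
# bob:   1 typo, then success                    -> ordinary user
# carol: 5 failures spread over three hours      -> outside any short window
SAMPLE_LOG = """\
2024-05-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:05 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:06 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:09 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:12 SUCCESS user=alice src=203.0.113.7
2024-05-01T09:15:00 FAIL user=bob src=198.51.100.4
2024-05-01T09:15:30 SUCCESS user=bob src=198.51.100.4
2024-05-01T10:00:00 FAIL user=carol src=192.0.2.9
2024-05-01T10:40:00 FAIL user=carol src=192.0.2.9
2024-05-01T11:20:00 FAIL user=carol src=192.0.2.9
2024-05-01T12:00:00 FAIL user=carol src=192.0.2.9
2024-05-01T12:40:00 FAIL user=carol src=192.0.2.9
2024-05-01T13:00:00 SUCCESS user=carol src=192.0.2.9
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    outcome: str  # "FAIL" or "SUCCESS"
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK technique ID(s) the behaviour maps to
    user: str
    src: str
    at: datetime
    detail: str


def parse_log(text: str) -> list[Event]:
    """Normalise raw lines into Event records (the 'normalisation' step of a SIEM-lite)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user_kv, src_kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), outcome,
                            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def naive_rule(events: list[Event]) -> list[Alert]:
    """Untuned rule: one alert per failed login. Every typo becomes a ticket."""
    return [Alert("T1110", e.user, e.src, e.ts, "single failed login")
            for e in events if e.outcome == "FAIL"]


def correlated_rule(events: list[Event], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Tuned rule: >= threshold failures within `window` from the same (user, src),
    followed by a success from that same pair. Maps to T1110 (Brute Force)
    leading to T1078 (Valid Accounts)."""
    recent_failures: dict[tuple[str, str], deque] = defaultdict(deque)
    alerts = []
    for ev in events:
        key = (ev.user, ev.src)
        q = recent_failures[key]
        # Slide the window: forget failures older than `window` relative to this event.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if ev.outcome == "FAIL":
            q.append(ev.ts)
        elif ev.outcome == "SUCCESS" and len(q) >= threshold:
            alerts.append(Alert("T1110->T1078", ev.user, ev.src, ev.ts,
                                f"{len(q)} failures within {window} then success"))
            q.clear()  # one alert per burst, not one per later success
    return alerts


def summarise(text: str) -> dict:
    """Return alert counts for both rules over the same log, for comparison."""
    events = parse_log(text)
    return {"events": len(events),
            "naive_alerts": len(naive_rule(events)),
            "correlated_alerts": correlated_rule(events)}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s['events']} events; naive rule: {s['naive_alerts']} alerts; "
          f"correlated rule: {len(s['correlated_alerts'])} alert(s)")
    for a in s["correlated_alerts"]:
        print(f"  [{a.technique}] {a.user} from {a.src} at {a.at}: {a.detail}")
```

Over the constructed log the untuned rule raises eleven alerts, one per failed login, while the correlated rule raises exactly one, for alice. The threshold and window are the two tuning knobs mentioned above: carol's five failures never fire because they are spread over hours, and bob's single failure never reaches the threshold. The ATT&CK tag on the alert is what lets a detection review ask "which techniques do we cover, and where are the gaps?" rather than counting signatures.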

Model and pricing

Initial setup as a project (log centralisation, detection, playbooks), then a monthly retainer for continuous monitoring and incident-response hours. The retainer defines severities and reaction times.

For complex environments and needs requiring extended coverage, the model is on request. See the pricing page for the ranges.

Frequently asked

Do you offer a 24/7 SOC?

Not today, and we don't pass it off as one. We offer continuous monitoring (log collection and detection always on) and incident response on retainer, with agreed reaction times. Staffed 24/7 coverage is on our roadmap: we tell you clearly, we don't sell it before we can deliver it.

So what does 'continuous monitoring' mean?

It means log collection, detection rules and alerting are on without interruption. The human analysis and response part happens within the windows and reaction times defined in the retainer, based on severity.

What is SIEM-lite?

Log collection and correlation sized for startups/SMBs: it centralises the sources that matter and gives you search and alerts, without the cost and complexity of an enterprise SIEM you don't need yet.

Why do you cite MITRE ATT&CK?

It's the framework cataloguing real attacker tactics and techniques. We map detections to ATT&CK to cover concrete behaviours, not just generic signatures, and to reason about coverage gaps.

What happens when an incident fires?

The playbook kicks in: containment, technical investigation, eradication and recovery, with roles and channels already defined. Afterwards we run a post-mortem with root cause and update detections so it doesn't recur.

Do you guarantee we won't be attacked?

No, and be wary of anyone who promises that. We drastically reduce time-to-discovery and the impact of an incident, but zero risk doesn't exist. That's why IR on retainer is an integral part of the service.

Related services

Zero Trust

By reducing the attack surface, Zero Trust makes monitoring more effective and alerts more meaningful.


Device management

Endpoint EDR is one of the key monitoring sources: we configure and manage it.


Continuous security

Detection & Response lives inside a broader retainer that keeps your posture alive over time.


Would you notice if you were attacked right now?

Tell us your need: we look at which logs and visibility you have today and tell you, honestly, where you're exposed.