High-fidelity detections. 15-min P1 SLA. No noise.

Most security operations programmes fail not because of missing tools, but because of alert fatigue, tuning debt, and analysts who cannot sustain always-on coverage. We deliver Managed Detection & Response built on your existing telemetry, custom ATT&CK-mapped detection rules, and documented playbooks — high-fidelity alerts, defined triage SLAs, and clear response guidance rather than a dashboard of unactioned noise.

MITRE ATT&CK · NIST SP 800-61 · ISO/IEC 27035 · NIST CSF · Sigma · STIX 2.1
DETECTION ENGINEERING

Detection rules are not static.

We treat the detection programme as a product: use-cases have owners, Sigma rules have version control, and ATT&CK coverage gaps are tracked and closed systematically.

Use-Case Lifecycle

  • Use-case backlog prioritised by threat intelligence, ATT&CK coverage gaps, and client risk profile
  • Sigma-based detection rules in version control with peer review, testing, and deployment pipeline
  • False-positive tuning with documented rationale; every suppression is auditable
  • Retirement process for stale rules that no longer map to current threat landscape

ATT&CK Coverage

  • ATT&CK technique coverage map maintained and reviewed quarterly with coverage percentage by tactic
  • Coverage gaps identified and prioritised against threat intelligence for your sector
  • Detection validation via atomic TTP tests and purple team exercises
  • Coverage map shared with client as a standing programme deliverable

Threat Intelligence Integration

  • Tactical intelligence (IOCs, TTPs) ingested in STIX 2.1 format and operationalised into detections
  • Sector-specific threat actor tracking aligned to your risk profile
  • Intelligence-driven detection prioritisation: new TTPs result in new use-cases, not just IOC lists
  • Emerging threat briefings when new campaigns target your sector or technology stack
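As an added worked example (not the service's own pipeline or tooling), the Python below shows the two steps the lists above describe: a STIX 2.1 indicator with an `indicates` relationship to an ATT&CK technique is operationalised into a Sigma-style rule (ATT&CK tag included), and that rule is then tested against sample events the way the version-controlled rule pipeline would test it. The STIX bundle and its identifiers, the STIX-path-to-Sigma-field mapping, the DNS events and the matcher's subset of Sigma semantics are all constructed or assumed for this illustration.

```python
"""Added illustration: turn a STIX 2.1 indicator into a Sigma-style rule and
run it over sample events.  Not the service's pipeline; the bundle, the
STIX-path-to-Sigma-field map and the events are all constructed."""
import json
import re

IND = "indicator--1f6a9d2e-0d4b-4a8c-9c3e-5b2f7a1e0c02"
AP = "attack-pattern--1f6a9d2e-0d4b-4a8c-9c3e-5b2f7a1e0c03"
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--1f6a9d2e-0d4b-4a8c-9c3e-5b2f7a1e0c01",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": IND, "name": "Campaign C2 domains",
         "pattern_type": "stix", "valid_from": "2024-01-10T09:00:00Z",
         "pattern": "[domain-name:value = 'cdn-update.example' OR "
                    "domain-name:value = 'static-assets.example']"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP,
         "name": "Application Layer Protocol: Web Protocols",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071.001"}]},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--1f6a9d2e-0d4b-4a8c-9c3e-5b2f7a1e0c04", "source_ref": IND, "target_ref": AP},
    ]})

# Assumed map from STIX object path to (Sigma logsource category, Sigma field).
STIX_TO_SIGMA = {"domain-name:value": ("dns", "query"), "process:command_line": ("process_creation", "CommandLine")}
_CMP = re.compile(r"([\w\-]+:[\w\-.]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

def parse_pattern(pattern):
    """[(object_path, value), ...] from one '[...]' expression of OR-joined '=' comparisons."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")) or " AND " in body \
            or re.search(r"\b(LIKE|MATCHES|IN|FOLLOWEDBY)\b", body):
        raise NotImplementedError("only one [...] observation of '=' comparisons joined by OR is handled")
    comps = [(p, v.replace("\\'", "'")) for p, v in _CMP.findall(body[1:-1])]
    if not comps:  # an empty selection would match every event, so refuse it
        raise ValueError(f"no comparisons found in {pattern!r}")
    return comps

def _attack_tags(objects, indicator_id):
    tags = []  # Sigma 'attack.t...' tags from 'indicates' relationships to attack-patterns
    for rel in objects.values():
        if (rel["type"] == "relationship" and rel["relationship_type"] == "indicates"
                and rel["source_ref"] == indicator_id):
            for ref in objects.get(rel["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    tags.append("attack." + ref["external_id"].lower())
    return tags

def stix_to_sigma(bundle_json):
    """One Sigma rule (as a dict; serialise to YAML for the rule repo) per indicator."""
    objects = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    rules = []
    for ind in (o for o in objects.values() if o["type"] == "indicator"):
        by_field, categories = {}, set()
        for path, value in parse_pattern(ind["pattern"]):
            if path not in STIX_TO_SIGMA:
                raise ValueError(f"no Sigma field mapped for STIX path {path!r}")
            category, field = STIX_TO_SIGMA[path]
            categories.add(category)
            by_field.setdefault(field, []).append(value)
        if len(categories) != 1:
            raise ValueError("indicator spans several log sources; split it first")
        rules.append({"title": ind["name"],
                      "id": ind["id"].split("--", 1)[1],  # keep the STIX UUID for traceability
                      "references": [ind["id"]], "logsource": {"category": categories.pop()},
                      "detection": {"selection": by_field, "condition": "selection"},
                      "tags": _attack_tags(objects, ind["id"])})
    return rules

def _field_matches(event, key, values):
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()  # Sigma string matching is case-insensitive
    for v in (values if isinstance(values, list) else [values]):
        v = str(v).lower()
        if (modifier == "contains" and v in actual) or (modifier == "" and v == actual):
            return True
    return False

def rule_matches(rule, event):
    """Sigma subset: fields ANDed, list values ORed, '|contains', 'X' or 'X and not Y'."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"])
    if not m:
        raise NotImplementedError(f"condition not supported: {det['condition']}")
    sel, filt = m.groups()
    hit = all(_field_matches(event, k, v) for k, v in det[sel].items())
    if hit and filt:
        hit = not all(_field_matches(event, k, v) for k, v in det[filt].items())
    return hit

SAMPLE_EVENTS = [  # constructed DNS events; mixed case on purpose
    {"host": "ws-014", "query": "CDN-Update.example", "answer": "203.0.113.7"},
    {"host": "ws-022", "query": "login.microsoftonline.com"},
    {"host": "srv-db-01", "query": "static-assets.example"}]

def hosts_hit(rule, events):
    return [e["host"] for e in events if rule_matches(rule, e)]
```

`stix_to_sigma(STIX_BUNDLE)[0]` yields a rule whose `tags` is `["attack.t1071.001"]` and whose selection is the two domains; `hosts_hit` over the sample events returns `["ws-014", "srv-db-01"]`. Two design points carry over to a real pipeline: the converter refuses STIX constructs it cannot translate faithfully (AND, LIKE, MATCHES) instead of emitting a rule that silently under-matches, and it refuses an indicator whose comparisons span more than one log source, because a single Sigma rule has a single logsource.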
COVERAGE

Telemetry, hunting, and continuous tuning.

Coverage & Telemetry Sources

  • Endpoint & workload: EDR/XDR telemetry across workstations, servers, and cloud workloads; process, network, file, and registry events
  • Identity: SSO/IdP events, directory services, MFA logs, and privileged access management audit trails
  • Network: firewall, VPN, DNS, proxy, and network flow telemetry; east-west traffic analysis
  • Cloud: provider audit logs, activity monitoring, and cloud security posture findings
  • Application: WAF, API gateway, and application security logs; custom instrumentation where needed
  • AI/LLM (paid add-on): inference endpoint monitoring, prompt-injection detection, model access logs, and RAG query analysis; priced separately from the base SOC tier and configured against your existing AI gateway / guardrail layer

Threat Hunting

  • Monthly structured hunts: one ATT&CK tactic covered in depth each month on a rolling 12-month rotation through the twelve Enterprise tactics from Initial Access onward (Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command & Control → Exfiltration → Impact), so every tactic is re-hunted at least annually
  • Continuous hypothesis-driven hunts: triggered on demand by fresh threat intelligence, detection-engineering gaps, sector-specific CTI, and emerging CVE/exploit activity rather than waiting for the monthly slot
  • Behavioural analytics: anomaly detection across user, entity, and network baselines, run continuously over retained telemetry to surface low-and-slow activity that evades rule-based detection
  • Hunt-to-detection feedback loop: every hunt finding becomes a new Sigma rule (when the behaviour is repeatable), a tuning change to an existing rule, or a use-case backlog item, closing the loop within the same engagement month
  • Hunt-hours included: Essential package, 8 hunt-hours per month; Standard, 24 hunt-hours per month; Enterprise, 60+ hunt-hours per month with a named hunt-team lead and weekly hunt sync
  • Hunt reporting: monthly hunt summary (hypothesis, scope, queries, findings, detections shipped) delivered within 5 business days of month-end; quarterly synthesis rolled into the posture review

AUTHORITY TO ACT

You stay in control.

We triage, enrich, and advise by default. Where speed requires pre-authorised action, the boundaries are explicit, documented, and auditable.

Default Operations

  • Triage, enrich, and escalate with guidance — no containment action without client approval
  • Decision-ready notifications with recommended next steps and impact context
  • Case documentation and evidence preservation on your behalf

Pre-Authorised Actions

  • Host isolation, account suspension, and block-list updates under pre-approved playbooks
  • Each playbook defines trigger conditions, scope limits, and notification requirements
  • All actions logged with analyst identity, timestamp, and triggering alert

Incident Escalation

  • SEV1 incidents trigger immediate escalation to named client contacts via agreed channels
  • Forensics & IR handoff available for confirmed breaches requiring deep investigation
  • Break-glass procedure for incidents outside pre-approved playbook boundaries

SEVERITY TIERS & SLAs

What our analysts commit to.

End-to-end commitments — detection, acknowledgement, and containment — not just the analyst response window.

Severity          MTTD · detect   MTTA · acknowledge   MTTC · contain
SEV1 — CRITICAL   ≤ 5 min         ≤ 15 min             ≤ 30 min
SEV2 — HIGH       ≤ 15 min        ≤ 30 min             ≤ 2 hr
SEV3 — MEDIUM     ≤ 1 hr          ≤ 2 hr               ≤ 8 hr
SEV4 — LOW        ≤ 8 hr          Next report          Per remediation plan

  • SEV1: active compromise, ransomware, live C2, mass credential theft
  • SEV2: confirmed malicious activity, lateral movement, privileged account compromise
  • SEV3: suspicious activity under investigation, policy violations, anomalous behaviour
  • SEV4: low-confidence alerts, hygiene findings, tuning candidates

MTTD · clock starts at the source telemetry event timestamp, not at SIEM ingest, and stops when the alert lands in the analyst queue; it is measured against the attack timeline, not our pipeline latency. Because the clock starts on the source's own timestamp, telemetry sources need reliable time synchronisation (NTP) for the figure to be meaningful.
MTTA · clock starts when the alert lands in the analyst queue and stops on first human acknowledgement.
MTTC · clock starts on analyst acknowledgement and stops on the first containment action under a pre-authorised playbook or, where authority requires client approval, on client confirmation of the recommended action.
All metrics reported monthly at p50 and p90 (median and 90th percentile) by severity; missed SLAs trigger service-credit provisions defined per contract.
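An added worked example (not the service's own reporting code) of the three clocks defined above: each case record carries the timestamps the definitions name, the per-case MTTD/MTTA/MTTC follow the stated start and stop rules (ingest time is present but ignored; MTTC stops on the pre-authorised action or, failing that, on client confirmation), and the results roll up to p50/p90 per severity against the tier table. The case records, the record field names and the choice of nearest-rank percentile are assumptions made for this illustration.

```python
"""Added illustration of the SLA clocks: per-case MTTD/MTTA/MTTC under the
stated start/stop rules, then p50/p90 per severity against the tier table.
Not the service's reporting code; the case records are constructed."""
import math
from datetime import datetime

# Targets in minutes from the tier table; None = no timed target (SEV4).
SLA_MINUTES = {
    "SEV1": {"mttd": 5,   "mtta": 15,   "mttc": 30},
    "SEV2": {"mttd": 15,  "mtta": 30,   "mttc": 120},
    "SEV3": {"mttd": 60,  "mtta": 120,  "mttc": 480},
    "SEV4": {"mttd": 480, "mtta": None, "mttc": None},
}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _minutes(start, end):
    return (end - start).total_seconds() / 60

def case_metrics(case):
    """(mttd, mtta, mttc) in minutes for one case; mttc is None while still open.
    MTTD: source event timestamp -> alert lands in the analyst queue
          ('ingest_ts', if present, is deliberately not used).
    MTTA: alert in queue -> first human acknowledgement.
    MTTC: acknowledgement -> first pre-authorised containment action, or the
          client's confirmation when the action needed approval."""
    event, queued, acked = (_ts(case[k]) for k in ("event_ts", "alert_queued_ts", "acked_ts"))
    if not event <= queued <= acked:
        # Measuring from the source clock only works if that clock is right.
        raise ValueError(f"{case['id']}: timestamps out of order; check source time sync")
    stop = case.get("contained_ts") or case.get("client_confirmed_ts")
    mttc = _minutes(acked, _ts(stop)) if stop else None
    return _minutes(event, queued), _minutes(queued, acked), mttc

def percentile(values, p):
    """Nearest-rank percentile, so p50/p90 are always real observed durations."""
    s = sorted(values)
    return s[max(1, math.ceil(p / 100 * len(s))) - 1] if s else None

def monthly_report(cases):
    """{severity: {metric: {n, p50, p90, target, breaches}}} for the month."""
    by_sev = {}
    for c in cases:
        row = by_sev.setdefault(c["severity"], {"mttd": [], "mtta": [], "mttc": []})
        for metric, value in zip(("mttd", "mtta", "mttc"), case_metrics(c)):
            if value is not None:
                row[metric].append(value)
    report = {}
    for sev, cols in by_sev.items():
        report[sev] = {}
        for metric, vals in cols.items():
            target = SLA_MINUTES[sev][metric]
            report[sev][metric] = {
                "n": len(vals), "p50": percentile(vals, 50), "p90": percentile(vals, 90),
                "target": target,
                "breaches": sum(v > target for v in vals) if target is not None else 0,
            }
    return report

# Constructed case records for one month (all timestamps UTC).
CASES = [
    {"id": "C-101", "severity": "SEV1", "event_ts": "2024-03-04T10:00:00Z", "ingest_ts": "2024-03-04T10:00:40Z",
     "alert_queued_ts": "2024-03-04T10:03:00Z", "acked_ts": "2024-03-04T10:09:00Z", "contained_ts": "2024-03-04T10:25:00Z"},
    {"id": "C-102", "severity": "SEV1", "event_ts": "2024-03-06T11:00:00Z",
     "alert_queued_ts": "2024-03-06T11:04:00Z", "acked_ts": "2024-03-06T11:10:00Z", "client_confirmed_ts": "2024-03-06T11:50:00Z"},
    {"id": "C-103", "severity": "SEV1", "event_ts": "2024-03-11T12:00:00Z",
     "alert_queued_ts": "2024-03-11T12:07:00Z", "acked_ts": "2024-03-11T12:12:00Z", "contained_ts": "2024-03-11T12:30:00Z"},
    {"id": "C-104", "severity": "SEV2", "event_ts": "2024-03-12T09:00:00Z",
     "alert_queued_ts": "2024-03-12T09:10:00Z", "acked_ts": "2024-03-12T09:20:00Z", "contained_ts": "2024-03-12T10:00:00Z"},
    {"id": "C-105", "severity": "SEV2", "event_ts": "2024-03-19T13:00:00Z",  # still open: no MTTC yet
     "alert_queued_ts": "2024-03-19T13:12:00Z", "acked_ts": "2024-03-19T13:50:00Z"},
]

if __name__ == "__main__":
    for sev, cols in monthly_report(CASES).items():
        for metric, r in cols.items():
            print(sev, metric, r)
```

With these records, SEV1 MTTC comes out at p50 18 min and p90 40 min: the p90 sits above the 30-minute target because C-102 needed client approval and the clock kept running until the client confirmed. That is exactly the case the MTTC definition above anticipates, and it is the argument for putting the high-frequency containment actions under pre-authorised playbooks rather than approval-on-demand. Open cases contribute MTTD and MTTA but no MTTC until they close, so `n` differs per metric.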
DELIVERABLES

What lands in your inbox.

Per Incident

  • Decision-ready notifications with context, impact assessment, and recommended actions
  • Case-ready evidence packs: event timelines, affected assets and users, containment steps taken
  • Post-incident summary with root cause, attack chain, and remediation recommendations

Reporting Cadence

  • Weekly — operations notes: incident metrics, active investigations, and detection tuning changes
  • Monthly — executive summary plus hunt report (hypothesis, scope, queries, findings, detections shipped) within 5 business days of month-end
  • Quarterly — posture review: ATT&CK coverage analysis, rolled-up hunt synthesis, KPI trends (MTTD/MTTA/MTTC at p50 and p90), and roadmap

Detection Programme

  • Use-case catalogue with coverage, health, and tuning history
  • ATT&CK coverage map with technique coverage percentage by tactic
  • Sigma rule library (client-owned) for portability
  • MTTD / MTTA / MTTC metrics by severity with p50/p90 trends

ONBOARDING

Day-one to steady-state.

  • Telemetry plan: source inventory, integration checklist, and data-quality validation
  • Initial use-case backlog and detection pack aligned to your risk priorities
  • Incident runbooks for your top scenarios with comms templates and escalation matrix
  • RACI definition with documented break-glass procedures
  • Expedited onboarding available: parallel workstreams across cloud, endpoint, and identity

ASSURANCE & DATA HANDLING

How we hold your telemetry.

  • ISO/IEC 27001:2022-conformant information security programme
  • Encrypted case data and evidence in transit and at rest; access controls per engagement
  • Defined data retention policy with scheduled secure disposal
  • Change control for detection rules and runbooks — all modifications auditable
  • Telemetry data processed under signed DPA; subprocessor list available on request
ACTIVE INCIDENT?