High-fidelity detections. 15-min P1 SLA. No noise.
Most security operations programmes fail not because of missing tools, but because of alert fatigue, tuning debt, and analysts who cannot sustain always-on coverage. We deliver Managed Detection & Response built on your existing telemetry, custom ATT&CK-mapped detection rules, and documented playbooks — high-fidelity alerts, defined triage SLAs, and clear response guidance rather than a dashboard of unactioned noise.
Detection rules are not static.
We treat the detection programme as a product: use-cases have owners, Sigma rules have version control, and ATT&CK coverage gaps are tracked and closed systematically.
Use-Case Lifecycle
- Use-case backlog prioritised by threat intelligence, ATT&CK coverage gaps, and client risk profile
- Sigma-based detection rules in version control with peer review, testing, and deployment pipeline
- False-positive tuning with documented rationale; every suppression is auditable
- Retirement process for stale rules that no longer map to current threat landscape
ATT&CK Coverage
- ATT&CK technique coverage map maintained and reviewed quarterly with coverage percentage by tactic
- Coverage gaps identified and prioritised against threat intelligence for your sector
- Detection validation via atomic TTP tests and purple team exercises
- Coverage map shared with client as a standing programme deliverable
Threat Intelligence Integration
- Tactical intelligence (IOCs, TTPs) ingested in STIX 2.1 format and operationalised into detections
- Sector-specific threat actor tracking aligned to your risk profile
- Intelligence-driven detection prioritisation: new TTPs result in new use-cases, not just IOC lists
- Emerging threat briefings when new campaigns target your sector or technology stack
Telemetry, hunting, and continuous tuning.
Coverage & Telemetry Sources
- Endpoint & workload — EDR/XDR telemetry across workstations, servers, and cloud workloads; process, network, file, and registry events
- Identity — SSO/IdP events, directory services, MFA logs, and privileged access management audit trails
- Network — firewall, VPN, DNS, proxy, and network flow telemetry; east-west traffic analysis
- Cloud — cloud provider audit logs, activity monitoring, and cloud security posture findings
- Application — WAF, API gateway, and application security logs; custom instrumentation where needed
- AI/LLM (paid add-on) — inference endpoint monitoring, prompt-injection detection, model access logs, and RAG query analysis. Priced separately from the base SOC tier and configured against your existing AI gateway / guardrail layer
Threat Hunting
- Monthly structured hunts — one ATT&CK tactic covered in depth each month on a rolling 12-month rotation (Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command & Control → Exfiltration → Impact); every tactic re-hunted at least annually
- Continuous hypothesis-driven hunts — triggered on demand by fresh threat intelligence, detection-engineering gaps, sector-specific CTI, and emerging CVE/exploit activity — not waiting for the monthly slot
- Behavioural analytics — anomaly detection across user, entity, and network baselines, run continuously across retained telemetry to surface low-and-slow activity that evades rule-based detection
- Hunt-to-detection feedback loop — every hunt finding converts to either a new Sigma rule (when repeatable), a tuning change to an existing rule, or a use-case backlog item — closing the loop within the same engagement month
- Hunt-hours included — Essential package: 8 hunt-hours per month. Standard: 24 hunt-hours per month. Enterprise: 60+ hunt-hours per month with named hunt-team lead and weekly hunt sync
- Hunt reporting — monthly hunt summary (hypothesis, scope, queries, findings, detections shipped) delivered within 5 business days of month-end; quarterly synthesis rolled into the posture review
You stay in control.
We triage, enrich, and advise by default. Where speed requires pre-authorised action, the boundaries are explicit, documented, and auditable.
Default Operations
- Triage, enrich, and escalate with guidance — no containment action without client approval
- Decision-ready notifications with recommended next steps and impact context
- Case documentation and evidence preservation on your behalf
Pre-Authorised Actions
- Host isolation, account suspension, and block-list updates under pre-approved playbooks
- Each playbook defines trigger conditions, scope limits, and notification requirements
- All actions logged with analyst identity, timestamp, and triggering alert
Incident Escalation
- Sev1 incidents trigger immediate escalation to named client contacts via agreed channels
- Forensics & IR handoff available for confirmed breaches requiring deep investigation
- Break-glass procedure for incidents outside pre-approved playbook boundaries
What our analysts commit to.
End-to-end commitments — detection, acknowledgement, and containment — not just the analyst response window.
- Active compromise, ransomware, live C2, mass credential theft
- Confirmed malicious activity, lateral movement, privileged account compromise
- Suspicious activity under investigation, policy violations, anomalous behaviour
- Low-confidence alerts, hygiene findings, tuning candidates
What lands in your inbox.
Per Incident
- Decision-ready notifications with context, impact assessment, and recommended actions
- Case-ready evidence packs: event timelines, affected assets and users, containment steps taken
- Post-incident summary with root cause, attack chain, and remediation recommendations
Reporting Cadence
- Weekly — operations notes: incident metrics, active investigations, and detection tuning changes
- Monthly — executive summary plus hunt report (hypothesis, scope, queries, findings, detections shipped) within 5 business days of month-end
- Quarterly — posture review: ATT&CK coverage analysis, rolled-up hunt synthesis, KPI trends (MTTD/MTTA/MTTC at p50 and p90), and roadmap
Detection Programme
- Use-case catalogue with coverage, health, and tuning history
- ATT&CK coverage map with technique coverage percentage by tactic
- Sigma rule library (client-owned) for portability
- MTTD / MTTA / MTTC metrics by severity with p50/p90 trends
Day-one to steady-state.
- Telemetry plan: source inventory, integration checklist, and data-quality validation
- Initial use-case backlog and detection pack aligned to your risk priorities
- Incident runbooks for your top scenarios with comms templates and escalation matrix
- RACI definition with documented break-glass procedures
- Expedited onboarding available: parallel workstreams across cloud, endpoint, and identity
How we hold your telemetry.
- ISO/IEC 27001:2022-conformant information security programme
- Encrypted case data and evidence in transit and at rest; access controls per engagement
- Defined data retention policy with scheduled secure disposal
- Change control for detection rules and runbooks — all modifications auditable
- Telemetry data processed under signed DPA; subprocessor list available on request
