Security incident? Call: +48 732 059 711
Incident Response Planning

Before crisis — a plan. When crisis — a path

An incident does not announce when it is coming. We build readiness — NIST IR procedures, roles, playbooks, SOC/SOAR integration. Tabletop exercises test the plan live. When things fall apart, you will be ready.

Who is it for?

  • Companies without a formal incident response plan
  • Organisations with an IR plan that has never been tested
  • Companies with SOC/SIEM wanting better playbook integration
  • Entities preparing for an audit (NIS2, DORA, ISO 27001)
  • Business leaders wanting to know if the company is actually ready

What you get

Outcomes

Incident Response Plan (document)

Procedures written for your infrastructure: how to recognise an incident, who decides, crisis contacts, escalation, internal and external communication.

Incident definitions (incident taxonomy)

What is an incident? How do we classify it? Severity levels (P1–P4), example incidents, warning signs. Every team member knows what to report and when.

Roles and responsibilities

Incident Commander, Evidence Officer, Communication Lead, Technical Lead, Legal/Compliance — everyone knows what they do and who they report to.

Playbooks (procedure templates)

Step-by-step: Data breach, Ransomware, DDoS, Insider threat, Cloud incident. Every playbook is an action list, not improvisation.

SOC/SOAR integration

If you have a SOC, we will integrate playbooks with your SIEM (Splunk, ELK, Wazuh). If you need SOAR (Phantom, Demisto, Tines), we will help deploy automation.

Tabletop exercises (crisis drills)

One or more crisis drills: simulations of real incidents. They reveal gaps in procedures and build crisis muscles in the team.

How we work

IR planning in 5 phases

  1. Assessment — where are you now?

    Current state audit: do you have an IR plan? Is it tested? What is your SOC/SIEM status? What infrastructure do you have? Interviews with key people.

  2. Design — what do you need?

    Plan draft: roles, procedures, playbooks, incident definitions. Based on NIST IR and SANS IR. Scaled to your processes and culture.

  3. Implementation — procedures, tools, training

    Finalise documents, implement playbooks in the SOC (if present), train the IR team, establish crisis contacts.

  4. Testing — tabletop exercise

    Incident simulation: the team works through the procedures. We discover what works and what does not. Report with gaps and recommendations.

  5. Maintenance — review and updates

    The plan is reviewed annually and updated for new threats and infrastructure changes. Annual tabletop exercises keep the muscles strong.

FAQ

Frequently asked questions

Is an IR plan mandatory?
NIST, DORA, NIS2 — all require incident response capability. To be exact: not always a formal "plan", but capability. We build both the plan and the capability.
How long does it take to build a full IR plan?
Assessment: 2 weeks. Design: 2–3 weeks. Implementation: 2–4 weeks. Total: 2–3 months, depending on size and complexity.
Do we need a SOC to have a good IR plan?
No. But if you have a SOC, we will integrate it. If you do not, playbooks will be manual, but equally effective. A SOC is an optimisation, not a requirement.
How often should we exercise (tabletop)?
Minimum once a year: an annual tabletop. If you have a high risk appetite, twice a year. After an incident, always organise a post-mortem.
Does an IR plan change quickly?
The foundation (roles, escalation, definitions) changes rarely. Playbooks are updated annually or when infrastructure changes. Always fresh.

Start with a readiness assessment

In 30 minutes, we assess where you are now and what we undertake first.