Incident response, built to contain in hours, not days.
When ransomware hits, a laptop goes missing, or a user clicks the wrong link, minutes matter. Retainer-backed IR from senior, Canadian-staffed forensic analysts — with BreachGuard handling the privacy-law workflow, your SOC handling the technical containment, and one contract holding it all together.
A response that starts before the retainer call ends.
IR is the one service you hope never to use. When you do, the gap between "I think we’re breached" and "the fire is out" is the only number that matters. Here’s what we commit to.
Twelve services, three layers.
Immediate response stops the bleed. Investigation & recovery rebuilds trust. Readiness makes sure you’re never caught flat-footed again.
Immediate Response
Hours 0–72
24/7 IR Hotline
One number, one team, live pickup around the clock. Retainer clients skip the queue entirely.
Incident Triage & Containment
Scope the blast radius, isolate affected systems, revoke compromised credentials. Stop the spread before it becomes a catastrophe.
Digital Forensics & Evidence Preservation
Court-admissible chain of custody. Memory, disk, and cloud artifacts captured before attackers cover tracks.
Ransomware Response
Containment, threat-actor communication protocols, decryption feasibility analysis, and informed recovery decisions. Legal counsel coordinated throughout.
Malware Analysis
Static and dynamic analysis, IOC extraction, and TTP mapping to MITRE ATT&CK. Findings feed into your SOC as detection content.
Investigation & Recovery
Days 3–30
Root Cause & Scope Analysis
How did they get in. Where did they go. What did they take. Documented, evidenced, and explained in a report your board can act on.
Data Recovery & System Rebuild
Backup validation, clean-room rebuild of compromised systems, and verified restoration. No ghost backdoors left behind.
Legal & Insurance Liaison
Breach counsel coordination, cyber-insurance claim support, and evidence packaging to preserve privilege and maximize coverage.
Regulatory Notification
Federal and provincial privacy regulator filings, affected-individual notices, and timeline management — driven by BreachGuard.
Readiness & Program
Before it happens
IR Retainer Programs
Pre-negotiated hours, guaranteed response SLA, and a responder already familiar with your environment. The difference between days and hours.
IR Playbook Development
Incident-class playbooks (ransomware, BEC, insider, data loss) with decision trees, contact matrices, and communication templates.
Tabletop Exercises
Executive and technical tabletop simulations run by senior incident commanders. Find the gaps in a boardroom, not a breach.
Canadian privacy law, wired into every response.
When a cyber incident touches personal information, it stops being an IT problem — it becomes a PIPEDA, Quebec Law 25, and provincial-regulator problem with strict timelines. BreachGuard is the privacy-incident workflow AlecTech built to run in parallel with the technical response: notification thresholds, regulator templates, affected-individual disclosure, and audit-ready reporting, all Canadian-hosted.
- PIPEDA Real Risk of Significant Harm (RROSH) assessment built in
- Quebec Law 25, Alberta PIPA, BC PIPA, and Ontario PHIPA mapped
- Regulator-ready notification templates with timeline tracking
- Privacy-impact assessment and affected-individual disclosure workflows
One MSSP. Every capability on the other end of the phone.
When the call comes in at 2 a.m., it lands with the same team already running your SOC, your IT, and your compliance program. Detections become evidence. Evidence becomes regulatory filings. Filings become lessons learned. All one team, one contract, one chain of accountability.
MDR & SOC
Your SOC detects it. Our IR contains it. Detections and forensic evidence flow between the same analysts.
Managed IT
The team that rebuilds your environment already knows it. No ramp-up, no knowledge-transfer delay.
GRC Advisory
Evidence preservation and filings mapped to SOC 2, ISO 27001, PHIPA, and CyberSecure Canada requirements.
Themis
AI-accelerated forensic analysis — correlates artifacts across endpoints, logs, and cloud in minutes.

From phone ringing to post-mortem in four phases.
The same disciplined playbook every engagement. No surprises on scope, timeline, or deliverables — even in the worst week of your year.
- 01 (Hour 0–1): Activate. Hotline triage, senior responder engaged, bridge opened. ROE signed, scope established, legal counsel looped if needed.
- 02 (Hours 1–72): Contain. Isolate, revoke, block. Preserve evidence. Stop the bleed while BreachGuard starts the regulatory clock if personal data is in scope.
- 03 (Days 3–14): Investigate. Forensic analysis, root cause, scope determination, IOC extraction. Daily updates to your incident commander and legal counsel.
- 04 (Weeks 2–6): Recover. Clean rebuild, monitoring uplift, lessons-learned report, regulator filings submitted, retainer detection content deployed.
Every engagement is led by a named incident commander with a senior forensic analyst and a BreachGuard advisor on the bridge from hour one. You get one point of accountability, not a rotation of ticket-takers.
Deliverables include: incident narrative, forensic timeline, IOC package (STIX/TAXII), executive summary, regulator filings, and a lessons-learned session with your leadership team.
Every finding feeds your SOC as new detection content — so the same incident never happens twice.
Three models. One chain of custody.
The best time to plan for an incident is before it happens. The second-best time is the moment the phone rings. There’s a path for both.
IR Retainer
Pre-negotiated hours, guaranteed SLA, and a responder who already knows your environment.
- 1-hour response SLA, 24/7
- Pre-paid hours at retainer rates
- Environment familiarization on day one
- Annual tabletop exercise included
- Unused hours convert to readiness work
Emergency IR
Already mid-incident with no retainer? We still pick up. Emergency rates apply; response time is best-effort.
- Live analyst on the hotline, 24/7
- Best-effort response time (typically 4–8 hours)
- Full forensic and recovery capability
- BreachGuard workflow engaged immediately
- Option to convert to retainer post-incident
IR Readiness Program
Playbook development, tabletop exercises, and IR training. Preparation, not response.
- Incident-class playbooks (ransomware, BEC, insider, data loss)
- Annual executive and technical tabletops
- IR training for internal responders
- Communication and legal-liaison templates
- Optional retainer add-on
Regulated, high-profile, or both.
Incident response for sectors where a breach triggers regulator obligations, reputational fallout, or both — and the rules that apply when it happens.
Legal Firms
Matter-privilege evidence handling, Law Society of Ontario notification obligations, and insurance-carrier coordination.
Financial Services
OSFI advance-notice obligations, FINTRAC coordination, and reputation-management aligned with regulator expectations.
Aerospace & Defense
Controlled-goods exposure assessment, government notification requirements, and cleared forensic analysts.
The call you hope you never make. Make it easier.
A 15-minute retainer discussion with a senior incident commander — not a sales rep. We’ll walk through your environment, sketch what a response would look like on your worst day, and put a plan on paper before you need it.

