Interconnekt

Incident Response

The worst time to meet your incident responder is during the incident. The first 24 hours decide how bad it gets, and businesses without a plan lose them to panic and scrambling for help. We put the plan, the playbooks, and the responders in place before anything happens - and when it does, you call one number and a documented process starts.

What’s included

Scope that’s actually defined.

Every inclusion below is documented, delivered, and renewable under our standard agreement. No surprise scope. No silent exclusions.

IR plan and playbooks

A documented incident response plan - roles, decision authority, escalation, and contacts - plus per-scenario playbooks for ransomware, business email compromise, lost devices, and data exfiltration.

Retainer and response SLA

Pre-signed terms, your environment documented in advance, and guaranteed responder availability - so containment starts in minutes, not after a day of paperwork. Far cheaper and faster than calling for help cold.

Containment and recovery

Rapid isolation of affected hosts and accounts, credential resets, and blocking attacker infrastructure - without destroying the evidence - then recovery from immutable, offline backups the attacker couldn't reach.

Forensics and root cause

Logs and images preserved before remediation to establish how they got in, what they reached, and whether data left - the evidence that answers the regulator's 'serious harm' question.

Regulator and insurer comms

We run the response and draft the notification, coordinating the OAIC, ReportCyber and the ACSC, your cyber insurer, and affected-party communications to a plan - though the legal duty to notify sits with you as the data holder.

Tabletop exercises

A facilitated walkthrough with your decision-makers before a real incident, so the gaps in roles, comms, and authority surface while they're cheap to fix.

What’s not included

The boundaries, stated up front.

Knowing where a service stops matters as much as knowing what it covers. Here’s what sits outside this engagement - so there are no awkward surprises later.

A promise it'll never happen

No one can guarantee zero incidents. We make them less likely, smaller when they land, and survivable - not impossible.

The legal duty to notify

We run the response and draft the breach notification, but under the Privacy Act the obligation to notify the OAIC and affected individuals sits with you as the entity that holds the data. We'll make sure it's done right and on time; we can't carry the duty for you.

Recovery from backups you never had

We recover from immutable, offline backups - which means they have to exist and be tested before the incident. If they don't, recovery is a salvage operation, and we'll be honest about the odds. This is why backups are the first thing we check.

Legal advice and policy underwriting

We coordinate with your lawyers and your insurer; we don't provide legal advice or broker the policy. Specialist legal and forensic counsel are engagements we bring in, not perform.

How we deliver

A sequence you can hold us to.

Every engagement runs the same four steps. You always know which one we’re in and what comes next.

  1. Prepare

     We document your environment, write the plan and playbooks, agree the response SLA, and run a tabletop so the first time you use the plan isn't for real.

  2. Detect and contain

     When something happens, you call one number. We identify the scope and isolate it fast - hosts, accounts, attacker infrastructure - preserving evidence as we go.

  3. Eradicate and recover

     We remove the attacker's foothold and restore from immutable backups, verifying the environment is clean before it goes back into service.

  4. Learn

     A post-incident review with root cause and the control changes that stop a repeat, fed back into your environment - and your insurer's file.

Frequently asked

The questions we get most.

We have cyber insurance - isn't that enough?

Insurance pays for the cleanup; it doesn't do the cleanup, and it won't pay if you can't show the controls you declared. A retainer is the operational side: who picks up at 2am, who contains it, who preserves the evidence your insurer and the regulator will ask for. The two work together - and most insurers now want to see an IR plan.

What's the difference between a retainer and just calling you when it happens?

Speed and cost. With a retainer we already know your environment, the terms are signed, and a responder is guaranteed - so containment starts in minutes. Calling cold mid-incident means we're learning your network while the clock runs, the forensics are already degraded because logging wasn't in place, and it's slower and more expensive. The retainer is the product; the cold call is the thing people regret.

What are we actually most likely to be hit by?

Business email compromise, by a distance - it's the single most common cyber-insurance claim type for Australian SMEs, around one in two on recent claims data. It's cheap to launch, hard to spot, and walks straight past defences aimed at malware. Ransomware is the one that makes the news, but BEC is the one that empties the account.

Do we have to report a breach, and to whom?

It depends on the breach. If personal information is involved and it's likely to cause serious harm, the Notifiable Data Breaches scheme requires you to assess it within 30 days and notify the OAIC and affected people as soon as practicable. Reporting cybercrime to ReportCyber and the ACSC is separate and additional. We'll walk you through which obligations apply and handle the drafting - the formal notification is yours to make, with us beside you.

Ready when you are

Leave the MSP that doesn’t pick up.

Tell us what your current setup looks like. We’ll send back a quote, a transition plan, and a firm date you’d be onboarded - within 48 hours.

- Response: Within 48 hours
- Format: Written quote
- Discovery call: Not required
- Contracts: No lock-in terms
