Sandline — Risk Based Security

Incident Response & Recovery

On-retainer or on-demand response to confirmed incidents. Containment, forensics, recovery and the regulatory notifications NIS2 and GDPR require.

How we work

Incident response is the work nobody plans for at the right level. We run two engagement modes: a retainer that gives you a guaranteed response time when an incident is confirmed, and an on-demand mode for organisations that already have a partial response capability and need surge capacity. Either way, our deliverables include a chain-of-custody-grade forensic record and the regulatory notification packages that NIS2 (24-hour early warning, 72-hour notification, 1-month final report) and GDPR (72-hour breach notification) require.

Outcomes

  • Containment within agreed SLA on retainer (median < 24h)
  • Forensic timeline and root-cause analysis
  • Regulator notification packages drafted and ready to file
  • Post-incident review and a hardened control set

Deliverables

  • Retainer playbook with named handlers and on-call contact
  • Containment and eradication report
  • Forensic timeline (chain-of-custody compliant)
  • NIS2 / GDPR notification draft package
  • Post-incident review (PIR) deck

Engagement Workspace · 90 days free

Included with this engagement: a Centraleyezer SaaS deployment for 90 days where you generate reports on demand. At day 90 it either closes (your DOCX/PDF reports and attestation letter stay with you) or extends as a paid SaaS subscription if you want to keep using it.

Frequently asked

What is the SLA on retainer?

Initial response within 1 hour of incident confirmation, 24/7. Median containment for a confirmed incident is under 24 hours from engagement start. The retainer documents what counts as an incident and what counts as a question.

Do you handle the regulator notifications?

We draft them — NIS2 (24h early warning, 72h notification, 1-month final report), GDPR (72h breach notification), DORA (Article 17 timelines). The legal team or DPO files them; we are not your law firm.

What if we already have an MSSP?

We integrate. Many of our incidents are co-handled with the customer’s existing MSSP — we typically own forensic timeline, root-cause analysis and the regulator-notification draft, while the MSSP runs the detection stack.

Do you destroy data after the incident?

Yes — under a documented data-handling policy. Forensic artefacts are retained for the period agreed in the SOW (typically 12 months for chain-of-custody purposes) and then verifiably destroyed.

Book a 30-minute call

Tell us about the regulation you need to satisfy and the systems in scope. We will come back with a scoping note and a fixed-price proposal within three working days.
