Security Incident Detection & Response

This is a cyber security service to help an organisation detect and respond to attacks.

Our cloud platform collects relevant system data, has a set of threat use cases that analyse it, and then provides timely and understandable reports that describe the incident and provide guidance for the response.

Features

  • Log collection and management
  • Log correlation and analysis
  • 24x7 cyber security incident detection
  • Security incident triage and investigation automation
  • Security incident dashboard and reporting
  • Security incident response guidance and support

Benefits

  • Reduce time to detect cyber security incidents
  • Achieve compliance with NIS Directive Objective C
  • Achieve compliance with EU GDPR
  • Remediate incidents before they impact the business
  • Increase cyber security situational awareness
  • Increase cyber threat awareness
  • Measure effectiveness of cyber security controls

Pricing

£40 to £400 per unit per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID: 166701153266632



Government Sales: 020 7965 7596


Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: The service supports a standard set of logs and threat use cases. These are reviewed on a regular basis. Custom logs and threat use cases can be purchased.
System requirements:
  • Service is optimised for Microsoft Office365 (but this isn't obligatory)
  • Log collection must have access to the internet

User support

Email or online ticketing support: Yes, at extra cost
Support response times: Working days, response to request within 4 hours.
User can manage status and priority of support tickets: No
Phone support: No
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: For service issues we provide 1st, 2nd and 3rd line support.

Security incident reports provide guidance on the recommended response. Additional support for security incidents is provided by our Cloud Support services.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We provide documentation to enable a client to onboard log sources into the service.
We also provide documentation to help a client understand how to use the service.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: Clients will be issued a complete set of their retained logs as held on the production system at the end of contract, conditional on the client providing a suitable storage device.
End-of-contract process: At the end of the contract we will disconnect our service from the client site. The client is responsible for removing any log collection software from their systems, and returning any log collection devices that have been provided.

Using the service

Web browser interface: Yes
Supported browsers:
  • Microsoft Edge
  • Chrome
Application to install: Yes
Compatible operating systems:
  • iOS
  • Windows
Designed for use on mobile devices: Yes
Differences between the mobile and desktop service: Differences are presentational only, with active incidents and dashboards accessible from both.
Desktop service also provides access to historical incidents.
Desktop service also provides access to client logs for additional fees.
Service interface: Yes
Description of service interface: Dashboard and web service interface to view current status, active incidents and trends.
Accessibility standards: WCAG 2.1 A
Accessibility testing: None to date
Customisation available: No

Scaling

Independence of resources: We have adequate spare capacity to minimise the risk that one user will place a disproportionate demand that impacts on other users.

Analytics

Service usage metrics: Yes
Metrics types:
  • Data ingest volumes
  • Security incident detection rates
  • Security incident response times
  • Log source device statuses
Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: United Kingdom
User control over data storage and processing locations: No
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Data is collected by our service either directly from 3rd party cloud services (e.g. Microsoft Office365) or via an agent or device installed in a client's environment.
When a security incident is detected the service will produce a report that will include relevant incident and contextual data.
For an additional fee the client may be able to query and extract elements of their data.
At the end of contract clients can request a complete export of all of their data held on production systems, conditional on them providing a suitable storage device.
Data export formats:
  • CSV
  • Other
Other data export formats:
  • JSON
  • XML
Data import formats:
  • CSV
  • Other
Other data import formats:
  • JSON

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability: The service availability target is 99% excluding planned downtime.
Clients can claim a refund based on a pro-rated service charge for each complete day that the service was unavailable in excess of the target.
Approach to resilience: The architecture of our platform delivers resilience through high levels of redundancy across both the data ingest and analytics clusters. Further information may be made available on request.
Outage reporting: Outages and planned maintenance are reported on the dashboard. Major outages that may render the dashboard inaccessible will be reported by email.

Identity and authentication

User authentication needed: Yes
User authentication:
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels: The architecture is multi-tenanted by design, with strict data labelling to ensure one tenant cannot access another tenant's data. Multiple user roles are provided to separate those users with management or administrative responsibilities from those who are
Access restriction testing frequency: At least once a year
Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: Between 6 months and 12 months
Access to supplier activity audit information: No audit information available
How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: Other
Other security governance standards: Cyber Essentials
Information security policies and processes: We are Cyber Essentials certified and adopt accepted cyber security good practice.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: We have a robust configuration and change management approach. Any material changes to the system are deployed in our Development environment and tested before being deployed to the Production environment.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Our platform is heavily segmented, with multiple layers of defence between zones to reduce the risk that a vulnerability can be exploited. The presentation layer and portal are only accessible to authenticated users and are vulnerability scanned on a monthly basis. Vulnerabilities that are identified are triaged, and the target is that critical vulnerabilities within the presentation layer will be addressed within one week of a fix being available.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: We use the detection service to monitor the service itself for compromise, using multiple custom log sources and threat analytics. Critical incidents generate a call-out event so that they are addressed at any time of the day. If a critical incident cannot be remediated quickly we may close down all or part of the service to mitigate the impact until it is addressed.
Incident management type: Supplier-defined controls
Incident management approach: We have high levels of automation and orchestration within the platform to ensure common events are addressed quickly and consistently. Users can generate an incident through the portal. The incident reports we provide to clients for security incidents that the platform has detected will provide incident data, contextual data, attack type descriptions, and guidance on appropriate response actions.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £40 to £400 per unit per month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Onboarding of Office 365 service data and one month of monitoring services.
