Advisory & Management
We help prepare your organization for an incident - before it happens
We develop incident response plans, create playbooks, run tabletop exercises, and assess organizational readiness. We work in line with NIST SP 800-61r3 (2025) and IEC 62443-2-1, incorporating the three-stage NIS2 notification timeline: 24-hour early warning, 72-hour incident notification, and one-month final report.
Last updated: April 2026
30 minutes with an expert. We'll discuss your challenge, scope the engagement, and provide a preliminary estimate.
Incident Response Planning is a SEQRED service covering IR plan development, tabletop exercises, playbooks, and incident readiness assessment for IT and OT environments.
Most organizations either lack a current incident response plan or have one that has never been tested. According to IBM's Cost of a Data Breach Report (2025), breaches detected in under 200 days cost an average of $3.61M, while those detected after 200 days cost $5.49M - a $1.88M difference driven by response time alone. NIS2 introduces a three-stage notification timeline: 24 hours for an early warning, 72 hours for a structured report with technical assessment and mitigation measures, one month for a final report with root cause analysis. Without preparation, these deadlines are unrealistic. In OT environments, the challenges multiply: you cannot reimage a PLC, forensics on legacy systems are limited, and the priority is process continuity rather than data confidentiality. Isolating an OT network segment may shut down a production line. We help build response capabilities that work under pressure - because we test them before the pressure arrives.
Want to know if this service fits your needs? Tell us about your challenge - we'll tailor the scope.
Scope
Incident readiness assessment - analysis of existing procedures, detection tools, and response capabilities
Incident response plan development (IT + OT) - aligned with NIST SP 800-61r3 and CSF 2.0
Playbook creation for key scenarios: ransomware, data breach, OT/SCADA attack, insider threat, supply chain compromise
Tabletop exercises at three levels: strategic (C-level, crisis communication), tactical (SOC/IT, detection and escalation), operational (OT engineers, segment isolation and recovery)
Crisis communication plan - internal (board, employees) and external (regulator, media, customers)
Regulatory notification procedures aligned with NIS2: 24h early warning, 72h incident notification, 1-month final report. We also cover DORA and national frameworks
Post-incident review framework - root cause analysis, lessons learned, plan updates
IR plan integration with OT environments per IEC 62443-2-1 - accounting for availability priorities, limited maintenance windows, and industrial forensics constraints
Process
Readiness assessment
We analyse existing procedures, roles, tools, and detection capabilities. We verify alignment with NIS2 and IEC 62443-2-1 requirements. We identify gaps in readiness.
Plan development
We create an IR plan tailored to the organization - with clear roles, escalation paths, communication procedures, and regulatory notification timelines. We account for OT-specific requirements.
Playbooks
We prepare playbooks for the most critical threat scenarios - step by step, with checklists, assigned owners, and target response times. Separate playbooks for IT and OT incidents.
Tabletop exercises
We run incident simulations at three levels: strategic (board - decision-making and crisis communication), tactical (SOC/IT - detection, analysis, escalation), and operational (OT engineers - network segment isolation, evidence preservation, recovery). We test the plan under controlled conditions.
Review and improve
We analyse exercise results, identify areas for improvement, and update the plan. We deliver a continuous improvement framework - because an IR plan is a living document, not a one-off project.
Why SEQRED
IT + OT in one team
Most firms do either IT or OT. Our team combines both - from Active Directory pentesting to PLC firmware analysis. That's rare in the market.
We demonstrate, not just report
We deliver proof-of-concept exploits, not scanner output. Your engineering team gets actionable fixes. Your board gets a risk briefing they understand.
Compliance + security together
Our reports satisfy auditors (NIS2, DORA, IEC 62443) AND give engineers real data to improve defenses. One engagement, two outcomes.
We stand with you
We present findings to your board or supervisory board side by side with the responsible person. Or we prepare them for a solo presentation.
Who we serve
We've worked with national energy grid operators, systemically important banks, industrial automation manufacturers, renewable energy operators, and US DoD contractors. Projects anonymized at client request.
Sectors
Banking and finance
Banking application security, DORA and TLPT compliance, cloud environment protection.
Energy
OT network security, SCADA and AMI systems - from power grids to gas, heating and renewables.
Manufacturing and industry
OT audits in PLC, DCS and automation environments - chemicals, food, electronics, machinery.
FAQ
How does an IR plan differ from a security policy?
A security policy defines general principles and requirements. An IR plan is an operational document that specifies who does what and when during an incident - with concrete procedures, checklists, and assigned owners. A policy says 'incidents must be reported'. An IR plan says 'John Smith calls the CSIRT within 24 hours at number X, using form Y'.
What do tabletop exercises look like?
Tabletop exercises are facilitated incident simulations where the client's team walks through a scenario step by step. We run them at three levels: strategic (board - decision-making and crisis communication), tactical (SOC/IT - detection, analysis, escalation), and operational (OT engineers - network segment isolation and recovery). No production systems are required.
Why does OT incident response require a different approach?
In OT environments, you cannot simply reimage a PLC's operating system. Forensics on legacy systems (Windows XP, Modbus/DNP3 protocols) are severely limited. The priority is process continuity, not data confidentiality. Isolating an OT network segment may halt a production line. The IR plan must account for these constraints - which is why we work in accordance with IEC 62443-2-1.
What are the NIS2 incident notification deadlines?
NIS2 introduces a three-stage timeline: 24 hours for an early warning (brief notification about the incident's nature), 72 hours for a structured report with technical assessment and mitigation measures, and one month for a final report with root cause analysis and lessons learned. If the incident is still ongoing, the final report is due one month after resolution.
What is NIST SP 800-61r3?
It is the updated NIST incident response publication released in 2025 - the first revision since 2012. The key change is alignment with NIST Cybersecurity Framework 2.0 and its six functions: Govern, Identify, Protect, Detect, Respond, Recover. Instead of a four-phase incident lifecycle, the new model recognizes that incident preparation is an ongoing element of cybersecurity risk management.
How often should the IR plan be tested?
We recommend tabletop exercises at least once a year and after any significant change in infrastructure or regulations. Organizations in regulated sectors (energy, finance) should consider semi-annual exercises.
How does SEQRED price its services?
Pricing is based on an individual estimate of our consultants' time, considering the project scope and complexity. We present the offer broken down by phases - so you see exactly what you are paying for and can make decisions at each stage.
Can I speak with an expert before making a decision?
Yes - an initial consultation is always welcome and free of charge. We help define the actual scope of your needs, which allows us to prepare a rational offer tailored to your organization.
