Runbit Labs


Incident Response Command Service.

A four-phase service for organizations responding to cybersecurity incidents and the period that follows — from the first hour through standby readiness. Runbit serves as Incident Response Commander at the direction of outside breach counsel, directing technical execution, coordinating partners, and supporting counsel in defending the client's operational, regulatory, and reputational position.

Command · Contain · Recover

Runbit is not a law firm and does not provide legal advice. Legal analysis, regulatory determinations, and filings are the responsibility of the client's counsel.


A single command structure across the full incident lifecycle.

Cybersecurity incidents do not run on calendar quarters. They begin without warning, escalate within hours, and shape an organization's regulatory, contractual, and reputational position for years. The Incident Response Command Service places a single, accountable Incident Commander at the center of that response — operating at the direction of outside breach counsel, directing technical and operational partners, and supporting executive decisions through the gates that determine outcomes.

The service is delivered in four sequenced phases. Phases can be engaged together or independently; in active incidents, Phase 1 is the typical entry point.

Engagement principles

  • 01 Engaged at the direction of outside breach counsel; work product is prepared at counsel's direction and protected by privilege on that basis.
  • 02 Operational authority by clause: the Incident Commander has decision rights notwithstanding the contractual hierarchy.
  • 03 Independence from technical execution partners; findings are not subject to vendor edit or veto.
  • 04 Carrier-aware billing structured to map invoices to insurance sub-limits.
  • 05 Rotation discipline: by hour 36, a defined off-shift exists; by hour 48, formal rotation.

The four phases

Phase 01

Emergency Response & Containment

T+0 through Containment Certification (≤ 30 days)

The first hours and weeks of an incident — discovery and activation, containment of the unauthorized access pathway, forensic preservation, regulatory-clock tracking, and coordination of all third parties under one command structure.

Activation and War-Room Stand-Up

Within minutes, Runbit declares severity, opens the decision register at counsel's direction, stands up out-of-band collaboration, and coordinates engagement of breach counsel, DFIR, the cyber insurer, and crisis communications under engagement letters issued by counsel.

Identity-Fabric and Network Containment

Tenant-wide credential revocation, conditional-access verification, OAuth-grant audit, ADFS hardening, network and endpoint isolation, and recovery of administrative control — executed by the technical partner under Commander direction.

Forensic Preservation Direction

Direction of the DFIR firm's evidence acquisition and chain-of-custody — endpoint memory, cloud audit logs, helpdesk and ticketing systems, mailbox audit, and any host imaged in connection with the incident — preserved to immutable off-tenant storage.

Regulatory-Clock Tracking

Counsel determines which notification regimes apply; Runbit tracks the resulting clocks and supplies the factual record counsel needs to support each filing — GDPR 72-hour, state and federal cybersecurity-event rules, OFAC pre-payment screening, HIPAA, PIPEDA, downstream-client SEC obligations.

Stakeholder Communications

Drafting and review of internal executive memos, board notifications, all-staff communications, top-tier client briefings, and media holding statements — coordinated with outside counsel and the crisis-communications partner. Regulator filings are drafted and filed by counsel; Runbit supplies the factual content.

Decision Gates and Cadence

Crisis Steering Committee facilitation, sub-daily SitReps, a written decision register prepared at counsel's direction, ransom-posture decision framing under the eight-gate decision tree (final pay/no-pay determination by counsel, CEO, and Board), and the safe-to-restore certification at each system tier.

Outcome of Phase 01

Containment of the access pathway, forensic preservation completed, regulatory clocks tracked, top-tier clients pre-positioned, and an organization that has moved from crisis-acute to crisis-managed under a single, accountable command structure.

Key deliverables

  • Decision register and Situation Reports prepared at the direction of counsel, on a sub-daily cadence.
  • Containment certification — technical sign-off by Runbit and the DFIR firm; acknowledged by counsel.
  • Regulatory-clock tracking dashboard and a factual support pack (records, timelines, IOCs, exhibits) for counsel's notification analysis and filings.
  • Stakeholder-communications drafts for counsel review and finalization (internal, client, worker, media); factual input to counsel's drafting of regulator filings.

Phase 02

Forensic Investigation & Regulatory-Filing Support

Days 31 through 90

Following containment closure and through the resolution of regulatory filings, notification waves, and the early stages of litigation. Runbit directs the forensic investigation at the direction of counsel and produces the factual work product counsel needs to render legal advice and to file with regulators.

Direction of the Forensic Investigation

Runbit directs and challenges the DFIR firm's investigation — initial-access vector confirmation, lateral-movement reconstruction, exfiltration scope, threat-actor attribution. Findings are tested against alternatives before they enter counsel-directed work product.

Root-Cause and Contributing-Factor Analysis

A root-cause memo prepared at the direction of counsel identifies the technical, process, and human factors that produced the incident. Independence is preserved by clause: no party — including any technical execution partner — has the right to amend, soften, or veto findings.

Factual Support for Regulator Filings and Litigation

Factual narratives, IOC schedules, exfiltration-scope analysis, factual content for counsel's notification drafting, chain-of-custody documentation, and technical summaries to support counsel's deposition and witness preparation — prepared at the direction of counsel.

Notification-Wave Coordination

Sequenced notification of regulators, top-tier clients, the broader client roster, affected workers and data subjects, and the public — on a cadence designed by counsel and supported by Runbit's operational tracking and factual record.

Recovery Completion Oversight

Tier-by-tier recovery gating against the safe-to-restore checklist; identity, payroll, client-portal, analytics, and collaboration tiers each gated by DFIR-signed eradication evidence and Commander certification.

Independent Technical Review

Where technical execution is performed by a partner — including a partner who delivered systems implicated by the incident — Runbit conducts an independent review of containment, eradication, and remediation, free of any commercial obligation to soften findings.

Outcome of Phase 02

A factual record of the incident prepared at the direction of counsel; regulator filings substantively supported; notification waves executed in the right order; recovery completed against verified clean state; and a defensible technical story for the litigation counsel manages.

Key deliverables

  • Root-cause memorandum prepared at the direction of counsel.
  • Factual record and exhibits to support counsel's regulator filings.
  • Recovery completion certification — technical sign-off by Runbit; acknowledged by counsel.
  • Technical memoranda supporting counsel's litigation defense, including evidence-handling and chain-of-custody records, technical content for counsel-led witness preparation, and Runbit personnel availability as technical expert witnesses.

Phase 03

Remediation Advisory & Lessons Learned

Days 91 through 180

Converts an incident from a crisis the organization survived into an upgrade in posture the organization can demonstrate. Runbit develops the lessons-learned report at the direction of counsel, advises on the control-uplift roadmap, and prepares the post-incident report and presentation for the board.

Independent Control-Uplift Roadmap

A prioritized, sequenced roadmap covering identity modernization, helpdesk hardening, network segmentation, monitoring uplift, third-party risk re-papering, and backup integrity — each with a named owner, target date, and verification criterion.

Tabletop Refresh Exercise

A facilitated tabletop exercise designed around the same threat profile as the incident, with a deliberate curveball injection to test whether the uplift work has actually changed organizational behavior. Participation by the executive team and the technical partners who executed the response.

Lessons-Learned Workshop and Report

A structured retrospective conducted within 14 days of containment closure, producing a report prepared at the direction of counsel covering timeline reconstruction, dwell-time analysis, contributing factors, what worked, and what would have shortened or prevented the incident.

Post-Incident Report and Board Presentation

The artifact the board, the regulator, and (in some cases) the client roster will scrutinize for years. Runbit prepares the report and the presentation and supports executive delivery; disclosure strategy is determined by counsel with Runbit providing the technical narrative.

Independent Validation

Where post-incident work is being delivered by parties with potential conflicts — including technical execution partners with a stake in the narrative — Runbit serves as the independent voice that validates whether changes are real, sufficient, and durable.

Client and Regulator Engagement Support

Talking points and briefing decks for client executive briefings, and technical-narrative support for counsel-led regulator follow-ups and any counsel-led supervisory engagement arising from the regulatory cascade. Runbit's IR personnel are available to serve as technical expert witnesses; legal-witness preparation is performed by counsel.

Outcome of Phase 03

A demonstrable posture upgrade — written, sequenced, owned, and verifiable — with a tabletop exercise that proves the change. A post-incident report and board presentation that withstands scrutiny and supports counsel in any regulator engagement and the organization's continued license to operate.

Key deliverables

  • Lessons-learned report prepared at the direction of counsel.
  • Control-uplift roadmap with named owners and dates.
  • Tabletop exercise package — design, facilitation, and after-action report.
  • Post-incident report and board presentation; technical-narrative support to counsel for any regulator engagement.

Phase 04

Standby Retainer & Continuous Readiness

12 to 24 months following Phase 2

The optional, post-incident continuation. Runbit retains the relationship, the institutional memory, and the surge capacity to respond if another incident occurs. An annual cadence with included response-credit hours, quarterly tabletop credits, and a defined surge clause replaces the cold-start risk that organizations face after a major incident.

Annual Standby Engagement

A defined annual fee secures Runbit's surge-response capacity for the period of engagement, with named lead personnel and pre-negotiated rate schedules. Cold-start friction in any future incident is removed; activation can be measured in minutes rather than hours.

Included Response-Credit Hours

A bank of advisory hours included in the retainer, drawn down for board updates, change-program reviews, technical support to counsel for any regulator follow-up, and any sub-incident technical analysis that does not rise to a full activation. Hours roll over within the annual term.

Quarterly Tabletop Credits

A facilitated tabletop exercise per quarter, with a rotating threat library — ransomware, business-email compromise, third-party breach, insider threat, public-sector incident — keeping organizational reflexes sharp without burning out the participants.

Annual Readiness Assessment

A structured review of the organization's incident-response readiness against the prior incident's lessons learned and against current-year threat-landscape evolution. Outputs include a readiness scorecard, a delta against last year, and an executive briefing.

Surge Activation Clause

Defined activation paths and response SLAs for a future incident. A pre-positioned Runbit engagement-letter template, pre-approved rate cards, and a named Commander on standby reduce activation friction to a single phone call. Counsel's engagement is separate and arranged with the client's preferred breach counsel.

Continuity of Counsel and Carrier Relationships

Runbit maintains the institutional memory of the prior engagement — counsel relationships, carrier panel positions, vendor introductions, and decision-log context — so that a future incident inherits the work already done rather than restarting from zero.

Outcome of Phase 04

An organization with surge-response capacity locked in, institutional memory preserved across personnel changes, regular reflexes maintained through tabletop discipline, and a continuously updated readiness posture that the board, regulators (via counsel), and clients can see.

Key deliverables

  • Annual readiness assessment and executive briefing.
  • Quarterly tabletop exercises with after-action reports.
  • Pre-positioned Runbit activation pack (engagement-letter template, rate card, named Commander, response SLAs). Counsel's engagement is separate.
  • Drawn-down advisory hours for board updates, change-program reviews, and technical support to counsel for regulator engagements.

In an incident, or planning for one?

For active incidents, contact the Runbit emergency line or your existing point of contact. For pre-incident retainer engagement, tabletop exercises, or readiness assessments, schedule a service call.
