When minutes decide the outcome, we already know the plan.
An incident is not the time to discover you don't have a responder. GMAN IT contains, investigates and recovers, with a rehearsed plan rather than an improvised one. Under 15 minutes to a senior responder, every time.
- <15 minTo a senior incident responder
- 24/7/365Emergency line answered
- EnquireEmergency response, 4-hr minimum
- 0Ransoms paid on our clients' behalf
60% of breached small businesses close within six months. The first hour decides which side you land on.
Panic costs more than the incident itself: a ransom paid to an unreliable actor, evidence deleted in a rush to 'clean up,' recovery attempted without a tested plan. Composure is a discipline. We bring the plan, so the first hour is choreography, not chaos.
The plan exists before the incident does.
Retained incident response means the rehearsal happens on a quiet Tuesday, not during the emergency.
- 01
We build the plan before you need it
A documented, rehearsed incident-response plan, tested in a tabletop exercise rather than left in a drawer.
- 02
We contain within minutes, not hours
The moment an incident is declared, affected systems are isolated and the attacker's access is cut.
- 03
We investigate without destroying evidence
Forensic preservation happens alongside containment, so we know exactly what happened and can prove it to your insurer.
- 04
We recover to a tested target
Restoration follows a rehearsed runbook with a known recovery time, not a best guess made under pressure.
6 controls. One accountable partner.
Every line below is deployed, monitored, and maintained by us — not a part-time attention split across your other vendors.
Deployed and maintained by usIncident Response — Inclusions Ledger
- Documented, rehearsed incident-response planBuilt and tabletop-tested before an incident, not drafted during one.
- 24/7/365 emergency response lineA senior responder, not a queue — see /contact/emergency for an active incident.
- Sub-15-minute engagement on a declared incidentContainment begins inside 15 minutes of an incident being declared.
- Forensic evidence preservationEvidence is preserved alongside containment, so your insurer and your board get a defensible account.
- Tested recovery runbooksRestoration follows a rehearsed process with a known recovery time, not an improvised one.
- Written post-incident report, 10 business daysWhat happened, what we did, and the remediation that closes the exact door used.
Composure, by the minute.
An incident is chaos. Our response is choreography. Here is exactly what happens, and when.
- 0 min
Detect
An incident is declared — by our monitoring, or by your call to the emergency line.
- Within 15 min
Contain
Affected systems are isolated and the attacker's access is cut before it spreads further.
- Within 4 hrs
Eradicate
The cause is removed: the compromised account, the malicious process, the persistence mechanism.
- 24–72 hrs
Recover
Systems are restored from clean, tested backups to a known-good state, not a guess.
- 10 business days
Report
A written post-incident report: what happened, what we did, and what changes next.
We don't describe the work. We show it.
Ransomware, contained before it reached the domain.
- Encryption began on a single file server at 6:40pm on a Friday.
- Monitoring flagged the mass file-rename pattern within four minutes.
- The server was isolated before the ransomware reached the domain controller or the backups.
One server was rebuilt from backup over the weekend. No ransom was considered, and the organisation operated normally by Monday morning.
Also part of Cybersecurity
The best time to plan a response is before you need one.
A Cyber Risk Assessment shows exactly where you stand, and what it takes to close it. Credited toward your first year of protection.