Skip to content
Incident Response

When minutes decide the outcome, we already know the plan.

An incident is not the time to discover you don't have a responder. GMAN IT contains, investigates and recovers, with a rehearsed plan rather than an improvised one. Under 15 minutes to a senior responder, every time.

Already living an incident? Call the emergency line →

Engagement snapshotGMAN IT
<15 minTo a senior incident responder
24/7/365Emergency line answered
EnquireEmergency response, 4-hr minimum
0Ransoms paid on our clients' behalf
The uncomfortable truth

60% of breached small businesses close within six months. The first hour decides which side you land on.

Panic costs more than the incident itself: a ransom paid to an unreliable actor, evidence deleted in a rush to 'clean up,' recovery attempted without a tested plan. Composure is a discipline. We bring the plan, so the first hour is choreography, not chaos.

How GMAN protects

The plan exists before the incident does.

Retained incident response means the rehearsal happens on a quiet Tuesday, not during the emergency.

  1. 01

    We build the plan before you need it

    A documented, rehearsed incident-response plan, tested in a tabletop exercise rather than left in a drawer.

  2. 02

    We contain within minutes, not hours

    The moment an incident is declared, affected systems are isolated and the attacker's access is cut.

  3. 03

    We investigate without destroying evidence

    Forensic preservation happens alongside containment, so we know exactly what happened and can prove it to your insurer.

  4. 04

    We recover to a tested target

    Restoration follows a rehearsed runbook with a known recovery time, not a best guess made under pressure.

What’s deployed

6 controls. One accountable partner.

Every line below is deployed, monitored, and maintained by us — not a part-time attention split across your other vendors.

Deployed and maintained by us

Incident Response — Inclusions Ledger

  1. Documented, rehearsed incident-response planBuilt and tabletop-tested before an incident, not drafted during one.
  2. 24/7/365 emergency response lineA senior responder, not a queue — see /contact/emergency for an active incident.
  3. Sub-15-minute engagement on a declared incidentContainment begins inside 15 minutes of an incident being declared.
  4. Forensic evidence preservationEvidence is preserved alongside containment, so your insurer and your board get a defensible account.
  5. Tested recovery runbooksRestoration follows a rehearsed process with a known recovery time, not an improvised one.
  6. Written post-incident report, 10 business daysWhat happened, what we did, and the remediation that closes the exact door used.
Response timeline
The signature peak

Composure, by the minute.

An incident is chaos. Our response is choreography. Here is exactly what happens, and when.

  1. 0 min

    Detect

    An incident is declared — by our monitoring, or by your call to the emergency line.

  2. Within 15 min

    Contain

    Affected systems are isolated and the attacker's access is cut before it spreads further.

  3. Within 4 hrs

    Eradicate

    The cause is removed: the compromised account, the malicious process, the persistence mechanism.

  4. 24–72 hrs

    Recover

    Systems are restored from clean, tested backups to a known-good state, not a guess.

  5. 10 business days

    Report

    A written post-incident report: what happened, what we did, and what changes next.

Operational security excellence

We don't describe the work. We show it.

Case file · Not-for-Profit · Melbourne · redacted

Ransomware, contained before it reached the domain.

  • Encryption began on a single file server at 6:40pm on a Friday.
  • Monitoring flagged the mass file-rename pattern within four minutes.
  • The server was isolated before the ransomware reached the domain controller or the backups.

One server was rebuilt from backup over the weekend. No ransom was considered, and the organisation operated normally by Monday morning.

Read the full file

The complete teardown — every gap found and closed — sent to your inbox. No call required.

One email, the file, nothing else. We don't sell lists — discretion is the work.

The best time to plan a response is before you need one.

A Cyber Risk Assessment shows exactly where you stand, and what it takes to close it. Credited toward your first year of protection.