The one thing that matters most in cybersecurity is better, quicker incident response, even when we talk about many other crucial capabilities like wider telemetry coverage, deeper threat detection, increased automation, and reduced noise. These are all tools to achieve that goal. So, how does an MSP deliver IR that is effective?


First, let’s define “Response”:


Stage 1: See Something – Use wide attack surface coverage, deep threat intelligence, and smart incident correlation


Stage 2: Say Something – This is typically an escalated alert after sifting through false positives and determining there is a true positive – a legitimate threat, a real incident


Stage 3: Do Something – Take urgent action to disarm the threat, isolate the system, de-escalate user permissions, and more. Once the immediate threat has been addressed, conduct Digital Forensics and Incident Response (DFIR), and update policies and procedures to prevent future occurrences


Detection Before Response


Detection precedes response – you can’t catch what you can’t see


WIDE coverage + DEEP threat detection


  • Process – alert monitoring, intel management, threat hunting
  • People – 24/7, know the threatscape (ATT&CK), know your network, know the tools
  • Technology – Deep Learning EDR / SIEM / UEBA / Threat Intel Platform / Vuln Mgmt



Types of Response:


1. Automatic Response – Performed by tooling and visible to IT/SecOps


  • Firewall blocking a connection
  • Authentication rejecting a login attempt
  • Endpoint protection terminating a process


2. Hybrid Response – Auto detection escalating to human response


  • Weak signal correlated by experts
  • Guided remediation involving asset owner



Incident Response Best Practices:


  1. Enlist 24/7 Managed Detection and Response Professionals
  2. Leverage Automated IR as a Force Multiplier
  3. Share the Load / Share the Responsibility


Responsibility in the Co-managed model:


  1. You establish incident response capability by engaging CYB3R-X as a partner on behalf of your customer
  2. We come to the table with knowledge of attacker tactics
  3. We will perform the detections and, if automated responses are configured, we will execute them
  4. We will analyze, tune, and triage events
  5. We will gather incident artifacts and escalate
  6. You, the customer, will act on guidance
  7. Lastly, we will conduct a root cause analysis, so the incident will not happen again


Enhancing Incident Response with MXDR:


  • Managed XDR for MSPs


Visibility – when evaluating a vendor, you want to partner with one that gives you visibility across the landscape.


Cost – partners like CYB3R-X can get you to market quicker and help you drive down costs


Expertise – this is a challenge, but you need to find a partner who is able to deliver expert, better incident response


  • Collaboration to help you deliver better IR


  • Automated Response (Open XDR platform) & guided remediation (24/7 SOC)
  • Custom Incident Response Playbook
  • Minimize the likelihood of IR and prevent subsequent attacks


In cybersecurity, we talk about a lot of necessary capabilities – wider telemetry coverage, deeper threat detection, increasing automation and decreasing noise, but really it’s about one thing – better, faster incident response!

Are you ready to experience better and faster incident response? Talk to us today or email us at for a demo.