Mid-market firm — Managed Detection & Response.
A UK professional services firm with circa 300 staff inherited a fragmented stack of point security tools after several years of organic growth. With an ISO 27001 certification audit on the horizon, leadership needed a single accountable partner for detection, triage and response.
- Sector: Professional services (consulting)
- Headcount: 250–350 staff, hybrid working
- Regulatory context: ISO 27001 (in progress); enterprise client assurance
- Services engaged: Managed Detection & Response; SIEM tuning; incident runbooks
- Engagement type: Ongoing managed service
- Duration: Onboarding completed inside the first quarter
Published with the client's written permission. Identifying details have been generalised.
Too many tools, no single owner.
The firm operated an endpoint protection suite, a cloud-native email security product, a VPN with basic logging and a SIEM that had never been fully tuned. Alerts arrived in four different inboxes; nobody owned triage end-to-end. The IT manager was spending evenings reviewing alerts personally and still missed routine policy violations.
The upcoming ISO 27001 certification audit required documented detection, triage and response processes, with evidence that they actually operated. Enterprise clients had also begun asking how out-of-hours alerts were handled. The firm needed one partner accountable for the whole detect-and-respond chain, not another tool.
Consolidate, tune, then run.
A fixed-fee scoping workshop produced an inventory of the existing tooling, a consolidation plan and an agreed RACI for incidents. We retained the firm's existing endpoint and email security investments and built an MDR wrap-around rather than forcing a rip-and-replace.
Onboarding ran in three phases: log source integration and SIEM tuning, runbook development with the IT team, then a live cut-over to managed triage with named analysts.
Operating model, not a dashboard.
- Centralised log collection from endpoints, identity, email and cloud workloads.
- Detection content tuned to the firm's working patterns to suppress predictable noise.
- Documented triage playbooks covering phishing, credential abuse, malware and policy violations.
- Defined escalation matrix with named contacts on both sides and clear handover criteria.
- Quarterly tabletop exercise rotating through realistic scenarios for the firm's sector.
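To make "tuned to the firm's working patterns" concrete, the following Python is an added illustration written for this page; it is not the provider's detection content or the client's rules. It runs three simple sign-in rules over a constructed log: a burst of failed sign-ins followed by a success (credential abuse), a sign-in from outside the firm's baseline countries, and an out-of-hours sign-in, where the last rule is suppressed for a known service account inside its scheduled window instead of paging an analyst every night. The working-hours window, the baseline country, the service-account schedule, the failure threshold and the sample events are all assumptions.

```python
"""Added example: tuned sign-in detection with explicit noise suppression. Not the provider's content."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning parameters. All values are assumptions for this example, not figures from the case study.
WORK_START, WORK_END = 7, 20          # local working hours, 24h clock
WORK_DAYS = {0, 1, 2, 3, 4}           # Monday..Friday
BASELINE_COUNTRIES = {"GB"}           # where staff normally sign in from
SERVICE_ACCOUNT_WINDOWS = {           # known scheduled jobs: account -> (start_hour, end_hour)
    "backup-svc": (22, 4),            # assumed nightly backup running 22:00-04:00
}
FAILURE_THRESHOLD = 5                 # failed sign-ins before a success that we treat as suspicious
FAILURE_WINDOW = timedelta(minutes=10)

# Constructed sample sign-in log (ISO timestamps, local time). Not real client data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "country": "GB", "result": "success"},
    {"ts": "2024-03-04T23:40:00", "user": "backup-svc", "country": "GB", "result": "success"},
    {"ts": "2024-03-05T02:15:00", "user": "bob", "country": "GB", "result": "success"},
    {"ts": "2024-03-05T10:05:00", "user": "carol", "country": "RO", "result": "success"},
] + [
    {"ts": f"2024-03-05T10:{m:02d}:00", "user": "dave", "country": "GB", "result": "failure"}
    for m in range(6, 12)
] + [
    {"ts": "2024-03-05T10:12:00", "user": "dave", "country": "GB", "result": "success"},
]


def in_window(hour, start, end):
    """True if hour falls in [start, end), including windows that cross midnight."""
    return start <= hour < end if start < end else hour >= start or hour < end


def is_working_time(ts):
    return ts.weekday() in WORK_DAYS and in_window(ts.hour, WORK_START, WORK_END)


def triage(events):
    """Return (alerts, suppressed): events worth an analyst's time, and noise explained away by tuning."""
    alerts, suppressed = [], []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed sign-ins
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # Rule 1: burst of failures followed by a success -> likely credential abuse.
        window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        if len(window) >= FAILURE_THRESHOLD:
            alerts.append({"rule": "credential_abuse", "user": user, "ts": e["ts"], "failures": len(window)})
        recent_failures[user] = []
        # Rule 2: successful sign-in from outside the firm's baseline countries.
        if e["country"] not in BASELINE_COUNTRIES:
            alerts.append({"rule": "new_country", "user": user, "ts": e["ts"], "country": e["country"]})
        # Rule 3: out-of-hours sign-in, suppressed for service accounts inside their scheduled window.
        if not is_working_time(ts):
            sched = SERVICE_ACCOUNT_WINDOWS.get(user)
            if sched and in_window(ts.hour, *sched):
                suppressed.append({"rule": "out_of_hours", "user": user, "ts": e["ts"], "reason": "scheduled job"})
            else:
                alerts.append({"rule": "out_of_hours", "user": user, "ts": e["ts"]})
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = triage(SAMPLE_EVENTS)
    for a in found:
        print("ALERT", a)
    for s in quiet:
        print("SUPPRESSED", s)
```

The point of keeping a separate `suppressed` list rather than silently dropping the event is evidential: the monthly report can show the auditor both what fired and what the tuning deliberately set aside, and a suppression that starts covering something it should not (a service account used interactively at 03:00 from a new country) still trips the other rules.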
One queue, one owner, audit-ready.
- A single, owned alert queue replacing four separate inboxes and ad-hoc triage.
- Mean time to triage of confirmed events reduced materially within the first quarter (specific figures available under NDA on request).
- ISO 27001 stage 2 audit passed, with the detection and response evidence accepted without a finding.
- The internal IT manager returned to focusing on service delivery rather than overnight alert triage.
Evidence the auditor and the board both use.
- Monthly operational report: alert volume, true-positive rate, triage timings, tuning changes.
- Quarterly governance pack: trend analysis, threat narrative, tabletop outcomes and recommended priorities.
- Incident records: timeline, actions, communications and lessons learned, retained for audit and client assurance.
- Full ticket lineage retained for both ISO 27001 surveillance and supplier assurance questionnaires.
Maturing toward proactive.
With reactive detection stabilised, the next phase introduces threat-led use-case development informed by the firm's sector risks, extends coverage to a recently adopted productivity suite, and aligns the incident response retainer with the firm's annual tabletop programme.
Security services materially reduce risk and improve detection and response, but no provider can guarantee prevention of incidents. Responsibility for compliance certification remains with the customer.
Book a fixed-fee scoping workshop.
We'll outline an engagement shaped around your sector, scale and regulatory context.