
Incident response when you don't have an in-house team

How small and mid-market firms actually respond to cybersecurity incidents without a dedicated security team, from MDR coverage to IR-firm retainers to executive decision-making during the first 4 hours.

Atticus Rowan

Mid-market firms face the same incident-response requirements as enterprises. Cyber insurance carriers expect a documented response plan. Customer security questionnaires ask about IR capability. Regulators increasingly expect evidence of incident preparedness. The difference is that mid-market firms do not have dedicated security teams, do not have in-house forensic capability and do not have 24x7 staffed SOCs.

What they have instead is usually some combination of an MSP, an MDR provider, a cyber insurance policy and ambiguous expectations about who does what when something actually happens. The ambiguity is the problem. When an incident arrives at 3 AM on a Saturday and nobody has a clear answer about authority, scope and escalation, the response is worse than the plan looked on paper.

Here is a working model for incident response at mid-market firms without in-house security teams — what each role actually covers, how the pieces connect and how the first 4 hours of a real incident should play out.

The four-role model

Effective incident response at this scale usually involves four distinct roles, each with clearly defined scope and authority.

Role 1, the MDR provider

Specialist 24x7 monitoring and containment of security events on the firm’s telemetry.

Scope:

  • 24x7 triage of alerts from EDR, identity signals and cloud logs
  • Initial containment actions (isolate an endpoint, disable an account, block traffic) per playbook
  • Escalation to the firm and the MSP when a confirmed incident is identified
  • Post-incident reporting

What MDR does NOT cover: forensic investigation, breach notification decisions, legal advice, communications, full environment rebuild.

At a mid-market firm, MDR is the frontline. Most “incidents” are actually individual alerts the MDR handles without ever escalating — a phishing click, a suspicious login, an unusual process. The ones that escalate are the ones that matter.

Role 2, the MSP

Owns the production environment, including the decisions and technical work during incident response.

Scope:

  • Incident response plan ownership, testing and updates
  • Technical execution of containment beyond the MDR’s automated scope
  • Recovery and restoration of systems
  • Evidence preservation and coordination with forensics
  • Internal and external coordination during an active incident
  • Post-incident remediation and hardening

The MSP is the operational lead in most mid-market incidents. The firm’s internal IT owner works alongside the MSP’s lead engineer during the response.

Role 3, the incident response firm

A specialist firm engaged for forensics, legal-qualified response and full-scope incident handling when the incident exceeds MDR + MSP capability.

Scope:

  • Digital forensics (what happened, what data was accessed, what persisted)
  • Ransomware negotiation and payment execution (if applicable)
  • Regulatory notification preparation
  • Law enforcement coordination
  • Expert witness and legal-proceeding support

IR firms are usually engaged via the cyber insurance carrier’s approved panel. The firm might be Kroll, CrowdStrike, Unit 42, Mandiant, Arete, or similar. Engagement is typically on retainer pre-incident (lower cost, guaranteed response) or billed hourly during an incident (higher cost, uncertain availability).

Role 4, external legal counsel

External legal counsel handles the legal-exposure side of the incident.

Scope:

  • Breach notification compliance across jurisdictions
  • Regulatory interface
  • Customer and contract notification obligations
  • Class-action litigation defense if applicable
  • Attorney-client privilege over communications (important for preserving privilege on forensic findings)

Legal counsel is usually engaged via the cyber insurance carrier, with the firm’s regular corporate counsel coordinating.

The firm’s role

With the four specialist roles defined, what does the firm itself actually do?

  • Name a single incident commander. Usually the CEO, COO or CISO if one exists. This person has authority to make decisions the IR process requires (engage the IR firm, notify customers, pay ransom, notify regulators).
  • Maintain the incident response plan. Not write it — the MSP writes it. Maintain it. Review quarterly. Update when staff change.
  • Execute tabletop exercises. Annual at minimum. The plan only works if key people have walked through it before the actual event.
  • Handle executive and board communication during an incident. The MSP runs the response. The incident commander keeps leadership informed.
  • Make business decisions. Whether to pay ransom. Whether to notify customers early or late in the process. Whether to shut down operations temporarily. These are not IT decisions.

The firm’s role is lighter than an enterprise’s, but it is concentrated in decision-making authority. Four specialists cannot substitute for a named, accountable decision-maker.

What the first 4 hours actually look like

A plausible Saturday morning scenario. Ransomware alert fires at 3:47 AM. Here is how the first 4 hours play out under a working model.

3:47 AM, MDR detection

MDR platform flags anomalous behavior on three workstations. Automated playbook isolates the affected endpoints. MDR SOC analyst reviews the events, confirms ransomware deployment attempt. Escalates immediately.

4:15 AM, MSP engagement

MSP on-call engineer receives MDR escalation. Logs in, reviews scope. Initial assessment: early-stage ransomware with partial spread, backup systems appear unreached. Contains the incident at network layer. Calls the firm’s incident commander.

4:45 AM, firm notification

Incident commander (usually COO at this scale) is called. MSP delivers status: isolated scope, no confirmed data exfiltration, backups intact, operations can continue with workarounds at start of business day. Commander initiates the plan.

5:30 AM, IR firm and carrier notification

Incident commander calls cyber insurance carrier’s 24/7 incident hotline. Carrier opens the claim file and connects the firm with their approved IR firm. IR firm’s on-call engineer joins the response.

External breach counsel (via carrier) joins. Claims attorney-client privilege over subsequent forensic communications. Begins preparing the regulatory notification analysis.

7:30 AM, 4-hour status update

Scope confirmed contained. Forensics begins in parallel with recovery planning. MSP begins restoring affected endpoints from known-good images. IR firm begins deeper environment review for any persistence mechanisms. Legal begins initial notification analysis.

At this point, the incident is under control. The work continues for days or weeks (forensic findings, regulatory notifications, communications) but the acute phase is over.

The same scenario without the four-role model often plays out as: detection doesn’t happen until Monday morning, containment is delayed by hours, no IR firm is engaged until mid-week, notification obligations are missed, and recovery takes weeks instead of days.

Pre-incident preparation, what matters most

Six things that make the difference between the working-model response above and a chaotic response.

  1. MDR with clear response authority. The playbook specifies what the MDR can do without approval (isolate endpoints, disable accounts) and what requires escalation. The authority matrix is documented.
  2. Written incident response plan, tested. Plan exists, everyone with a role has seen it, at least one tabletop exercise in the past 12 months.
  3. Named incident commander. One person, with a backup. Both know they are the decision-maker. Contact information is current and reachable 24x7.
  4. Cyber insurance policy with 24/7 claim hotline. The carrier’s incident response coverage includes first-call triage, IR firm access and legal counsel. Claim number is documented in the plan.
  5. Immutable, tested backup. A recent documented restore test means recovery is predictable, not experimental.
  6. Vendor contact list. Primary and backup contacts at MSP, MDR, carrier, IR firm, legal, regulators. Maintained current, accessible without access to the compromised email system.

Firms with all six in place respond to incidents well. Firms with even one gap have some failure mode that shows up at the worst possible moment.
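As an added illustration (not the author's or Atticus Rowan's own tooling), the following Python encodes the authority matrix from item 1 and checks the Saturday escalation chain above against per-stage time targets; the action names, stage names and minute targets are constructed assumptions, and a stage missing from the timeline is flagged the way the "no IR firm until mid-week" failure mode would be.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Authority matrix (constructed, hypothetical action names): what the MDR may do under its
# playbook without approval, versus decisions reserved for the firm's incident commander.
MDR_PREAUTHORISED = {"isolate_endpoint", "disable_account", "block_traffic"}
COMMANDER_ONLY = {"engage_ir_firm", "notify_customers", "notify_regulator", "pay_ransom"}

def mdr_may_act(action: str) -> bool:
    """True if the MDR may execute the action on its own; False means escalate first."""
    if action in MDR_PREAUTHORISED:
        return True
    if action in COMMANDER_ONLY:
        return False
    # An action absent from the matrix is never silently allowed.
    raise ValueError(f"{action!r} is not in the authority matrix; escalate")

# Escalation targets in minutes after detection (constructed assumptions taken from the
# Saturday scenario's stage times, not from any published standard).
TARGETS_MIN = {"msp_engaged": 30, "commander_notified": 60,
               "carrier_and_ir_engaged": 120, "status_update": 240}

@dataclass
class Stage:
    name: str
    at: datetime

def check_escalation(detected: datetime, stages: List[Stage]) -> Dict[str, Tuple[Optional[int], bool]]:
    """Map each target stage to (minutes after detection, met target).
    A stage missing from the timeline is reported as (None, False), which is the
    failure mode where, say, no IR firm is engaged until mid-week."""
    reached = {s.name: int((s.at - detected).total_seconds() // 60) for s in stages}
    return {name: (reached.get(name), name in reached and reached[name] <= limit)
            for name, limit in TARGETS_MIN.items()}

# Constructed timeline matching the Saturday scenario (1 June 2024 was a Saturday).
DETECTED = datetime(2024, 6, 1, 3, 47)
SATURDAY = [Stage("msp_engaged", datetime(2024, 6, 1, 4, 15)),
            Stage("commander_notified", datetime(2024, 6, 1, 4, 45)),
            Stage("carrier_and_ir_engaged", datetime(2024, 6, 1, 5, 30)),
            Stage("status_update", datetime(2024, 6, 1, 7, 30))]

if __name__ == "__main__":
    for name, (mins, ok) in check_escalation(DETECTED, SATURDAY).items():
        when = f"+{mins} min" if mins is not None else "missing"
        print(f"{name:24s} {when:>10s}  {'on target' if ok else 'MISSED'}")
```

Running it against a truncated timeline (for example, only the first two stages) shows the later stages as missing, which is the check worth running after every tabletop exercise.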

The retainer question

Should a mid-market firm retain an IR firm pre-incident, or engage one only when needed?

Arguments for retainer:

  • Guaranteed response time
  • Lower hourly rates during incident
  • The IR firm already knows the environment
  • Some cyber insurance policies provide retainer coverage without extra cost

Arguments against retainer:

  • Annual cost even without incidents ($15,000 to $50,000 typical)
  • For firms that almost never have incidents, this is pure cost
  • Some carriers provide equivalent panel access without a firm-paid retainer

Most mid-market firms at the 100+ employee level benefit from a retainer, usually provided through the cyber insurance policy rather than paid separately. Smaller firms can often rely on carrier-panel access without an explicit retainer.

Where we fit

Atticus Rowan operates in the MSP role within this model. For managed-services clients, we maintain the incident response plan, coordinate the MDR provider, lead the technical response during incidents and connect with the IR firm and carrier per the client’s coverage. The incident commander remains the client’s designated executive — we provide options and execution, not decision authority on matters that belong to the business.

The engagement model includes annual tabletop exercises, quarterly plan reviews and real-incident response as part of the managed services scope. Clients with mature programs often go years without a Severity 1 event. When one happens, the working model above runs as expected.

If your firm lacks a dedicated security team and wants a clear view of what incident response actually looks like for your operating profile, schedule a discovery call. We can walk through the current posture, identify the gaps and scope the work to close them before they matter.