Skip to main content
Skip table of contents

Incident Response

As part of our XDR+SOC solution, Armor provides Managed Detection and Response (MDR) services that include investigating and responding to incidents as they arise. Armor continuously monitors your SIEM and analytics planes for alerts, indicators of compromise, and indicators of attack.

Our team of cybersecurity experts will then analyze all of the incoming alerts and indicators to determine the validity of the alerts (checking for false positives, etc.) and then create a customized plan for mitigation, containment, remediation, and recovery. Our team of experts helps prioritize actions and provides strategic and tactical guidance for implementing such action plans.

Incident Response Process

The following section describes the incident response procedure Armor uses to ensure prompt and effective resolution of security incidents. Our Incident Response Plan and Incident Response Policy cover this topic in greater detail and are available to our customers and partners upon request.

Detection and Identification

During this phase, Armor’s systems and human analysts are monitoring for alerts and anomalies generated from the SIEM and analytics planes that have been deployed as part of the XDR solution stack. When malicious activity is detected, Armor will review the context and enrichment data to identify the attack vector and other associated indicators. At this point an incident is created and assigned a priority based on its severity and the classification of affected assets.


The incident is assigned to one or more incident responders who will conduct this phase of incident response. Many of the same tools used in threat hunting will be used in the investigation phase to gain visibility and awareness around the various events that comprise the incident. An incident may consist of a single critical event, or a series of correlated events that must be investigated.

In coordinated efforts between the customer’s incident response team and the Armor incident response team the investigation and detection process may have an iterative approach where both teams are working collaboratively to assist, guide, provide feedback, and support each other until the threat is terminated.

The goal of the investigation phase is to determine the scope and potential cause of the incident.

Containment and Mitigation

Upon determination of the attack vector(s) and probable cause(s) in the preceding steps, Armor will work with your teams to provide steps to you and your teams or vendors to implement containment and mitigation measures. Containment measures may include isolation of a host, system, or application. Mitigation measures may include the blocking of specific traffic, IPs, or disabling of processes and functionality until remediation can take place to correct the behavior or activity.

Remediation and Recovery

A remediation plan is then formulated taking care to preserve any effective containment or mitigation until the remediation is in place and has been validated. The remediation plan will require customer approval before being implemented unless approval has already been explicitly given. Upon approval and scheduling of the remediation plan provisions, the incident will be downgraded to a “Low” priority.

Remediation measures may include repair, modification, patching, upgrading, restoration of backup, or any other requirements to bring the system or asset back into functional working parameters. Recovery will include the running of playbooks or other procedures to ensure all traces of the incident are eradicated from the environment.

In instances where the remediation effort relies largely upon the customer’s team(s), Armor Security’s incident response team will be available to assist, guide, provide feedback, and support as needed.

Once remediation has been completed, a full analysis report and timeline of the incident will be created providing the root cause and any suggestions that may help further secure the environment from such incidents moving forward.


Upon conclusion of the incident, the incident will be set to a “Resolved” state and a meeting of all those who participated in and/or were affected by the incident shall agree upon a date to analyze and review the incident for procedural and plan implications, provide metrics, and identify lessons learned which will be incorporated into action items for future incident response training and goals.


There are two types of response: managed and coordinated, with the primary difference between the two being that coordinated incident response often requires input, approval, or other interactions from you and/or your team, whereas managed incident response is fully managed by Armor.

Managed Incident Response

Managed incident response refers to a response that is fully managed end-to-end without involving any external customer teams. Customers will be notified in accordance with their preferences and legal or compliance requirements. Customers that have authorized Armor to perform all incident response duties will have managed incident response unless the specific incident requires additional input or approval from the Customer.

Coordinated Incident Response

Coordinated incident response refers to a response that is unable to be fully managed end-to-end without closely collaborating with external customer teams. In certain instances, the customer may have their own incident response team with whom Armor’s incident response team will coordinate to help resolve an incident. These incident scenarios are joint efforts between Armor’s incident response team and the customer where Armor will maintain availability and provide guidance until the incident is resolved.

Collaboration Channels

For both managed and coordinated incident response methods, clear and effective communication is essential to delivering security outcomes. Armor recommends real-time collaboration tools such as Slack or Microsoft Teams. Using these tools allows for real-time, historically tracked, and open chat communications with voice and video collaboration available as well. Armor also supports integration and ChatOps automation within these platforms to allow for a single collaboration channel for all incident response activities.

All incidents are also tracked centrally within the Armor Support Center and non-incident support inquiries can be managed here as well. The Armor Support Center is the official channel for support and New support inquiries should be raised here. Issues raised outside of the official channel may not be subject to the Service Level Agreement (SLA) or a specific project deliverable agreement.

Incident Response Preparedness

As detailed in the sections above, effective response to incidents requires coordination and collaboration from all parties involved. There are a few steps that you can take to ensure that you’re prepared to satisfy the portions of incident response for which you’re responsible (as described in our Shared Responsibility Model):

Public Verification of GPG Keys

Throughout the incident response process, sensitive information is often required to be exchanged between collaborative teams. Because of the elevated alert levels during incident response, identity verification of those participating in the response to the incident is critical.

Using tools like Keybase, sharing your public key with Armor via the management console, or other forms of key exchange and verification are good ways of ensuring that the response phase isn’t delayed by identification verification processes that are sometimes significantly time consuming.

Collaboration Channel Sharing

Ensure that the appropriate members of your team have the necessary permissions to accept invitations to join collaborative channels in the chat/video/voice platforms of your choice. When incident response plans are activated, a new channel that is specific to that incident is created and an invitation is extended to the known members of your team.

Frequently other users (such as SMEs for a given set of affected devices) must be consulted to provide details about certain aspects of a system or reference architecture. Your team should have the necessary permissions to invite these additional people to the channel to participate in the response activities.

Ensure Asset Inventory is Current

It is also very important that the asset inventory and classification is as current as possible. This will aid in measuring the footprint and blast radius of a specific attack and will improve the overall response time and accuracy.

Regularly Perform Tabletop Exercises and Drills

Regularly testing this process is important to ensure that any weaknesses or gaps in the process are addressed. Armor provides guided tabletop exercises or drills during onboarding and can help facilitate these periodically throughout the subscription term.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.