When something goes wrong, who do you call — and is the plan real?
TL;DR. Incident response, disaster recovery and documented runbooks that are tested, not filed. AI-assisted preparation and triage, human-led containment and recovery. A retainer so the answer to 'who do we call' is already known.
What this is about
Most continuity plans are PDFs nobody has opened since the audit. That's not continuity — that's paperwork. We build runbooks that are tested, keep an incident-response capability on standby, and make recovery a rehearsed sequence rather than an improvisation at the worst possible moment. NIS2 wants fast, structured incident reporting; that's only possible if the process, logging and playbooks exist before the incident.
How we run it
We prepare: DR runbooks, recovery objectives (RTO/RPO), pre-authorised access, an IR playbook on file. Agents on Nova9 keep the evidence and telemetry continuous so that, when an incident hits, the timeline reconstructs itself. The standby retainer guarantees a response window; activation brings active incident handling, forensics, containment and recovery coordination — human-led, agent-supported. Afterwards, we produce the structured post-incident report regulators expect.
When it fits
KRITIS and NIS2-scope organisations with mandatory incident reporting. Companies whose DR plan has never been tested under load. Existing SOC customers who want the complete safety net — detection plus the answer to "now what".
What we don't do
We don't hand you a template and call it a plan. We don't improvise recovery. We don't leave the post-incident reporting to you when the regulator is waiting.
What you can hand off
- Tested DR runbooks
  Recovery procedures with defined RTO/RPO, rehearsed — not filed.
- IR retainer (standby)
  Guaranteed response window, pre-authorised access, IR playbook on file.
- Incident activation
  Active handling, forensics, containment, recovery coordination — human-led, agent-supported.
- Continuous evidence
  Telemetry and logging kept current so the incident timeline reconstructs itself.
- Regulator-ready post-incident report
  Root cause, actions, structured reporting to the cadence NIS2/DORA expect.
Engagement facts
| | |
|---|---|
| Standby | Guaranteed response SLA, pre-authorised access, playbook on file |
| Activation | Active incident handling, forensics, containment, recovery |
| DR testing | Runbooks rehearsed, RTO/RPO defined per system |
| Reporting | Structured post-incident report for NIS2/DORA cadence |
| Bundle | Reduced retainer for existing Security Operations customers |
Asked before the briefing
- Is the retainer worth it if nothing happens?
  The retainer guarantees a response window and keeps your runbooks tested and access pre-authorised. The value is that the worst day is rehearsed, not improvised.
- Do you do the regulatory reporting?
  Yes. We produce the structured post-incident report to the cadence NIS2 and DORA expect, with root cause and actions.
- How does this connect to your SOC?
  Detection and continuity are one safety net. Existing Security Operations customers get a reduced, pre-integrated retainer.
- What are RTO and RPO in practice?
  We define recovery-time and recovery-point objectives per system and rehearse against them, rather than asserting a number in a document.
Make the worst day a rehearsed one.
We review your continuity plan against a real scenario and show what tested runbooks plus a standby retainer actually change.