Security Incident Response: Is Your IT Firm’s Plan Documented or Just a Sales Promise?
Every IT firm you have ever spoken to claims they handle security incidents. The pitch usually goes like this: “We monitor your environment 24/7, and if anything happens, our team jumps on it immediately.” It sounds reassuring – but a credible security incident response process is verifiable long before a breach occurs. This post gives you specific procedural questions that separate firms with documented, rehearsed plans from firms that are improvising under pressure.
- Why Verbal Promises Fail When the Fire Starts
- What a Real Security Incident Response Plan Actually Looks Like
- The Specific Questions to Ask Before You Sign Anything
- Red Flags That Signal an Improvised Security Incident Response
- Why Rehearsal Matters More Than Documentation Alone
- What the Right Questions Actually Reveal About Your Vendor
- How to Make the Final Call on a Vendor
Why Verbal Promises Fail When the Fire Starts
A verbal promise during a sales conversation is not a process. It is a statement of intent made by someone whose job is to close the deal – not to personally contain a ransomware attack at 2 a.m. on a Saturday. The engineers and support staff who will actually respond to an incident at your company were not in that sales meeting and have never heard the promises made on their behalf.
That is not cynicism – it is organizational reality. Good intentions do not survive an unplanned crisis without a written plan to anchor them. According to the Cybersecurity and Infrastructure Security Agency (CISA), organizations without a documented incident response plan take significantly longer to contain breaches and pay materially higher costs. The difference between a rehearsed plan and none at all is measured in hours of exposure – and in your case, that translates directly to operational downtime, client notifications, and potential regulatory consequences.
If you are the CEO or COO signing a managed IT contract, you are personally accountable when something goes wrong. That means you need to ask the hard procedural questions – not let a sales deck answer them for you.
What a Real Security Incident Response Plan Actually Looks Like
Before you can evaluate a vendor, you need a baseline for what “good” looks like. A genuine security incident response capability is not a single document in a folder – it is a living set of procedures that people have actually practiced.
The non-negotiable components of a credible plan include:
- A written Incident Response Plan specific to the environments they manage – not a generic template pulled from the internet.
- Defined roles and responsibilities: who declares an incident, who leads containment, who communicates with the client, and who handles forensic documentation.
- A clear severity classification system – not every alert is a crisis, and a good firm triages quickly and communicates the right level of urgency to you.
- Documented communication protocols: when you get called, who calls you, what information they provide, and at what intervals – written down, not improvised.
- Containment and recovery playbooks for the most common attack types: ransomware, credential compromise, phishing-driven intrusions, and data exfiltration.
- Post-incident review procedures: a formal process for analyzing what happened, how the environment was restored, and what changes were made to prevent recurrence.
- Evidence of regular tabletop exercises or simulated incident drills – ideally at least annually, with documented outcomes.
If a vendor cannot describe most of these elements specifically and without hesitation, that is not a mature security incident response program. It may be a capable IT help desk with good intentions – but those are two different things. For a broader look at how cybersecurity preparedness fits into your overall IT strategy, visit our cybersecurity services page.
The Specific Questions to Ask Before You Sign Anything
These questions are designed to surface the difference between firms that have built a real process and firms that have built a convincing story. Ask them directly. A firm worth hiring will welcome the specificity.
1. “Can you show me your Incident Response Plan document?”
Not a summary. Not a slide. The actual document, or a redacted version of it. Any firm managing security incident response for clients should have this available for prospective clients to review. If they call it proprietary, ask them to walk you through the major sections in detail. Vagueness here is a serious warning sign.
2. “Walk me through the last real incident you handled – step by step.”
You are not asking for client names. You are asking for a timeline: when did monitoring surface the anomaly, who made the first call, what was contained and when, how was the client communicated with, and what happened in the 72 hours after containment. A firm with a real security incident response process can reconstruct that narrative from documented incident logs. A firm without one will give you a vague story.
3. “Who specifically is responsible for declaring an incident at 11 p.m. on a Sunday, and what is their personal escalation path?”
Names, roles, backup contacts. Not “our team.” If the answer is “our on-call engineer,” ask: how is that person selected, how are they notified, what authority do they have to act without waiting for a manager, and who covers them if they are unavailable? A real plan has those answers documented.
4. “When and how will I be notified if something is detected in my environment?”
The answer should include: the specific trigger threshold for client notification, the communication channel (phone call, email, text), the maximum elapsed time between detection and your first notification, and who from their team makes that call. “As soon as we know something” is not a protocol – it is an aspiration.
5. “What does your post-incident review process look like, and will I receive a written report?”
Recovery without documentation is just hoping the same thing does not happen again. A credible firm produces a written root-cause analysis after every material incident, shares it with the client, and implements documented changes. Ask to see an example (redacted). This question also surfaces whether the firm treats incidents as learning events or as fires to extinguish and forget.
6. “When did you last run a tabletop exercise or incident simulation, and what did you change as a result?”
This is the question that separates firms that have tested their security incident response plan from firms that have merely written it. If the answer is “we do them regularly,” follow up: when was the most recent one, what scenario did you simulate, who participated, and what specific procedural change came out of it? If they cannot answer that last part, the exercises either did not happen or were not taken seriously.
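The plan components listed earlier (severity classification, notification thresholds, escalation paths with backups) and questions 2 through 4 above all reduce to commitments that can be measured against an incident log. The Python script below is an added example, not part of the original post and not Xact IT's own tooling: it takes a constructed incident log, classifies each entry by severity, checks the detection-to-notification interval against a documented per-severity limit, and walks an escalation roster until it finds someone available. The severity keyword rules, the time limits, the roster names and the log entries are all assumptions made up for illustration; a vendor's real plan supplies its own values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed policy: maximum allowed time between detection and the first
# client notification for each severity tier. None means no real-time call
# is owed for that tier (it is reported in the periodic review instead).
NOTIFY_WITHIN: Dict[str, Optional[timedelta]] = {
    "critical": timedelta(minutes=15),
    "high": timedelta(minutes=60),
    "medium": timedelta(hours=4),
    "low": None,
}

# Constructed escalation roster, in the order the plan says to try them.
ROSTER: List[Tuple[str, str, bool]] = [
    ("primary on-call", "A. Primary", False),   # unavailable tonight
    ("backup on-call", "B. Backup", True),
    ("duty manager", "C. Manager", True),
]

# Constructed keyword rules standing in for a real plan's severity matrix.
SEVERITY_RULES: List[Tuple[str, str]] = [
    ("ransomware", "critical"),
    ("exfiltration", "critical"),
    ("credential", "high"),
    ("phishing", "medium"),
]


@dataclass
class IncidentRecord:
    incident_id: str
    indicator: str
    detected_at: datetime
    client_notified_at: Optional[datetime]


def classify(indicator: str) -> str:
    """Return the severity tier for an alert description; default is 'low'."""
    text = indicator.lower()
    for needle, severity in SEVERITY_RULES:
        if needle in text:
            return severity
    return "low"


def resolve_on_call(roster=ROSTER) -> Tuple[str, str]:
    """Walk the documented escalation path and return the first available person."""
    for role, name, available in roster:
        if available:
            return role, name
    raise RuntimeError("escalation path exhausted: nobody on the roster is available")


def evaluate(rec: IncidentRecord) -> dict:
    """Check one record against the notification limit for its severity."""
    severity = classify(rec.indicator)
    limit = NOTIFY_WITHIN[severity]
    result = {"id": rec.incident_id, "severity": severity,
              "notification_required": limit is not None,
              "elapsed_minutes": None, "met": True}
    if limit is None:
        return result                      # nothing owed in real time
    if rec.client_notified_at is None:
        result["met"] = False              # a required call was never made
        return result
    elapsed = rec.client_notified_at - rec.detected_at
    result["elapsed_minutes"] = elapsed.total_seconds() / 60
    result["met"] = elapsed <= limit
    return result


def missed_notifications(records) -> List[str]:
    """Incident ids whose client notification was late or missing."""
    return [r["id"] for r in map(evaluate, records) if not r["met"]]


# Constructed incident log: the kind of timeline question 2 asks a vendor to reconstruct.
SAMPLE_LOG = [
    IncidentRecord("INC-001", "Ransomware encryption activity on FS01",
                   datetime(2024, 3, 10, 2, 5), datetime(2024, 3, 10, 2, 17)),
    IncidentRecord("INC-002", "Credential stuffing against VPN portal",
                   datetime(2024, 3, 11, 22, 40), datetime(2024, 3, 12, 0, 10)),
    IncidentRecord("INC-003", "User-reported phishing email with attachment",
                   datetime(2024, 3, 12, 9, 0), datetime(2024, 3, 12, 11, 30)),
    IncidentRecord("INC-004", "Low-confidence port scan from external range",
                   datetime(2024, 3, 12, 13, 0), None),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(evaluate(rec))
    print("missed:", missed_notifications(SAMPLE_LOG))
    print("on call:", resolve_on_call())
```

Run against the constructed log, INC-002 is flagged: a high-severity credential incident was notified 90 minutes after detection against a 60-minute commitment, while the low-severity scan is correctly not counted as a miss because the policy owes no real-time call for that tier. The point for a buyer is that a vendor whose plan states these numbers can produce exactly this kind of check from their own incident logs; a vendor whose plan says "as soon as we know something" cannot.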
Red Flags That Signal an Improvised Security Incident Response
Some warning signs are subtle. Others are obvious once you know what to listen for. Watch for these patterns across sales conversations and vendor evaluations:
- The salesperson answers every security incident response question by describing monitoring tools and technology – but never describes human procedures or escalation paths. Technology detects. People respond. If there is no “people” layer, the process is incomplete.
- When you ask for the written plan, you are told it “varies by client situation” or that they “customize their response.” Some customization is legitimate. No documentation is not.
- Response time claims are vague: “we respond quickly” or “our team is always available.” The only claim worth anything is a specific number with a defined starting point. For reference, our own target is a 15-minute initial response – typically a live answer – and that applies to the first acknowledgment, not just the ticket queue.
- No mention of post-incident review, root-cause analysis, or client reporting. A vendor who does not discuss what happens after containment has not built a complete process.
- Inability to describe a real incident without going vague or generic. Experience leaves specific memories. Firms that have handled real incidents under a documented process can describe them with detail and precision.
- No external validation of their security practices. Any IT firm managing security for clients should be willing to describe how their own practices are audited independently. If they cannot, you are trusting their word entirely.
Why Rehearsal Matters More Than Documentation Alone
A written security incident response plan that has never been tested is a hypothesis. It describes what people expect to do under conditions they have never faced. When a real incident hits – with the pressure, the uncertainty, and the speed that real incidents carry – people default to habit and muscle memory, not to documents they read once during onboarding.
This is why tabletop exercises and simulated drills are not optional extras. They are how a written plan becomes a practiced reflex. The NIST Computer Security Incident Handling Guide (SP 800-61) explicitly identifies testing and exercises as core components of an incident response capability – not nice-to-haves.
When you are evaluating a vendor, the rehearsal question is one of the clearest signals available to you. Most firms will have written something down. Far fewer will have actually practiced it, documented the gaps they found, and updated the plan accordingly. That gap is where the real difference lives.
At Xact IT, our security incident response procedures are part of the same security framework that earned us the GTIA Cybersecurity Trustmark – assessed annually by a CREST-accredited external auditor against CIS Critical Security Controls. That external validation is not a marketing badge. It is evidence that our processes were reviewed by someone with no incentive to tell us what we want to hear.
What the Right Questions Actually Reveal About Your Vendor
There is a meaningful difference between a vendor that can describe their security incident response procedures and one that can demonstrate them. When you ask the questions in this post, you are not just gathering information – you are watching how the vendor responds to scrutiny.
A firm with a mature security incident response culture will not be rattled by procedural questions. They will have answers ready, or they will say honestly, “Let me connect you with our security lead so you get the precise details.” Both are acceptable. What is not acceptable is deflection, pivoting to product features, or answers that shift between conversations.
Also worth asking: can they provide references specifically from clients who experienced a security incident while under their management? A firm proud of its breach response will have clients willing to describe the experience. Firms that have never managed a real incident – or managed one poorly – will not produce that kind of reference. For a broader review of what a full-service IT engagement should include, visit our managed IT services page.
How to Make the Final Call on a Vendor
After asking the questions above, you will have one of three outcomes. The vendor answers specifically, confidently, and with documentation to back it up. The vendor answers partially – some specifics, some gaps, genuine effort to be transparent. Or the vendor deflects, pivots to technology features, or gives answers that contradict each other under light follow-up.
The first outcome is what you are looking for. The second is a firm that may be worth continuing to evaluate if they are actively building maturity. The third is a firm that will surprise you at the worst possible moment.
One more thing worth saying directly: zero client breaches over 20 years – the record Xact IT has held since our founding – does not happen by accident. It happens because the processes that prevent breaches are documented, maintained, tested, and treated as a non-negotiable organizational commitment. You can learn more about how we approach this on our cybersecurity services page.
You are the person accountable to your board, your clients, or your stakeholders if something goes wrong. The questions in this post let you walk into that accountability with your eyes open. Ask them of every vendor you evaluate. Specific, documented, rehearsed answers will tell you everything you need to know about whether a firm’s security incident response capability is real – or just a sales promise.
Book a Free Cybersecurity Strategy Call and see exactly how our incident response process works – before you need it.
Want a Walkthrough of Your Own Setup?
Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.