
How we manage a detected threat

December 30, 2025

Our 24/7 SOC partner immediately monitors and contains threats at the endpoint. Our internal engineers then follow a defined process to analyze the threat, remove malicious access, and work with the client to remedy the attack vector.

Framework IT's Approach

When a threat is detected, speed and precision are critical. Our layered approach ensures threats are identified, contained, and remediated quickly, minimizing damage and downtime.

Our Threat Detection & Response Process

1. Continuous Monitoring & Detection (24/7/365)

Our third-party Security Operations Center (SOC), BlackPoint Cyber, provides around-the-clock monitoring using advanced threat intelligence and behavioral analysis across:

  • Endpoint activity (SentinelOne EDR and MDR agents)
  • Network traffic (SIEM logging)
  • Cloud platforms (Microsoft 365 and Google Workspace)
  • Email security (Mimecast)
  • Dark web exposure (Dark Web ID)

2. Immediate Threat Containment

When a threat is detected, the SOC takes immediate action:

  • Isolates the affected device from the network to prevent lateral movement
  • Remotely terminates malicious processes, executables, or scripts

This containment happens within minutes of detection, often before significant damage occurs.

3. SOC Alert & Handoff to Framework IT

The SOC notifies our help desk with a detailed alert including:

  • Threat description
  • Affected devices/accounts
  • Actions taken
  • Recommended next steps

This ensures our engineers have the context needed to complete remediation.

4. Framework IT Internal Response Process

Our engineers follow a structured five-step process:

Step 1: Threat Analysis

  • Review the alert
  • Assess incident scope
  • Identify the attack vector
  • Check for signs of data exfiltration or compromised systems

Step 2: Remove Malicious Access

  • Remove malware/backdoors
  • Reset compromised passwords
  • Revoke unauthorized access
  • Restore from clean backups if necessary

Step 3: Remediate the Attack Vector

  • Close the security gap that allowed the threat (unpatched software, weak password, phishing)
  • Apply patches
  • Update security settings
  • Implement additional controls if needed

Step 4: Client Communication & Guidance

  • Notify you of the incident and actions taken
  • Provide recommendations to prevent recurrence
  • Discuss follow-up actions (user training, policy updates, insurance notification)

Step 5: Post-Incident Review

  • Document the incident and resolution
  • Review during your next Strategic Business Review
  • Identify opportunities to strengthen security posture

Important Note: Scope of Breach Remediation

While we provide immediate threat containment and analysis, remediating cybersecurity breaches (ransomware attacks, malware outbreaks, data breaches) is not covered under the managed services agreement. These incidents require specialized response protocols that fall outside standard support. Your vCIO will assess the scope and provide a separate engagement plan for full remediation services.

Insurance Coordination & Approved Vendor Requirements

If you plan to file an insurance claim for a cybersecurity incident, you should notify your cyber insurance carrier FIRST before requesting Framework IT to begin remediation work. This is a critical step that can significantly impact your coverage.

Why Notify Your Insurance Carrier First?

Many cyber insurance policies include specific requirements regarding incident response:

  • Approved Vendor Networks: Some policies require you to use the insurance carrier's panel of pre-approved incident response firms, forensics providers, or remediation vendors. Using a non-approved vendor (including Framework IT) may reduce your coverage or, in some cases, nullify it entirely.
  • Coordination with Carrier-Selected Providers: Your insurance carrier may assign their own incident response team to manage the breach, coordinate forensics, and oversee remediation. In these situations, Framework IT will work alongside the carrier's designated providers to ensure a coordinated response.
  • Pre-Authorization Requirements: Some policies require pre-authorization from the carrier before remediation work begins, particularly for large-scale incidents like ransomware attacks or data breaches.

What Happens If You Still Want Framework IT to Remediate?

If, after notifying your insurance carrier, you request Framework IT to perform incident remediation work, you should understand the following:

  • Billable Services: Incident remediation services are not covered under your managed services agreement and will be billed at Framework IT's then-current hourly rates (unless we agree to alternative terms in writing). This applies regardless of whether the incident is covered by your insurance policy.
  • Waiver of Subrogation: By requesting Framework IT to remediate an incident for which you intend to file an insurance claim, you agree to waive all rights of subrogation for that incident. This means you cannot hold Framework IT responsible if our remediation efforts negatively impact your insurance coverage or claim outcome.
  • No Liability for Coverage Impact: Framework IT and our insurance carriers are held harmless if our remediation efforts result in reduced insurance coverage, claim denial, or any other negative impact on your insurance claim. This protection is necessary because we cannot control or predict how your insurance carrier will respond to the use of non-approved vendors.

Best Practice Recommendation:

To maximize your insurance coverage and avoid complications:

  1. Immediately notify your cyber insurance carrier when a significant security incident occurs (ransomware, data breach, business email compromise, etc.)
  2. Ask your carrier whether they require use of specific approved vendors for incident response and remediation
  3. Coordinate with Framework IT to determine the most effective response strategy that aligns with your insurance requirements
  4. Document all communications with your carrier, Framework IT, and any third-party response firms to support your claim

Framework IT will continue to provide immediate threat containment, analysis, and coordination as described in the response process above, regardless of your insurance situation. However, for full-scale breach remediation (ransomware decryption, forensic analysis, data recovery, etc.), we strongly recommend following your insurance carrier's guidance to ensure maximum coverage.

Client Collaboration

We work closely with you throughout the response:

  • Coordinating with your leadership team
  • Coordinating with your insurance carrier and any carrier-designated incident response firms
  • Providing documentation and evidence to support insurance claims or compliance reporting
  • Providing guidance on internal communications
  • Helping assess whether legal counsel or forensic analysis is needed

What You Don't Have to Do

You will not interact directly with our SOC partner. All communication flows through your Framework IT account team, ensuring a seamless, coordinated response.

Why This Matters

The average cost of a data breach in 2024 is over $4.45 million, and the average time to identify and contain a breach is 277 days (IBM Security). Our layered process ensures threats are detected and contained in minutes, not months, dramatically reducing your risk of financial loss, data theft, and reputational damage.

Examples of Threats We Detect & Respond To

  • Ransomware attacks
  • Phishing-based account compromise
  • Malware infections
  • Insider threats
  • Brute-force attacks
  • Command-and-control communication attempts

Continuous Improvement

After every incident, your vCIO reviews the event during your Strategic Business Review to:

  • Assess whether additional security controls are needed
  • Update policies or training
  • Ensure your cybersecurity posture remains aligned with evolving threats

See How We Respond When a Threat Is Detected

Schedule a Cybersecurity Readiness Review to understand exactly how our team identifies, contains, and resolves potential threats—before they become business-impacting issues.

No scare tactics. No jargon. Just clear insight into how your protection actually works.

Call us at 312-564-5446 to book your call.