Incident Response: Contain the Damage Fast When Something Goes Wrong
Pre-paid incident response retainer with documented runbooks, guaranteed response times, and unused hours that roll into security work. Insurers prefer it. CFOs prefer it to billing surprises during a crisis.
When a cyber incident hits (ransomware encrypting files, a business email compromise draining an account, a credential breach triggering an active intrusion), the first 30 minutes determine how bad it gets. Organisations that contain quickly typically recover. Organisations that do not know who to call or what to do in the first hour watch an incident become a disaster.
North Star, based in Prince George, BC, provides pre-paid incident response retainers for businesses across British Columbia, Alberta, and Yukon. Documented runbooks before you need them. Guaranteed response times. Forensic-quality evidence output for insurance and legal. Unused hours that roll into proactive security improvements.
What Is Included
Pre-Paid Retainer
Block of hours purchased annually at a lower-than-emergency rate: 20, 40, or 80 hours depending on your organisation's size and risk profile. If a major incident consumes more than your block, the hourly rate is pre-agreed and lower than emergency rates. Unused hours roll into security improvement work at year end.
SLA-Backed Response
Critical incidents acknowledged in under one hour, 24/7. Containment work starts before the contract conversation happens; we do not put you on hold while paperwork is processed. Response timelines are documented in the retainer agreement so you know exactly what to expect.
Documented Runbooks
Ransomware, business email compromise, insider threat, and supply chain incident playbooks written for your specific environment before anything happens. Decisions made in advance so panic does not drive the response. Updated annually and after any significant change to your environment.
Forensic Evidence Collection
Evidence-quality imaging and timeline reconstruction. Indicators of compromise hunted across your environment. Output suitable for cyber insurance claims, legal proceedings, and regulatory notifications. Chain-of-custody documentation maintained throughout.
Post-Incident Reporting
Written root-cause analysis, lessons learned, and remediation roadmap. Insurer-ready artifact set including incident timeline, evidence of containment actions, and recovery steps. Supports both internal review and external regulatory or legal obligations.
How It Works
Step 1: Onboard
Document your environment, key contacts, escalation paths, and decision authority for incident response. Runbooks drafted to match your specific context. Contacts loaded into our on-call rotation.
Step 2: Tabletop Exercise
Annual exercise where your leadership team walks through a realistic scenario. We identify the gaps in your runbooks, your communication plan, and your decision-making before an attacker does.
Step 3: Respond
When an incident occurs: contain, eradicate, recover, report. All steps tracked against documented SLAs. You are kept informed throughout. Nothing happens without your authorisation except immediate containment actions.
Step 4: Post-Mortem
Written root-cause analysis delivered within five business days of incident close. Lessons learned and remediation roadmap prioritised by risk. Insurer-ready artifact set provided.
Who This Is For
- BC, Alberta, or Yukon businesses that have cyber insurance but no incident response plan, and know the gap between having coverage and being prepared to use it
- Organisations required by their insurer to have documented incident response capability
- Businesses in sectors where a breach notification obligation exists: healthcare, financial services, legal, government contractors
- IT managers who need a credible escalation path for security incidents they cannot handle alone
What buyers ask before they sign
Why pre-pay rather than just call when something happens?
Emergency incident response rates, when you call without a retainer during an active incident, are significantly higher. More importantly, without a pre-existing relationship, the first conversation during an incident is about contracts, not containment. Retainer clients get an immediate response; new clients get onboarded while the incident progresses. The retainer buys you the relationship, the runbooks, and the right response time before you need them.
What if we do not use all the hours?
Unused hours roll into proactive security improvements at year end: penetration testing, policy documentation, tabletop exercises, or security awareness training. They do not expire.
What incidents are covered?
The retainer covers any cyber security incident: ransomware, business email compromise, credential breach and account takeover, insider threat, and supply chain compromise. The runbooks are written for the incident types most likely to affect your specific environment.
Can you help us notify regulators or insurers?
Yes. Post-incident documentation is written with insurer and regulator requirements in mind. North Star assists with the technical content of regulatory notifications and breach disclosures. Legal advice on notification obligations remains with your legal counsel.
What if we are in the middle of an incident right now?
Call 672-983-1174. We handle emergency response without a retainer in place, billed at emergency rates. The retainer converts the same team to contracted SLA-backed response at a lower rate for future incidents.
Why North Star
North Star is a Prince George-based cybersecurity provider serving businesses across Northern BC, BC, Alberta, and Yukon. Our incident response retainers are designed for SMBs that do not have a security operations centre: you get enterprise-level incident response capability at a price that fits your budget. Runbooks are written for your environment, not copied from a template. Evidence output meets insurance and legal standards.
Get a quote on incident response.
Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.
Frequently asked questions
What are incident response services?
Incident response services involve a systematic approach to managing and addressing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. At North Star, we provide professional expertise to identify the source of the attack, contain the threat, and restore your systems to a secure state while preserving evidence for forensic analysis.
How fast can North Star respond to a security breach?
We offer 24/7 helpdesk support and rapid emergency response for businesses across British Columbia, Alberta, and the Yukon. For critical security incidents, our team prioritizes immediate containment to stop the spread of malware or unauthorised access. We understand that time is of the essence, so we work around the clock to ensure your operations are back online as quickly and safely as possible.
Does my SMB need a formal incident response plan?
Yes, every organisation, regardless of size, should have a formal plan. Cybercriminals often target SMBs because they assume their defences are weaker. A structured plan ensures your staff knows exactly who to call and what steps to take during a crisis, which significantly reduces the risk of data loss and long-term financial damage. North Star can help you develop and test these plans to ensure readiness.
Can you help with ransomware recovery in Alberta?
Absolutely. We provide specialized ransomware recovery services for businesses in Calgary, Edmonton, Red Deer, and throughout Alberta. Our team focuses on identifying the variant of ransomware used, determining if data can be recovered from backups, and ensuring the environment is completely clean before restoration. We also implement improved security controls, such as EDR and advanced backups, to prevent a second attack from occurring.