Build and optimize your cyber defense center

The success of a cyber defense center depends on many factors. We put your planned or existing CDC on the road to success.

Efficient Cyber Defense Center

Resilience is good, Detection is a must, Response the key!

Cyber security and, in particular, detection and response are still areas that need to be - let's say - optimized at many companies. The simultaneous development of detection and response from 0 to 100 in shortest time usually fails due to competencies, resources, budget and too high expectations.

But where should the focus be? We work with you to develop a strategy for your Cyber Defense Center (CDC) and set the right priorities to make your CDC successful, step by step.

Cdc Coaching EN

Optimizing your CDC jointly

CDC strategy and organization

Everyone in the company, especially top management, should understand what your Cyber Defense Center is and is not capable of. As ISMS and management consultants, we are able to gather and harmonize management expectations as well as internal and external requirements.

We then share best practice approaches and work with you to develop a strategy and action plan for your CDC, aligned with the following areas:

  • Mission statement
  • Scope of duties and offered services and functions
  • Staff training
  • Technology stack
< >

Security incident response prozess

During a workshop, we review your current security incident handling. We adapt the ISO-based Security Incident Management Process (SIMP, see below) to your current environment, your available resources, tools, know-how and corporate culture. We also take into account supporting processes such as content engineering, threat hunting, regular lessons learned sessions or interfaces to the ITIL-driven IT organization.

And together with you, we transform these processes from pure policy documents to pragmatic, helpful guides for the daily tasks within the Cyber Defence Center.

< >

Runbooks and automation

After creating the organizational structure and the SIMP, we define categories for the various incidents that consider both ongoing events (for example, phishing) and the more serious cases (for example, compromised web servers).

For these categories, we sharpen and optimize your detection and response capabilities:

  • We check whether you can detect the selected incidents reliably and across the board at all.
  • We define severity levels and the associated prioritization and response times. We also define the investigative goals for each incident.
  • For 1st level analysts, we prepare checklists for quick and correct categorization and prioritization of new incidents.
  • For the processing of the respective incidents, we create detailed runbooks that describe all steps for immediate measures (containment), analysis, remediation and recovery.
  • And we support you in automating individual analysis steps in your SOAR (Security Orchestration, Automation, and Response).


< >

Trainings and simulations

Even though your CDC staff will receive plenty of on-the-job training with phishing and malware samples fairly quickly, it cannot replace in-depth schooling. Team members should be able to expand their expertise individually to cover more and more areas.

In addition, like any fire department, your cyber defense center should train to handle large incidents.

  • Red vs. Blue or Purple Teaming put the Cyber Defense Center in the spotlight and train CDC processes and incident handling with targeted simulations.
  • Crisis team drills train the joint response of the crisis team, the PR department, and individual specialists such as the CDC team.

From our point of view, both types of training are of great importance for effective incident processes.

< >

Continuous improvement

Forensic know-how, processes and automated runbooks do not automatically lead to a "world class" cyber defense center. It requires other factors, resources and ongoing development. These include a clear mandate, regular management reporting, clean communication of internal services, optimization of runbooks, and evaluation and implementation of new technologies, such as current endpoint detection and response tools (EDR).

In a systematic assessment, we regularly check the maturity level of your CDC in terms of organizational parameters, processes, available analyst resources and tools. In doing so, we are guided by the SIM3 model of the Open CSIRT Foundation and the Mitre Att&ck Framework.

< >

Do you want to build or optimize a cyber defense center?

Let us exchange information about your current situation in a web meeting. We will also be happy to provide you with references to "World-Class" CDCs in our customer base if required.
Yes, let's talk

The Security Incident Management Prozess (SIMP)

Plan & Prepare

Ideally, you are prepared for an emergency, know the key threats to your assets and attack scenarios, and have appropriate contingency plans, with sufficient resources and competencies, as well as supporting tools.

On demand, we support you in organization-wide readiness, starting with risk management, business continuity management, and crisis team drills. We are also happy to support your CDC, SOC or CERT through coaching as described.

Plan & Prepare

Good preparation is half the battle
< >

Detection and reporting

Once the house is in flames, you can' t avoid a total loss. Rapid detection is therefore extremely important, even in the case of cyber security incidents. On average, attackers can still spend months in other people' IT systems before they are detected. Way too long!

You need automated systems (SIEM, EDR, etc.) and sensitized employees to detect and handle attacks as quickly as possible. Of course, not every security message is an incident. The trick is to filter the flood of security messages in such a way that a manageable number remains, but without filtering too much and thus becoming blind in one eye. We train the detection with your CDC in adversary simulations.

Detection and reporting

Detection is a must
< >

Assessment and decision

If you have detected a real incident, the first thing you should do is determine the severity, because depending on the extent, complexity and urgency, different departments may or must be called in.

We work here with a field-tested quick questionnaire that gives us an initial overview. In supplementary phone calls, we collect further details and relevant information and - depending on the situation - already initiate initial containment and analysis measures.

Assessment and decision

Determine the severity and take appropriate action
< >


The actual response is structured into three parallel phases:

  • Containment (immediate measures): depending on the incident, we recommend immediate measures to limit further damage, such as isolating systems or blocking malware communication.
  • Analysis: in the analysis, we use our IT forensic experts and incident response scanners to get a picture of the situation and the underlying causes. These findings lay the foundation for Remediation.
  • Remediation: based on the analysis results, remediation measures are defined and implemented: clean up or reinstall compromised systems, regain integrity and implement improved protection measures. The Remediation phase is initiated in parallel with the other response phases.

For more details on the response phase, see Incident Response.


Giving the right response to the emergency
< >

Lessons learned

After the incident is before the next incident. Continuous improvement processes (CIP) complete the security incident management process (SIMP). In addition to classic "lessons learned" meetings (what went well in the incident response, what didn't go so well, what can we do better next time), typical key performance indicators (KPIs) are also defined and regularly reviewed, such as the number of incidents detected, the average time to detection or the time to response.

Lessons learned

Constantly getting better
< >