We're one of the original NCSC CIR providers. We're now also providing CIR Level 2 - and it's great.



  • 10/2023

There’s a heck of a lot of noise about Incident Response practise and practitioners; sometimes it’s hard to separate out the good signals from that turbine howl.

Which organizations can you rely on to help out when the chips are down and the stakes are high? One answer is to turn to Cyber Security Incident Response Teams (CSIRTs) recognised by governments as capable of handling the most serious cyber incidents.

Measurements of competence are critical when it comes to Incident Response practises: well-handled responses reduce the resolution window from months to hours or days, and cost a fraction of a poorly-handled incident: remember the average cost of a cyberattack is €180,000, with 60% of smaller companies going out of business within six months.

WithSecure is recognised by the UK’s National Cyber Security Centre (NCSC) for our ability to deal with complex incidents and attacks

WithSecure is recognised by the UK’s National Cyber Security Centre (NCSC) as well as the German BSI for our ability to deal with complex incidents and attacks from motivated, well-resourced threat actors. The NCSC was one of the first organisations of its type to recognise the value of creating a Cyber Incident Response (CIR) register in 2007, and we were there as MWR Infosecurity, a predecessor organization to WithSecure. We’re one of only nine Incident Response teams recognized by the NCSC as a Level 1 Cyber Incident Response provider, capable of handling and providing assistance in advanced incidents graded as Category 1-3 – the most severe on the planet.

So we’re quietly rather happy to be recognised – along with several of our IR peers – as a NCSC Level 2 CIR organization by the NCSC.

Wait – what? Sure Level 1 should cover everything, right? It’s one better. Level 2 is for smaller companies and less complicated incidents – right? Well, yes and no. As the last few years have shown, the big exotic attackers are still around, and still responsible for some high profile efforts – but they’ve been almost drowned out by a wave of criminal gangs using, stealing or hiring tools and access for commercial rather than intelligence gain.

The Level 2 CIR scheme was set up in August 2023 to tackle just this challenge. It helps protect most private sector organizations, as well as charities, Local Authorities and small public sector bodies. These are often teams that don’t have the means to detect and respond to threats themselves, and they may not have fully-formed incident response plans.

This is pretty much a description of many organizations we help with our Countercept Managed Detection and Response (MDR) service and Elements cybersecurity suite. Frankly, the type of incidents Level 2 tackles – ransomware gangs aiming for economies of scale by attacking multiple small organizations – is also the sort of behaviour our Incident Response and Readiness teams observe and defend against every day. At any point in time, our response team of over 50 experts collaborates with clients to resolve several incidents in complex on-premises and cloud environments.

A small number of organizations are recognized by the NCSC as both Level 1 and Level 2 providers – and that’s an indication of how difficult and demanding it can be to maintain the range to address both types of threat. Regardless of whether your attacker is a big exotic beast - or simply a common criminal – we can help.

Related content

Prepare for attacks

With the right partner and preparation, every organization can prevent incidents from becoming crises.

Read more