When the Alarm Goes Off: What’s Covered by Our IR Services (and What’s Not)

In IT security, clear roles and responsibilities matter — especially during security incidents. But sometimes, the lines between what’s “included” and what’s “extra” can feel fuzzy.

We get that, and we try to handle that fuzziness in a way that’s fair and consistent.

Let’s walk through what is and isn’t covered under your incident response (IR) services with Hungerford Technology, using an analogy that makes it easier to understand.

Think of IR Like a Fire Alarm

If your building catches fire, there’s a process that unfolds:

  1. The smoke alarm goes off
  2. The fire department arrives and puts the fire out
  3. You’re informed about what we think probably happened

That’s our job, and that part is covered under your contract.

In IR terms, here’s what that looks like:

  1. Detect: Our systems identify suspicious behavior or confirmed threats
  2. Contain: We act quickly to isolate the threat. This might include disabling accounts, quarantining machines or killing active sessions
  3. Notify: We inform you about what happened and what action we’ve already taken

These are the core offerings of our IR service. If there’s a fire, we’re the smoke alarm and the firefighters. No extra charge.

What Happens After the Fire’s Out?

The next steps in a real fire would be things like:

  1. Figuring out for sure what started the fire
  2. Dealing with the damage
  3. Rebuilding what has been lost or damaged

That’s not the firefighter’s job. It’s the job of insurance adjusters, general contractors and cleanup crews.

In IR terms, that’s when you move into:

  1. Investigate: Deep-dive analysis to understand root cause, scope and timeline
  2. Remediate: Coordinated actions to fully remove the risk
  3. Recover: Getting systems and people fully back to working order

These are important steps, but they fall outside the core scope of IR coverage.

What is and isn’t covered by IR services is tricky. There is some investigative stuff that we need to do to ensure all threats are gone, but a full-on investigation into the incident is beyond our scope of services.

Where It Gets Fuzzy (and Why We Try to Be Reasonable)

Let’s say we detect a login from a suspicious location. In this scenario, we would lock the account, reset the password, check for signs of compromise and get your employee back online. We find no immediate indication of spread, no malware and no lateral movement.

That’s technically past the “notify” phase, but it still fits inside that idea of something you would expect a good firefighter to handle before leaving the scene.

We treat it that way, too. In most cases, we don’t charge you for those kinds of quick actions even though they aren’t strictly included in your contract.

But if that same incident turns into a long string of follow-ups — like multiple attempts to reach employees, hours of hands-on remediation or detective work to close the loop — then we’ll need to stop and talk about costs that fall outside the spirit of this service.

At that point, it’s not just a response; it’s a recovery effort, which comes with a cost.

We Need to Make Sure the Fire is Out

This is where things get a little complicated.

Sometimes, while we’re still actively fighting the fire (responding to a live threat), we have to take actions that look like an investigation.

For example, we might:

  • Review account activity to see whether the attacker moved laterally
  • Check system logs to ensure the attacker no longer has system or network access
  • Scan for quick indicators that something else was touched

These actions are not part of a full investigation. They aren’t focused on getting to the root cause, building a timeline or documenting a full breach report. They’re part of what it takes to make sure the fire is actually out before we pack up the hoses.

And even though they’re “investigation-style” steps, they’re still part of containment and response. In almost all cases, we consider that covered because it’s necessary and responsible.

The fuzziness comes from where to draw the line. We don’t want to start hours of post-event digging without alignment, but we also can’t declare a threat resolved without doing a basic sweep to confirm it hasn’t spread.

Our goal is to handle this in a way that’s safe, fair and predictable:

  • We do what we need to do to get the threat under control
  • We don’t charge for reasonable firefighting effort, even when it gets close to investigation territory
  • If, after the fire is out, we cross into deeper, longer-term work, we’ll talk with you before proceeding

The Short and Sweet Version

  • Covered: Detect, Contain, Notify — This is the fire alarm and the firefighters. It’s included in IR.
  • Not Covered: Investigate, Remediate, Recover — This is the cleanup and rebuild. It’s situational.
  • Quick Fixes: We’re Flexible. If it’s quick, we usually just handle it. If it’s extensive, we’ll flag it first.
  • Some Investigation Happens During Firefighting: It’s part of containment, not a separate forensic phase.
  • We Draw the Line Transparently: If the response turns into something larger, we’ll talk about it before time is spent.

IR Services Can Save Your Organization

If you ever want to walk through how we’d approach something in the future — or clarify how a past event was handled — reach out to us. Setting clear expectations now saves confusion later and builds trust when the alarm goes off.
