It's 2:14 on a Tuesday morning. A member of your team opened what looked like a supplier invoice on Monday afternoon. Somewhere inside that PDF was a credential harvester. By 9pm their Google account was compromised. By midnight, someone had been quietly working through your Shared Drive.
You don't know any of this yet.
When you sit down at your desk at 8:45am, you'll have forty-odd emails and nothing obviously wrong. It'll be your finance lead who spots something first — a reply-all to a message they definitely didn't send. By the time you've worked out what's happened, the attacker has had almost sixteen hours in your systems.
That's the scenario most small businesses are actually living in. Not because they're reckless — because they don't have anything watching.
Why the first hour is the one that matters
In incident response there's a concept called the Golden Hour — the window in which your response determines whether a security incident becomes a manageable disruption or a serious business crisis. Detect and contain something within sixty minutes, and you're dealing with a limited, recoverable problem. Find out three days later, and you're looking at a very different situation: wider data exposure, longer recovery, potential ICO reporting obligations, and the awkward conversation with clients about why their details were in a system you weren't monitoring.
The difference between those two outcomes isn't usually the nature of the attack. It's how fast the response begins, and whether the infrastructure to respond was already in place before anything went wrong.
Minute by minute: what the first hour looks like
Minute 0 — Detection: does anyone even know?
Without the right controls
Nothing. The threat has been inside your systems for hours, and no one is watching. You'll find out when someone notices something strange — if you're lucky, that's tomorrow morning. If you're not, it's a client call next week.
With GetBulwark
Every managed device runs Huntress — a managed detection and response platform with a 24/7 Security Operations Centre. When the credential harvester executes, a Huntress analyst reviews the alert within minutes. At 2:14am, a human is already looking at it.
GetBulwark uses Huntress for managed detection and response. Their median time to respond is 8 minutes. That's not a target — it's the actual published figure. Which means the window between "something bad happened" and "someone is doing something about it" is measured in minutes, not days.
Minutes 0–15 — Containment: can you stop the spread?
Without the right controls
Even if you've spotted something, what do you actually do? Calling an IT freelancer at 2am isn't realistic. Turning a laptop off isn't containment — it's hoping the threat hasn't already moved to other accounts or devices.
With GetBulwark
The SOC can remotely isolate a compromised device from the network within minutes, cutting off lateral movement before it starts. The threat stays on one machine. Everything else keeps running.
"The difference between a manageable disruption and a full crisis usually isn't the attack itself — it's how quickly the response starts."
Minutes 15–30 — Assessment: what was actually accessed?
Without the right controls
Without audit logs, without backup visibility, without a clear picture of what existed before — you're piecing together a timeline from fragments. Did they access your client files? Your accountancy data? You genuinely don't know, and finding out will take days.
With GetBulwark
Every client has automated cloud backup running continuously, including Google Workspace data. That means we have a clear, time-stamped picture of what existed before the incident, what changed, and when. The assessment is structured and fast, not a hunt through email threads.
Minutes 30–60 — Communication: who do you tell, and what do you say?
Without the right controls
This is where bad decisions get made under pressure. Do you notify clients now, or wait until you know more? What are your ICO reporting obligations? Do you call a solicitor first? Most small businesses are working this out on the fly, while their inbox fills up.
With GetBulwark
Every engagement includes an incident response plan — a short, clear document that answers these questions before you ever need them. Who contacts clients. What you say. Reporting timelines. Decided when you're calm, not when you're panicking.
Why we don't do tiers
The most common question I get from prospective clients is why GetBulwark doesn't offer a more flexible model. A "core" package without the full stack, or security tools as optional add-ons.
The answer is straightforward: in a security incident, you can't retroactively buy the backup tier.
Every GetBulwark client — from day one — has endpoint protection with 24/7 SOC coverage, automated cloud backup, and an incident response plan. There's no version of our managed service that leaves one of those out. Not because I want to upsell you. Because in the first sixty minutes of an incident, you need all three working together, and if one is missing the whole response falls apart.
Endpoint protection without backup means you can contain the threat but you can't assess what was taken. Backup without a SOC means you find out about the incident hours after the fact and spend your first sixty minutes just trying to understand what happened. An incident response plan without either is just a document.
In a crisis, you can't wonder whether the client "opted in" to the monitoring tier. Every GetBulwark client has the full stack — not because they asked for it, but because anything less isn't actually managed security.
What would your first 60 minutes actually look like?
If you're not sure, that's worth finding out before you need to know. The free audit tells you exactly where you stand.
The uncomfortable question
If something happened tonight — a compromised account, a phishing click, a device going missing — when would you find out? Not in theory. Actually.
For most small businesses I talk to, the honest answer is "probably tomorrow, maybe next week." That's not a moral failing. It's the predictable result of trying to run IT without an IT team. But it's also a fixable problem, and it doesn't need to be expensive.
The first step is knowing where you actually stand. That's what the free audit is for — a 45-minute review of your Google Workspace setup, a written report you keep regardless, and a straight answer on whether your current setup would survive the first sixty minutes. If it would, you'll know. If it wouldn't, you'll know that too.