Service catalogue · 10 July 2026

Defensive services for every stage of your security programme

From detection engineering to full incident response retainers, CyberMotion AI delivers modular engagements that fit your maturity level and budget cycle.

Core offering

Detection engineering and SOC uplift

We audit your log sources, normalise ingestion, and build detection content mapped to MITRE ATT&CK techniques relevant to your sector. Rules ship with test cases, tuning notes, and owner assignments. Your analysts receive training on what each alert means and how to investigate it without starting from scratch every shift.

Our detection lab runs continuous purple-team exercises against staging environments that mirror production. We validate that new rules fire on simulated attacks before they reach your live queue. False positive rates are tracked weekly. When a rule drifts out of calibration, we adjust thresholds or retire it with documented rationale.

  • SIEM content development and maintenance
  • EDR policy tuning and coverage mapping
  • Threat hunting sprints with documented findings
  • Detection-as-code pipelines with version control
Detection engineering lab with multiple analyst workstations

detection_lab · rule_forge

Incident response playbook displayed on operations screen

response_ops · playbook_v4

When minutes matter

Incident response and recovery

When an incident lands, structure beats speed without direction. Our responders follow evidence-preservation protocols from the first call. We coordinate containment with your IT team, draft regulator-ready notifications, and manage third-party forensics vendors when specialist skills are required.

Retainer clients receive a dedicated hotline and pre-agreed escalation paths. We maintain runbooks tailored to your infrastructure: cloud tenancy layouts, identity provider configurations, and backup restoration procedures. After containment, we deliver a root-cause analysis with prioritised remediation items and retest windows.

Automation rail

AI-assisted triage and workflow automation

Machine learning models trained on your historical alert dispositions rank incoming events by likelihood of genuine compromise. Clustering groups related alerts into single incidents. Automated enrichment pulls asset metadata, recent patches, and user risk scores into each ticket before an analyst opens it.

We integrate with your existing ITSM platform. Closed-loop feedback from analyst verdicts continuously improves model accuracy. You retain full visibility into model decisions through explainability panels that show which features drove each score. No black-box verdicts on production alerts.

Workflow automation handles repetitive steps: isolating endpoints, disabling compromised accounts, and opening change requests. Every automated action requires configurable approval gates. Audit logs capture who approved what and when, satisfying internal control requirements.

Automation pipeline rail showing alert routing workflow

automation_rail · triage_flow

Advisory workshops are available for boards and executive teams who need fluency in cyber risk without a technical background. We explain detection metrics, incident economics, and regulatory timelines in plain Canadian English. Workshops can be delivered on-site in Toronto or remotely for distributed leadership groups.

Discuss your requirements

Engagement models

Flexible delivery to match your team

Not every organisation needs a full retainer on day one. We offer phased engagements that let you prove value before expanding scope. A typical path starts with a two-week telemetry assessment, moves into a ninety-day detection uplift, and optionally converts to ongoing managed detection support. Each phase has defined exit criteria and deliverable checklists your stakeholders can track.

Project-based

Fixed scope and timeline for defined outcomes such as SIEM migration support, rule pack delivery, or post-incident hardening. Ideal when you have a specific deadline or budget envelope.

Retainer

Monthly allocation of engineering and response hours with agreed service levels. Includes quarterly posture reviews and priority access to our on-call responders.

Co-managed

We embed alongside your internal analysts during business hours, sharing queue duties and mentoring on investigation technique. Your team builds capability while throughput improves immediately.