The short version. Turn on the logging you already pay for and keep it long enough to investigate with. Put EDR on every endpoint, servers included. Set a handful of high-signal identity and email alerts - new inbox rules, new OAuth grants, new admins. Then make the stage's big decision honestly: who watches all of this - one or two trained people in-house during business hours, or a managed detection provider around the clock. Write the incident response plan before you need it, learn your legal reporting deadlines now (they're measured in hours), and run a tabletop exercise to find the plan's holes while they're still free.

Where Stages 1 and 2 left you

Foundation closed the easy doors; Identity & Access made the login hard to steal and limited what any one account can reach. What you don't have yet is the ability to notice the attack that gets through anyway - the phished session token, the vulnerability exploited the day before the patch, the contractor laptop nobody hardened. Each step below keeps the same shape - What to do, Why it matters, roughly What it costs - with the framework mapping table at the end.

Same money rule as the earlier stages: public list prices get named; everything else is a clearly-labelled rough range, order of magnitude only, current as of June 2026. This stage has the widest ranges in the guide, because managed-detection pricing is quote-driven - treat every number here as a sanity check for quotes, not a price list.

1. Turn on the visibility you already pay for

You can't detect what you don't record, and you can't investigate what you didn't keep. Most small businesses already own substantial logging - it's just not turned on, not kept long enough, or nobody has ever looked at it.

What to do. In Microsoft 365, confirm the unified audit log is enabled and know your retention (180 days on standard licensing tiers; a year with Audit (Premium)); in Google Workspace, confirm the equivalent audit and investigation logs are available and know their retention. Keep Entra ID / Workspace sign-in logs as long as your tier allows (Entra ID holds sign-in logs for 30 days on paid tiers; export them to storage if you want longer). Make sure your firewall or router logs denied and allowed traffic somewhere persistent, not only on the device's own ring buffer. Then write down, in the Stage 1 inventory, where each log lives and how far back it goes - in an incident, the first question is always "what do we have?"

Why it matters. Logging is the prerequisite for everything else in this stage, and it's where the Essential Eight's higher maturity levels quietly go - ML2 and ML3 add event-log collection and monitoring requirements across the strategies. ISO 27001 A.8.15 requires logging; A.8.16 requires someone to actually monitor for anomalous activity. And practically: incident responders' fees climb steeply when there are no logs to reconstruct from.

Roughly what it costs. Mostly free - this is configuration of platforms you already license. Longer retention is the first real cost decision: exporting logs to cheap storage is inexpensive (cloud object storage is cents per gigabyte-month); full SIEM platforms that make logs searchable are a Stage 3-and-beyond decision that usually arrives with the provider question in step 4.

2. EDR on every endpoint - servers included

Traditional antivirus recognises known-bad files. Endpoint detection and response (EDR) watches behaviour - processes, persistence, lateral movement - and gives a responder the ability to isolate a machine remotely. It is the single most useful detection purchase a small business makes, and it's the data source nearly every managed provider in step 4 will want to stand on.

What to do. Deploy EDR to every endpoint in the Stage 1 inventory - laptops, desktops, and especially servers, which attackers prize and IT forgets. Coverage beats features: a gap in deployment is exactly where an intruder will sit. If you're on Microsoft 365 Business Premium you already own Defender for Business; turn it on everywhere, enable its automated investigation and remediation, and confirm alerts go somewhere a human sees them. Don't buy a second product before the one you own is fully deployed.

Why it matters. EDR is how modern intrusions actually get caught: hands-on-keyboard activity, living-off-the-land tooling, and ransomware staging all show up as endpoint behaviour first. NIST CSF 2.0's Detect function (DE.CM - continuous monitoring) expects exactly this telemetry, and it's a standing question on cyber-insurance forms. It's also the control that turns "we think something's wrong" into "this machine, this account, isolated in one click."

Roughly what it costs. Microsoft lists Defender for Business at about US$3 per user per month standalone, and it's included in Business Premium - so for many small businesses the licence cost is already sunk. Other reputable EDR vendors price in the same per-endpoint-per-month band, typically single-digit to low-double-digit US dollars (rough range; quote-driven). The honest cost is attention: EDR raises alerts, and an alert nobody reads is a control nobody has - which is the whole of step 4.

3. Set the cheap, high-signal alerts

Before deciding who watches everything, set the handful of alerts that catch the attacks small businesses actually get - they're nearly free, low-noise, and each one maps to a real technique.

What to do. Four alerts do disproportionate work. New mailbox inbox rules - especially forward-and-delete rules - are the classic move after a business email compromise, used to hide the attacker's correspondence. New OAuth application grants catch consent phishing, which we've covered in detail in our consent-phishing writeup - the detections there are runnable as-is. New admin-role assignments catch privilege escalation and tell you when your own Stage 2 tiering is being eroded. And impossible-travel or anomalous sign-ins from your identity provider catch stolen credentials in use. Route them somewhere with a human on the other end - a monitored mailbox or chat channel beats a dashboard nobody opens.

Why it matters. These alerts target the highest-frequency, highest-cost incidents in the small-business world: BEC and invoice fraud, account takeover, and quiet persistence. They're also the proof-of-concept for the whole stage - if nobody responds to four alerts, nobody will respond to four thousand, and that tells you the answer to step 4 before you've spent anything.

Roughly what it costs. Free to near-free: all four exist as built-in or easily-configured alerts in Microsoft 365 and Google Workspace at common business tiers. The identity risk detections are richer with Entra ID P2, but the core versions above don't wait for that. Budget an afternoon to set up and a few minutes a day to triage.
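To make concrete what each of the four alerts actually keys on, here is an added example (not code from the guide or from any vendor) that runs the four detections over a handful of constructed Microsoft 365 unified-audit-log style records. The record shape follows the AuditData JSON that Search-UnifiedAuditLog returns, but the field names used (Operation, Parameters, ModifiedProperties, ObjectId, ClientIP, CreationTime) and the IP-to-location table are assumptions for illustration; check them against a real export before trusting the output. The platform's built-in alerts do this job in production; this is the logic you would run over an exported log to confirm they fire.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records shaped like Search-UnifiedAuditLog's AuditData
# JSON. The field names are assumptions to check against a real export.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "finance@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "sam@example.com",  # benign rule
     "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Consent to application.", "UserId": "sam@example.com",
     "ObjectId": "Mail Sync Helper"},
    {"Operation": "Add member to role.", "UserId": "admin@example.com",
     "ObjectId": "contractor@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "NewValue": "Global Administrator"}]},
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com",
     "CreationTime": "2026-06-02T00:00:00", "ClientIP": "203.0.113.5"},
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com",
     "CreationTime": "2026-06-02T01:00:00", "ClientIP": "198.51.100.9"},
    {"Operation": "UserLoggedIn", "UserId": "sam@example.com",  # plausible pair
     "CreationTime": "2026-06-02T00:30:00", "ClientIP": "203.0.113.5"},
    {"Operation": "UserLoggedIn", "UserId": "sam@example.com",
     "CreationTime": "2026-06-02T05:30:00", "ClientIP": "192.0.2.77"},
]
# Constructed IP-to-location table standing in for a GeoIP lookup
# (documentation-range addresses); a real deployment asks a GeoIP service.
GEO = {"203.0.113.5": ("Sydney", -33.87, 151.21),
       "198.51.100.9": ("Frankfurt", 50.11, 8.68),
       "192.0.2.77": ("Melbourne", -37.81, 144.96)}
IMPOSSIBLE_SPEED_KMH = 900  # assumed threshold, above any airliner
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}  # attackers edit rules too
EXFIL_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage"}

def detect_inbox_rules(records):
    """Rules that forward, redirect or delete mail: the post-BEC hiding move."""
    alerts = []
    for r in records:
        if r["Operation"] in RULE_OPERATIONS:
            names = {p["Name"] for p in r.get("Parameters", [])}
            hit = sorted(EXFIL_RULE_PARAMS & names)
            if hit:
                alerts.append(("inbox_rule", r["UserId"], ", ".join(hit)))
    return alerts

def detect_oauth_consents(records):
    """Every user consent to an application gets a human look."""
    return [("oauth_consent", r["UserId"], r.get("ObjectId", "?"))
            for r in records if r["Operation"] == "Consent to application."]

def detect_admin_role_assignments(records):
    """Role membership changes, reported as (account added, role name)."""
    alerts = []
    for r in records:
        if r["Operation"] == "Add member to role.":
            role = next((m["NewValue"] for m in r.get("ModifiedProperties", [])
                         if m["Name"] == "Role.DisplayName"), "?")
            alerts.append(("admin_role", r.get("ObjectId", "?"), role))
    return alerts

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_impossible_travel(records, geo=GEO, max_kmh=IMPOSSIBLE_SPEED_KMH):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for r in records:
        if r["Operation"] == "UserLoggedIn" and r.get("ClientIP") in geo:
            by_user.setdefault(r["UserId"], []).append(r)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["CreationTime"])
        for prev, cur in zip(logins, logins[1:]):
            city1, lat1, lon1 = geo[prev["ClientIP"]]
            city2, lat2, lon2 = geo[cur["ClientIP"]]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (datetime.fromisoformat(cur["CreationTime"])
                     - datetime.fromisoformat(prev["CreationTime"])).total_seconds() / 3600
            # Two different places at the same instant is impossible by definition.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append(("impossible_travel", user,
                               f"{city1} -> {city2}, {km:.0f} km in {hours:.1f} h"))
    return alerts

def run_detections(records):
    """All four detections; each alert is (type, principal, detail)."""
    return (detect_inbox_rules(records) + detect_oauth_consents(records)
            + detect_admin_role_assignments(records)
            + detect_impossible_travel(records))

if __name__ == "__main__":
    for kind, who, detail in run_detections(SAMPLE_RECORDS):
        print(f"{kind:<18} {who:<24} {detail}")
```

Run as-is it raises four alerts (the forward-and-delete rule, the consent, the role assignment, and Sydney-to-Frankfurt in an hour) and stays quiet on the two benign records. Note that the impossible-travel check depends on an external geolocation source and a speed threshold you choose; that is exactly the part Entra ID's own risk detections handle for you, which is why the paragraph above treats the identity-provider version as the primary control and this as a way to understand it.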

4. Decide who watches: build vs buy, honestly

This is the stage's real decision, and the one most surrounded by sales fog. Detection only works if a qualified human reads the alerts and can act on them - at 2am, on Christmas, during the week your IT person is on leave. There are two honest ways to get that, and one dishonest way to pretend you have it.

What to do. Choose deliberately between three options. Build: one or two trained people in-house who own the alert queue as part of their role. Honest version: this buys you business-hours coverage only - genuine 24/7 in-house needs four or more analysts once nights, weekends, and leave are covered, which is why almost no small business should attempt it. Buy: a managed detection and response (MDR) provider or MSSP watching your EDR and identity telemetry around the clock. Honest version: quality varies enormously - the questions that separate real MDR from an alert relay are "do you contain on our behalf (isolate hosts, disable accounts), or just notify us?", "what's your median time from alert to human triage?", "do you watch identity and cloud or only endpoints?", and "what exactly happens at 2am - walk me through it?" Pretend: buying tools with no owner and calling it covered. That's the only wrong answer. For most businesses at this stage, the right shape is a hybrid: an MDR for around-the-clock eyes, plus one named internal person who owns the relationship, the escalations, and the steps below.

Why it matters. This is the gap the Essential Eight openly leaves - it's a prevention baseline, not a monitoring program - and it's precisely what NIST CSF 2.0's Detect and Respond functions and ISO 27001's A.8.16 (monitoring) exist to cover. Insurers increasingly ask not "do you have EDR?" but "who monitors it?" The difference shows up in outcomes: intrusions caught in hours are an incident report; intrusions caught in weeks are a data breach notification.

Roughly what it costs. Rough order of magnitude only - this market is quote-driven. MDR for a small business is commonly priced per endpoint or per user per month, and small-business engagements tend to land in the hundreds to low thousands of Australian dollars per month for a few dozen endpoints, varying with scope (endpoint-only versus endpoint plus identity plus cloud) and response authority. In-house, the cost is salary: a capable security-leaning IT professional is a six-figure AUD salary, which is why the hybrid shape wins on value for most. Get at least two quotes and make providers answer the four questions above in writing.

5. Write the incident response plan before you need it

In a real incident the expensive failures are rarely technical - they're decision failures: nobody knew who could authorise shutting down the server, nobody had the insurer's hotline number, somebody wiped and reinstalled the one machine that held the evidence. A short, written plan prevents most of them.

What to do. Keep it to a few pages. Who declares an incident and who decides (a named deputy for when they're on leave). The contact card: your MDR or IT provider, your cyber insurer's 24/7 hotline (most policies require calling them early - some cover hinges on it), legal counsel, and ASD's ReportCyber / 1300 CYBER1. Severity in plain words ("one laptop is weird" versus "finance can't work" versus "data is being demanded for ransom"). First moves: isolate, don't wipe - contain machines via EDR rather than reinstalling them, and preserve logs and evidence before recovery. Out-of-band comms for when email itself is compromised. And the Stage 1 backups are your recovery path - the plan should say who restores what, in which order. Print it; an encrypted server is a bad place to keep the plan for the encrypted-server day.

Why it matters. ISO 27001 A.5.24-A.5.26 require exactly this - planned, assessed, documented response - and NIST CSF 2.0's Respond function is its strategic frame. It's also a cyber-insurance condition in practice: late notification and destroyed evidence are the classic ways claims get complicated. Mostly, though, it converts your worst day from improvisation into checklist.

Roughly what it costs. Free - a day of writing and arguing about who decides what. An incident-response retainer with a DFIR firm (pre-agreed terms and response times, often a modest annual fee credited against use) is a worthwhile upgrade as you grow, but the document costs nothing.

6. Know your reporting clock - it's measured in hours

Australian law now puts deadlines on incident reporting, and they're short enough that "we'll figure it out during the incident" is a plan to miss them. Knowing the triggers in advance is itself a control.

What to do. Put three obligations in the IR plan with their clocks. Under the Privacy Act's Notifiable Data Breaches scheme, if personal information is involved you have 30 days to assess whether serious harm is likely, and must notify the OAIC and affected people as soon as practicable if it is. Under the Cyber Security Act 2024, businesses over the turnover threshold (AU$3 million a year) that make a ransomware or cyber-extortion payment must report it within 72 hours of paying - check the current rules on the Home Affairs site, and note the obligation sits on the payment, which your insurer and lawyer must be part of deciding anyway. Sector add-ons: APRA-regulated entities have CPS 234's 72-hour incident notification; critical-infrastructure operators have SOCI Act timelines shorter still (12 hours for an incident with a significant impact, 72 hours otherwise). Reporting to ASD's ReportCyber is good practice regardless and feeds national defence.

Why it matters. This is where Stage 3 meets the board-accountability thread running through this guide: regulators have pursued companies over cyber failures, and missed statutory deadlines are the easiest failure to prove. Pre-written notification criteria also remove the panic decision - whether something is reportable gets decided by your plan, not by 3am adrenaline.

Roughly what it costs. Free to know; expensive to not know. An hour with the OAIC and Home Affairs guidance pages, the triggers written into the IR plan, and - if you have legal counsel - a one-time review of the thresholds against your business.

7. Test it: run a tabletop exercise

A plan that has never been exercised is in the same category as a backup that has never been restored - a hope. A tabletop exercise is two hours around a table, no systems touched, walking through a scenario and finding the holes while they're free.

What to do. Twice a year, pick a scenario that matches your real risk: ransomware hits Monday 7am, or finance receives a convincing change-of-bank-details email from a known supplier and pays it. Walk the plan step by step with the actual decision-makers in the room - including the owner or CEO, because in a real incident they will absolutely be in the room. Inject complications ("the file server backups failed last night", "a journalist is calling"). Write down every gap - the missing phone number, the unclear authority, the backup nobody can locate - and fix them. ASD publishes free exercise-in-a-box style materials to base scenarios on.

Why it matters. ISO 27001 expects response plans to be tested, and CSF 2.0's Improvement category (ID.IM) is built on exactly this loop. Tabletops are also the cheapest leadership buy-in generator in security: an executive who has sat through a simulated ransomware Monday stops treating the security budget as abstract. That makes this step the natural bridge into Stage 4's governance work.

Roughly what it costs. Free - a meeting room, two hours, and honesty. Facilitated exercises run by external firms exist and add realism, at a typical one-off consulting-day cost, but don't let their absence stop you: a self-run tabletop this quarter beats a facilitated one someday.

Where this maps

Stage 3 is where the guide moves past the Essential Eight on purpose - the E8 column below gets thin because the E8 is a prevention baseline, and this stage covers the detection and response functions it explicitly leaves to other frameworks. International readers: CIS Controls v8.1 covers this stage in Controls 8 (audit logs), 13 (network monitoring), and 17 (incident response).

| Detection & Response step | ASD Essential Eight | ISO 27001:2022 Annex A | NIST CSF 2.0 |
| --- | --- | --- | --- |
| 1. Turn on visibility / logging | ML2/ML3 event-log requirements | A.8.15 Logging | DE.CM Continuous monitoring |
| 2. EDR everywhere | (Beyond E8 - detection gap) | A.8.7 Malware; A.8.16 Monitoring | DE.CM; DE.AE Adverse events |
| 3. High-signal alerts | (Beyond E8 - detection gap) | A.8.16 Monitoring activities | DE.AE; DE.CM |
| 4. Build vs buy monitoring | (Beyond E8 - detection gap) | A.8.16; A.5.24 IR planning | DE; RS.MA Incident management |
| 5. Incident response plan | (Beyond E8) | A.5.24-5.26 IR; A.5.28 Evidence | RS.MA; RC.RP Recovery |
| 6. Reporting obligations | (Beyond E8) | A.5.5 Authorities; A.6.8 Event reporting | RS.CO Communications |
| 7. Tabletop exercises | (Beyond E8) | A.5.27 Learning from incidents | ID.IM Improvement |

Doing this with help. Stage 3's decisions - what to log, which MDR quotes are real, what the IR plan must say for your obligations - are where an experienced outside voice pays for itself fastest. That's the virtual CISO engagement: same method as this guide, applied to your actual environment, including sitting on your side of the table when providers pitch. The guide stays free and complete either way.