Post-incident · Documented report · Compliance-ready

Documented root cause analysis per incident

Security Incident RCA Report

Monthly add-on for Grow and Manage website maintenance clients. When an incident occurs, you receive a written report covering attack timeline, vector, data exposure, and remediation - ready for your legal, compliance, or insurance team.

Service Overview

Standing RCA capability for clients on the Grow or Manage website maintenance plans. When an incident hits, you receive a documented post-incident report covering attack timeline, vector, data exposure, and remediation - ready for your legal and insurance team. Billed monthly, scoped to your current maintenance tenure.

Why a documented RCA matters

When a security incident hits your website, the recovery itself is only half the work. In the days and weeks that follow, your legal team, your insurer, and often your enterprise clients will ask for a written record of what happened, how it happened, what was exposed, and what you did about it. Without that record, you are left explaining an incident verbally, months later, under pressure, and gaps in the narrative begin to look like gaps in the response.

The Security Incident RCA Report closes that gap. You get a structured document that traces the incident end to end, so your stakeholders can read a single authoritative source and walk away with a complete picture of scope, impact, and response.

What the report covers

Every RCA report includes four core sections:

  • Attack timeline: a chronological reconstruction of the incident, from the earliest indicators we can identify through the point of containment.
  • Vector identification: the entry method used by the attacker, which component was compromised, and the technical reason it was exploitable.
  • Data exposure assessment: an evaluation of which data was accessible during the incident window, so you know what you need to disclose and to whom.
  • Remediation steps: a plain record of the fixes applied, hardening changes made, and residual items still open.

Who this is for

This add-on is available to clients on our Grow or Manage website maintenance plans. The capability runs alongside your maintenance tenure on a monthly basis, so when an incident occurs the team is already engaged and the report is delivered without procurement delay. There is no per-incident cap - every security incident inside your active billing month is covered by the monthly fee. Charges are confirmed on quote, scoped to your current maintenance tenure - request a quote and we will confirm within one business day.

One Authoritative Report

A single document covering timeline, vector, exposure, and remediation per incident.

Compliance-Ready

Hand directly to legal, insurance, or regulatory counterparts - no rewriting.

Evidence-Driven

Built from server logs, access records, and database snapshots in the incident window.

What is Included

  • Attack timeline reconstruction: A chronological record of the incident, from earliest observable indicators through the point of containment, built from server and application logs.
  • Vector identification: A clear explanation of how the attacker got in, which component was exposed, and why it was exploitable.
  • Data exposure assessment: A structured review of what data was reachable during the incident window, so you can scope disclosures to the right parties.
  • Remediation log: A plain record of the fixes we applied and the hardening we added, plus any residual items still open.
  • Compliance-ready formatting: The report is written so it can be handed directly to your legal, insurance, or regulatory counterparties without further editing.

Checklist

  • Written report delivered per incident with no retainer lock-in
  • Attack timeline reconstructed from server and access logs
  • Data exposure scoped to the incident window and documented
  • Formatted for direct handoff to legal, insurance, or compliance teams

How It Works

1. Evidence capture

We collect and preserve server logs, access records, database snapshots, and any alerts tied to the incident window.

2. Timeline and vector analysis

Our engineer reconstructs the event chronology and identifies the exact entry method and affected component.

3. Exposure and remediation review

We assess what data was reachable and document the fixes applied, plus any residual items still open.

4. Draft review

You receive a draft for a clarification pass on scope or terminology before the report is finalised.

5. Final delivery

You get the finalised report, ready to hand to your legal, compliance, or insurance counterparties.

Turnaround depends on incident complexity and evidence completeness. We share an expected delivery date once we have reviewed your logs. Most reports are delivered within the SLA published on your maintenance plan.

Incident date, affected URLs, and any alerts or logs you already have. We also need access to server logs, access logs, and database snapshots for the incident window via your existing maintenance credentials.

This add-on is available to clients on the Grow and Manage plans. If you are on another plan, contact us and we will confirm eligibility or quote a one-off engagement.

Yes. The report is written so it can be handed directly to legal, insurance, or regulatory counterparties without further editing.

No. Active incident response and cleanup is a separate service. This add-on documents what happened, not the remediation work itself.

The report will document what is verifiable from the remaining evidence and explicitly flag what cannot be reconstructed. Honest gaps beat speculative narratives.

No. Regulatory filings are your counsel's responsibility. We give you the documented evidence they need to file.

Four core sections: attack timeline, vector identification, data exposure assessment, and remediation steps. Length varies by incident complexity, typically 8 to 20 pages.

Yes. The report and all supporting evidence are confidential and will not be shared with third parties without your written instruction.

A full refund is available if you cancel before analysis begins. Once the investigation has started, the deliverable is non-refundable.
  1. Eligibility: This add-on is available only to clients on the Grow or Manage website maintenance plans. If you are on another plan or your maintenance contract is inactive, this add-on cannot be initiated; a plan upgrade or reinstatement is required first.
  2. Billing and coverage: The add-on is billed monthly and remains active for the duration of your maintenance tenure. Every security incident occurring within the active billing month is covered by the monthly fee, with no per-incident cap.
  3. Per-incident deliverable: A separate written RCA report is produced for each incident. An incident is defined as a single, contiguous security event on one website; concurrent or unrelated events are documented as separate reports.
  4. Evidence dependency: The accuracy and completeness of each report depend on the availability of server logs, access logs, and database snapshots for the relevant time window. If evidence has been destroyed or overwritten before we are engaged, the report will document what is verifiable and flag what is not.
  5. Client responsibilities: You are responsible for granting us the server and CMS credentials needed to review logs, and for responding to clarification requests in a timely manner so that delivery is not blocked on your side.
  6. Confidentiality: Each report and all supporting evidence are treated as confidential. We will not share any report with third parties without your written instruction.
  7. Refunds and cancellation: Recurring add-on charges are pro-rated against your active maintenance tenure. Cancellation takes effect at the end of the current billing month; no partial-month refunds are issued. If you cancel before work on an active incident has begun, that incident's report obligation is waived.
  8. Use of the report: Each report is provided for your internal use and for sharing with your legal, compliance, insurance, or regulatory counterparties. It is not a certification, and it does not substitute legal or regulatory advice.
  9. Tenure linkage: This add-on is bound to the underlying website maintenance contract. If the maintenance contract is cancelled, paused, or lapses, the RCA add-on terminates automatically on the same date.
  10. Liability: Each report describes findings based on available evidence. It does not warrant that all traces of the incident have been identified, and it does not create any additional liability on our part beyond what is stated in the master service agreement.
Starting at $42/month, tenure-based

Final price is confirmed on quote, aligned to your current maintenance tenure.

  • Authoritative Incident Record: Timeline, vector, exposure, and remediation in one written report per incident
  • Compliance & Insurance Ready: Built for direct handoff to your legal, insurance, or regulatory team
  • Evidence-Driven Hardening: Know exactly how the attacker got in and what was reachable
  • Monthly Standby Add-On: Active for the duration of your maintenance tenure - team already engaged when incidents happen
  • Same Team You Trust: Built by the engineers who already maintain your site, no third-party onboarding
Applicable to
  • Grow Plan
  • Manage Plan
  • WordPress sites
  • Non-WordPress sites
  • PHP applications
  • Custom CMS platforms
  • Static sites
Expertise
  • Forensic log analysis
  • Malware identification
  • Web server forensics
  • CMS security audit
  • Incident documentation
Delivery Timeline
01 Add-on active
While your maintenance plan is live, the team is on standby. The flow below begins the moment an incident is reported.
02 Incident reported
You get an acknowledgement email within 15 minutes of reporting an incident.
03 Evidence gathering
We collect and preserve server logs, access records, and database snapshots.
04 Analysis
Our engineer reconstructs the timeline, identifies the vector, and assesses exposure.
05 Report draft
You receive a draft for clarification of scope or terminology.
06 Final handover
You get the finalised report, ready for legal, compliance, or insurance use.
