top of page

Hash: SHA512

RFC 2350

1. About this document
This document describes the incident response coordination service from CyberSafe, Lda, according to the RFC2350. CyberSafe, Lda is a MSSP including event monitoring, correlation and incident response.

1.1 Date of Last Update
This is version 3.0 published 2024/02/02.

1.2 Distribution List for Notifications
There is no existing distribution channel for notifications of updates.

1.3 Locations where this Document May Be Found
The Portuguese version of this document is available at
The English version of this document is available at

1.4 Authenticating this Document
This document is signed with Cybersafe´s PGP key, available in

2.Contact Information

2.1 Name of the Team
CyberSafe CSIRT

2.2 Address
CyberSafe - Cyber Defense Services - CSIRT
Estrada de Alfragide, 67 – Ed. H, piso 1
2610-008 Alfragide Portugal

2.3 Time Zone
Portugal/WEST (GMT+0, GMT+1 in Summer Time)

2.4 Telephone Number
+351 210 360 276 (regular response hours - 09h00 / 18h00)
+351 927 630 111 (emergency contact, outside regular response hours)

2.5 Facsimile Number

2.6 Other Telecommunication

2.7 Electronic Mail Address
Email address for incident reporting:
Email address for other business related to Cybersafe services:

2.8 Public Keys and Other Encryption Information
PGP Fingerprint: C8C7DD28BC11A09DC7F3A722A91435239CE0E579
PGP UID: CDOC CyberSafe <>
The public key is available at:

2.9 Team Members
The head of Cybersafe CSIRT is Nelson Silva.
Information about other team members is available upon request.

2.10 Other Information
General information about Cybersafe can be found at

2.11 Points of Customer Contact
CyberSafe CSIRT can be contacted by the means specified on section 2.2 and 2.4 to 2.7.

3. Charter

3.1 Mission Statement
Cybersafe CSIRT is part of CyberSafe - Cyber Defense Services that has as it´s mission to provide managed security services including event monitoring and correlation, incident response, production of alerts, security recomendations and promotion of security culture on its constituency.

3.2 Constituency
CyberSafe CSIRT operates in:
a) Cybersafe Lda.
b) Cybersafe Lda, clients in finantial, energy, industry, educational, public and other sectors;

3.3 Sponsorship and/or Affiliation
CyberSafe CSIRT is a service from CyberSafe - Cyber Defense Services, part of CyberSafe, Lda.

3.4 Authority
CyberSafe CSIRT is a service from CyberSafe - Cyber Defense Services, part of CyberSafe, Lda whom competence is defined within its clients contracts.

4. Policies

4.1 Types of Incidents and Level of Support
CyberSafe CSIRT handles every type of cybersecurity incident, namely, those that result in a security violation of the following types:
a) Malicious Code
b) Availability
c) Information Gathering
d) Intrusion Attempt
e) Intrusions
f) Information Content Security
g) Fraud
h) Abusive Content
i) Vulnerable
j) Other

The level of support offered by CyberSafe CSIRT depends on the type, severity and scope of the ongoing incident and available resources. In regular circumstances CyberSafe CSIRT has an SLO to give an initial answer betwin one hour and one business day, depending on the severity of the incident and the SLA for the Client (when applicable).

4.2 Co-operation, Interaction and Disclosure of Information
The privacy and data protection policies of CyberSafe CSIRT ensure that sensitive data is only shared with third parties on a need-to-know basis and with the previous authorization of the owner of that information.

4.3 Communication and Authentication
- From the communication means made available by CyberSafe CSIRT, telephone and clear text email are considered acceptable for non-sensitive information. For sensitive information transmission, the use of PGP encryption is required, identified in 2.8.

5. Services
Internally or whenever hired for that purpose, CyberSafe - Cyber Defense Services has the following services

5.1 Real-time Security Event Monitoring
This service includes the collection, filtering and correlation of events in real-time to identify potential security incidents.

5.2. Proactive Threath Hunting
This service consists of a set of proactive activities of evaluation of Indicators of Compromise (IOCs) and suspicious behavior in order to detect potential security incidents that were not possible to identify through event monitoring.

5.3 Security Incidents Notification
After identification of a security incident, this service consists of:
a) Initial incident triage;
b) Classification according to the defined categorization levels;
c) Collection and recording of additional context information;
d) Production of recommendations for the response to the incident and its mitigation or resolution;
e) Allocation to the appropriate resolution team/entity;
f) Follow-up of the incident until its closure;
g) Production of documentation related to the incident and lessons learned;

5.4 Security Incidents Response
Security Incidents Response includes:
a) Interaction with the client's internal teams;
b) Support in activities to contain and eradicate;
c) Articulation with the national and international entities involved, such as CSIRTs, Registrars, Cloud service providers;
d) Incident documentation with evidences;

5.5 Forensic Analysis
Forensic Analysis consists of:
a) Forensic analysis of the platforms involved in the incident;
b) Traffic analysis;
c) Malware analysis;
d) Production of documentation related to the analysis and lessons learned;

5.6 Security Alerts
Produces and disseminates security alerts to its customers, partners and community.

5.7 Qualification/Training of CSIRTs
Improve response capacity to cybersecurity incidents by creating new CSIRTs and building the capabilities of existing ones. For this purpose, CyberSafe - Cyber Defense Services develops a set of services with a view to qualify/coach its customers' CSIRTs, namely:
a) Design of specifications, supply, installation and configuration, support and maintenance of technical solutions for a CSIRT/SOC, such as SIEM solutions, Full Packet Capture and session reconstruction, analytics, automation of response to typified incidents, among others;
c) Design of processes for the operation of a CSIRT;
d) CyberSecurity exercises Blue Team / Red Team / Purple Team;
e) Cybersecurity incident response training;
f) Training in the administration of technical solutions of a CSIRT.

6. Incident Report Forms:
There are no forms defined for this purpose.

7. Safeguard of liability:
Whilst every precaution is taken in the preparation of information disclosed either on the Internet portal or via distribution lists or social media, CyberSafe - Cyber Defense Services assumes no responsibility for errors or omissions, or for damages resulting from the use of such information.




bottom of page