Breach Response and Security ENgineering


In simple terms: to establish practical highly-effective cybersecurity function.

The key goal behind BRSE is to help cybersecurity leaders build their business functions on the functional and scalable foundation while avoiding costly mistakes.

The other sophisticated intent behind BRSE as it was outlined in the introductory post:

"publishing specific criteria for BRSE-compliant service offering delivered whether by in-house SOC or by MSSP/MDR provider. This way service providers will be able to self-identify their MDR (or MBR? Managed Breach Response) or MSSP | SOC offerings either as BRSE-compliant or just as BRSE service."


Breach Response and Security Engineering (BRSE) is a doctrine which includes guiding principles, framework and a service delivery model for establishing a cybersecurity function to disrupt a cyber breach in progress.

It was formally introduced on June 19th, 2023 by its creator Ivan Fedorets in his blog post and later shared on his Linkedin profile.

ProblemS To Solve

Cybersecurity has been reinvented too many times to count. Many of these attempts have produced quite tangible advances in specific areas. The downside of such approach is that many cybersecurity functions pick one or a few doctrines, standards and personal experiences and repeat too many of the mistakes made in the past. The other downside is disconnect within cybersecurity function itself: most notably between security operations| responders and security engineering aka functions which mitigate risks. Full list can be found here

Unique BRSE Principles

One team does it all (ensures team cohesiveness during crisis aka breach).

Roles are virtual and separate from employees.

Roles are assigned and rotated through the team.

Team ideally is double-headed: Director (running it) and Manager (staff development). They don't rotate.

Strict hierarchy of objectives: Top one is breach disruption

Two subobjectives: 

There is a third level objective: to provide relevant TTPs and IT Estate context including vulnerabilities scans and hardening suggestions. This objective is done by another sub-function or BRSE function called RAP. RAP ideally is two people and will rotate with analysts for on-shift response duty. RAP engineers are re-enforcement (rather than  escalation) during crisis.

Cyber defense and protection aren't equal: defense prioritizes TTPs (provided by RAP) to be worked on by protection team.

 Fixed scope for the team: one chunk of IT estate. Ideally, the IT estate in scope covers multiple technology domains in order to cover an entire breach path.

If company is large: break down its IT Estate and create teams responsible for those chunks. The ideal IT Environment breakdown should translate into one team dealing with entire breach: its blast radius does not spill over to the IT Environment area owned by another cybersecurity team.

The use of ACCEPT approach instead of traditional People Processes Tools (PPT).


The reason for creating BRSE is to 10-100X effectiveness and efficiency increase for cybersecurity teams.

Despite the limited ability to measure the improvement precisely, we believe that gains in effectiveness are at that level.

Rights and Legal

All rights to the BRSE content belongs to Ivan Fedorets.

This website is the only authentic source of BRSE. Any modified versions of BRSE should have those modifications identified. For now the only authorized contributor to BRSE is Ivan Fedorets, however, hopefully the team will be expended soon. Please use the Contacts page to send your suggestions prior to volunteering to become a contributor.

Ivan writes on the topic of cybersecurity including BRSE in his blog here:

For now, the content shared here is free to use with the reference to Ivan Fedorets.

Nothing on this website is a legal (or any other) advice. This is thought provoking content. You are the one responsible for the outcome of your actions.