We have compiled the most frequently asked questions about the ADQ SOC service: monitoring scope, response time, integrations, and formal requirements (including NIS2 and log retention). Click on a question to expand the answer and quickly find the information you need. If you would like to discuss your case, schedule a free preliminary audit.
Traditional antivirus software operates at the signature level: it recognizes known malware and reacts after it has already landed on a host. SIEM solutions aggregate logs, but still require an in-house team of analysts to interpret them. The ADQ SOC service combines passive network traffic analysis using a proprietary probe, correlation of endpoint logs, and 24/7 analytical monitoring on the ADQ side. The aim is to detect behavioral anomalies (internal reconnaissance, lateral movement within the network, privilege escalation) early in the intrusion, before the attacker reaches the objective of the attack, such as data exfiltration, encryption, or sabotage.
The probe monitors traffic at the network layer (L2/L3), so it observes every device whose traffic crosses the mirrored segment, regardless of operating system and without installing an agent. This matters in particular for OT/ICS environments: PLC controllers, production machines still running Windows XP/7, medical devices, and building automation, where an agent often cannot be installed at all. One limitation follows from the design: traffic that never crosses the mirrored link (for example, two hosts on the same access switch talking to each other) is invisible to the probe, which is why the preliminary audit reviews the topology and the placement of mirror points. Endpoint agents are installed on workstations and servers running Windows, Linux, and macOS, and provide telemetry at the level of processes, network connections, and registry changes.
After an anomaly is detected, the correlation system classifies the event on a criticality scale. High-priority events (for example, an attempt to disable an agent, communication with C2 infrastructure, or unauthorized access to resources) trigger an automatic notification to the ADQ SOC analyst. The analyst verifies the context of the event and, within 15 minutes of confirming the incident, sends the designated contact on the customer's side a description of the event, a list of the affected assets, and a recommended course of action; in the Gold and Platinum packages, the analyst also performs remote isolation of the device.
The scope of response depends on the package. In the Silver package, ADQ's role is limited to detection, documentation, and notification—remedial actions remain the responsibility of the customer or their external IT provider. The Gold and Platinum packages include active containment measures: isolation of the endpoint from the network, blocking of suspicious accounts in the Microsoft 365 environment, and escalation to the manufacturer in the case of zero-day vulnerabilities. The full scope of active response is defined in each case in the SLA attached to the agreement.
Implementation does not require rebuilding the topology. The probe is connected to a port mirror (SPAN) on the core switch or to a dedicated network TAP, so it listens passively and never injects into or alters production traffic. One practical caveat: a SPAN session silently drops packets when the mirrored traffic exceeds the capacity of the destination port, so a TAP is the more reliable choice on heavily loaded links. Monitoring of Microsoft 365 is integrated via the Graph API with read-only permissions; the account-blocking actions available in the Gold and Platinum packages necessarily require a separately consented write permission. Endpoint agents are deployed via GPO or RMM tools. The full technical implementation schedule is prepared after the preliminary audit.
Standard onboarding consists of four stages: (1) preliminary infrastructure audit, remote or on-site, 1-2 business days; (2) probe installation and port mirror configuration, 1 day; (3) agent deployment and API integration, 3-5 business days; (4) tuning phase, 2 weeks, during which we calibrate the baseline of normal network behavior and reduce false positives. The total time from signing the contract to full operation is typically 2-3 weeks.
ADQ processes network traffic metadata (IP addresses, ports, protocols, behavior signatures), system logs, and security events from endpoints. The content of communications (emails, documents, TLS-encrypted traffic) is not inspected or stored. Data processing is based on a data processing agreement (DPA) in accordance with Article 28 of the GDPR. Logs are stored for 12 months in infrastructure located within the European Union.
The NIS2 Directive (implemented in Poland through an amendment to the Act on the National Cybersecurity System, KSC) obliges essential and important entities (in the Polish act: key and important entities) to implement cybersecurity risk-management measures, including security monitoring and incident handling. The ADQ SOC service addresses these requirements directly: continuous monitoring, incident logging, 12-month log retention, and the documentation needed to report an incident within the statutory deadlines (an early warning within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours). Full NIS2 compliance, across all areas of the regulation, is assessed as part of the free preliminary audit.
For important entities, the maximum administrative fine is EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher; for essential entities it is EUR 10 million or 2% of turnover, whichever is higher. A significant change from the previous directive is the personal liability of managers: the management body can be held liable for failing to oversee implementation of the required measures, which for essential entities can extend to a temporary ban on performing managerial functions.
For each registered incident, we generate a structured report containing: a timeline of events with precise timestamps, identification of the source and vector of the attack, a list of affected assets, the remedial actions taken, and an assessment of the impact on the organization. The documentation meets the formal requirements for reporting to the sectoral CSIRT and, in the event of a personal data breach, to the UODO. Logs are stored in tamper-evident, append-only form, so their integrity can be demonstrated for the purposes of investigations and insurance audits.
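The claim that stored logs are "unalterable" is worth seeing concretely. The following is an added illustration, not ADQ's implementation, of the simplest mechanism that makes a log tamper-evident: each entry carries the hash of its predecessor, so editing or deleting a record breaks every later link, and anchoring the head hash externally (signing it, or sending it to a timestamping service) is what catches truncation of the tail. The events are constructed sample data, the helper names are my own, and a production system would add signing of the head hash and WORM storage on top of this.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# Fixed, public "previous hash" for the first entry in a chain.
GENESIS_HASH = "0" * 64


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical events always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash followed by this record's canonical bytes."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(record))
    return h.hexdigest()


def append_entry(chain: List[dict], record: dict) -> dict:
    """Append one event, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"prev": prev_hash, "record": record, "hash": entry_hash(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every link starting from the genesis value.

    Returns (True, None) when every entry hashes correctly and points at its
    predecessor, otherwise (False, index_of_first_broken_entry). If `anchor`
    (the head hash that was published or signed earlier) is supplied, the chain
    must also end in it; that is what detects truncation of the tail, which a
    link-by-link walk alone cannot see.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry_hash(prev_hash, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if anchor is not None and prev_hash != anchor:
        return False, len(chain)
    return True, None


# Constructed sample events (not real telemetry), in the shape of an incident timeline.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T09:14:03Z", "host": "ws-017", "event": "process_start",
     "detail": "powershell.exe -nop -w hidden"},
    {"ts": "2024-05-02T09:14:09Z", "host": "ws-017", "event": "net_connect",
     "detail": "203.0.113.7:443 (C2 beacon)"},
    {"ts": "2024-05-02T09:21:40Z", "host": "ws-017", "event": "agent_action",
     "detail": "remote isolation by SOC"},
]


def build_sample_chain() -> List[dict]:
    """Build a chain from the constructed events above."""
    chain: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def tamper_record(chain: List[dict], index: int, field: str, value: str) -> List[dict]:
    """Copy of the chain in which one stored record was edited after the fact."""
    edited = copy.deepcopy(chain)
    edited[index]["record"][field] = value
    return edited


def drop_entry(chain: List[dict], index: int) -> List[dict]:
    """Copy of the chain with one entry deleted from the middle."""
    edited = copy.deepcopy(chain)
    del edited[index]
    return edited


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # the value to publish or sign externally
    print("intact:", verify_chain(chain, anchor=head))
    print("edited record:", verify_chain(tamper_record(chain, 1, "detail", "update check")))
    print("deleted entry:", verify_chain(drop_entry(chain, 1)))
    print("truncated, no anchor:", verify_chain(chain[:-1]))
    print("truncated, with anchor:", verify_chain(chain[:-1], anchor=head))
```

The last two calls are the point of the anchor: a chain with its newest entries cut off still verifies link by link, and only comparison against a head hash recorded outside the log store reveals that something was removed. That is why, for insurance or investigative purposes, the retention mechanism matters less than who holds the anchor and when it was recorded.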
The initial audit is free of charge and non-binding. Its scope includes: inventory of devices and network topology, assessment of current security posture (firewall configuration, network segmentation, password policies, privilege management), identification of high-risk devices (end-of-life, lack of updates), and assessment of infrastructure readiness for monitoring implementation. The audit results in a report with prioritized recommendations, regardless of whether you decide to sign a contract with ADQ.
The subscription price depends on three factors: the number of monitored devices (endpoints), the models and configurations of network devices (the complexity of the environment affects the amount of analytical work required), and the scope of selected additional packages (phishing tests, training, physical audit). The prices listed in the price list (Silver from PLN 35/endpoint, Gold from PLN 60/endpoint) are a starting point—the final price is prepared individually after a preliminary audit and presented in the form of an offer with a full specification of the scope of services.
The standard contract is concluded for 12 months with the possibility of extension. Key SLA parameters: response time to a critical incident - 15 minutes, service availability - 99.9% (24/7/365). In the event of contract termination, the customer receives a full export of logs for the entire period of service provision in the format agreed during onboarding, which guarantees continuity of documentation and no dependence on the provider. Detailed terms and conditions, including the escalation procedure and contractual penalties for non-compliance with the SLA, are negotiated individually.
Phishing tests and cybersecurity training are included in the Gold and Platinum packages. The tests are conducted periodically—simulated phishing campaigns targeting the client's employees allow us to measure the actual level of the organization's vulnerability to social engineering attacks. The results form the basis for personalizing the training program, which is carried out every 6 months. In the Silver package, tests and training are available as an additional service, priced separately.
Reporting takes place on two levels. The IT manager receives access to an operational dashboard with the current status of alerts and detected events. The management board receives a monthly executive summary report containing: the number and category of incidents, SLA implementation status, phishing test results (if applicable), NIS2 compliance status, and recommendations for the following month. The format and frequency of reporting are configurable and agreed upon during onboarding.
