Description of CSIRT for Cyber360-CSIRT
-----------------------------
1. Document Information

This document describes the organization, mission, scope of activities and rules of cooperation of the Cyber360-CSIRT Computer Security Incident Response Team, run by Cyber360 sp. z o.o., a limited liability company incorporated under Polish law.

The document has been prepared in accordance with the recommendations contained in RFC 2350 – "Expectations for Computer Security Incident Response".

1.1. Date of last update

Document version: 2.00, published on 23.04.2026

1.2 Distribution List for Notifications

Information about material changes in this document is disseminated in a manner that ensures that they are available to recipients using Cyber360-CSIRT services. The current version of the document is published in the official repository or on the Cyber360-CSIRT information page.

Notifications of material changes, in particular to the scope of Cyber360-CSIRT's operations, contact details or cooperation rules, may be communicated to CyberDefender customers and partners cooperating with Cyber360-CSIRT through agreed communication channels.

Editorial, stylistic or orderly changes that do not affect the scope of activities or the way we work with Cyber360-CSIRT may not be communicated separately.

1.3 Locations where this Document May Be Found

The current version of the document describing Cyber360-CSIRT is available on the https://cyber360.pl/csirt/ page in the "Downloads" tab.

1.4 Document Attestation

The document was signed using the PGP key, which was made available on the https://cyber360.pl/csirt/ website in the "Downloads" tab.

2. Contact Information

2.1 Name of the Team

Cyber360-CSIRT Computer Security Incident Response Team

2.2 Address

Cyber360 sp. z o.o.
Cyber360-CSIRT
Władysława IV 43/414-415
81-308 Gdynia
Poland

2.3 Time zone

Cyber360-CSIRT operates in the CET (Central European Time, UTC+1) time zone, including CEST Daylight Saving Time (UTC+2), in accordance with the applicable regulations in the territory of the Republic of Poland.

2.4 Telephone number

+48 585 857 531

2.5 Facsimile Number

Not applicable

2.6 Other telecommunication

Cyber360-CSIRT provides additional communication channels used for operational, organizational contacts, and technical information exchange, in accordance with contractual arrangements with CyberDefender customers.

Other forms of telecommunications include, in particular:
1) Instant messaging channels used for ongoing operational cooperation with customers,
2) Dedicated portals or reporting systems made available to customers as part of the services provided,
3) Encrypted electronic communication channels agreed individually with the customer.

These channels are not intended for formal incident reporting, unless otherwise specified in the contract or operational procedures. All communication conducted through other telecommunication channels is subject to the confidentiality and information protection rules applicable in Cyber360-CSIRT.

2.7 Electronic Mail Address

csirt[at]cyber360[.]pl

2.8 Public Keys and Encryption Information

The PGP key used by Cyber360-CSIRT has been made available on the https://cyber360.pl/csirt/ website under the "Downloads" tab

2.9 Other Information

General information about Cyber360-CSIRT can be found at: https://cyber360.pl/csirt/

2.10 Points of Customer Contact

The preferred method of contact is email using a PGP key to ensure the integrity and confidentiality of the information.

ICT incidents should be reported to Cyber360-CSIRT by filling out the form available at:
https://cyber360.pl/csirt/ in the "Incident reporting" tab and send it to the following address: csirt@cyber360.pl.

The application can also be sent via traditional mail to the following address:

Cyber360 sp. z o.o.
Cyber360-CSIRT
Władysława IV 43/414-415
81-308 Gdynia
Poland

If you need urgent contact, please call the Cyber360-CSIRT Duty Officer at +48 585 857 531

3. Charter

3.1 Mission Statement

The Cyber360-CSIRT Computer Security Incident Response Team, led by Cyber360 sp. z o.o., performs tasks related to cybersecurity incident handling, threat analysis and support in increasing the level of security of ICT systems of customers using the CyberDefender service.

The mission of Cyber360-CSIRT is to provide professional, reliable and coordinated support in the field of identification, analysis and response to computer security incidents, as well as to support clients in mitigating risks resulting from vulnerabilities and cyber threats. The activity of Cyber360-CSIRT is conducted on the basis of concluded agreements and applicable legal regulations, in particular in an advisory, analytical and coordination capacity.

Cyber360-CSIRT performs its tasks in close cooperation with customers, CyberDefender customer affiliates and other incident response teams, including national and sectoral CSIRTs, to the extent agreed and in accordance with their competences.

In special cases, the CSIRT may perform tasks for entities related to CyberDefender customers, only to the extent resulting from contractual arrangements and applicable regulations.

In particular, the CSIRT is responsible for:
1) Receiving reports of computer security incidents involving CyberDefender customers;
2) Responding to incidents, including conducting technical analyses, coordinating corrective actions and supporting in minimizing the effects of incidents;
3) Collecting, analyzing and distributing information about vulnerabilities and cyber threats, to the extent agreed with customers;
4) Cooperation with entities related to CyberDefender customers, in particular in the field of exchanging information on good practices, vulnerabilities and current cyber threats;
5) Organization and participation in exercises, as well as support for training and educational initiatives in the field of cybersecurity;
6) Cooperation with the CSIRT MON, CSIRT NASK and CSIRT GOV as part of the incident response coordinated by these teams, in particular in the field of exchanging information on threats and the measures used to
   prevent and mitigate the effects of incidents;
7) Cooperation with other CSIRTs, national and international, in the field of exchanging information on vulnerabilities, threats and response methods.

3.2 Constituency

Cyber360-CSIRT conducts activities in the field of computer security incident handling for customers using the CyberDefender service, in accordance with the scope specified in the concluded agreements and applicable laws.

The basic area of Cyber360-CSIRT activity is the territory of the Republic of Poland. In justified cases, Cyber360-CSIRT may also carry out activities outside the country, in particular with regard to the IT systems of customers or their affiliates whose infrastructure or services are located in other countries.

The scope of Cyber360-CSIRT includes:
1) ICT systems and networks and data processing services owned by or under the control of CyberDefender customers,
2) Computer security incidents, vulnerabilities and cyber threats that may affect the confidentiality, integrity or availability of the processed information,
3) Analytical, advisory and coordination activities related to responding to incidents and mitigating their consequences.

Cyber360-CSIRT performs its tasks only in relation to entities with which it is contractually bound or to the extent agreed with the customer, including – in special cases – for the benefit of entities related to CyberDefender customers.

The area of operation of Cyber360-CSIRT does not include the implementation of the competences of the competent authorities for cybersecurity or the tasks assigned to CSIRTs at the national or sectoral level. In cases requiring the involvement of such entities, the CSIRT shall cooperate with them in the field of information exchange and coordination of activities, in accordance with the applicable rules and competences.

3.3 Sponsorship and Affiliation

Cyber360-CSIRT is a team run and financed by Cyber360 sp. z o.o., which fulfills the role of a sponsor of Cyber360-CSIRT and provides organizational, technical and human resources necessary to carry out its tasks.

Cyber360-CSIRT operates as a separate operating unit within the organizational structure of Cyber360 sp. z o.o. and carries out its activities within the framework of the services provided, in particular the CyberDefender service, on the basis of concluded agreements with customers.

Cyber360-CSIRT is not a team established by a public administration body, nor does it perform the functions of a CSIRT at national or sectoral level within the meaning of the law.  The  organizational responsibility of Cyber360-CSIRT is limited to the structure of Cyber360 sp. z o.o., while maintaining operational independence in the scope of the tasks performed.

As part of the Cyber360-CSIRT operational cooperation, it is possible to maintain working relationships with other CSIRTs, industry entities, technology partners and incident response teams, both domestic and foreign. This joint work is voluntary and based on the principles of information exchange, mutual support and respect for the competences of individual entities.

3.4 Authority

The activity of Cyber360-CSIRT is conducted on the basis of:
1) Ordinance of the President of the Management Board No. 1/07/2025 of 7 July 2025 on the establishment of a CSIRT team within the structures of Cyber360 sp. z o.o.
2) Cyber360-CSIRT Organizational Regulations
3) SOC/MDR/CSIRT service agreements concluded with clients
4) Confidentiality agreements and data entrustment agreements
5) Named Authorizations for Cyber360-CSIRT Members

4. Policies

4.1 Types of Incidents and Level of Support

Cyber360-CSIRT provides support in the field of handling computer security incidents concerning the information systems of customers using CyberDefender services, in accordance with the scope specified in the concluded agreements and applicable operational procedures.

Cyber360-CSIRT handles in particular the following types of incidents:
1) Incidents related to unauthorized access to information systems,
2) Incidents of breach of confidentiality, integrity or availability of data,
3) Malware infections, including ransomware and spyware,
4) Network attacks, including DDoS attacks, unauthorized authentication attempts (e.g. brute-force);
5) Phishing, social engineering and credential leakage incidents,
6) Incidents resulting from the use of known or newly discovered vulnerabilities,
7) Other security events that may adversely affect the functioning of customer information systems.

The scope of incidents handled may be expanded or limited depending on individual contractual arrangements with the customer.

The support provided by Cyber360-CSIRT is technical, analytical, coordinating and advisory and may include,  in particular:
1) Analysis of reported security incidents and events,
2) Support in identifying the source, vector and consequences of the incident,
3) Recommending actions to reduce the impact of the incident and corrective actions,
4) Coordination of response activities in the client's environment,
5) Support in the preparation of information and materials used for further escalation of the incident, including to other CSIRTs or relevant entities, if required.

Cyber360-CSIRT does not assume responsibility for making managerial or formal decisions on the client's side, including decisions regarding the reporting of incidents to the relevant authorities or CSIRTs at the national level. The ultimate responsibility for the implementation of the legal  obligations lies with the client.

As part of incident handling, Cyber360-CSIRT uses an internal support level model that allows the intensity of operations to be adjusted to the nature and scale of the incident, includingm.in:
1) Low-impact incidents – analytical and recommendation support,
2) Medium-impact incidents – extended technical analysis and coordination of activities,
3) High impact incidents – intensive technical and coordination support, carried out in close cooperation with the client and, where justified, with other CSIRTs.

Detailed incident classification rules and support levels are set out in Cyber360-CSIRT's internal procedures and contractual provisions.

4.2 Co-operation, Interaction and Disclosure of Information

Cyber360-CSIRT conducts its business on the basis of contracts concluded with customers and applicable provisions of generally applicable law. Cyber360-CSIRT is not a team established under the provisions of the Act of 5 July 2018 on the National Cybersecurity System, nor does it perform tasks assigned to CSIRTs at the national or sectoral level.

As part of its services, CSIRT cooperates with customers, technology partners and other incident response teams, supporting them in activities related to the identification, analysis and handling of cybersecurity incidents.

In particular, Cyber360-CSIRT can:
1) Provide support in the field of dynamic risk analysis and incident analysis, as well as take actions aimed at raising awareness of cyber threats among customers;
2) Carry out technical activities related to the analysis of cyber threats and response to computer incidents, including the analysis of logs, security events, technical artifacts and indicators of compromise 
   (IOC);
3) Coordinate incident handling within entities with which the CSIRT is bound by a contract for the provision of SOC, MDR or related services, only to the extent contractually agreed;
4) To support clients who are key entities or important entities, to the agreed extent, in the implementation of obligations arising from the provisions of the Act of 5 July 2018 on the National Cybersecurity
   System, in particular by:
     a) providing analyses and recommendations,
     b) expert support in the process of handling and classification of incidents,
     c) preparation of supporting materials and technical data necessary for the fulfilment of statutory obligations by the client;
   The responsibility for the formal performance of legal obligations, including the reporting of incidents to the competent authorities and CSIRTs at the national level, lies with the client.
5) Participate, at the request of or in agreement with the client, in communication processes with the competent authorities or CSIRTs of the national level, in particular by providing technical information,
   expert opinions and results of analyses, without assuming the statutory competences of these entities;
6) Conduct advisory and analytical activities aimed at increasing the level of security of customer information systems, in particular by:
     a) performing security assessments of information systems,
     b) identifying vulnerabilities in systems available in open ICT networks and informing the owners of these systems about detected vulnerabilities and threats, in accordance with the applicable law and the
        principles of responsible disclosure.

Cyber360-CSIRT discloses information regarding incidents, vulnerabilities and threats only to the extent agreed with the client, resulting from legal obligations or required to ensure the security of information systems. The scope, form and date of disclosure of information are subject to individual assessment each time, taking into account the confidentiality of data, the interests of the client and the applicable legal regulations.

4.3 Communication and Authentication

Cyber360-CSIRT communicates with customers, partners and other CSIRT teams in a way that ensures the confidentiality, integrity and reliability of the information provided. The communication channels and authentication methods used are adapted to the nature of the transmitted data and the level of their sensitivity.

The basic communication channels used by Cyber360-CSIRT include:
- e-mail,
- dedicated reporting systems or client portals,
- other agreed operational communication channels.

Details of the contact channels are indicated in Chapter 2 of this document. The choice of communication channel may depend on the nature of the case, the urgency of the report and contractual arrangements with the client.

Cyber360-CSIRT uses appropriate mechanisms to verify the identity of the parties to the communication, proportional to the level of risk and sensitivity of the information transmitted. In particular, the following may be used:
1) Authentication based on access data to notification systems,
2) Verification of the sender on the basis of previously agreed contact details,
3) Use of cryptographic mechanisms, including digital signatures or information encryption.

If it is not possible to unambiguously verify the identity of the reporter or recipient of the information, Cyber360-CSIRT reserves the right to limit the scope of the information provided or refuse to conduct further communication until the same is confirmed.

The information provided in the course of incident handling can be confidential or sensitive.  Cyber360-CSIRT is committed to the use of secure communication channels and recommends the use of encryption in cases requiring a higher level of information protection.

The scope of information provided as part of the communication is each time limited to the necessary minimum and adapted to the rights and role of the recipient. Detailed rules regarding the processing and protection of information are set out in the applicable procedures and provisions of contracts concluded with customers.

To ensure the confidentiality of the information you transmit, we recommend that you use PGP encryption (this standard is used by CSIRTs around the world). Software supporting PGP encryption for non-commercial purposes is available free of charge. 

To send an encrypted message, use the Cyber360-CSIRT RFC2350 Cyber360-CSIRT.txt.sig public key, which is made available on the https://cyber360.pl/csirt/ website in the "Downloads" tab.

5. Services

5.1 Proactive Activities

Cyber360-CSIRT implements preventive activities aimed at mitigating the risk of computer security incidents and minimizing their potential effects on CyberDefender customers. Preventive actions are analytical, advisory and educational in nature and are carried out in accordance with the scope specified in the concluded agreements.

As part of the preventive actions, Cyber360-CSIRT may in particular:
1) Monitor and analyze information about current vulnerabilities and cyber threats that may affect customers' information systems,
2) Provide clients with information about identified threats, vulnerabilities and recommended preventive measures,
3) Support the process of risk assessment related to cyber threats and vulnerabilities of information systems,
4) Recommend good practices in the field of securing systems, configuring IT environments and access management,
5) Support clients in planning and implementing activities aimed at increasing the level of safety, including organizational and technical activities,
6) Participate in training and educational initiatives aimed at raising awareness of cybersecurity of users and technical staff.

Preventive activities carried out by Cyber360-CSIRT are aimed at supporting customers in building the resilience of their information systems to cyber threats. Cyber360-CSIRT does not assume responsibility for the implementation of the recommended measures or for the management decisions made by the customers.

The scope and form of preventive actions may vary depending on the type of service, the level of cooperation and individual contractual arrangements with the client.

5.2 Incident Response

Cyber360-CSIRT provides computer security incident response services in relation to the information systems of CyberDefender customers, in accordance with the scope specified in the concluded agreements and the applicable operating procedures.

Incident response is aimed at identifying, analyzing, and mitigating the effects of security incidents, as well as supporting customers in restoring the proper functioning of information systems after an incident has occurred.

As part of the incident response, Cyber360-CSIRT can, in particular:
1) Receive and analyze reports of computer security incidents,
2) Identify the nature, scope and potential impact of the incident on the client's information systems,
3) Conduct technical analysis of the incident, including analysis of security events, logs and available artifacts,
4) Support clients in taking actions to limit the effects of the incident and prevent its further escalation,
5) Coordinate incident response activities in the client's environment, within the scope agreed by the contract,
6) Provide recommendations for corrective actions and measures to reduce the risk of recurrence of similar incidents,
7) Support clients in preparing information and materials used in reporting processes or further escalation of an incident, including to other CSIRT teams.

Cyber360-CSIRT implements incident response activities in  closer cooperation with the client. The responsibility   for making management decisions, implementing  technical activities and implementing formal and legal obligations rests with the client, unless otherwise agreed in the concluded agreements.

The scope, form and intensity of incident response activities may be adapted to the nature of the incident, its impact and individual contractual arrangements. Specific response rules are set forth in the internal procedures of Cyber360-CSIRT.

6. Incident Reporting Forms

Instructions for reporting an incident and the form have been made available on the https://cyber360.pl/csirt/ website in the "Downloads" tab

7. Disclaimers

This document is for informational purposes only and has been prepared to present the scope of activities, principles of cooperation and services provided by Cyber360-CSIRT. The document does not constitute a commercial offer, a legal obligation or a guarantee of a specific level of service.

Cyber360-CSIRT carries out its activities on the basis of concluded agreements and within the limits agreed with customers. The information contained herein is not a substitute for  contractual provisions or applicable procedures and cannot be construed as assuming responsibility for the information systems of the Clients.

Cyber360-CSIRT takes due diligence to ensure that the information, analyses and recommendations provided are reliable and up-to-date. Nevertheless, Cyber360-CSIRT does not guarantee the completeness, time lines or effectiveness of the information provided and is not liable for damages resulting from its use or omission to use.

Cyber360-CSIRT is not responsible for the management, organizational or technical decisions made by the Clients, including the implementation or non-implementation of the recommended security measures. The responsibility for the  fulfilment of legal and regulatory obligations, including the obligation to submit notifications, lies with the client, unless otherwise agreed in the concluded agreements.

Cyber360-CSIRT is not a team established by law, nor does it perform the functions of a competent authority for cybersecurity or a CSIRT at national or sectoral level. Any cooperation with other CSIRTs or public administration bodies shall be supportive and coordinating, in accordance with their competences.

Cyber360-CSIRT reserves the right to change the scope of services, the model of operation and the content of this document, in particular in order to adapt to organizational, technical or regulatory changes. The current version of the document is published in accordance with the rules set out in Chapter 1.