We handle issues and breaches as they arise. The SIEM and other tools analyze your environment and, per policy, declare an incident. Once an incident is declared, policy dictates how we must proceed until resolution. We do not wait until there is a catastrophe.
Most importantly, we stop the threat actor from continuing. Once the threat or incident is neutralized, we do a forensic analysis to determine the extent of the damage and identify what further steps, if any, should be taken.