No tools for the job and not enough staff makes Johnny a frustrated IT manager
So today the same client of mine who got defaced called, freaking out with some of the same issues they were facing before the defacement (last_ack hung sessions, slowdown on the web server, etc.). Of course, they thought it was all happening again. Now while I have no problem helping out with this issue (we are going to be doing an assessment very soon), I still need them to do some legwork before I can determine what is going on (not to mention that I was headed to the airport when they called). I helped them get their firewall logs pointed at a syslog server when I visited them last week, and they are pulling the netstat information as well. But this is just not enough. So we still do not have enough info to figure out if this is an actual attack or simply a misconfiguration issue.
All this leads to the conclusion that they need tools to find out what is happening. We have urged them to put a sniffer on the wire, and we are going to make some recommendations on some commercial tools to look at network anomalies. But right now they just have no idea what is going on in their network. And one of the things that led to this problem is that IT is severely understaffed at this company (they pulled their IPS and used the hardware for something else because they could not watch the logs - uhhh, what?). And the people they do have are very inexperienced.
So the plain and short of it is that the IT manager is truly frustrated. He is in way over his head, and is calling us to help out. Now while we can help as much as they want, we are also not a free resource. So if they are not willing to spend money on staff and equipment, how much are they willing to spend on outsourcing? I guess that remains to be seen.



