Only 12% of organizations ever fully recover from a breach — and for most of those, recovery takes more than 100 days (IBM Cost of a Data Breach 2024). Without a retainer, the first hours of an incident go to finding a firm, negotiating terms, and granting access — while the attacker keeps moving. Our retainer clients have senior engineers on the line within 4 hours — with documented runbooks for their specific environment.
Incident response without a retainer means paying emergency rates to a firm that has never seen your network, while the attacker continues to pivot. A retainer changes that equation entirely.
An IR retainer is not just a phone number to call. It is a documented relationship, a pre-built knowledge base of your environment, and a tested response capability — established before an incident, so execution is fast when it matters.
Phone and remote connection within 4 business hours of incident declaration. Weekend and evening coverage included for retainer clients. When your team is discovering an intrusion at 9pm on a Friday, you have someone to call — not a voicemail box.
Pre-purchased investigation, containment, and remediation hours. Unused hours roll over quarterly (up to 20 hours). Overage billed at a pre-agreed discounted rate — 20% below our standard engagement rate. We notify you before exceeding included hours.
We document your environment before an incident: network topology, key assets, administrative contact list, backup locations, and IR stakeholder contacts. Secured and stored for rapid retrieval. When an incident happens, we already know your infrastructure — no ramp-up while the attacker pivots.
One facilitated tabletop exercise per year to test your IR plan against realistic scenarios — ransomware, business email compromise, insider threat, or supply chain compromise. Includes written findings, identified gaps, and documented IR plan updates. Satisfies NYDFS § 500.16 testing requirements.
We work directly with your cyber insurance carrier's incident response panel and produce the documentation they require for claims processing. Carriers increasingly scrutinize response timelines, evidence collection, and remediation decisions — we provide the documentation that supports your claim.
Evidence preservation and chain-of-custody documentation for any matter that may become litigation or regulatory action. Digital evidence collected and preserved to forensic standards — maintaining defensibility if the incident results in regulatory inquiry or civil action.
Fixed annual retainers with no hourly billing ambiguity during a crisis. Pricing and SLAs are established in advance — so when an incident occurs, you focus on response, not negotiating rates.
Foundational IR coverage with guaranteed response SLA and pre-documented environment.
Reduced SLA, expanded capacity, and dedicated engineer assignment for time-sensitive environments.
Attackers don't pause while you find a firm, sign engagement letters, and wire a retainer. The hours spent on procurement during an active incident are hours the attacker spends moving laterally, exfiltrating data, and staging ransomware payloads.
Sophos puts the average ransomware recovery cost at $1.53M — before any ransom payment (State of Ransomware 2025). IBM puts the average attacker-disclosed extortion breach at $5.08M (Cost of a Data Breach Report 2025). The Priority Retainer at $15,000/year is less than 1% of even the lower figure — and dramatically compresses recovery time.
The best time to establish a retainer is before you need it. We will document your environment, test your response plan, and be ready when you call — at any hour, on any day.
You may also need