Incident Response

The worst day starts with the right people already in motion.

An IR retainer is the cheapest insurance policy you'll buy. Pre-negotiated SLAs, a named response team that's already learned your environment, a runbook tuned to your stack — so when minutes matter, you don't lose them to procurement.

SLA: 1 hour
Coverage: 24/7
Named team: Yes
Hours roll: Quarterly

What's included

What the retainer guarantees

Every retainer client gets the same operational guarantees — coverage scales with hour bucket.

1-hour response SLA, 24/7

From your call to a senior responder on the bridge in under an hour — any day, any time, including holidays.

Named response team

Same lead responder and bench every time. They've read your IR plan, walked your network diagram, and tabletop'd with your team.

Environment-tuned runbook

Your IR runbook lives in our system. Contacts, escalation paths, change-window rules, sensitive systems — pre-loaded.

Pre-authorized containment actions

Documented during onboarding: isolate hosts, disable accounts, revoke tokens, block IOCs. No 'do we have authority' questions at 3am.

Pre-positioned legal & breach coach

We're pre-positioned with your breach coach and outside counsel. Privilege workflows are pre-agreed.

Quarterly tabletop

One tabletop exercise per quarter, scenario-customized to your industry. Surfaces playbook gaps before adversaries do.

Hours roll quarter to quarter

Unused retainer hours roll forward. No use-it-or-lose-it dynamic that incentivizes wasted exercises.

Post-incident retrospective

Every engagement closes with a 90-minute retro covering root cause, control gaps, communication review, and hardening recommendations.

How it works

From retainer signing to readiness

  1. Week 1

    Retainer scoping

    We agree on hour bucket, response SLA, on-call routing, and pre-authorized response actions. Fixed retainer fee.

  2. Weeks 1–3

    Environment onboarding

    Asset inventory, identity map, EDR/SIEM access, change-window rules, sensitive systems. Your environment is loaded into our IR platform.

  3. Week 4

    First tabletop

    Scenario-customized exercise with your IT, security, legal, and executive teams. Surfaces gaps in escalation, communication, and authority.

  4. Ongoing

    Always on, on standby

    24/7/365 readiness. Quarterly tabletops, runbook updates, and contact verification keep the retainer warm.

  5. When an incident hits

    1-hour response

    Bridge opens, named responders join, containment work begins per pre-authorized runbook. Communication continues per documented escalation.

Outcomes

What you walk away with

Why us

What makes our engagement different

Named responders, not a queue

You get the same lead responder every time. They learn your environment once and remember it.

Hours roll forward

Unused retainer hours roll quarter to quarter. We don't incentivize waste, and you don't lose budget you didn't need to use.

Senior on every call

Every incident is led by a principal-grade responder. No tier-1 triage filtering before you get help.

Cyber insurance leverage

Retainer letters are commonly accepted by carriers for underwriting credit. We work directly with your broker if helpful.

FAQ

Common questions

Do we need a retainer to call you in an incident?

No. Our 24/7 emergency hotline accepts non-retainer callers and we'll mobilize on a time-and-materials basis. But you'll be one of several in queue, and we won't know your environment. Retained clients always get priority.

How big should our hour bucket be?

Most clients start with 40–80 hours per year. That covers quarterly tabletops, runbook maintenance, and a moderate incident. We'll right-size after a 30-min scoping call.

What if we never use it?

Most clients use a portion for tabletops, runbook updates, and the occasional 'is this a thing?' triage call. Retainer hours roll forward — there's no penalty for staying lucky.

Can our cyber insurance carrier credit this?

Yes — most carriers credit IR retainers as a control during underwriting. We provide retainer letters in the format your broker needs.

What happens if we exceed our hour bucket during an incident?

We continue working at the contracted hourly rate. The clock doesn't stop because the bucket is empty — but you have visibility into burn rate hour-by-hour during the engagement.

Don't shop for IR during an incident.

A 30-minute call now means a 1-hour-to-bridge response the day you need it. Most retainers are signed within two weeks.