Advisory — 2026-03-13

How to Choose an Incident Response Retainer: 12 Questions You Must Ask

Most organisations buy IR retainers wrong — they focus on price, not capability. Here's how to evaluate what actually matters.

Published: 2026-03-13 · Updated: 2026-03-13 · Simon Lynge

Your organisation just bought an incident response retainer. You feel protected. You have a contract that promises 24/7 support and rapid response times.

Then ransomware hits at 2 AM on a Saturday.

You call the hotline. After 20 minutes on hold, a junior analyst answers. They're offshore, unfamiliar with UK regulatory requirements, and need to "escalate to the UK team" who won't be available until Monday. Your SLA says "4-hour response" but it turns out that means "we'll acknowledge your call within 4 hours" — not "we'll have boots on the ground."

This isn't a hypothetical. We've seen it happen to organisations that thought they were protected.

47% of organisations with IR retainers report disappointment with provider response during actual incidents, according to industry surveys. The retainer looked good on paper but failed when it mattered.

The difference between a retainer that protects you and one that fails you isn't price — it's asking the right questions before you sign. This guide covers the 12 questions that separate competent IR providers from expensive disappointments.

Why an IR Retainer Matters

Before diving into the questions, let's be clear about what's at stake.

The Cost of Not Having One

When an incident occurs without a retainer in place:

23 days: average ransomware downtime for organisations without pre-arranged IR support, versus 11 days for those with established retainer relationships (Coveware, 2025).

Cyber Insurance Implications

Most cyber insurance policies now require — or strongly incentivise — having an IR retainer in place. This isn't just a checkbox:

Before selecting an IR provider, check your cyber insurance policy requirements. Your insurer may have a preferred panel, or they may allow you to pre-approve a provider of your choice.

The 4 Types of Retainer Structures

Not all retainers are structured the same way. Understanding the model matters because it affects what you're actually buying.

| Type | How it works | Pros | Cons |
| --- | --- | --- | --- |
| Hours-banked | You pre-purchase a block of hours (e.g., 40 hours/year) at a discounted rate. Hours are drawn down during incidents. | Clear cost control. Discounted hourly rate. | Hours may not cover a serious incident. May expire unused. |
| Subscription | Fixed monthly/annual fee for access to IR services. May include unlimited hours or capped incidents. | Predictable costs. No worry about running out of hours. | May pay for services you never use. Read the fine print on exclusions. |
| Hybrid | Base retainer fee for priority access and pre-incident services, plus hourly rates for actual incidents (often discounted). | Balances access with usage-based costs. Often includes proactive services. | Incident costs can still be significant. |
| Insurance-backed | IR services provided through your cyber insurance policy. Insurer pays directly. | Covered by insurance. May be "free" to you. | Limited provider choice. May affect claims. Provider serves insurer's interests. |

💡 Key insight: The cheapest retainer structure isn't always the best value. A £10,000 hours-banked retainer that gives you 20 hours won't cover a serious ransomware incident (which typically requires 80-150 hours). You'll end up paying emergency rates for the overage anyway.

The 12 Questions You Must Ask

These are the questions that reveal whether an IR provider will actually deliver when you need them. For each question, I've included what a good answer looks like — and the red flags that should make you walk away.

Question 1: What is your average response mobilisation time?

This is different from "response time" in your SLA. Mobilisation time means: from the moment you call, how long until a qualified analyst is actively working on your incident?

Good answer: "Our average mobilisation time is under 60 minutes. Within 15 minutes of your call, you'll be speaking with a senior analyst who can begin triage. For ransomware or active intrusions, we can have remote forensic collection running within the hour."
Red flag: "Our SLA guarantees response within 4 hours." (This usually means acknowledgement, not action.)

Question 2: Do you have a 24/7 UK operations centre, or do calls go offshore?

This matters for regulatory knowledge, legal privilege, and simple communication during a crisis. Offshore call centres can handle initial triage, but UK-specific incidents need UK expertise.

Good answer: "Our 24/7 operations centre is UK-based with UK-resident analysts on every shift. We don't offshore first-line support. The person who answers your call can start the investigation."
Red flag: "We have a global SOC that handles initial calls, then escalates to regional teams during business hours."

Question 3: What does "retainer hours" actually cover?

Some providers use retainer hours only for hands-on-keyboard work. Others include scoping calls, legal coordination, evidence packaging, and report writing. The difference can be 2x the hours consumed for the same incident.

Good answer: "Retainer hours cover all aspects of incident response: scoping, investigation, containment, evidence collection, and final reporting. Coordination calls with your legal team and insurer are included. We don't nickel-and-dime you during a crisis."
Red flag: "Retainer hours cover active investigation time. Administrative work, reporting, and coordination are billed separately."

Question 4: Do unused hours roll over, and what happens to them at renewal?

If you're buying hours-banked, you need to know what happens if you don't use them. Some providers let hours roll over indefinitely. Others expire them and pocket the difference.

Good answer: "Unused hours roll over for up to 24 months. If you don't renew, unused hours can be applied to pre-incident services like tabletop exercises or security assessments."
Red flag: "Hours expire at the end of each contract year. Unused hours are not refundable."

Question 5: Who specifically will respond — named individuals or anonymous analysts?

During a crisis, you want to know who's leading your response. Some providers guarantee named senior practitioners. Others send whoever's available from a pool.

Good answer: "Your retainer includes a named primary responder and backup. You'll meet both during onboarding. They'll know your environment and escalation contacts before an incident occurs."
Red flag: "Response is handled by our IR team based on availability. All our analysts are qualified to handle incidents."

Question 6: What forensic tools do you deploy?

Some providers rely entirely on your existing EDR. Others bring their own tooling that can work independently or fill gaps in your coverage.

Good answer: "We deploy our own forensic agents that work independently of your existing EDR. If your EDR is compromised or disabled by the attacker — which happens frequently — we're not blind. We also have licensed tools for memory analysis, log aggregation, and threat hunting."
Red flag: "We leverage your existing security stack. We'll need admin access to your EDR and SIEM to investigate."

Question 7: Do you handle ransomware negotiations directly or outsource?

Ransomware negotiation is a specialist skill. Some IR providers handle it in-house. Others outsource to third parties — adding another layer of coordination and cost.

Good answer: "We handle negotiations directly. Our team has negotiated with over 40 ransomware groups and completed 235+ negotiations. We don't outsource to third parties or crypto brokers."
Red flag: "For ransom negotiations, we partner with a specialist firm. They'll handle the negotiation aspect while we focus on technical response."

Read more about what makes effective ransomware negotiation.

Question 8: Can you interface with our insurer and legal team simultaneously?

Incident response doesn't happen in a vacuum. Your IR provider needs to coordinate with insurance claims adjusters, external legal counsel, internal legal, and potentially regulators — often all at once.

Good answer: "We regularly work with all major UK cyber insurers and are on several panels. We can coordinate directly with your breach counsel and claims adjusters, provide documentation in formats they require, and participate in joint calls as needed. We understand legal privilege requirements."
Red flag: "We focus on the technical investigation. Coordination with insurers and lawyers is your responsibility."

Question 9: Do you maintain a current threat intelligence capability, or just reactive IR?

The best IR providers don't just respond to incidents — they understand the threat landscape. This makes them faster at attribution, more accurate in scoping, and better at predicting attacker behaviour.

Good answer: "We maintain an active threat intelligence team that tracks ransomware groups, monitors dark web forums, and analyses new TTPs. During your incident, we can tell you exactly which group you're dealing with, their negotiation patterns, and whether they reliably decrypt."
Red flag: "We focus on incident response. For threat intelligence, we can recommend some subscription services."

Learn about threat intelligence capabilities.

Question 10: What evidence preservation methodology do you follow?

Evidence must be collected and preserved in a way that's admissible in court, acceptable to insurers, and compliant with regulatory requirements. Sloppy evidence handling can invalidate insurance claims and undermine legal proceedings.

Good answer: "We follow ISO 27037 standards for evidence handling. All evidence is hashed (SHA-256), timestamped, and maintained with full chain of custody documentation. Our evidence packages are accepted by UK courts, the ICO, and all major insurers."
Red flag: "We'll collect the relevant logs and artifacts for our investigation."

Read our guide on evidence preservation.
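To make the "hashed, timestamped, full chain of custody" answer concrete, here is an added illustration (not Binary Response's tooling, and not an implementation of ISO 27037 itself) of the minimum a defensible evidence package needs: a manifest that records a streamed SHA-256 digest and UTC collection timestamp per artefact, and a custody log in which every hand-off event commits to the previous one, so that editing or deleting an entry after the fact is detectable. The case id, analyst addresses and sample artefacts are constructed placeholders.

```python
# Added example: evidence manifest with SHA-256 hashes, UTC timestamps and a
# tamper-evident chain-of-custody log. Illustrative only; not any provider's
# tooling. Case ids and actor names below are constructed placeholders.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _hash_event(event):
    """Digest of a custody event body (everything except its own event_hash)."""
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def manifest_digest(manifest):
    """Digest of the artefact list; the custody chain is anchored to it."""
    return hashlib.sha256(json.dumps(manifest["items"], sort_keys=True).encode()).hexdigest()


def add_custody_event(manifest, actor, action, note=""):
    """Append a custody event that commits to the previous event's hash."""
    chain = manifest["custody"]
    previous = chain[-1]["event_hash"] if chain else manifest_digest(manifest)
    event = {"at": _utc_now(), "actor": actor, "action": action,
             "note": note, "previous_hash": previous}
    event["event_hash"] = _hash_event(event)
    chain.append(event)
    return event


def build_manifest(case_id, collector, root, rel_paths):
    """Hash each artefact under `root` and open the custody log with a 'collected' event."""
    items = []
    for rel in sorted(rel_paths):
        full = os.path.join(root, rel)
        items.append({"path": rel, "size": os.path.getsize(full),
                      "sha256": sha256_file(full), "collected_at": _utc_now()})
    manifest = {"case_id": case_id, "items": items, "custody": []}
    add_custody_event(manifest, collector, "collected", "initial acquisition from host")
    return manifest


def verify_manifest(manifest, root):
    """Re-hash every artefact and re-check the custody chain. Empty list means intact."""
    problems = []
    for item in manifest["items"]:
        full = os.path.join(root, item["path"])
        if not os.path.exists(full):
            problems.append(f"missing artefact: {item['path']}")
        elif sha256_file(full) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    expected_previous = manifest_digest(manifest)
    for index, event in enumerate(manifest["custody"]):
        if event["previous_hash"] != expected_previous:
            problems.append(f"custody chain broken at event {index}")
        if _hash_event(event) != event["event_hash"]:
            problems.append(f"custody event {index} altered")
        expected_previous = event["event_hash"]
    return problems


def demo():
    """Constructed run: two fake artefacts, one hand-off, then two tampering attempts."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample artefacts, not real evidence.
        with open(os.path.join(root, "auth.log"), "w") as fh:
            fh.write("2026-03-13T18:47:02Z sshd[4112]: Accepted password for svc_backup from 10.0.4.17\n")
        with open(os.path.join(root, "memory.raw"), "wb") as fh:
            fh.write(os.urandom(4096))
        manifest = build_manifest("CASE-0000-EXAMPLE", "analyst.one@example.invalid",
                                  root, ["auth.log", "memory.raw"])
        add_custody_event(manifest, "locker@example.invalid", "transferred",
                          "sealed and moved to evidence locker")
        clean = verify_manifest(manifest, root)                 # expected: []
        with open(os.path.join(root, "auth.log"), "a") as fh:   # artefact edited after collection
            fh.write("tampered\n")
        after_file_edit = verify_manifest(manifest, root)       # flags auth.log
        manifest["custody"][1]["note"] = "edited after the fact"  # custody entry rewritten
        after_log_edit = verify_manifest(manifest, root)        # also flags custody event 1
        return clean, after_file_edit, after_log_edit


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for a buyer is less the code than what it makes checkable: ask a prospective provider to show a manifest from a past (anonymised) engagement and confirm that hashes were taken at acquisition, that timestamps are unambiguous (UTC), and that the custody record is something a third party can verify rather than a free-text note.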

Question 11: Are you familiar with the ICO 72-hour notification requirement, and how do you support it?

UK GDPR requires notification to the ICO within 72 hours of becoming aware of a personal data breach. Your IR provider should understand this timeline and be able to support your notification decision.

Good answer: "We build ICO notification support into our response process. Within the first 24 hours, we'll provide a preliminary data impact assessment to support your notification decision. We can help draft the notification, track the 72-hour clock, and support subsequent ICO inquiries."
Red flag: "Regulatory notification is a legal matter — we recommend consulting with your lawyers on that."

Question 12: What does your post-incident reporting look like, and how do we use it?

The final report matters more than most organisations realise. It's used for insurance claims, regulatory inquiries, board reporting, and preventing future incidents. A good report is comprehensive but actionable.

Good answer: "You'll receive a comprehensive report covering: attack timeline, root cause analysis, data impact assessment, containment and remediation actions, and prioritised recommendations. We tailor the executive summary for board presentation and provide technical appendices for your security team. We include everything insurers and regulators typically request."
Red flag: "We provide a summary of our findings and actions taken."

Red Flags: When to Walk Away

Beyond the 12 questions, watch for these warning signs during the sales process:

Walk away if:

  • They can't provide references from similar incidents. An IR provider who can't share anonymised case studies or arrange reference calls has something to hide.
  • The sales team can't answer technical questions. If they need to "get back to you" on basic questions, imagine how responsive they'll be during a crisis.
  • Their SLA has excessive carve-outs. Watch for terms like "best efforts," "subject to availability," or "excluding force majeure." These give them escape routes.
  • They require long minimum engagements for incidents. Some providers mandate minimum 40-hour engagements regardless of incident size. This protects them, not you.
  • They won't do a scoping call to understand your environment. A provider who doesn't want to know about your business before signing isn't planning to tailor their response.
  • They claim to "handle everything" with no specialisations. IR, forensics, negotiation, legal, PR — no single firm does everything well. The best providers are clear about their capabilities and have established partnerships for what they don't do.
  • They're vague about who actually does the work. "Our team of experienced analysts" could mean anything. Push for specifics on qualifications and experience levels.

⚠️ The biggest red flag: Providers who sell on fear rather than capability. If the pitch is mostly "here's how bad it will be if you're not covered," rather than "here's what we'll do when it happens," keep looking.

What Good IR Retainer Engagement Looks Like

Here's what you should expect from a proper IR retainer relationship, from signing to activation.

Onboarding (First 30 Days)

Ongoing Relationship

Incident Activation

Case Study: What a Working Retainer Looks Like

Organisation: Mid-sized UK manufacturing company (450 employees, £85M revenue)

Retainer type: Hybrid retainer with 40 pre-purchased hours, discounted incident rates, and proactive services

The incident: Ransomware attack discovered at 6:47 PM on a Friday. Production systems encrypted. Ransom demand: £1.8M.

Response timeline:

  • 6:52 PM: IT Director calls retainer hotline
  • 6:54 PM: Speaking with named primary responder (who already knew their environment)
  • 7:15 PM: Remote forensic collection initiated on priority systems
  • 7:45 PM: Initial triage complete, containment strategy confirmed
  • 8:30 PM: Board briefed via pre-established crisis call
  • Saturday 9:00 AM: Full forensic analysis underway, negotiation initiated
  • Day 3: ICO notification submitted with impact assessment
  • Day 7: Negotiated settlement at £340,000 (81% reduction)
  • Day 12: Full production restored from clean backups

Outcome: Because of the established relationship, the organisation saved an estimated 6-8 days of downtime compared to industry average. The retainer's upfront knowledge of their environment and existing communication channels eliminated the "getting to know you" phase that delays most incident responses. Total IR costs (including negotiation and forensics) were covered by cyber insurance, with pre-approved panel status ensuring no claims delays.

How to Compare Providers

Once you've asked the 12 questions to multiple providers, use this framework to compare:

| Factor | Weight | What to compare |
| --- | --- | --- |
| Mobilisation speed | High | Actual mobilisation time (not SLA acknowledgement time) |
| UK capability | High | 24/7 UK-based response, regulatory knowledge |
| Ransomware expertise | High | In-house negotiation, group-specific intelligence |
| Insurance compatibility | High | Panel status, pre-approval with your insurer |
| Evidence standards | Medium | ISO compliance, chain of custody, court admissibility |
| Proactive services | Medium | Tabletop exercises, assessments, threat briefings included |
| Retainer structure | Medium | Hour rollover, what's included, overage rates |
| Price | Low | Total cost of ownership, not just annual fee |

💡 Final advice: The cheapest retainer is rarely the best value. Calculate the true cost by considering: what happens if you need 100 hours? What's the overage rate? What's excluded? A £12,000 retainer with £250/hour overages will cost more than a £20,000 retainer with £180/hour overages if you have a serious incident.

Making Your Decision

An IR retainer is insurance you hope never to use — but when you need it, nothing else matters. The organisations that recover fastest from cyber incidents aren't necessarily the ones with the biggest security teams or the most advanced tools. They're the ones who established the right partnerships before the crisis.

Take the time to ask these 12 questions. Meet your potential responders. Run a tabletop exercise with them. The hour you invest now saves days during an actual incident.

Ready to Discuss an IR Retainer?

Binary Response offers IR retainer packages for UK organisations of all sizes. Our retainers include named responders, 24/7 UK-based support, in-house ransomware negotiation, and proactive services.

Learn About Our IR Retainer →

Or contact us to discuss your requirements