An incident response retainer is an agreement with a DFIR firm that guarantees priority access, defined response times, and pre-agreed commercial terms in the event of a cyber incident. The value of a retainer is not what it provides during normal times — it is what it prevents during the worst ones.
Organisations that invoke an IR retainer during an incident spend less time on vendor triage, start containment faster, and avoid the risk of engaging an unfamiliar firm under extreme time pressure. Those without a retainer frequently spend the first 12–24 hours of a major incident on hold with multiple vendors, negotiating emergency rates, and explaining their entire environment from scratch.
This guide covers what a retainer should actually include, what to ask before signing, and what red flags to watch for.
What a Retainer Is — and Is Not
A retainer is not a managed security service. It does not provide ongoing monitoring, detection, or prevention. It is a readiness arrangement — an agreement that when you call, you get a response, not a queue.
Good retainers typically include:
- Priority response SLA (guaranteed response time from first call)
- Pre-agreed day rates for incident response, forensics, and negotiation services
- An onboarding process that familiarises the IR firm with your environment before an incident
- Access to threat intelligence relevant to your sector
- A defined set of included pre-incident services (tabletop exercises, IR plan review, etc.)
- Incident hotline — a number that reaches a human immediately, 24/7
SLA Questions You Must Ask
SLA language in retainer agreements is frequently vague in ways that matter significantly during an incident. Push for specifics:
"What is your response time?"
The right answer is a specific time commitment — "we will have a senior analyst on a call with you within one hour of your call" — not "we aim to respond promptly." Ask what happens if that SLA is not met. Ask what your escalation path is if you call the hotline and do not hear back.
Also ask: response time from when? Some agreements measure from when you log a ticket; others from when you call the hotline; others from when the incident is formally classified. These distinctions matter at 2am on a Sunday.
"Who responds — and what is their experience level?"
You want senior practitioners responding to major incidents, not junior analysts escalating to someone else. Ask specifically about the team who would be deployed on a significant ransomware incident. Ask about their CREST IR certification status. Ask how many incidents they respond to per month — a firm doing three incidents a year has significantly less current threat actor intelligence than one doing twenty.
"What is your on-site response capability?"
Remote-first IR is increasingly effective, particularly with EDR tooling in place. But on-site capability still matters for evidence acquisition from air-gapped systems, physical environment assessment, and situations where remote access has been compromised. Ask where their nearest on-site team is, and what their on-site mobilisation time looks like for your location.
"What do you do to prepare before an incident?"
A retainer that simply puts you on a priority list has limited value over a cold engagement. Good retainer arrangements include an onboarding process: a discovery session to document your environment, your critical systems, your contact tree, your insurer details. This documentation means that when the call comes in, the responding team already knows your environment — they are not starting from zero.
Pre-Incident Services: What Should Be Included
Retainers that are purely reactive — providing response capability with no proactive element — miss much of the value available. Look for retainers that include:
- IR plan review: Assessment of your existing incident response plan against real-world scenarios, with recommendations
- Tabletop exercise: At least one facilitated exercise annually, ideally tailored to your sector and threat profile
- Threat intelligence briefings: Regular updates on threat actors targeting your sector, indicators of compromise relevant to your environment
- Retained hours: A block of analyst hours that can be used for proactive work — threat hunting, log review, dark web monitoring — rather than sitting unused until an incident
If the retainer fee buys nothing until an incident occurs, it is purely an insurance premium. Retainer fees that buy active value year-round are a better commercial proposition and a better security investment.
Red Flags in Retainer Contracts
No named contacts or guaranteed resource
If the agreement does not commit to specific individuals or a defined team, you may invoke the retainer and find that every senior practitioner is deployed on other incidents. Ask who you are retaining, not just which firm.
Unlimited scope language without commercial protections
Some retainer agreements cap pre-agreed rates only for a defined initial period (e.g., 72 hours) before moving to negotiated rates. Understand when pre-agreed commercial terms expire and what replaces them. Major incidents run for weeks — a favourable rate for the first three days and market rate thereafter may not be significantly better than no retainer at all.
Conflict with your insurance policy
If your cyber insurer requires you to use their approved panel, invoking a non-panel retainer may affect coverage. Check insurer compatibility before signing any retainer agreement. Some insurers approve non-panel vendors with pre-notification; others do not. This needs to be resolved before you have an incident, not during one.
No testing or validation process
If the firm is not willing to conduct a test call — validating that the hotline works, that your contact details are correct in their system, that the onboarding documentation is current — they are not treating the retainer seriously. Test the relationship before you need it.
Evaluating IR Firms
Beyond the contract terms, the firm you retain matters. Questions to assess:
- CREST IR accreditation: The CREST Certified Incident Response standard is the primary quality benchmark for IR firms in the UK. It is not universal — some good firms are not CREST accredited, and accreditation alone does not guarantee quality — but it is a meaningful indicator of process and capability
- Sector experience: A firm that primarily serves financial services may not have the OT/ICS expertise required for a manufacturing incident. Match the firm's experience to your risk profile
- Threat actor intelligence: Ask specifically about their intelligence capability. Do they maintain attribution databases? Do they have visibility into criminal forum activity? Do they have relationships with law enforcement that provide threat intelligence?
- Negotiation capability: If your risk profile includes ransomware — which it does for virtually all organisations — confirm that the firm conducts negotiations in-house rather than referring to a third party. Fragmented accountability in a negotiation produces worse outcomes
- Reference engagements: Ask for references from clients who have invoked the retainer during a real incident. Pre-incident references tell you about the sales process; post-incident references tell you about the actual service
The Insurer-Appointed IR Question
Many organisations assume their cyber insurer will appoint an IR firm in the event of a claim, making an independent retainer redundant. This reasoning has several weaknesses.
Insurer-appointed firms are optimised for the insurer's interests — cost efficiency and rapid claim closure — not necessarily for the best outcome for your business. They handle high volumes of incidents at compressed timelines and rates, which can mean less senior resource and shorter investigation windows than your situation warrants.
Having your own retainer — and checking its compatibility with your insurance policy — gives you more control over who responds and how the engagement is conducted. You may still need to involve the insurer's panel, but being able to direct the technical response rather than accepting whoever is appointed is a materially better position.
Binary Response offers IR retainer arrangements tailored to UK organisations of all sizes. Our retainers include genuine onboarding, tabletop exercises, and access to active threat intelligence — not just a name on a priority list. Contact us at enquiries@binary-response.com to discuss what's right for your organisation.