Analysis — 2026-03-03

What an Incident Response Retainer Actually Gets You

Most organisations don't realise what they're missing without one — until 2am on a Friday when they need it most.

Every CISO knows they should have an incident response retainer. Most don't have one. The reason is usually some variation of: "We'll cross that bridge when we come to it" or "Our insurer will sort it."

Then the ransomware hits and they find out what that actually means in practice.

This piece breaks down what an IR retainer buys you, what it doesn't, and how to think about whether your organisation actually needs one. It's written from the perspective of practitioners who have responded to incidents both with and without a pre-existing retainer in place — the difference is stark.


The Call Nobody Plans For

Ransomware does not respect working hours. Across the incidents we have responded to, the plurality hit on a Friday evening or over a weekend — and that is not coincidence. Threat actors know that your IT team is reduced, your escalation paths are slower, and your leadership are harder to reach.

When the call comes — from your NOC, from an employee who can't open files, from your dark web monitoring alerting on your own domain — the clock starts. Every hour of delay in getting qualified incident responders on-site or working the problem has a measurable cost.

Without a retainer, here is what the first few hours typically look like: someone Googles for IR firms, calls a few numbers (half of which go to voicemail at 11pm), eventually reaches a firm, then spends the next two hours on commercial negotiations — rates, scope, NDAs, engagement letters — before a single practitioner has touched your environment.

We have seen organisations spend four hours on contract administration before anyone started technical work. Four hours.

What You Are Actually Buying

An IR retainer is not primarily about the hours. The hours matter, but they are the surface. What you are actually buying is five things:

1. The right to skip the queue

Good IR firms are busy. When a major ransomware campaign hits — a new LockBit variant, a widespread exploitation of a critical CVE, a large-scale RaaS campaign — every organisation that got hit is calling every IR firm simultaneously. Without a retainer, you are in that queue. With one, you are not.

Retainer clients get priority mobilisation. Named practitioners are committed to your engagement before others. That is not a marketing promise — it is a contractual obligation.

2. Zero friction at zero hour

When you are staring down an encrypted domain controller at midnight, the last thing you want is a conversation about rates, liability caps, and governing law. A retainer means that conversation has already happened — in a boardroom, calmly, over coffee. The MSA is signed, the rates are agreed, the scope is pre-cleared. When the call comes, the only conversation is: here is what we're seeing, here is your named consultant's number.

3. Practitioners who know your environment

This is the one most organisations underestimate. The first two hours of any incident response engagement are largely wasted if the practitioners have never seen your environment. Where is your AD? What does normal traffic look like? What are your backup targets? What EDR are you running and what coverage does it have? What are your critical assets?

With a retainer that includes environment pre-briefing, your named consultants have already ingested your network diagrams, asset register, and critical system map. They hit the ground running rather than spending the first two hours asking questions you barely have the capacity to answer while your business burns.

4. Pre-negotiated commercial terms under duress protection

Incident response day rates spike during high-demand periods. Firms that know you are desperate — because you called at midnight with ransomware active — know they are in a strong negotiating position. Your retainer rate is fixed regardless of market conditions or time of call. You will not pay a premium for the urgency that the situation itself creates.

This is particularly relevant for ransomware — a single large incident can consume 300-500 billable hours. The difference between a standard rate and a retainer rate across that engagement is significant.

5. A tested relationship

Trust is built before a crisis, not during one. A retainer that includes a tabletop exercise means that by the time you actually need your IR firm, you have already worked together under pressure (simulated). You know how they communicate. They know how your leadership makes decisions. The first real crisis is not the first time anyone in the room has met.

What a Retainer Does Not Get You

It is worth being honest about the limitations.

A retainer is not an insurance policy. It does not cover ransom payments, third-party liability, regulatory fines, or business interruption losses. Those are questions for your cyber insurer and legal team. A retainer ensures you have qualified responders; it does not guarantee the outcome of an incident.

A retainer is not a substitute for basic hygiene. If you have no EDR, poor backup practices, and unpatched internet-facing infrastructure, an IR retainer will not save you — it just means that when the inevitable happens, you have better responders working through the rubble faster. Retainers and security fundamentals are complementary, not interchangeable.

Hours do not roll over forever. Most retainers include banked hours with a roll-over period. Hours unused beyond that period are typically forfeited or credited against renewal. Understand your contract terms. (At Binary Response, unused hours roll over for 12 months and are credited, not forfeited, at renewal — but check any firm's terms carefully.)

Not all retainers are the same. The market has low-quality retainer products that are essentially just pre-signed MSAs with no real priority access, no banked hours, and no environment pre-briefing. Ask specifically: what is your guaranteed mobilisation SLA? How many clients does each named consultant hold a primary relationship with? What does onboarding actually include?

The Insurance Angle

Cyber insurers are increasingly asking about IR retainer status when underwriting policies — particularly for mid-market clients. A documented retainer with a credentialled firm is evidence of preparedness and can positively influence both coverage terms and premium.

There is also a practical alignment of interest: insurers want incidents to be contained quickly and managed well. A pre-existing retainer with a competent firm tends to produce better outcomes — lower costs, faster recovery, cleaner documentation for regulatory purposes. That is in everyone's interest.

If you are due for cyber insurance renewal, a retainer in place before you submit is worth discussing with your broker. Most major insurers recognise the value; some now have preferred panel arrangements with specific IR firms.

Who Actually Needs a Retainer

Not every organisation needs a retainer, and it is worth being honest about that. Here is a rough heuristic:

| Profile | Retainer? | Why |
|---|---|---|
| Mid-market, no in-house DFIR, cyber insurance held | Yes | Core use case. Fills capability gap, supports insurance posture. |
| Post-incident organisation (been through a breach) | Yes | You know what "finding responders at midnight" actually costs. Don't do it again. |
| Critical national infrastructure / regulated sector | Yes | Regulatory notification timelines (72h ICO) demand rapid response. You cannot afford queue time. |
| Enterprise with mature SOC and in-house DFIR | Maybe | Overflow capability for major incidents or specialist capabilities (negotiation, expert witness). |
| Small business, limited IT estate, minimal data risk | Probably not | Cost-benefit likely doesn't stack up. Focus on prevention and insured response instead. |

What to Ask Any IR Firm Before Signing

If you are evaluating retainer options — from us or anyone else — these are the questions worth asking:

  1. What is your guaranteed mobilisation SLA, and how is it measured? (Not the acknowledgement SLA — when does a qualified practitioner actually start working your incident?)
  2. How many active retainer clients does each named consultant hold primary responsibility for? (A consultant carrying 20+ primary retainer relationships cannot guarantee you meaningful priority.)
  3. What does onboarding actually include? (An MSA and a kick-off call is not an onboarded relationship.)
  4. What happens to unused hours? (Forfeited, rolled over, credited — and for how long?)
  5. Have you handled an incident in my sector in the last 12 months? (Sector-specific knowledge matters — healthcare IR is not the same as financial services IR.)
  6. What is your insurer panel status? (Can you provide documentation acceptable to major cyber insurers?)
  7. What do you do if you cannot meet the SLA? (What is the remediation process if the retainer commitment is not met?)

The Real Cost of Not Having One

The direct cost of an IR retainer is quantifiable. The cost of not having one is harder to calculate but consistently higher.

We have had clients come to us after incidents where they wish they had retained us beforehand. That conversation, in the aftermath, is always the same: "We thought the retainer was expensive until we saw what not having one cost us."


If you want to understand what a retainer would look like for your organisation — what tier makes sense, what the onboarding involves, and what it would cost — contact us. There is no sales pitch attached to that conversation.

The next fortnightly long-form piece publishes 17 March. Topic: The Forensic Evidence You Destroy in the First Hour of a Ransomware Incident — and why your first instinct (disconnect everything immediately) may be making it worse.

Binary Response monitors dark web leak sites 24/7 and provides proactive incident response. For immediate support: alerts@binary-response.com