Choosing the Right Incident Response Partner
When you're facing a ransomware attack or data breach, the IR firm you choose determines the outcome. Here's how to evaluate your options.
How We Compare
| Criteria | Binary Response | Large MSSPs | US-Based IR Firms | Generalist IT Companies |
|---|---|---|---|---|
| Response Time | <1 hour | 4–24 hours | 2–8 hours (time zone dependent) | 24–72 hours |
| Certifications | CREST IR, ChCSP, PCI PFI | Varies widely | Varies | Rarely IR-specific |
| Negotiation Track Record | 235 documented cases | Not typically disclosed | Varies, rarely public | None |
| Success Fees | Never | Common | Common | N/A |
| UK Jurisdiction Expertise | ICO, FCA, PRA, SRA | Sometimes | Limited | Limited |
| Public Negotiation Archive | 235 transcripts, fully browseable | No | No | No |
| Proactive Dark Web Monitoring | Yes — we contact you first | Add-on product | Rarely | No |
| Dedicated Senior Practitioner | From first call — no junior triage | Junior analyst triage typical | Varies by firm | Generalist staff |
Key Differentiators
No Success Fees — Ever
Some IR firms charge a percentage of the ransom demand or settlement as a ‘success fee’. This creates a perverse incentive for the firm to recommend payment rather than explore alternatives. We charge transparent day rates. Period.
CREST IR and ChCSP Certified
Our practitioners hold CREST Incident Response and Chartered Cybersecurity Professional certifications. These aren’t sales badges — they require demonstrated competence in real-world incident handling.
235 Documented Negotiations
We publish the largest public archive of ransomware negotiation transcripts. You can read them. This level of transparency is unprecedented in the IR industry.
UK-Based, UK Regulatory Experience
We know ICO notification timelines, FCA reporting requirements, PRA expectations, and SRA obligations. A US-based firm often doesn’t.
Proactive Dark Web Monitoring
We monitor dark web leak sites 24/7. When your organisation appears, we contact you before you know you’ve been breached. No subscription required for initial alert.
Frequently Asked Questions
Why not use our existing IT provider for incident response?
Your IT provider manages your day-to-day infrastructure. Incident response requires specialist forensic skills, legal-grade evidence handling, threat actor intelligence, and negotiation expertise that general IT teams don’t possess. Using your IT provider for IR is like asking your GP to perform surgery — they’re both doctors, but the specialisation matters.
Is a US-based firm OK for a UK incident?
It can work, but there are drawbacks. UK regulatory requirements (ICO 72-hour notification, FCA reporting, DPA 2018 compliance) differ from US frameworks. Time zone differences slow response during critical first hours. Evidence handling may not meet UK court standards. If you’re a UK organisation, a UK-based IR firm with UK regulatory experience is the safer choice.
What about large MSSPs for incident response?
Large MSSPs excel at managed detection and monitoring. However, their IR capability is often a bolt-on service staffed by junior analysts who triage before escalating to senior staff. In a ransomware incident, you need senior practitioners from minute one — not after a 4-hour escalation process.
How do success fees work and why should I avoid them?
A success fee is a percentage (typically 10–30%) of the ransom amount that the IR firm charges on top of their professional fees. If the ransom demand is £2M and settled at £500K, a 20% success fee adds £100K to your costs. This model creates an incentive for the firm to recommend payment rather than explore alternatives. Binary Response never charges success fees.