How to Choose an Incident Response Provider: 8 Questions to Ask

Not all incident response providers are created equal. Before you sign a retainer or hand over your forensic evidence, ask these eight questions to separate the providers who turn up with senior practitioners and a plan from the ones who turn up with a sales deck and a subcontractor list.

Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026

1. Do They Deploy Senior Practitioners From Day One?

This is the most important question you can ask, and the one most likely to expose a fundamental difference between providers. Many large incident response firms operate a tiered staffing model: a junior analyst takes the initial triage call, runs through a standard checklist, and only escalates to a senior practitioner once the incident is deemed sufficiently serious. By the time experienced eyes are on the problem, critical hours have been lost — hours during which a threat actor may be exfiltrating data, deploying additional persistence mechanisms, or encrypting backup systems.

The first few hours of an incident are the most consequential. Containment decisions in this window determine whether an organisation loses a single server or its entire domain. Those decisions require judgement that comes from having handled dozens — or hundreds — of real incidents, not from following a runbook. A senior practitioner will recognise the indicators, understand the threat actor's playbook, and make the right calls under pressure.

When evaluating providers, ask specifically: who will be on the phone within the first hour? What are their qualifications? How many incidents have they personally led? If the answer involves the phrase "our triage team will assess and escalate," you are not getting senior practitioners from day one. You are getting a queue. The best providers — the ones worth retaining — put their most experienced people on every engagement from the moment the call comes in, because they understand that the quality of the initial response shapes everything that follows.

2. What Is Their Guaranteed Response SLA?

A verbal assurance that someone will "get back to you quickly" is not an SLA. A genuine service level agreement is a contractual commitment with defined timelines: acknowledgement within a specified window, remote triage within another, and on-site mobilisation (if required) within a third. These numbers should be written into the retainer contract, not buried in a marketing brochure. If a provider cannot give you specific, measurable response commitments in writing, they are selling you a promise without accountability.

Response times matter because cyber incidents burn faster than most business disruptions. Ransomware operators frequently maintain active access to a network for hours or days after initial encryption, waiting to see whether backups are viable before deciding whether to escalate their demands. Every hour of delay gives the adversary more options and you fewer. A provider with a four-hour mobilisation SLA will have practitioners working on containment while a provider with vague response commitments is still trying to find someone available.

Look for providers that differentiate between acknowledgement and mobilisation. Acknowledgement — confirming receipt of the call and beginning remote assessment — should happen within one hour at most. Mobilisation — having a practitioner actively working on containment, whether remotely or on-site — should be within two to four hours depending on your retainer tier. Anything beyond that, and you are paying for a retainer that does not deliver when it counts. Ask to see the SLA in the contract, not just on the website. And ask what happens if they miss it — a provider confident in their capability will have a penalty clause or service credit. One that does not is telling you something about how seriously they take those numbers.

3. Do They Have Cross-Sector Experience?

Cyber incidents do not respect industry boundaries, but the way you respond to them must. A ransomware attack on a financial services firm triggers FCA notification obligations, potential PRA reporting requirements, and client data considerations that are fundamentally different from a ransomware attack on an NHS trust, which carries patient safety implications, Caldicott Guardian involvement, and NHS England reporting pathways. A provider who only works in one sector may be technically proficient but blind to the regulatory and operational nuances that determine whether your response is considered adequate by the bodies that matter.

Cross-sector experience also produces better practitioners. A team that has handled incidents in manufacturing, legal, healthcare, education, and financial services has encountered a wider range of threat actors, network architectures, and business constraints. They have seen how threat actors adapt their tactics to different targets. They have learned that what works in a cloud-native fintech environment requires a completely different approach in an operational technology environment running legacy SCADA systems. That breadth of experience translates directly into faster, more accurate decision-making during your incident.

When evaluating providers, ask for anonymised case studies across at least three different sectors. Ask which industries represent their largest client base and which they have entered more recently. A provider with genuine cross-sector depth will discuss the differences between sectors fluently — not because they have memorised a list of regulators, but because they have sat in the room with those regulators and understand what they actually expect.

4. Can They Handle UK Regulatory Notifications?

In the UK, a data breach involving personal data triggers a 72-hour notification window to the Information Commissioner's Office under UK GDPR. If you are in financial services, the FCA and PRA have their own notification requirements with different timelines and thresholds. Healthcare organisations face CQC and NHS England reporting obligations. These notifications are not formalities — handle them poorly, and they trigger enforcement action, fines, and reputational damage. Your incident response provider must understand these obligations intimately, not as an afterthought.

The challenge is that regulatory notifications must be filed while the investigation is still ongoing. You are making representations to a regulator about the scope, impact, and cause of a breach before you have the full picture. This requires careful, precise language — committing to what is known, clearly delineating what is still under investigation, and avoiding premature conclusions that you may need to retract later. An experienced provider will have drafted dozens of these notifications and will know exactly what the ICO expects to see, what the FCA considers material, and how to frame ongoing uncertainty without triggering unnecessary alarm.

Ask your prospective provider how many ICO notifications they have prepared. Ask whether they have experience with FCA and PRA reporting. Ask whether they have dealt with multi-regulator incidents where overlapping notification obligations create competing priorities. A provider with genuine regulatory notification experience will answer these questions with specifics, not generalities. If they defer to "your legal team will handle that," they are telling you that regulatory navigation is not part of their core capability — and during a live incident, that gap can be costly.

5. Do They Charge Success Fees on Ransomware Negotiations?

This question reveals more about a provider's ethics and incentive structure than almost any other. Some incident response firms — and many standalone negotiation specialists — charge a percentage of the final ransom payment as a "success fee." The typical structure is 10 to 20 per cent of the payment amount, framed as compensation for negotiating the demand down. On its face, this sounds reasonable. In practice, it creates a fundamental conflict of interest: the provider earns more when you pay more. Their financial incentive is not aligned with the outcome that is best for you.

A provider whose revenue depends on a ransom being paid has a structural disincentive to recommend alternatives. They may be less motivated to explore whether decryption is possible through other means, whether backups are viable, or whether the threat actor's claims about data exfiltration are genuine. They may also be less forthcoming about the risks of payment — the possibility that the decryptor will not work, that the threat actor will not delete the stolen data, or that payment may attract repeat targeting. When the person advising you on whether to pay stands to earn a six-figure fee if you do, the advice is compromised regardless of the individual's integrity.

Look for providers who charge flat-rate or time-based fees for ransomware negotiation services. Their fee should be the same whether you pay the ransom, negotiate it down by 90 per cent, or refuse to pay entirely. This ensures that every recommendation — pay, negotiate, or walk away — is driven solely by what is in your interest, not theirs. Ask the question directly: "If we end up paying a ransom, does your fee change?" The answer will tell you everything you need to know about whose interests they are serving.

6. Is Proactive Dark Web Monitoring Included?

Dark web monitoring is one of those services that some providers treat as a premium add-on, charging separately for what should be a fundamental component of any incident response relationship. If you are paying for a retainer, you are paying for readiness — and readiness means knowing when your organisation's data appears on a leak site, when your credentials are being traded in underground forums, or when a threat actor is publicly claiming to have breached your network. Discovering this from a journalist or a client rather than from your IR provider is a failure of the retainer relationship, full stop.

Effective dark web monitoring goes beyond simple keyword alerts. It requires active coverage of ransomware leak sites, initial access broker forums, credential marketplaces, paste sites, and Telegram channels where threat actors increasingly operate. It requires analysts who can contextualise what they find — distinguishing between a genuine leak of your data and a recycled credential dump from a third-party breach that happens to include some of your employees' personal email addresses. Without that context, monitoring produces noise rather than intelligence.

When evaluating providers, ask whether dark web monitoring is included in the base retainer or charged separately. Ask what sources they monitor, how frequently, and what the notification process looks like when something is found. Ask for an example of a monitoring alert they have delivered to a client. A provider that includes monitoring as standard is telling you they view it as essential to incident readiness. A provider that charges extra is telling you they view it as a revenue line. Both approaches work, but only one reflects a genuine commitment to keeping you informed before an incident escalates.

7. Do They Provide Board-Ready Executive Reporting?

The technical forensic report is necessary but not sufficient. After an incident, your board needs to understand what happened, what the business impact was, whether the threat has been contained, and what needs to change to prevent recurrence. Your cyber insurer needs a clear narrative that supports the claim. Your regulators need evidence that the response was proportionate and timely. None of these audiences want to read memory dump analysis or registry key timelines. They need an executive summary that translates technical findings into business language — clearly, accurately, and without unnecessary jargon.

Board-ready reporting is a skill that many technically excellent IR firms never develop. Producing a detailed forensic timeline is one thing; distilling it into a two-page summary that a non-technical board director can read and act upon is another. The best providers produce both as standard: a comprehensive technical report for your security team and a separate executive summary for leadership, insurers, and regulators. The executive summary should include a clear incident timeline, confirmed business impact, containment status, root cause analysis, and prioritised strategic recommendations — all in language that a finance director or general counsel can understand without a translator.

Ask to see a redacted sample of a previous executive report. Look at the structure, the language, and the level of detail. Does it read like something your board would find useful, or does it read like something written by an engineer who was asked to summarise their own technical report? The difference is significant, and it matters because the quality of post-incident reporting directly affects board confidence, insurer relationships, and regulatory outcomes. A provider that produces excellent forensic work but poor executive reporting leaves you doing the translation yourself — at the worst possible time.

8. What Happens to Unused Retainer Hours?

This question reveals whether a provider designed their retainer to serve your interests or their cash flow. Many IR retainers include a block of pre-purchased hours — typically 40 to 200 hours per year — that are consumed during an incident. The question is what happens if you are fortunate enough not to need them. Some providers operate a strict use-it-or-lose-it model: unused hours expire at the end of the contract period, and you receive no value for the investment. This effectively penalises you for not being breached, which is a perverse incentive in a service designed to improve your security posture.

The better model — and the one you should insist on — allows unused incident response hours to be redirected toward proactive security services. This might include tabletop exercises to test your incident response plan, security assessments to identify vulnerabilities before they are exploited, threat intelligence briefings to keep your leadership informed, or IR plan development and review. This approach ensures that you receive tangible value from your retainer regardless of whether an incident occurs, and it strengthens your security posture in the process — which is, after all, the entire point.

Ask your prospective provider three specific questions: Do unused hours expire? Can they be applied to proactive services? And is there a limit on rollover? A provider that allows flexible reallocation is confident that their proactive services are strong enough to stand on their own merit. A provider that relies on expiring hours to protect their margin is telling you that the retainer is structured for their benefit, not yours. The best IR retainer arrangements treat unused hours as an opportunity to invest in prevention, not as lost revenue to be written off.

Frequently Asked Questions

What should I look for in an incident response provider?

Look for senior practitioner involvement from day one, a written response SLA with defined mobilisation times, cross-sector experience, UK regulatory expertise covering the ICO, FCA, and PRA, transparent fee structures with no success fees on ransomware negotiations, proactive dark web monitoring included as standard, board-ready executive reporting, and flexible retainer terms that let you repurpose unused hours toward proactive security services.

How fast should an incident response provider respond?

A strong IR provider should offer a contractual SLA with acknowledgement within one hour and remote mobilisation within two to four hours. Anything slower than four hours for initial mobilisation significantly increases the blast radius of a cyber incident. Look for providers who commit these timelines in writing, not just in sales conversations, and who include penalty clauses or service credits if they fail to meet them.

Do incident response providers charge success fees for ransomware negotiations?

Some providers charge a percentage of the ransom payment as a success fee, typically 10 to 20 per cent. This creates a conflict of interest — the provider earns more when you pay more. Reputable providers charge flat-rate or time-based fees for negotiation services, ensuring their advice remains entirely objective regardless of whether you pay, negotiate down, or refuse to pay.

Why is cross-sector experience important for incident response?

Different sectors face different threat actors, regulatory regimes, and operational constraints. A provider with experience across financial services, healthcare, manufacturing, legal, and education will understand the nuances of each environment — from FCA reporting obligations to patient data handling — and can apply lessons learned from one sector to strengthen responses in another.

What happens to unused hours on an IR retainer?

Policies vary by provider. Some let unused hours expire at the end of the contract period. The best providers allow you to redirect unused hours toward proactive services like tabletop exercises, security assessments, threat intelligence briefings, or IR plan reviews — ensuring you always receive value from your retainer investment regardless of whether an incident occurs.

Should an IR provider handle regulatory notifications?

Absolutely. In the UK, regulatory notification is time-sensitive and evidence-dependent. Your IR provider should have direct experience preparing ICO, FCA, and PRA notifications, understand the 72-hour GDPR reporting window, and produce the forensic evidence these regulators expect. Providers without this experience may leave you exposed to enforcement action or regulatory criticism.

What is board-ready executive reporting in incident response?

Board-ready reporting translates technical forensic findings into clear, jargon-free summaries that directors, insurers, and regulators can act upon. It typically includes an executive summary with a timeline, business impact assessment, root cause analysis, containment status, and strategic recommendations — presented in a format suitable for boardroom discussion rather than a SOC analyst's screen.

Ready to Ask the Right Questions?

Contact Binary Response to discuss your incident response needs. We are happy to answer every question on this list — and any others you bring to the table.