// IR Retainer

Incident Response Retainer

Guaranteed response times. Pre-negotiated rates. Experienced practitioners who already know your environment — ready before you need them.

⚡ Enquire About a RetainerAll Services

All Services

IR Retainer Incident Response Digital Forensics Ransomware Negotiations Dark Web Monitoring Dark Web Data Recovery Tabletop Exercises Security Assessments Threat Intelligence Professional Speaking Expert Witness Services Breach Notification Support

The Problem With Calling Us After the Breach

When ransomware hits at 2am on a Friday, the last thing you want is to be Googling for incident responders, negotiating contracts under duress, and briefing a team who have never seen your environment. That delay — measured in hours — is where the real damage happens.

An IR retainer removes all of that friction. We are already engaged, already briefed, and already contractually committed to respond. When the call comes, we move.

What a Binary Response Retainer Gives You

  • Guaranteed SLA response times — 1-hour acknowledgement, 4-hour mobilisation (retainer tier dependent)
  • Pre-negotiated commercial terms — no rate shock mid-incident; your rates are locked at onboarding
  • Named practitioners — you deal with the same senior consultants throughout, not a triage queue
  • Environment pre-briefing — we ingest your network diagrams, asset registers, and key contacts before we are ever needed
  • Proactive dark web monitoring — included in all retainer tiers; we alert you if your organisation appears on a leak site
  • Quarterly threat briefings — sector-specific threat intelligence to keep your leadership informed
  • Annual tabletop exercise — test your plan with your named IR team before a real crisis
  • Insurance alignment — retainer documentation accepted by most major cyber insurers as evidence of preparedness

Retainer Tiers

// Tier 01

Watchful

For organisations who want the safety net without dedicated hours. Dark web monitoring included as standard.

  • 24/7 dark web monitoring
  • 4-hour mobilisation SLA
  • Pre-negotiated day rates
  • Annual tabletop exercise
  • Quarterly threat brief
Most Popular
// Tier 02

Vigilant

Pre-purchased hours, faster SLAs, and a named lead consultant who knows your environment.

  • Everything in Watchful
  • 2-hour mobilisation SLA
  • Named lead consultant
  • Pre-purchased IR hours (banked)
  • Environment pre-briefing session
  • Semi-annual tabletop exercise
// Tier 03

Guardian

Full embedded partnership. Your dedicated team is on standby with deep environment knowledge and priority access to all capabilities.

  • Everything in Vigilant
  • 1-hour mobilisation SLA
  • Dedicated two-person team
  • Unlimited IR hours (annual cap)
  • Monthly threat intelligence report
  • Quarterly board briefing option
  • Negotiation advisory included

How Onboarding Works

We keep onboarding deliberately lightweight. Most clients are fully onboarded within two weeks:

  1. Scoping call (Day 1–2) — Understand your environment, risk profile, and critical assets. Agree SLA tier and commercial terms.
  2. Technical intake (Day 3–7) — Ingest network topology, asset register, key contacts list, and existing IR plan. Identify gaps we should address pre-incident.
  3. Environment walkthrough (Day 7–14) — Remote session with your IT/security team. We map your Active Directory, EDR deployment, backup topology, and cloud footprint.
  4. Go-live — Monitoring active. Retainer card issued. You have a direct line to your named consultant.

Who This Is For

Our retainer clients typically fall into one of three categories:

  • Mid-market organisations (200–5,000 employees) without in-house DFIR capability who need enterprise-grade response without the headcount cost
  • Organisations post-incident who have already been through a breach and never want to go through the chaos of finding responders under fire again
  • Cyber insurers and brokers placing clients who need a credentialled IR firm on panel to satisfy policy requirements

Frequently Asked Questions

What happens to unused banked hours?

Unused hours roll over for 12 months. Any unused hours at contract renewal are credited against the following year's retainer fee, not forfeited.

Does the retainer cover ransomware negotiations?

Guardian tier includes negotiation advisory as standard. Watchful and Vigilant tiers can add negotiation capability at a pre-negotiated rate. We never charge success fees — our incentive is always to minimise your loss, not maximise the settlement.

Will my cyber insurer accept a Binary Response retainer?

We have existing panel arrangements or documented relationships with several major cyber insurers. We can provide documentation confirming your retainer status for inclusion with your policy submission. If your insurer requires specific qualification evidence, contact us — we will work directly with them.

How is the response SLA measured?

SLA clock starts from first contact via your dedicated retainer line. Acknowledgement is a qualified response from a named consultant — not an automated ticket. Mobilisation means a senior practitioner is actively working your incident, whether remotely or en route to site.

Can we switch tiers during the contract period?

Yes — you can upgrade at any time (effective immediately). Downgrade requests are honoured at the next annual renewal point.

Ready to Retain Before You Need Us?

Contact us to discuss retainer options and get a quote tailored to your organisation.

⚡ Enquire About a Retainer