In this article

Incident Response Retainer: Getting Your Money’s Worth


January 14, 2020
Last Updated: March 25, 2024
Share on:

When disaster strikes it’s best to be prepared. An incident response retainer is like an insurance policy—it gives you additional resources to deal with a devastating cyber attack. You can hire an outsourced incident response service provider, and have their experts on call, to help you respond to a cyber incident with a guaranteed Service Level Agreement (SLA).

Read on to understand what you should expect to get in an IR retainer, including the option of a no-cost retainer, and whether it makes sense to build an in-house incident response operation.

Need an incident response retainer?

Cynet is a trusted partner that analyses network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.

Learn more about Cynet incident response services.

Get our Ultimate Template for

Incident Response Plan

  • A comprehensive checklist of IR action items
  • A detailed roles & responsibilities matrix
  • A robust framework to customize for your needs

What is an Incident Response Retainer Service?

An Incident Response Retainer (IRR) is a service agreement that allows organizations to get external help with cybersecurity incidents.

IRRs are provided by data forensics and incident response (DFIR) specialists and service providers, and also by vendors offering incident response tools, who also have in-house incident response teams. When purchasing a service from a tool vendor, you will typically receive access to their technology as well as incident response services.

There are two main types of retainers:

  • No-cost retainer—an on-demand agreement with a vendor or service provider that specifies how they will help the organization respond to an incident, if and when an incident occurs. The agreement specifies a service level agreement (SLA), nature of services provided, a procedure for declaring incidents, and a cost per incident, which is paid only if the service provider actually renders services.
  • Prepaid retainer—an incident response agreement in which the organization pre-pays the service provider for a certain number of hours, typically per month or per quarter, which can be used to respond to cyber incidents, with an agreed SLA. If the hours are not used in full, the service provider will typically offer other valuable security services, such as penetration testing or security education for the organization’s staff.

What is Included in an Incident Response and Data Forensics Service?

A DFIR service provider or tool vendor will typically provide the following elements in an IRR service:

  • Incident response preparation—reviewing the organization’s network, IT systems and existing security tools, gaining access to data, and establishing quick procedures for investigating and triaging incidents.
  • Incident response planning—defining a plan, together with the organization’s IT or security teams, for jointly responding to common types of security incidents.
  • Incident triage and classification—having a security analyst on call at the service provider to receive details of the incident, triage it, and help determine if it is a real security incident and its severity.
  • Initial response—response will typically follow a framework like the SANS incident response process: after the incident has been identified, the service provider will perform containment, eradication of the threat, recovery of affected systems, and lessons learned.
  • SLA—the agreement will provide an agreed level of access to the service provider’s incident responders. Most services are offered 24/7, with a specified time period, ranging from minutes to several hours, allowed to transpire until the incident response process begins.

Incident Response Team: Build or Buy?

Many organizations are considering whether to build in-house incident response capabilities, or rely on external services. There are two aspects to this question:

  • People—the individuals who respond to incidents are DFIR experts, who can perform in-depth data forensics, identify and triage incidents, mitigate threats and recover systems.
  • Technology—there are multiple layers of security tools that can assist with incident response, including tools for network and traffic analysis, vulnerability scanning, security information and event management (SIEM), endpoint detection and response (EDR), and security orchestration, automation and response (SOAR).

Build vs buy is not a black-and-white decision—most organizations will choose to build some in-house incident response capability and also rely on external services, at least for severe or high-profile incidents.

We recommend, at a minimum, building the following capabilities in-house:

  • At least one DFIR expert in-house—they can help the organization prepare for incidents, and actively hunt for threats even when there is no visible sign of an attack.
  • Basic tooling for tracking and alerting on security events—you’ll need an infrastructure that can collect logs from IT systems, endpoints and security tools, and raises alerts on suspicious activity. IRR services will not build this for you.
  • Automated incident response—put in place an automated incident response system, which activate security playbooks in response to common attack scenarios. This can help respond to many day-to-day incidents without the expense and overhead of activating your external IRR service.

Cynet’s 24/7 Incident Response Team

Cynet offers a holistic security solution that analyses network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides an outsourced incident response team that can provide organizations with professional security staff who can execute a fast, effective incident response process.

The Cynet team can deploy the Cynet security platform in a matter of minutes across hundreds to thousands of endpoints. They can then scan, analyse, identify and remediate threats before damage is done. Our incident response service includes:

  • 24/7 incident response—including identification, containment, eradication and recovery
  • Deep forensic investigations—collecting data to identify the scope of an attack and who is responsible
  • Threat hunting—exploring security data to proactively discover advanced threats
  • Malware analysis—analyzing malware in a sandbox to determine its characteristics and how to remediate it

Contact us for immediate help

For emergency assistance from our security experts, call us at US 1-(347)-474-0048, International +44-203-290-9051

How would you rate this article?

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: