Incident Response Retainer Services

Frequently Asked Questions

• What is an incident response retainer service?

  An incident response retainer is an agreement or contract between an organization and a third-party incident response service provider. It is designed to ensure that the organization has rapid access to expert assistance and resources in the event of a security incident or breach.

• What are the benefits of an incident response retainer?

  Ensure faster response times: Having a pre-established relationship with a DFIR provider cuts down on shopping for a provider when a breach occurs, when things are already stressful, and time is of the essence. A trustworthy IR provider will provide streamlined communication and rapidly mobilize their team to triage, remediate and eradicate the threat in your environment.

  Prepare for the worst: IR retainers give organizations peace of mind that they have an expert team on standby for any incidents. Pre-negotiated service levels in the event of a suspected incident provide assurance in a chaotic landscape.

  Access expertise: Incident responders are a rare breed of tacticians. Many organizations lack the budget or talent pool to build an in-house IR team. An IR retainer allows organizations to boast IR capabilities without the full in-house price tag.

  Tailored to you: Various retainer offerings allow organizations to tailor the policy to their needs.

  Future flexibility: Few IR firms allow for the reallocation of unused hours from the retainer for related cybersecurity services. PacketWatch's IR Retainer allows for the reallocation of unused hours for advisory services with an additional discount.

• What is included in an IR retainer?

  The specifics of an IR retainer can vary depending on the agreement between the organization and the DFIR provider. PacketWatch provides several components within its IR retainer service:

  • A set number of prepaid incident response hours at a set rate

  • Investigations of malicious activity at the request of the client

  • Established SLA (Service Level Agreement) on response times for clients reporting a covered incident

  • Reports - both at the technical and executive level

  • Post-incident briefings with the client

• What should be considered when choosing a DFIR provider?

  "With so many providers in the industry, buyers of IR retainer-based services must dig deep into the capabilities, strengths and experience of these services providers," Gartner said in its 2023 Market Guide for Digital Forensics and Incident Response Retainer Services.

  Here are some of their market recommendations:

  • Consider a third-party review of your incident response plan. If your organization is unable to respond to an incident without external help properly, consider using a retainer-based service to fill in the gaps.

  • Pairing your organization's outsourced MDR provider and IR retainer provider can ensure streamlined communications.

  • Hire an experienced DFIR provider. Experts must be able to provide an analysis of the incident and, if possible, the cause of it. Additionally, they should be able to provide remediation and eradication steps and future vulnerability management advice.

  • IR retainers have varying term lengths, ranging from 1-3 years. Make sure to review contracts carefully and right-size the term length and number of hours that best suit your organization.

  • If you have an existing cyber insurance policy, you may want to consult your carrier for an endorsement approving the retainer.