Incident Response Retainer Buyers Guide: 6 Contract Terms That Matter

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The average cost of a data breach reached $4.88 million in 2025 according to IBM's annual report. Organizations with an IR retainer in place reduced that cost by $1.49 million. Despite this, 32% of organizations discover coverage gaps in their IR retainer during an active incident: the worst possible moment to learn that the contract they purchased does not cover the scenario they are facing. The gaps are almost always contractual, not technical: a retainer that does not define when the SLA clock starts, a firm that requires separate OFAC screening that adds days to a ransomware engagement, a contract that limits the retainer to a single geographic region when the incident spans three countries. This guide covers the six contract terms that determine whether your retainer actually works when you need it, how to evaluate the three main firm tiers, what you need to do before an incident occurs to make sure the retainer is operational on day one, and what OFAC screening means in practice for ransomware engagements.
The 6 Contract Terms That Separate Adequate Retainers from Inadequate Ones
IR retainer contracts vary far more than their marketing materials suggest. Most firms offer a base retainer structure that looks similar on the surface: a number of pre-purchased hours, a named response team, and an SLA commitment. The differences that determine real-world adequacy are in the contract terms, not the marketing summary. Review each of these six terms explicitly before signing, and negotiate any that do not meet the standards below.
SLA clock start definition
The single most important term. Does the SLA clock start when you call the retainer hotline, when a case is opened in the firm's system, or when an analyst is assigned? Firms that start the clock at assignment can technically meet a '4-hour SLA' while leaving you without an analyst for 3 hours and 50 minutes. The contract must specify 'SLA begins at first human contact with a qualified IR analyst.' Anything else is ambiguous.
Hour rollover policy
Most retainers are purchased annually. Unused hours either expire, roll over fully, roll over with a cap, or convert to a reduced credit. Hours that expire represent a direct financial loss and a perverse incentive to use services you do not need. Negotiate for full rollover or a conversion credit. Confirm whether rolled-over hours carry the same SLA terms as freshly purchased hours.
Surge billing rate
When your incident exceeds your pre-purchased hours, the firm will bill at a surge rate. These rates commonly run 50 to 150% above the retainer rate per hour. Confirm the surge rate and the billing increment (many firms bill in 4-hour blocks, meaning a 90-minute call costs you 4 hours at surge pricing). Cap the surge rate in the contract or negotiate a first-right-of-refusal to purchase additional retainer hours at the standard rate.
OFAC screening process
For any ransomware incident, the firm must confirm that paying the ransom does not violate OFAC sanctions. Some firms handle screening internally in under 2 hours. Others require a referral to a separate legal team that may take 24 to 48 hours. In a ransomware incident where the adversary has set a payment deadline, a 48-hour OFAC screening process can be operationally catastrophic. Confirm the firm's screening timeline and process before signing.
Public disclosure restrictions
Some IR firm contracts include clauses that restrict the client from disclosing the firm's involvement in the incident, or that require the firm's approval before the client makes any public statement referencing the investigation. These clauses can create legal exposure when you have mandatory breach notification obligations under HIPAA, state privacy laws, or SEC disclosure rules. Have your legal counsel review these clauses explicitly.
Third-party data handling
IR engagements almost always require transferring forensic images, log files, and potentially customer data to the IR firm's infrastructure for analysis. The contract must specify where this data is processed, how long it is retained, whether it is used for threat intelligence purposes by the firm, and how it is destroyed at engagement close. Firms that aggregate client forensic data for threat intelligence research without explicit consent create legal exposure under GDPR, CCPA, and sector-specific privacy regulations.
Comparing the Three Firm Tiers
The IR market organizes into three broadly distinct tiers, each with different strengths, cost structures, and appropriate use cases. Understanding which tier fits your organization's risk profile and budget is the first step in retainer selection. Many organizations purchase the wrong tier: either overpaying for Big 4 IR services that are not operationally faster than specialist firms, or purchasing MDR-with-IR coverage that lacks the forensic depth needed for a serious regulatory breach scenario.
Big 4 and large consulting firm IR
Firms like Mandiant (Google Cloud), CrowdStrike Services, and the security practices of the major consulting firms offer brand recognition, global capacity, and deep legal and regulatory integration. They are the default choice for large enterprises with complex regulatory environments or multinational breach scenarios. They are also the most expensive tier and, in some cases, the slowest to activate because of their internal resourcing processes. Best suited for organizations where regulatory, legal, and reputational considerations equal or exceed the technical response requirements.
Specialist IR firms
Mid-tier specialist firms typically offer faster activation, more direct access to senior analysts, and lower surge billing rates than the Big 4. They frequently have sector-specific expertise in healthcare, financial services, or industrial control systems. Appropriate for organizations with technical IR requirements that do not need the full legal and regulatory overlay of a Big 4 engagement. Evaluate the firm's OFAC screening process carefully at this tier, as it varies widely.
MDR-with-IR
Managed detection and response providers that bundle IR coverage with their monitoring service offer the fastest initial activation because they are already monitoring your environment. The limitation is scope: MDR-with-IR typically covers investigation within the MDR platform's visibility rather than full forensic investigation of all environment components. Read the contract scope carefully: MDR IR coverage frequently excludes forensic disk imaging, ransomware negotiation, legal support, and regulatory notification assistance.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
What 'Hours' Actually Means in Practice
IR retainer hours are not equivalent to a simple consulting rate card. Understanding how hours are consumed in an actual engagement prevents financial surprises at the worst possible time. Billing increment is the first variable: most firms bill in minimum increments of 2 or 4 hours per call, regardless of actual duration. A 45-minute call at 2 AM during an active incident consumes 2 or 4 hours of your retainer. Multi-analyst engagements are the second variable: a large-scale incident may require 3 or 4 analysts working simultaneously, meaning your retainer burns at 3x or 4x the single-analyst rate. A 40-hour retainer can be consumed in under a week in a large incident. Travel and expense is frequently billed separately from hours, but some contracts bundle it: confirm which model applies. Deliverable preparation (forensic reports, executive briefings, regulatory notification letters) is often billed at the same hourly rate as active response work. If you need a regulatory notification letter that requires 8 hours of legal and technical review, that burns 8 hours of your retainer before any additional remediation work has been done.
Pre-Breach Activation: 3 Things to Do Before an Incident
A retainer that has never been tested is a retainer that may not work when it is needed. Thirty-two percent of organizations discover their IR coverage gaps during an active incident: meaning the first time they called the retainer hotline was during a breach. The three actions below convert a paper retainer into an operational capability. They take less than a day of combined effort and should be completed within 30 days of signing any new IR retainer contract.
Conduct a tabletop exercise with the IR firm
Most IR retainers include a pre-breach tabletop exercise in the annual hours at no additional charge. Schedule this within 60 days of contract signing. The tabletop confirms the engagement workflow, introduces your team to the named IR analysts, and surfaces any process gaps before they appear during an actual incident. Document the named analyst roster and update it annually.
Confirm the evidence collection toolkit is pre-positioned
IR firms use specific collection tools for memory capture, disk imaging, and log acquisition. Confirm whether the firm's toolkit is pre-deployed in your environment or requires deployment at the start of an engagement. Pre-deployment reduces engagement start time by 4 to 8 hours in a large environment. If the toolkit requires IT change management approval to deploy, start that process before an incident.
Test the retainer hotline and communication chain
Call the retainer hotline with a low-urgency test inquiry to confirm it reaches a human analyst, verify the SLA clock starts correctly, and confirm the escalation path to your CISO and legal counsel. Update the retainer contact information in your incident response plan. Many organizations store retainer contact details in a document on the same network the attacker has encrypted: maintain an offline or out-of-band copy.
OFAC Screening in Ransomware Engagements
The U.S. Treasury's Office of Foreign Assets Control published ransomware payment guidance that creates legal risk for organizations that pay ransoms to sanctioned threat actors: including ransomware groups on the SDN (Specially Designated Nationals) list. Coveware's ransomware market reports document that OFAC screening is now a standard step in most professional ransomware negotiations, but the implementation varies significantly between IR firms. The core issue is timing: OFAC screening is not instantaneous. Identifying whether a ransomware actor falls under OFAC sanctions requires attributing the attack to a specific threat actor, cross-referencing against the SDN list, and in ambiguous cases obtaining legal guidance. This process can take anywhere from 2 hours (if attribution is clear and the firm has in-house OFAC counsel) to 48 hours or more (if the firm requires outside legal referral). In a ransomware scenario where the attacker has set a 72-hour payment deadline, a 48-hour OFAC screening process leaves a dangerously narrow operational window. Before signing a retainer, ask the firm specifically: who conducts OFAC screening, what is the typical turnaround time, and what is the process if the screening is inconclusive. If the firm's answer involves referral to outside counsel without a defined turnaround SLA, treat this as a contract negotiation point.
Legal Counsel vs. IR Firm: Who Engages First?
One of the most consequential decisions at the start of an incident is whether to engage your IR firm directly or to route the engagement through legal counsel to establish attorney-client privilege over the investigation. The answer depends on your organization's regulatory environment and the nature of the incident, but the default posture for most organizations should be to engage legal counsel first or simultaneously. Attorney-client privilege extends to IR work product when the investigation is conducted at the direction of legal counsel: meaning forensic reports, analyst notes, and investigation findings may be protected from discovery in litigation. Without privilege protection, those same documents are potentially discoverable in regulatory investigations, class action lawsuits, and government enforcement actions. The practical implementation is that legal counsel engages the IR firm on your behalf, with the retainer agreement structured to make the IR firm a legal subcontractor. This structure adds minimal time to engagement start: typically 30 to 60 minutes to loop in legal: and provides significant litigation protection. Confirm with your legal team before an incident which IR engagements require privilege protection and which do not. A phishing simulation that went wrong typically does not require privilege protection. A ransomware incident with potential regulatory notification obligations almost certainly does.
IR Retainer Pricing Ranges: What to Budget by Firm Tier
IR retainer pricing is rarely published, but market data from Coveware, Mandiant, and broker networks provides reliable ranges for budget planning. The figures below reflect annual retainer agreements with named response teams, not break-fix hourly engagements, which run 30 to 50 percent higher per hour.
Big 4 and major consulting firm retainers: $75K to $250K per year
Firms like Mandiant (Google Cloud), CrowdStrike Services, and the security practices of the major consulting firms charge $350 to $500 per hour at surge rates, with annual retainer packages running $75,000 to $250,000 depending on pre-purchased hours, geographic coverage, and included deliverables. These retainers typically include one tabletop exercise per year, a dedicated named analyst team, and global response capability. Best suited for organizations where a large breach would involve significant regulatory, legal, and reputational complexity. Total annual cost including surge hours and deliverables in a medium-complexity incident often runs $150,000 to $400,000.
Specialist IR firm retainers: $25K to $75K per year
Mid-tier specialist firms (Kivu, Coveware, GroupSense, Secureworks, Kroll) charge $250 to $350 per hour at surge rates, with annual retainer packages running $25,000 to $75,000. Activation is often faster than Big 4 firms because named analysts are directly accessible without internal resourcing queues. OFAC screening capability varies significantly at this tier. Most appropriate for organizations with 200 to 5,000 employees that need technical forensic depth without the full legal-regulatory overlay. Total cost in a ransomware engagement typically runs $50,000 to $150,000 depending on scope.
MDR-with-IR bundled coverage: included in MDR contract ($50K to $150K per year)
MDR providers that bundle IR coverage (Arctic Wolf, Expel, Huntress) include incident response within the MDR subscription, typically $50,000 to $150,000 per year for a mid-sized organization. The embedded hourly rate equivalent is $100 to $200 per hour, but it is not billed separately. The coverage limitation is scope: MDR IR typically covers investigation within the MDR platform's telemetry and excludes full forensic disk imaging, ransomware negotiation, legal support, and multi-cloud investigations that require credentials and tooling outside the MDR environment. Read the contract scope carefully.
Per-incident break-fix pricing (no retainer): $350 to $600 per hour
Organizations without a retainer that experience an incident will pay 30 to 50 percent premium above retainer rates for break-fix engagement. Response also competes against existing retainer clients who receive priority access. Average per-incident cost for a ransomware investigation without a retainer runs $150,000 to $500,000 for a mid-market organization, compared to $50,000 to $150,000 for a retainer client at the same firm. The retainer premium pays for itself in the first incident where it activates.
The bottom line
An IR retainer is only as valuable as its contract terms and your pre-breach preparation. The $1.49 million average breach cost reduction for organizations with retainers in place assumes the retainer actually activates correctly when needed. The 6 contract terms in this guide represent the difference between a retainer that works as a financial instrument and one that works as an operational capability. Read the SLA definition, confirm the OFAC screening process, negotiate the surge rate, and test the hotline before you need it.
Frequently asked questions
How many IR retainer hours should we purchase annually?
The right number depends on your organization's size, incident history, and the scope of coverage you are purchasing. A practical baseline for mid-market organizations is 40 to 80 hours annually for a specialist IR retainer covering a single geographic region. Larger enterprises with complex environments or prior breach history should model based on actual incident data: review how many hours past tabletop exercises and real incidents consumed, multiply by 1.5x for surge capacity, and add 8 to 16 hours for proactive services like threat hunting and the annual tabletop. Confirm the rollover policy before anchoring on a number: if unused hours expire, there is a financial incentive to purchase the minimum and buy surge hours as needed, which typically costs more per hour but avoids waste. If hours roll over fully, purchasing a larger block at the negotiated retainer rate is usually the better financial structure.
What is the difference between an IR retainer and MDR with IR coverage?
An IR retainer is a pre-purchased block of hours from a specialized incident response firm that you activate when an incident occurs. The firm has no ongoing visibility into your environment before the engagement starts. MDR with IR bundles detection and response together: the MDR provider is already monitoring your environment and can initiate a response without a separate activation step. MDR IR is faster to start because the provider already has your log data, network topology, and endpoint visibility. The limitation is scope: most MDR IR coverage is explicitly restricted to investigation within the MDR platform's data, and does not cover forensic disk imaging, systems outside the MDR agent footprint, legal support, or regulatory notification. For incidents that stay within the MDR footprint, MDR IR is faster and often more cost-effective. For complex incidents involving encrypted systems, supply chain compromise, or regulatory notification requirements, a specialist IR retainer with broader scope is necessary.
What does OFAC screening mean for our organization during a ransomware incident?
OFAC sanctions law makes it a legal violation to make payments to designated entities, which includes several ransomware groups. Before paying any ransom, your IR firm and legal counsel must determine whether the threat actor is on the OFAC Specially Designated Nationals list. If the actor is sanctioned, paying the ransom creates federal legal exposure regardless of whether the organization is a victim. In practice, OFAC screening involves attributing the attack to a specific ransomware group based on malware samples, tactics, and negotiation patterns, then cross-referencing against current OFAC designations. Your IR firm should handle the technical attribution and your legal counsel should handle the legal assessment. Do not make any payment, including a test payment, before OFAC screening is complete. Document the screening process and its conclusions in writing as evidence of compliance.
Should the IR retainer be in the security team's budget or the legal department's budget?
The most operationally effective structure is for the retainer contract to flow through legal counsel even if the security team funds it, because routing the engagement through legal is necessary to preserve attorney-client privilege over investigation findings. In practice, many organizations split the cost between security and legal budgets to reflect shared ownership. From a procurement standpoint, legal counsel should review and sign off on the retainer contract regardless of which budget line funds it: the disclosure restriction clauses, third-party data handling terms, and privilege structure require legal review that a security team cannot provide independently. The annual tabletop exercise and technical pre-positioning decisions can be owned entirely by the security team.
How quickly can a retainer firm actually have an analyst working on our incident?
The median IR engagement activates 18 hours after incident discovery, but that number includes significant variance. Firms with pre-deployed collection toolkits and 24/7 staffed hotlines can have an analyst reviewing your initial log data within 2 to 4 hours of the first call. Firms that staff the hotline with intake coordinators rather than analysts, or that require internal case assignment processes before work begins, may take 8 to 12 hours to reach active analyst engagement even with a stated '4-hour SLA.' The pre-breach tabletop exercise is the most reliable way to measure actual activation time: time the call from first contact to first analyst action, and use that empirical data when comparing firms and evaluating whether the stated SLA reflects operational reality.
What happens if our incident exceeds our pre-purchased retainer hours?
When retainer hours are exhausted, the firm will continue billing at the surge rate specified in the contract, which commonly runs 50 to 150% above the retainer hourly rate. Depending on your contract, surge billing may be in 4-hour increments, meaning partial hours still cost full increment rates. Some firms offer a first-right-of-refusal to purchase additional retainer hours at the standard rate rather than surge pricing during an active incident: this is worth negotiating into the contract if the firm offers it. You are not legally required to continue with the same firm once retainer hours are exhausted, but switching firms mid-incident creates significant continuity risk and is rarely advisable in practice. Budget conservatively: plan for at least 2x your annual retainer hours as the potential cost of a major incident, and confirm with your CFO that an emergency authorization process exists for surge charges above a defined threshold.
What should be in our offline incident response documentation?
Offline documentation is the information you need when your primary systems are unavailable or untrusted: specifically during a ransomware incident. At minimum, maintain a printed or offline-stored document containing the IR firm's retainer hotline number and case opening procedure, the CISO and legal counsel emergency contact numbers, your cyber insurance carrier's breach notification hotline, the contact information for your primary law enforcement liaison at FBI and CISA, the network architecture diagram showing your most critical systems, and the location of offline system credentials for your most critical infrastructure. This document should be physically printed and stored in a secure location accessible to at least three people, and reviewed and updated quarterly. The most common IR activation failure we hear about is organizations who could not reach their IR firm because the retainer contract was in an email account on the encrypted mail server.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
