Incident response.

The first 24 hours of an incident decide most of what happens next. A retainer means you're not negotiating a contract while the encryption clock runs.

Overview

The IR retainer establishes the relationship before it's needed: a signed master services agreement, an executed NDA, network architecture documented in advance, and a written runbook for the most likely incident classes (ransomware, business email compromise, insider misuse, cloud account takeover). When the alert fires, response begins on the call. There's no procurement, no scoping delay.

What's included

  • Pre-incident readiness: tabletop exercises, runbook authorship, evidence collection plan
  • Triage and severity classification
  • Containment and eradication coordination with internal IT or MSP
  • Digital forensics and root-cause analysis
  • Indicator-of-compromise development and threat intelligence enrichment
  • Breach notification support in coordination with breach counsel
  • Post-incident hardening recommendations

What you get

  • Runbook. Authored at retainer onboarding, reviewed annually.
  • Tabletop exercise. One per year, scenario tailored to the business.
  • Live response leadership. Incident commander on every material event.
  • Final incident report. Timeline, IOCs, root cause, recommended hardening, formatted for breach counsel and audit.

Retainer tiers

  • Standby. Pre-incident relationship, runbook, tabletop. Response within 4 business hours.
  • Active. Standby plus quarterly tabletop and warm IOC feed. Response within 1 hour, 24×7.
  • 24×7. Active plus dedicated incident commander, monthly threat brief, on-site readiness. Response within 1 hour, 24×7.

Common questions

What if we are mid-incident and not on retainer?

Call anyway. We take emergency engagements with a minimum hour commitment, billed in 1-hour increments. Retainer clients are always served first.

Do you handle breach notification?

We support it. We don't provide legal advice, but we work alongside breach counsel to assemble the technical timeline, IOCs, and impacted-record analysis they need to file.

Do you coordinate with cyber insurance?

Yes. We work with the insurer's incident response panel and forensic counsel directly when the policy requires it.
