Product Focus: Incident Response Retainers
Category: News
Published: 20th January 2026
When a cyber incident strikes, speed is everything. The difference between a contained security event and a full-scale business crisis is measured in hours and sometimes minutes. Yet many organisations still approach incident response reactively, scrambling to identify expertise only after critical systems are already compromised. In today’s threat (and regulatory) landscape, that delay is no longer survivable.
CrowdStrike’s Global Threat Report illustrates just how fast modern adversaries operate. In 2024, the average breakout time (the point at which an attacker begins moving laterally) was just 62 minutes, with some cases observed in under five minutes. Once that window is missed, containment becomes exponentially harder, recovery costs increase, and business disruption escalates. Incident response is no longer about technical excellence; it is about speed of action.
An Incident Response (IR) Retainer addresses this reality. It is a proactive agreement that guarantees priority access to experienced responders, defined SLAs, and, critically, a response playbook that has already been aligned to your environment. There is no contract negotiation, no knowledge transfer under pressure, and no uncertainty about escalation paths. When the call is made, response begins.
Despite these clear benefits, industry research indicates that only around 55% of organisations globally maintain a documented incident response plan, and many fail to test or update those plans regularly. From a defender’s perspective, this is not a tooling issue; it is an operational one. Retainers reduce this risk by converting response from an ad-hoc activity into a rehearsed capability. Pre-incident activities such as tabletop exercises, log readiness reviews, and stakeholder alignment significantly reduce confusion and decision paralysis during live incidents.
Real-world incidents demonstrate the cost of hesitation. The 2023 Capita breach resulted in the compromise of personal data belonging to millions of individuals, with remediation and recovery costs estimated at over £25 million, excluding regulatory fines and reputational impact. Prolonged disruption and delayed containment were widely cited as contributing factors.
An Incident Response Retainer also supports predictable budgeting, avoiding emergency pricing spikes and enabling organisations to use pre-purchased hours for readiness activities such as tabletop exercises, threat modelling, and playbook development. In a threat environment defined by speed, automation, and attacker confidence, retainers shift organisations from reactive to resilient.
For security leaders and practitioners alike, the message is clear: you cannot out-react an attacker who is already inside your environment. But you can be ready for them. The priority action for IT and security leaders is to treat incident response as an operational capability, not an emergency procedure. Incident Response Retainers are not an admission of failure; they are a recognition of reality and a hallmark of cyber defence maturity.
