What To Look For in an Incident Response Retainer Service

An Incident Response Retainer is an important service provided by an external security partner that offers organizations both proactive and reactive solutions related to  security incidents. An Incident Response (IR) Retainer lowers the cost of recovery and business downtime by guaranteeing quick access to a best-in-class security incident recovery team at the time of an incident.

IR Retainers can play an important role in your organization's fight to keep threat actors at bay and reduce the impact of a security incident, but it can be hard to know what type of retainer you need and how to find a trusted security partner to support it. Keep reading to learn more about what services to look for in an IR retainer and what questions you should ask when considering  a new security partner.  

What types of IR Retainers are there?

There are two main types of retainers:

No-cost retainer: An on-demand agreement with a security partner about how they will assist your organization with a potential security incident. The agreement includes a service level agreement (SLA), nature of services provided, a procedure for declaring incidents, and a cost per incident, which is paid only if the service provider renders services. Additional costs at time signing may be included as a part of onboarding.  

Prepaid retainer: A pre-paid agreement usually includes a block of hours, usually per month or per quarter, which can be used to respond to cyber incidents or perform proactive services, like security assessments, based on an agreed SLA. Services such as penetration testing or cybersecurity training are commonly offered in exchange for hours not used in full.  

At Entara, if the full retainer is not used for a reactive service, like to address a security incident, a portion of the retainer can instead be used for proactive services. This includes:  

Proactive services:

• Tabletop Exercises
• Disaster Recover and Business Continuity planning
• Incident Response planning  
• Infrastructure Hardening and IR Readiness Assessment Offensive Security Assessment  
• Security IT Maturity Assessment
• IR Readiness Assessment  
• CIS/NIST/ISO Framework Alignment Assessment
• BCDR Assessment and Plan Creation
• IR Ransomware Assessment and Plan Creation  
• Tabletop Exercises  
• Infrastructure Hardening

Reactive services:

• Incident Response and Management
• Infrastructure Recovery
• Digital Forensics  
• Threat Actor Negotiation
• Breach Notification

A large benefit of having an IR retainer rather than working with a security partner like Entara on a project basis is that, at the time of an incident, our retainer clients have already been onboarded, effectively cutting out the first two days of a breach engagement.  

Top 5 Features You Should Look for In an IR Retainer

• Incident Response Plan and Management: The security partner will examine an organizations’ existing IT and security tools to ensure the necessary solutions are in place to accurately protect and respond to cyber threats. During this time, the vendor will meet with an organization’s internal team to establish a plan for how to respond to security incidents in the future.
• Digital Forensics: Experts will help recover data when a cyber-attack has occurred and work to identify the bad actor.
• Threat Actor Negotiation: Experts will negotiate and discuss lowering the demands of a ransomware attack on behalf of the business.  
• Infrastructure Hardening and Recovery: Experts will work to increase the security posture of all components within the infrastructure, including devices, software, network services, and facilities.  

• Disaster Recovery and Business Continuity Planning: The security partner will establish a plan that prioritizes both business continuity and disaster recovery so they can keep the business operational during a disaster, while also restoring the organization’s data access and IT infrastructure.

What to Look for in a Security Partner

Choosing the right partner that understands your specific business and security needs is important. You shouldn’t leave your cybersecurity protection up to just anyone. Here are some questions you should ask when considering a security partner’s IR retainer service.

• What is your business’ experience in providing incident response services?  
• How many incident response projects has your team handled?

• What industries does your business work with?
• How many years of experience does your team have in offering Incident Response Services?  
• Does your organization offer proactive services, and can this retainer be used to implement them?
• What is the onboarding process like for new IR Retainer clients?

Get Peace of Mind With Entara’s Incident Response Retainer Service

Over the past three years, Entara has executed over 100,000 hours of professional service hours across 200 incident response projects. With a specialization in infrastructure recovery, Entara is the go-to resource for organizations that need experts in the field who can efficiently fast track containment of a breach. We handle the recovery efforts so you can focus on what you do best – running your business. 

Connect with us if you’re ready to strengthen your cybersecurity stance and want to prepare for the unpredictable with a comprehensive Incident Response Retainer or other proactive services. Learn more about Entara’s IR Retainer service here.  

‍