Understanding the Value of Incident Response Retainers

IR retainers are growing in popularity, so it’s important for organizations to understand how they work and their benefits.

Despite growing investments and advances in cybersecurity, incidents and data breaches continue to increase year over year. From the continuous uptick of vulnerabilities to the rapidly expanding human attack surface, it’s clear that as new risk points appear, threat actors are right there, ready to take action.

This realization has led to a shift in both strategy and investment for organizations, which are now not only investing in preventative cybersecurity measures but also working to ensure that, if or when an incident occurs, there is a ready-to-deploy response playbook in place to minimize business disruption and potential security or systems impact.

More frequently, this emphasis on incident preparedness has taken the form of incident response (IR) retainers.

What is an Incident Response Retainer?

An incident response (IR) retainer is a service agreement between an organization and a cybersecurity (or incident response-specific) vendor, consultant, or service provider that allows the organization to receive agreed-upon IR services if an incident occurs. If an incident happens at an organization, having an IR retainer in place can facilitate a faster response time by the IR team, more extensive IR services, and IR process certainty, and it can assist in managing the cost of an incident.

IR retainers are also becoming ubiquitous among organizations. According to The State of Cybersecurity: 2025 Trends Report, 88% of organizations have purchased an active IR retainer, and 69% of organizations that utilized their retainer funds over the past 12 months did so when they “experienced an incident and needed additional support.”

Considering that IR retainers are both growing in popularity and having their IR clauses enacted with such frequency, it’s important for organizations to understand how they work and what benefits they can bring.

Types of IR Retainers

The details of a given IR retainer depend on the vendor or provider it originates from. Terms can vary from vendor to vendor, from the broad terms to the cost to the IR services included within the retainer. The kind of retainer an organization can obtain may also depend on its industry, security maturity, and internal budget.

However, there are two main types of IR retainers that are most common in the marketplace:

  • Prepaid retainers allow the organization to prepurchase “hours” of promised IR service, usually over a defined time, such as 12 months.
  • No-cost retainers, also called zero-dollar retainers, allow the client organization to establish a predetermined hourly rate with the IR firm (or cybersecurity provider), as well as define the full terms of the retainer and scope of future incident response, all without having to pre-purchase blocks of hours.

While both types of retainers commonly provide organizations with IR planning services, access to incident response teams, and other incident-related services, the two types vary when it comes to both the terms and potential effectiveness.

Prepaid retainers can offer financial predictability (establishing a known, set cost every year), and allow organizations to use prepaid hours for specific security and IR planning needs. But companies may struggle to purchase the number of hours they realistically need and properly balance using those hours on IR planning activities versus needed incident response services during a cyber attack.

For example, let’s say an organization purchases 100 hours of service with a prepaid IR retainer (a common purchase amount), and then is hit by a ransomware attack. Ransomware usually takes at least 150 hours of incident response time to be fully remediated and resolved, meaning the organization in question would quickly burn through the purchased hours and need to pay more to receive the full scope of IR services needed to resolve the incident. Additionally, if an organization buys a set number of hours and needs to use a large chunk on IR planning due to their security maturity level, they may not have enough hours to use if an incident occurs. The opposite can also be true, where an organization realizes, at the end of the IR retainer term, too many hours are left unused and the organization will lose money as a result.

No-cost retainers operate without the need to purchase blocks of hours. Instead, these retainers offer organizations a set scope of services and a service-level agreement (SLA), which details how the organization will utilize the IR firm’s services if an incident occurs. While no-cost retainers can be a better option for organizations from a cost perspective, the scope of services promised can be limited, so it’s critical that an organization understand whether a no-cost IR retainer fits its risk profile and expected response during an incident.

Both types of retainers, depending on the vendor, often offer “add-ons” to their coverage, which can provide more robust services, swifter response times, and access to more hours or IR planning and readiness activities, often at an increased cost.

IR Retainers vs. Cyber Insurance

An IR retainer is not the same as cyber insurance and should not be treated as such. While both can work to transfer an organization’s risk if the worst should occur, cyber insurance generally offsets the financial burden of responding to an incident, while IR retainers are there to obtain fast response to an incident at a pre-determined price. Both offer benefits, but in different realms. However, many cyber insurance carriers now see IR retainers as a vital security control. According to Gartner®, in its Market Guide for Digital Forensics and Incident Response, “…cyber insurance policies typically require organizations to have a DFIR retainer to ensure a minimum level of readiness and to minimize potential loss.”

According to the Arctic Wolf Cyber Insurance Outlook 2024, 32% of cyber insurance carriers required an IR plan or IR retainer in order to provide coverage, and almost half of the organizations that implemented a comprehensive IR retainer saw premium savings of 10% or more.

Benefits of Utilizing an IR Retainer

No matter which type of IR retainer an organization chooses to implement or the terms they opt for, every organization has the same expectation: if an incident occurs, experts are there to help. An IR retainer ensures that when an incident happens, the organization in question will have access to the teams, tools, and processes that will both assist with the remediation and swift resolution of the threat with minimal business disruption.

However, an IR retainer brings other benefits, including:

  • Access to IR planning activities, documents, and procedures (including, but not limited to, tabletop exercises, plan templates, incident run books, and planning advice from experienced IR professionals)
  • Access to security experts to consult on security posture hardening measures
  • Rapid incident analysis and containment, based on a predefined approach and provided by experts that are familiar with the specifics of the organization
  • Cost efficiency and/or certainty through having the terms and hourly rate of the IR services engagement decided beforehand
  • Increased insurability, as an IR retainer is one of the data points that insurers may look for to validate insurability
  • Compliance with certain regulations (depending on the organization’s industry or location)

Five Key Components of An Effective IR Retainer

While having access to incident response services is the primary reason an organization opts for an IR retainer, there are other factors that need to be scrutinized, as all IR retainers are not created equal.

If your organization is evaluating an IR retainer, here are some considerations to take into account and some key components that make an IR retainer effective.

1. Clear service-level agreement (SLA). As mentioned above, one of the main reasons IR retainers exist is to provide fast, thorough IR in case of an incident. The services the IR firm will be able to provide, the cost (or how the purchased hours can be allocated in case of a prepaid retainer), as well as the capabilities of the IR firm regarding their services need to be explained clearly and be thoroughly documented.

2. Available 24×7. Threat actors don’t stick to standard office hours, so being able to reach your IR firm with questions, concerns, or a request to respond to a potential incident at any time can make a major difference. Organizations need to confirm the firm will respond at any time, and what their SLA is for response times at the time of an incident.

3. Tailored IR services that fit your risk profile. If your organization is in a sector that may be more prone to certain kinds of attacks, knowing the IR firm has the capabilities to handle a given situation (e.g. has ransomware negotiators in-house or is adept at stopping business email compromise attacks) is vital to incident response outcomes. It’s important to question IR firms or retainer providers on their capabilities, understand which capabilities and services are offered within the retainer, and determine whether that aligns with your organization’s risk profile and threat level.

4. Access to, and assistance with, IR planning and IR readiness. This component is especially important for organizations that may be less security mature and therefore lacking in key IR planning capabilities. According to Arctic Wolf research, only 59% of organizations that have an IR plan have reviewed and updated it in the last 12 months. An IR retainer can provide key planning and readiness services to help your organization prepare ahead of a potential incident.

5. Can offer security posture hardening guidance. If your organization has a higher risk profile or is less security mature, it’s statistically more likely to suffer from some kind of cyber incident. IR retainers are often tied not just to IR firms, but to broader cybersecurity companies and, as such, these companies should be able to offer security posture hardening guidance or measures as part of the retainer structure. This should reduce the likelihood that your organization will have a severe incident and potentially reduce the downtime or impact of an incident if one occurs. For smaller organizations, this can make IR retainers a desirable investment both to reduce and transfer risk.

Arctic Wolf® Incident360 Retainer

Arctic Wolf understands the struggle organizations face when they have to purchase prepaid incident response hours and then allocate them in a way that doesn’t inhibit their ability to respond to an incident.

We believe every organization should be covered for an incident, which is why we’ve introduced the Incident360 Retainer. It allows, depending on the IR retainer tier purchased, for organizations to receive end-to-end incident coverage, no matter the incident type. Additionally, this retainer offers a discounted, flat hourly rate for incident coverage, access to an insurance-approved IR firm, response times for scoping calls at time of incident, and access to and use of IR planning and readiness tools.
