When Ransomware Fires at 2 AM, Who Do You Call?
A retainer means your named UK incident response team is mobilised within 30 minutes, not 4 hours. Pre-negotiated rates 20-30% below emergency pricing. Quarterly readiness testing included. CREST triple accredited. From £8,500/year.
It is 11 PM on a Friday. Your monitoring platform fires a critical alert. What happens next depends on whether you have a retainer.
- Spend 45 minutes searching for a firm that can help tonight.
- Sign NDAs. Explain your network architecture from scratch.
- Pay £2,500/day emergency rates under time pressure.
- By the time response begins, ransomware has encrypted your file server.
- Call one number. Your named incident commander is ready and pre-briefed on your environment.
- They know your environment: backup locations, AD structure, critical systems.
- Containment starts immediately at pre-negotiated rates.
- The first 60 minutes are used for containment, not onboarding.
The first 60 minutes determine the scope of a breach. A retainer is what buys you those 60 minutes. It is also the thing that means you can truthfully tell the board: we had professional incident response services on standby.
Speak With Our IR TeamPre-scoped team, not finding a firm
£1,800/day retainer vs £2,500/day emergency
0.35% of average UK breach cost (£3.4M)
What You Get on Day One, and at 2 AM
Comprehensive incident response preparedness combined with guaranteed priority access during a real breach. Every element of the retainer delivers value from the moment you sign.
Priority Response (Under 30 Minutes)
Retainer clients receive priority escalation. When you call our emergency hotline, your named incident response team is mobilised immediately, typically within 15-30 minutes, guaranteed 24/7/365. Your named incident commander picks up, already familiar with your environment.
Pre-Negotiated Rates and SLAs
Fixed hourly rates negotiated in advance, typically 20-30% below emergency on-call rates. Clear service level agreements for response time, containment, and recovery objectives. Retainer clients pay £1,800/day versus the £2,500/day emergency rate, a saving of £7,000 on a single 10-day breach.
Named Dedicated Response Team
Your retainer includes a named incident response lead who knows your environment, critical assets, and key contacts. No need to explain your infrastructure during a crisis. The same senior analyst who onboards you will lead your response if a breach occurs, not a rotating analyst pool.
Quarterly Readiness Assessments
We test your incident response readiness quarterly: validating backup restore procedures, testing disaster recovery plans, reviewing playbooks, and conducting tabletop exercises. Each assessment produces written documentation, serving as audit evidence for ISO 27001 Annex A.5.26, DORA Article 17, NHS DSPT, and cyber insurance requirements.
Unlimited Consultation
Retainer clients get unlimited phone and email consultation for security incidents, threat intelligence briefings, and advice on potential compromises, without consuming retainer hours. Whether or not you ever face a breach, your retainer covers quarterly testing, unlimited consultation, and guaranteed priority access.
The Maths: Retainer Cost vs Breach Without One
The average UK mid-market breach costs £3.4 million. A retainer costs 0.35% of that figure annually and reduces what a breach costs when it happens.
A single 10-day incident saves £7,000 in IR fees alone, before accounting for faster recovery.
Get Retainer PricingFrom First Call to Active Protection
How the retainer works, from onboarding to incident response.
Onboarding and Environment Familiarisation
We conduct a detailed discovery of your environment: network architecture, critical assets, backup locations, key contacts, and existing security tools. This pre-work enables us to respond faster during an actual incident. Your named team will know your AD structure and backup locations before the call comes in.
Incident Response Planning
We develop customised incident response playbooks for ransomware, data breaches, and DDoS attacks. These playbooks define clear escalation paths, containment procedures, and communication protocols for your organisation. Within the first quarter, you have documented IR capability, a concrete answer for any auditor.
Quarterly Readiness Testing
Simulated breach scenarios (tabletop exercises) to test your incident response procedures. We validate that backups are restorable, disaster recovery plans work, and your team knows their roles during a crisis. Each test produces a written report: scenarios run, gaps identified, actions taken. Direct audit evidence.
Priority Incident Response
When a real incident occurs, your dedicated team is mobilised immediately. Retainer hours are consumed during active incident response. If you exhaust your hours, you purchase additional time at your pre-negotiated rate, not emergency pricing. The first 60 minutes determine the scope of a breach. A retainer buys you those 60 minutes.
Related Incident Response Services
Your retainer provides priority access to our full incident response capability. Explore the specific services available to retainer clients.
Continuous Threat Detection
Pair your retainer with our managed detection and response service. Our SOC monitors your environment 24/7 and can trigger retainer response automatically, closing the loop between detection and containment.
Explore MDRFull Services Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Ready to Stop Hoping You Never Get Breached?
Book a scoping call with our IR team. We will assess your environment, recommend a retainer tier, and deliver a proposal within 48 hours. No obligation.
Incident Response Retainer: Common Questions
Pricing, hours, readiness testing, and how a retainer compares to ad-hoc emergency response.
Incident response retainers typically range from £8,500 to £25,000+ annually depending on organisation size, included hours, and support level. Small organisation retainer (40 hours/year): £8,500-£12,000, including quarterly readiness testing, priority response, and 20-30% discounted hourly rates (£1,800/day versus £2,500/day emergency rate). Mid-sized organisation retainer (80 hours/year): £15,000-£18,000. Large enterprise retainer (120+ hours/year): £22,000-£30,000. Retainer value: emergency ad-hoc response costs £2,500/day times 10 days equals £25,000. Retainer clients pay £1,800/day times 10 days equals £18,000, saving £7,000 on a single incident while also receiving quarterly testing, priority response, and unlimited consultation. The average UK mid-market breach costs £3.4 million. A retainer costs 0.35% of that figure annually.
Yes. The retainer provides value whether or not you are ever breached. Quarterly readiness testing identifies security gaps proactively: backup validation, disaster recovery testing, incident response playbook development. Unlimited consultation provides ongoing security advice that prevents incidents from escalating. Many UK insurers offer 10-20% premium discounts for organisations with active IR retainers, often £2,000-£5,000 annually, offsetting retainer cost. ISO 27001, SOC 2, and cyber insurance increasingly mandate documented incident response capabilities. And if a breach does occur, organisations with retainers recover 2-3 times faster, significantly reducing downtime costs. The retainer is not insurance against a breach. It is the mechanism that limits what a breach costs when it happens.
Cyber insurance and incident response retainers serve different but complementary purposes. Cyber insurance is financial protection: it reimburses breach costs after the incident occurs. An IR retainer is operational protection: it minimises damage in the first place through faster response, better containment, and shorter recovery times. Insurance does not respond to incidents; insurers pay claims. Without a retainer, you are still scrambling to find available incident responders during a crisis when response time determines breach severity. Many cyber insurance policies require or strongly incentivise IR retainers, offering premium discounts and better coverage terms for organisations with documented incident response capability. Optimal approach: cyber insurance for financial protection, IR retainer for operational protection, working together.
An incident response retainer is a pre-paid agreement with a cyber security firm that guarantees priority access to a dedicated response team during a breach. For UK organisations, retainers typically cost from £8,500 per year and include pre-negotiated hourly rates (20-30% below emergency pricing), quarterly readiness assessments, custom incident response playbooks, and a named response team that can mobilise within 30 minutes. The retainer is active 24/7/365 and covers ransomware, data breaches, and supply chain incidents.
Typical retainers range from 40-120 hours annually. A simple ransomware incident consumes 20-40 hours; complex breaches requiring full forensics can consume 80-120 hours. We help you estimate based on your organisation size and risk profile during the initial scoping call.
Unused hours do not roll over, but your retainer covers quarterly testing, unlimited consultation, and guaranteed priority access, whether you ever face a breach or not. The value is in preparedness, pre-negotiated rates, and named team familiarity, not in the hours themselves.
Retainer clients receive priority escalation: initial response within 15-30 minutes (phone call with your named incident commander), remote access established within 30 minutes, on-site presence within 1-4 hours for UK locations. The first 60 minutes determine the scope of a breach. Retainer clients use those minutes for containment, not for finding a firm.
Yes. You can purchase additional hours at the pre-negotiated retainer rate, not higher emergency rates. Most clients purchase additional hours mid-incident if the breach is more complex than anticipated. Your pre-negotiated rate applies throughout.
Yes. We provide incident reports formatted for cyber insurance claims, work with insurance assessors, and ensure our invoicing matches insurer requirements. Many UK cyber insurance policies require or incentivise having an IR retainer in place. Having a pre-existing retainer relationship can reduce premiums by 10-20% annually, as insurers recognise that faster professional response reduces claim value.
Quarterly assessments include: backup restore testing, disaster recovery plan validation, incident response playbook review, tabletop exercises simulating ransomware and breach scenarios, and recommendations for improving your security posture. Each assessment produces a written report that serves as audit evidence for ISO 27001 Annex A.5.26, DORA Article 17, NHS DSPT, and cyber insurance policy conditions.
Evaluate six criteria: (1) CREST accreditation: confirms technical competence assessed by an independent body, (2) UK-based response team: on-site presence in hours, not days, matters for complex breaches, (3) Published pricing: providers who publish prices tend to deliver more consistent scope, (4) Named team versus rotating analysts: a named incident lead who knows your environment responds faster, (5) Proactive services included: quarterly readiness testing, tabletop exercises, and playbook development add value whether or not you face a breach, (6) Cyber insurance alignment: confirm the provider produces reports in formats accepted by your insurer.
Many UK cyber insurers require or incentivise documented IR capability as a policy condition. Some policies mandate that policyholders use the insurer's nominated response firm during a breach. Check your policy terms before selecting a retainer provider to ensure there is no conflict. Where policies allow free choice, having a pre-existing retainer relationship can reduce premiums by 10-20% annually, as insurers recognise that faster, professional response reduces claim value.
The Bill does not mandate retainer agreements specifically, but it does introduce new incident reporting obligations and enhanced duties for operators of essential services and digital service providers. Organisations subject to the Bill must demonstrate tested incident response procedures. A retainer that includes quarterly tabletop exercises and documented playbooks provides direct compliance evidence. If your organisation falls under the Bill's scope, an IR retainer is a practical component of meeting those obligations.
Global enterprise vendors offer significant scale and platform integration. For UK mid-market organisations, the trade-off is typically response time, pricing transparency, and team familiarity. Precursor operates from a UK SOC, deploys UK-based responders, and publishes pricing from £8,500/year, which large vendors rarely do. Retainer clients work with a named incident lead throughout the contract, not a rotating analyst pool. If your organisation operates critical infrastructure or requires on-site response within hours rather than days, the proximity and team-continuity model matters. The right choice depends on your scale, existing technology stack, and whether your primary need is tool-platform depth or fast, expert, UK-local response.