Cost framework

EDR incident-response retainer costs and build-vs-buy IR.

EDR provides preventive containment. Post-detection investigation and remediation is the IR phase, which most buyers contract separately. This page maps the retainer pricing models, the breakeven math, and the conflict-of-interest question on EDR-vendor-bundled IR.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

What an IR retainer buys

A standard incident-response retainer agreement covers four things: a pre-negotiated rate for incident-response work, typically discounted from the firm’s on-call hourly rate; a guaranteed response SLA, typically one to four hours from declaration to senior responder engaged; pre-staged tooling and credentials at the IR firm’s side, so they can begin collection within minutes rather than negotiating access mid-incident; and one or two tabletop exercises per year, plus sometimes a credit toward proactive threat hunting.

The retainer is distinct from EDR’s built-in response capability. EDR’s response is preventive and containment-oriented (kill the process, isolate the host). IR retainer is for the post-detection investigation and remediation phase: forensic acquisition, root-cause analysis, scope determination, recovery planning, and incident-report production for legal and regulatory purposes.

Three retainer pricing models

Annual flat fee

$15K – $60K SMB; $50K – $250K enterprise

How it works: Pay annual fee. Engage IR firm at any time within scope at no additional charge up to a usage cap. Above cap, prepaid-hour rate or discounted hourly applies.

Rewards: Highest SLA priority. Predictable budget line. Insurance underwriters view favourably.

Penalises: Highest absolute cost. Wasteful in low-incident years. Sometimes locks you to one firm.

Committed-hours retainer

40 – 80 prepaid hours; effective rate $300 – $600/hr

How it works: Prepay a block of hours at discounted rate. Hours bank against actual incidents. Unused hours often roll over one year, then expire.

Rewards: Pay-for-what-you-use shape. Discounted versus on-call rate. Lower commitment than flat fee.

Penalises: Lower SLA priority than flat-fee customers in capacity-constrained periods. Hour-bank can be exhausted mid-incident.

Warm retainer (zero-on-shelf)

$0 retainer; $400 – $800/hr on-call when invoked

How it works: Master services agreement signed in advance with no annual fee. Pay full hourly when an incident occurs. Sometimes nominal fee for tabletops.

Rewards: No fixed cost. Useful if your incident probability is genuinely low. MSA-only relationship preserves IR firm option.

Penalises: No SLA priority. During regional ransomware waves you may not get a responder for days. Insurance underwriters view unfavourably.

On-call hourly rates without retainer

Established IR firms (Mandiant, CrowdStrike Services, Unit 42, Kroll, Stroz Friedberg, Charles River, Arete) charge $400 to $800 per hour for senior incident responders engaged without retainer. Premium responders on short SLAs charge above that. Junior staff on offshore-augmented teams may be quoted $250 to $400.

A typical SMB ransomware incident consumes 60 to 120 hours of senior-responder time over 5 to 14 days. That is $24,000 to $96,000 of IR work at on-call rates. A typical mid-market incident is 200 to 400 hours, or $80,000 to $320,000. These figures are independent of EDR licence cost; they are the post-detection response phase.

The breakeven math

Whether a retainer pays for itself depends on incident probability, average incident size, and the value of SLA priority during constrained periods.

Worked example: 200-endpoint SMB. Assume 5 percent annual incident probability (consistent with SMB segments in Verizon DBIR 2025), average 80-hour incident at $500/hour on-call. Expected IR work per year: 0.05 × 80 × $500 = $2,000. A $20,000 to $40,000 annual flat-fee retainer at this scale is hard to justify on expected value alone. The justification is the SLA value during a regional wave when on-call capacity is exhausted. SMBs with cyber insurance commonly buy a retainer regardless because the underwriter requires demonstrable IR partnership.

Worked example: 1,500-endpoint mid-market. Assume 8 percent annual incident probability and 250-hour average incident. Expected IR work: 0.08 × 250 × $500 = $10,000. A $75,000 annual flat-fee retainer covers expected value plus the SLA premium plus tabletop exercises. The breakeven gets cleaner at this scale. By 5,000 endpoints, retainers are essentially mandatory by both insurance underwriting and operational necessity.
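The breakeven comparison above, carried across all three pricing models as an added example that is not part of the original page. It assumes at most one incident per year of fixed size, and the fee, usage-cap, prepaid-hour and rate values passed in are constructed to sit inside the page's illustrative ranges rather than taken from any vendor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """Constructed planning inputs, in the units the page uses."""
    incident_probability: float  # annual probability of one incident
    incident_hours: float        # senior-responder hours that incident consumes
    on_call_rate: float          # $/hour without a retainer (page: $400-$800)

def expected_hours(s: Scenario) -> float:
    # Simplification: at most one incident per year, of fixed size.
    return s.incident_probability * s.incident_hours

def warm_retainer_cost(s: Scenario) -> float:
    # Zero-on-shelf: no annual fee, full hourly only when invoked.
    return expected_hours(s) * s.on_call_rate

def flat_fee_cost(s: Scenario, annual_fee: float, usage_cap_hours: float,
                  overage_rate: float) -> float:
    # Fee covers incident work up to the usage cap; hours above it bill at
    # the discounted overage rate.
    over = s.incident_probability * max(0.0, s.incident_hours - usage_cap_hours)
    return annual_fee + over * overage_rate

def committed_hours_cost(s: Scenario, prepaid_hours: float, prepaid_rate: float,
                         overage_rate: float) -> float:
    # Prepaid block is paid whether or not it is used; an incident larger than
    # the bank spills over to the overage rate.
    over = s.incident_probability * max(0.0, s.incident_hours - prepaid_hours)
    return prepaid_hours * prepaid_rate + over * overage_rate

def breakeven_probability(s: Scenario, annual_fee: float) -> float:
    # Incident probability at which a flat fee equals expected on-call spend,
    # ignoring the SLA-priority value the page says is the real justification.
    return annual_fee / (s.incident_hours * s.on_call_rate)

def compare(s: Scenario, annual_fee: float, cap_hours: float,
            prepaid_hours: float, prepaid_rate: float, overage_rate: float) -> dict:
    # Expected annual spend under each pricing model, for side-by-side review.
    return {
        "warm": warm_retainer_cost(s),
        "flat_fee": flat_fee_cost(s, annual_fee, cap_hours, overage_rate),
        "committed_hours": committed_hours_cost(s, prepaid_hours, prepaid_rate, overage_rate),
    }

if __name__ == "__main__":
    smb = Scenario(0.05, 80, 500)   # page's 200-endpoint worked example
    mid = Scenario(0.08, 250, 500)  # page's 1,500-endpoint worked example
    for name, s in (("smb", smb), ("mid", mid)):
        print(name, compare(s, 20_000, 80, 40, 450, 500),
              f"breakeven p={breakeven_probability(s, 20_000):.2f}")
```

At the page's SMB inputs the flat fee only breaks even on expected value once annual incident probability reaches 50 percent, which is why the page locates the justification in SLA priority and underwriter requirements rather than in the arithmetic.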

EDR-vendor-bundled vs independent IR

Most EDR vendors offer their own IR retainer or partner program. CrowdStrike Services, SentinelOne Vigilance, Palo Alto Unit 42, and Microsoft Detection and Response Team all sell IR retainers tied to their respective EDR products.

The convenience case for vendor-bundled IR: same console, same telemetry access, no integration friction, often discounted as a bundle. The independence case for third-party IR: an IR firm reporting to a customer on whether the EDR product missed a detection is unconflicted only if the IR firm has no commercial relationship with the EDR vendor. For breaches that may attract litigation, regulatory investigation, or insurance dispute, independent IR is generally preferred for the cleaner audit trail and more credible report.

A common middle path is an independent retainer for the formal investigation and report production, plus EDR-vendor-bundled threat hunting and detection-tuning services for routine work. This separates the adversarial-review function from the detection-improvement function.

Or: contract MDR instead

For organisations whose primary IR concern is the “we cannot read alerts ourselves” problem, MDR (managed detection and response) is the alternative to EDR-plus-retainer. MDR bundles 24-hour monitoring with response capabilities and effectively covers the routine-incident workload in the monthly fee. A separate IR retainer is typically still recommended for the major-incident investigation phase because MDR providers focus on detection and containment, not full post-incident forensic and legal report production.

See mdrcost.com for the full MDR cost model, and incidentcostcalculator.com for the underlying breach-cost framing that drives the retainer ROI argument.

IR retainer questions

How much does an incident response retainer cost?
Annual flat-fee retainers run $15,000 to $60,000 for SMB scope (under 500 endpoints, single-region) and $50,000 to $250,000 or more for enterprise scope. Committed-hours retainers prepay 20 to 80 hours at a discounted hourly rate ($300 to $600 typical). Zero-cost-on-shelf 'warm retainers' have no annual fee but reserve a higher hourly rate ($400 to $800) when invoked. The right choice depends on incident probability, breach-cost exposure, and how much SLA premium you are willing to pay.
Should I get a retainer from my EDR vendor or an independent IR firm?
Independence is the trade-off. EDR-vendor IR is convenient (same console, same data, no integration friction) but creates a conflict of interest: the IR firm investigates the EDR's own missed detections. Independent IR firms work across vendors and have less incentive to soft-pedal their report on a vendor's product. For regulated industries and breaches that may attract litigation, independent IR is generally preferred for the cleaner audit trail. For routine investigations and smaller environments, vendor-bundled is operationally simpler.
Is an IR retainer worth it for a small business?
Below 100 endpoints with no compliance pressure and outsourced IT, possibly not. The expected-value math gets thin and a master service agreement with no on-shelf commitment may be sufficient. From 100 to 500 endpoints with cyber insurance, a retainer is generally worth it: the SLA matters during regional ransomware waves when independent firms triage incoming work. Above 500 endpoints, retainers are usually mandatory by insurance underwriting questionnaire, not optional.