Essentials Retainer — £2,500 / year ex VAT
Ideal for small organisations or those beginning their IR readiness journey. Includes 10 IR hours, standard response times, 24/7 emergency contact routes, and pre-authorised onboarding.
Incident Response Retainer Pricing
When an incident occurs, the last thing you want is uncertainty. Our retainers provide guaranteed response times, pre-agreed terms, and immediate access to Cyber Defence’s Disrupt team.
Be ready before the incident happens
The worst time to negotiate terms, legal approvals, or onboarding requirements is during an active incident. A Cyber Defence Incident Response Retainer ensures you have guaranteed access to highly skilled responders whenever you need them, under clear commercial and operational terms.
Our retainers are designed for organisations that cannot tolerate prolonged outage, investigative delay, or uncertainty. They provide the fastest route to qualified assistance during a crisis, saving time, money, and reducing operational and reputational damage.
Plans
Choose a retainer that matches your risk profile
Each retainer provides guaranteed response times, agreed communication channels, and a pre-purchased block of Incident Response hours that can be used for triage, analysis, containment, forensics, and post-incident review.
All retainers can be customised for regulated or complex environments.
Standard Retainer — £7,500 / year ex VAT
Our most popular option. Includes 30 IR hours, faster response targets, priority access to Disrupt team analysts, proactive onboarding workshop, and annual tabletop exercise.
Enhanced Retainer — from £15,000 / year ex VAT
Designed for regulated, multi-site, or high-risk organisations. Includes 60+ IR hours, the fastest response targets, quarterly readiness reviews, extended forensics support, and deep integration with SOC365 and TI data.
Compare IR Retainer tiers
A quick comparison of the differences between the Essentials, Standard, and Enhanced Incident Response Retainers.
| Feature | Detect | Defend | Disrupt |
|---|---|---|---|
| Guaranteed P1 response time | 8 hours | 4 hours | 2 hours |
| Guaranteed P2 response time | 24 hours | 12 hours | 4 hours |
| Pre-purchased IR hours | 10 hours | 30 hours | 60+ hours |
| 24/7 emergency activation | ✓ | ✓ | ✓ |
| Priority access to Disrupt team | – | ✓ | ✓ |
| Forensic acquisition & analysis support | Limited | Standard | Extended |
| Annual tabletop exercise | – | ✓ | 2 per year |
| Quarterly readiness review | – | – | ✓ |
| Custom escalation paths & comms plans | – | ✓ | ✓ |
| SOC365 & TI integration | – | Light | Full |
What your retainer includes
All retainers include:
• Contractually guaranteed response times
• Pre-agreed commercial terms and NDAs
• Onboarding of your environment and key contacts
• 24/7 hotline for emergency activation
• Access to senior responders, forensics specialists, and threat analysts
• Transparent usage tracking of included IR hours
Retainer hours can be used for triage, containment support, investigation, forensics, recovery guidance, or post-incident improvements.
Purchase a retainer online
Many customers already know the level of cover they require. You can purchase an IR Retainer directly through our online process.
We will contact you immediately after purchase to complete onboarding and provide 24/7 activation details.
Incident Response Retainer – FAQs
Can we use retainer hours for proactive work?
Yes. Hours can be allocated to tabletop exercises, IR readiness reviews, threat hunting, forensic readiness, or configuration hardening as agreed.
What happens if we exceed our included hours?
We continue supporting you based on pre-agreed overage rates. We can also scale your retainer level after the incident to better match your operational needs.
Do you work with insurers and regulators?
Yes. Our reporting can be used directly with cyber insurers, regulators, auditors, and legal counsel. We can support notification and disclosure workflows.
Do we need a retainer to call you during an incident?
No – but response time, cost, and onboarding are significantly better under a retainer. Without one, activation depends on availability and ad-hoc contract approval.
Can the retainer support MSSPs or group-level organisations?
Yes. Enhanced retainers can cover multiple entities, business units, or geographic regions under one agreement.
The fastest route to expert help during an incident
Cyber Defence’s Disrupt team includes senior incident responders, penetration testers, threat analysts, and forensics specialists who work together to contain incidents quickly and safely.
A retainer ensures you have contract-backed access to real expertise when you need it most – without delay, uncertainty, or negotiation.