Incident Response Retainer

Reduce your incident response time and minimize breach impact with UnderDefense on speed dial

UnderDefense Incident Response Retainer (IRR) gives your organization the ability to quickly identify malicious activity and receive contextual intelligence on attacks — enabling faster and more effective response to cyber incidents.

What are your business and security requirements?

Retainer agreements can be packaged in different ways to match your needs. Consider these factors.

  • Budget. Confirm the number of prepaid hours and the hourly rate for additional hours.
  • Unused hours. Ask what happens if you don’t use your prepaid hours during the contract term.
  • Response Time. Get service level agreement (SLA) details for remote and onsite consulting. 2 or 4 hour SLAs are available.
  • Terms. Confirm the length of retainer—most are 12 months—and payment terms, such as whether you need to pay up-front.
  • Cyber insurance. Consider how your cyber insurance policy reimburses for incident response (IR) expenses and ask your insurer about lower premiums if you can show a proactive approach to cyber security.

Ramp up response readiness

Get access to elite UnderDefense security experts and technologies

Improve your current incident preparedness and response capabilities with industry-leading expertise and technology.

  • Have UnderDefense IR experts on standby to help when you need it
  • Take advantage of leading-edge advances in cybersecurity

Accelerate incident response speed

React faster and minimize impact with a team of experienced first-responders that will spring into action as soon as a breach is suspected.

  • Get expert response within hours, not days or weeks
  • Have a dedicated malware team on-call

Pre-negotiate terms and conditions

Establish contractual terms before an incident occurs for rapid incident response when it matters most.

  • Eliminate paperwork-related response delays when every minute matters
  • Ensure your first call focuses on action

    Declaration process

    Declaration Request

    Initial request for assistance via web, email or phone. 2 or 4 hour SLAs available for a response from an IR expert.

    Initial Triage

    UnderDefense IR expert reviews and assesses your situation following the request and recommends a course of action.

    Official Declaration

    An authorized party from your organization makes the official declaration of an incident under your IR retainer agreement.

    Declaration Acceptance

    Case is accepted once UnderDefense and client deem IR services are needed.

    Next Steps

    The UnderDefense lead will work with you to define initial investigation steps, which typically include collecting evidence, talking to your technical teams about their observations and actions taken, and determining whether we need to deploy our host and network technology. The UnderDefense Incident lead then assembles a team based on the size, complexity and technologies of your environment.

    Choice and Flexibility:
    What Incident Response Retainer is right for you?

    The Incident Response Retainer provides two tracks of service that are designed to suit different needs and budgets.


    Tier 1: No upfront costs

    • Establish terms and conditions for Incident Response (IR) services
    • Define hourly rates for all incident response-related services and technologies
    • Make no minimum financial commitment and pay no annual cost
    • Incur costs only if you engage Incident Response services
    • Get support based on best effort and current availability
    • Receive no guaranteed service level agreement (SLA)
    • Gain access to UnderDefense technology stack


    Tier 2: Prepaid hours and service level commitment

    • Establish terms and conditions for Incident Response (IR) services
    • Gain peace-of-mind with a 4-hour SLA
    • Enhanced 2-hour SLA also available
    • Flexibility to repurpose unused hours on a variety of technical and strategic services
    • Gain access to the UnderDefense technology stack
    • Work with experts to evaluate and improve your current incident preparedness and response capabilities
    • Access to Incident Response Preparedness Service

    Initial response

    • Triage security issue
    • Provide initial assessment based on UnderDefense Threat Intelligence and elite SOC/IR experience
    • Live response analysis of the systems to identify malicious activity

    Service-level agreement

    • Access to a 24/7 incident response hotline
    • Initial contact (via email or phone) within four hours: the first contact is with an UnderDefense incident responder who can immediately help with triaging the incident
    • Case is accepted once UnderDefense and client deem that incident response services are needed
    • Enhanced two-hour SLA is also available

    Incident Response Preparedness Service

    • Review of existing monitoring, logging and detection technologies
    • Ensure ability to quickly contain an incident
    • Review of current network and host architecture
    • Evaluation of first response capabilities
    • Collaborative planning for typical response scenarios
    • Recommendations for areas of improvement

    Available consulting services for repurposing prepaid hours include:

    Technical Services

    • Compromise Assessment
    • Red Team Assessments
    • Penetration Testing

    Strategic Services

    • Response Readiness Assessment
    • Security Program Assessment
    • Tabletop Exercise
    • Cyber Defense Center Development

    Education Services

    • Windows Enterprise Incident Response
    • Malware Analysis
    • Intelligence and Attribution

    Related products and services

    Managed Defense

    Extends your security team with experts from UnderDefense who will monitor your network for threats around the clock.



    Response Readiness Assessment

    Provides an easy, effective way to evaluate and improve your ability to detect, respond to and contain advanced attacks.

    Threat Intelligence

    Combines adversary intelligence with breach victim and machine-based intelligence for a full 360° view of threats.

    Ready to get started?

    Our security experts are standing by to help you with an incident or
    answer questions about our consulting and managed detection and response services.
