Hard2bit
IR Retainer 24/7 · Contractual SLA · DFIR + Readiness

IR Retainer 24/7 — make the call, the team is already under contract

In a serious incident, minutes are expensive. With our IR/DFIR retainer the contract is signed, the SLA is agreed and a prepaid hour bank is waiting before the alarm goes off. One number, 24/7. A team that already knows your environment. A defensible timeline from minute one.

Activation

24/7 SLA with emergency channel

Model

Prepaid hour bank

Frameworks

Evidence for DORA, NIS2, ISO 27001

An incident is not the moment to start negotiating a contract

An incident response retainer isn't an insurance policy — it's pre-activated capability. We sign the contract before the incident, prepare your environment, agree the SLA and leave an hour bank ready to consume the moment it's needed.

When the bad day arrives — and statistically it does — organisations that improvise lose the first hours arguing over budget, NDAs and internal sign-off. With a retainer, triage and containment start in minutes, not days.

And the retainer doesn't just contain the incident. It delivers a defensible timeline, a technical report and an executive one, preserved evidence and hardening recommendations. Everything your board, insurer, auditor or supervisor will ask for afterwards.

Key point:

A retainer isn't measured by how many times you activated it. It's measured by how quickly it stopped the incident — and the shape the organisation was in afterwards.

Activation in minutes

24/7 emergency channel, a contractual first-contact SLA and triage that starts with evidence preserved from minute one.

Prepaid hour bank

Hours booked in advance for IR, DFIR, reactive threat hunting, forensics and advisory. No waiting for purchase orders while the network burns.

Readiness before the bad day

We don't wait for the incident. We know your environment, your privileged identities, your playbooks and your on-call list before the phone rings.

Talking to your whole chain

We coordinate with your cyber insurer, legal, comms, board and supervisor. Clean reporting, a timeline that holds up and evidence that survives scrutiny.

Incident types covered by the retainer

End-to-end cover for the incidents that actually land today across financial services, public sector and industry.

Ransomware

Containment, encryption triage, vector analysis, prioritised recovery, informed pay/no-pay guidance and tight coordination with your insurer.

BEC fraud / M365 compromise

Session revocation, identity forensics in Entra ID, malicious inbox-rule discovery, post-incident hardening and a clean audit trail.

Advanced intrusion

DFIR across initial vector, persistence, lateral movement, exfiltration and root cause — with reporting that holds up to regulatory scrutiny.

Insider and exfiltration

Controlled analysis, forensic preservation, chain of custody and support for legal or disciplinary action when required.

What the retainer delivers — beyond picking up the phone

A serious retainer isn't just a phone number with an SLA. It's contracts, readiness, reporting, evidence and an annual review.

24/7 master agreement

Signed retainer with activation SLA, scope, escalation matrix, named responsibilities and contract term.

Hour bank

Prepaid hours consumable for incidents, forensics, reactive hunting, advisory or exercises — with transparent usage reporting.

Readiness onboarding

Onboarding session, collection of critical information, contacts, escalation playbooks and validation of the emergency channels.

Activation plan

A clear procedure so any authorised person can invoke the retainer in seconds — inside business hours or at 3am.

Timeline and reporting

After each activation: timeline, evidence, incident classification, actions and recommendations for the board and the auditor.

Annual retainer review

Usage, activations, lessons learned, shifts in exposure and recommendations for the next cycle.

How the retainer is built and run

From contract to first real incident. Step by step, no surprises when it matters.

Scoping and signature

Agree on scope, SLA, hour bank, applicable frameworks (DORA/NIS2/ISO) and sign with 24/7 cover in place.

Readiness onboarding

We capture critical architecture, privileged identities, points of contact, cyber-insurer details and comms channels.

Activation drill

We validate the emergency channel actually works, measure real response times and fine-tune the playbook before the first real incident.

Live operation

The retainer is armed. Your team calls a single 24/7 number and the protocol kicks off with a full audit trail from minute one.

Incident activation

Triage, containment, DFIR, eradication, recovery — and comms with the board, legal, the insurer and, where relevant, the supervisor.

Post-incident review

Root cause, final report, detection and hardening improvements, plan update, and reporting for committee and audit.

What a retainer actually solves when it's real

Illustrative examples drawn from the client profile we work with. Details are anonymised to protect confidentiality.

Anonymised case

Financial group operating across Europe

Regulated estate under DORA/NIS2 obligations, with an active cyber-insurance policy.

Activation

Activation triggered by ransomware detection at a regional subsidiary, out of office hours.

Outcome

Triage and isolation inside the hour, DFIR running in parallel, coordination with the insurer and legal, recovery prioritised by service criticality, and a timeline delivered to the supervisor that held up under review.

Anonymised case

Public-sector body with citizen-facing services

Mixed on-prem and cloud footprint, with external maintenance providers in the picture.

Activation

Suspected BEC fraud — attempt to redirect payments to external accounts.

Outcome

Revocation of compromised sessions, M365 forensics, malicious inbox rules identified, the payment diversion stopped before the transfer settled and a reinforced finance playbook.

Anonymised case

Industrial company with third-party dependencies

IT segmented from OT, with maintenance windows granted to external vendors.

Activation

Ambiguous alert on anomalous activity against a server accessed by a vendor privileged account.

Outcome

Fast DFIR confirmed vendor credentials reused in an external campaign. Rotation, third-party hardening, vendor-profile detection rules and a contract review.

Retainer vs on-demand response vs cyber insurance

Three different things — and they're complementary. Confusing them gets expensive.

IR Retainer

Executes the response. Contract, SLA, hour bank, readiness and a DFIR team on standby. Stops the incident.

On-demand

Same service, booked under fire. More expensive, slower to start, and the team walks in blind.

Cyber insurance

Transfers part of the financial cost of the incident. It doesn't run the technical response — it delegates to approved providers. Pairs well with a retainer.

How the retainer fits with the rest of the service

The retainer is the rapid-activation layer. It gets stronger when it sits alongside continuous detection, proactive hunting and governance.

IR Retainer FAQ

SLA, hour bank, insurer coordination, regulatory fit, and where it differs from on-demand response.

What's the difference between an IR retainer and booking incident response on-demand?
On-demand means the incident hits and then you start negotiating scope, contracts, availability and rates — while your network is live and compromised. A retainer means that conversation is already closed: there's a signed SLA, a paid hour bank ready to use and a team that already knows your environment. The goal is to win the minutes that actually decide the impact of the incident.

What does a Hard2bit retainer include?
A 24/7 master agreement with activation SLA, a prepaid hour bank, readiness onboarding to learn your environment, an activation drill, a dedicated emergency channel, coordination with your cyber insurer, legal and the board during an incident, a final report and an annual service review.

How fast do you activate after a call?
Our first-contact SLA is minutes — in hours and out of hours. From there, triage and containment run in parallel with your internal escalation, with evidence preserved and a timeline captured from minute one. The exact commitment is written into the contract depending on the retainer tier you choose.

What does the hour bank cover, and what happens to unused hours?
The bank is consumed during incidents (IR/DFIR), but also for reactive threat hunting after an ambiguous alert, controlled forensics, tabletop exercises, technical advisory and audit support. Roll-over or reconversion of unused hours is defined in the contract; our default leans toward clients getting the value they paid for.

Do you work with cyber insurers?
Yes. We coordinate with the claims team, follow adjuster requirements, maintain chain of custody and align reporting with the obligations of the policy. If your insurer requires an approved provider, we validate that fit before the retainer is signed.

What happens if the incident turns out to be ransomware with a ransom demand?
We run the immediate containment protocol, isolate propagation, preserve evidence, activate DFIR and coordinate with the insurer, legal and the board. We bring technical and exposure judgement so the pay/no-pay decision is made with real, traceable and defensible information. The final call always belongs to you and your advisory chain.

Does the retainer help with DORA, NIS2 and ISO 27001?
Yes. It provides operational response capability and the evidence needed to demonstrate the maturity in incident management, notification, resilience and continuous improvement that DORA, NIS2 and ISO 27001 require.

Do I need a SOC or EDR to buy the retainer?
Not a hard requirement — but it helps a lot. The better your telemetry (EDR/XDR, SIEM, identity and cloud logs), the faster and cleaner the investigation. During onboarding we validate coverage and, where useful, recommend improvements before the first real incident.

How does it work alongside our internal security team?
We plug in behind your CISO, your security team, IT and governance. The retainer doesn't replace your team — it adds specialist DFIR capability and a pre-agreed escalation path for the moments that actually matter.

How much does a retainer cost?
It depends on three variables: SLA tier, hour-bank size and scope of the onboarding. We design it around your risk profile, regulatory obligations and operational criticality. Our team gets back to you with a concrete proposal after a short scoping conversation.

Can I start small and scale?
Yes. Plenty of organisations start with a basic retainer (24/7 activation + limited hour bank + light onboarding) and scale it as the environment matures or the regulatory profile demands. Terms can be revisited at each cycle.

What if I'm already in an incident and don't have a retainer?
We can activate an emergency contract while the incident is live. It's more expensive and slower to start than a pre-signed retainer, but still far better than improvising. Call us — and in parallel we'll scope a retainer for the day after.

Inside Incident Response

The retainer is the commercial product with SLA and hour bank inside the Incident Response pillar, which also covers on-demand IR, forensics and continuity.

The bad day is coming. The question is whether whoever you call already knows where to look.

Sign the retainer before the incident and stop wondering what happens the day one lands.