How much does an incident response retainer cost?
IR retainers for mid-market organizations typically run $5,000–$15,000 per month, or are structured as annual prepaid hour blocks ranging from $25,000 to $150,000 or more. On-demand work — no retainer, no prior relationship — is billed at $200–$600 per hour, with no guaranteed availability. Retainer clients generally receive 20–30% lower hourly rates and a contractually guaranteed response time of under 2 hours.
Retainer pricing varies significantly based on firm reputation, team seniority, geographic reach, and the scope of services included. A Big Four or top-tier boutique firm commands higher rates. Regional firms and specialized boutiques often offer more competitive pricing with equivalent technical depth for specific industries or attack types.
For enterprise organizations with complex, multi-site environments, annual retainer spend of $150,000–$500,000 is not unusual. IBM's Cost of a Data Breach Report (2022 edition) found that organizations with an IR team and a regularly tested IR plan saved $2.66 million on average per breach compared with those that had neither, a figure that frames retainer spend as cost avoidance rather than an expense.
| Organization size | Typical annual retainer | Prepaid hours included | Guaranteed response time |
|---|---|---|---|
| SMB (under 500 employees) | $25,000–$60,000/year | 40–80 hours | 2–4 hours |
| Mid-market (500–5,000 employees) | $60,000–$180,000/year | 80–250 hours | 1–2 hours |
| Enterprise (5,000+ employees) | $180,000–$500,000+/year | 250–1,000+ hours | Under 1 hour |
Retainer vs. paying hourly — which is cheaper?
Whether a retainer is cheaper than on-demand billing depends on how many incidents you have per year and how large they are. The table below shows the per-incident math for three incident sizes, assuming on-demand billing at $400/hour (mid-range) and a retainer rate of $280/hour (30% below the on-demand rate). Every hour is priced at the retainer rate so the rows are comparable; hours that fall inside a prepaid block cost nothing extra at incident time, but you have already paid for them in the annual fee, so the "Retainer saves" column is the rate discount only, not the whole on-demand bill.
| Incident size | Est. IR hours | On-demand cost (@$400/hr) | Retainer cost (@$280/hr) | Retainer saves |
|---|---|---|---|---|
| Phishing / credential breach (contained) | 20–40 hours | $8,000–$16,000 | $5,600–$11,200 | $2,400–$4,800 per incident |
| Ransomware (mid-size, no data exfil) | 100–200 hours | $40,000–$80,000 | $28,000–$56,000 | $12,000–$24,000 per incident |
| Full data breach (PII exfil, multi-state notification) | 300–600+ hours | $120,000–$240,000+ | $84,000–$168,000+ | $36,000–$72,000+ per incident |
The retainer also provides a less visible benefit: availability. During large-scale incidents — a major ransomware outbreak, a Log4Shell-style event — on-demand IR capacity disappears fast. The firms you call without a prior relationship will be fully committed to retainer clients first. Retainer clients get the team; on-demand callers get a wait list.
A $60,000 annual retainer at $280/hour buys roughly 215 prepaid hours, and the same 215 hours billed on demand at $400/hour would cost about $86,000; the break-even point is therefore about 150 hours of incident work per year, which a single mid-size ransomware event (100–200 hours) comes close to consuming on its own. If your organization handles healthcare data, financial records, or personal information for thousands of customers, the exposure to notification costs, regulatory penalties, and business interruption makes the retainer math straightforward.
What's included in an IR retainer?
Retainer terms vary by firm, but the core inclusions are consistent across the market. Review the feature table carefully when comparing proposals — "retainer" can mean a simple pricing agreement or a full managed service.
| Feature | Typical inclusion | Notes |
|---|---|---|
| Prepaid investigation hours | Yes — drawn down on any incident | Hours used for reactive IR; some firms allow proactive services |
| Guaranteed response time | Yes — typically under 2 hours, 24/7/365 | SLA is contractually binding; confirm it covers nights, weekends and holidays, and whether the clock stops at a phone acknowledgement or only once an analyst is actively working the case |
| Discounted hourly rate | Yes — 20–30% below on-demand rate | Applies to all hours consumed, including overflow beyond prepaid block |
| Dedicated IR team assignment | Often — named lead consultant or team | Familiarity with your environment reduces ramp-up time |
| Tabletop exercise (annual) | Frequently included (1–2 per year) | Some firms count tabletops against prepaid hours |
| Threat intelligence access | Sometimes — depends on firm | Industry-specific threat feeds; more common in enterprise tiers |
| Breach coach / legal liaison | Varies — often a separate engagement | Critical for notification management; confirm before incident |
| Forensic tool deployment | Often pre-staged (EDR agents, log forwarding) | Pre-staged tools cut investigation time significantly |
| Cyber insurance coordination | Sometimes — especially panel firms | Valuable if the firm is on your insurer's approved panel |
How are retainer hours structured?
IR retainers use one of three hour structures. Understanding which model a firm uses affects your total cost and flexibility.
Prepaid block (draw-down)
You purchase a fixed block of hours upfront (e.g., 100 hours for $28,000). Any reactive or proactive work draws down the block at the retainer rate. When the block is exhausted, additional hours bill at the retainer rate.
Best for: organizations that want predictable spend and flexibility to use hours proactively.
Monthly subscription
A fixed monthly fee ($5,000–$15,000) buys a defined number of hours each month plus standby capacity. Unused hours may roll over (negotiate this) or expire. Some firms apply unused hours to threat hunting or advisory work.
Best for: organizations that want a predictable monthly line item and ongoing proactive services.
On-call agreement
A lower annual fee ($10,000–$20,000) secures a guaranteed response time and a pre-negotiated rate, but no prepaid hours. You pay per engagement at the retainer rate when an incident occurs. Hours don't accumulate or expire.
Best for: organizations with low incident probability that want guaranteed availability without paying for unused hours.
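The break-even figures above and the three hour structures just described can be reduced to a small annual cost model, which makes it easy to plug in your own incident history and a firm's actual quote. The code below is an added worked example, not from the original page or any IR firm: the $400 and $280 hourly rates, the 100-hour/$28,000 block, the $5,000 monthly fee and the $10,000–$20,000 on-call fee range are the page's illustrative figures; the 15 hours per month in the subscription model and the two sample incidents are assumptions constructed for the example.

```python
"""Annual IR cost model: on-demand billing vs. the three retainer structures.

Added worked example. Rates and fees are the page's illustrative figures;
the subscription hour allotment and the incident list are constructed inputs.
"""

from dataclasses import dataclass

ON_DEMAND_RATE = 400.0   # $/hour, mid-range on-demand rate from the page
RETAINER_RATE = 280.0    # $/hour, 30% below on-demand, from the page


@dataclass(frozen=True)
class Incident:
    name: str
    hours: float


def total_hours(incidents):
    return sum(i.hours for i in incidents)


def on_demand_cost(incidents, rate=ON_DEMAND_RATE):
    """No retainer: every hour at the on-demand rate, no availability guarantee."""
    return total_hours(incidents) * rate


def prepaid_block_cost(incidents, block_hours, block_fee, rate=RETAINER_RATE):
    """Prepaid draw-down block: the fee covers block_hours; overflow bills at the
    retainer rate. Unused hours are sunk cost unless roll-over was negotiated."""
    overflow = max(0.0, total_hours(incidents) - block_hours)
    return block_fee + overflow * rate


def subscription_cost(incidents, monthly_fee, monthly_hours,
                      rate=RETAINER_RATE, rollover=False):
    """Monthly subscription: 12 x fee buys monthly_hours each month.
    Without roll-over, a single large incident overflows that month's allotment
    even when the year's total allotment would have covered it (assumes each
    incident lands in a different month, the worst case per incident)."""
    annual_fee = 12 * monthly_fee
    if rollover:
        overflow = max(0.0, total_hours(incidents) - 12 * monthly_hours)
    else:
        overflow = sum(max(0.0, i.hours - monthly_hours) for i in incidents)
    return annual_fee + overflow * rate


def on_call_cost(incidents, annual_fee, rate=RETAINER_RATE):
    """On-call agreement: flat fee for the SLA, every hour at the retainer rate."""
    return annual_fee + total_hours(incidents) * rate


def break_even_hours(block_fee, block_hours,
                     od_rate=ON_DEMAND_RATE, ret_rate=RETAINER_RATE):
    """Hours of incident work per year at which a prepaid block costs the same
    as on-demand billing. Below block_hours only the fee competes with on-demand
    hours; above it, overflow at the retainer rate is included."""
    h = block_fee / od_rate
    if h <= block_hours:
        return h
    # fee + (h - B) * ret = h * od  ->  h = (fee - B * ret) / (od - ret)
    return (block_fee - block_hours * ret_rate) / (od_rate - ret_rate)


def compare(incidents):
    """Annual cost under each structure using the page's example figures
    (monthly_hours=15 and the $15,000 on-call fee are assumed values)."""
    return {
        "on_demand": on_demand_cost(incidents),
        "prepaid_block": prepaid_block_cost(incidents, block_hours=100, block_fee=28_000),
        "subscription": subscription_cost(incidents, monthly_fee=5_000, monthly_hours=15),
        "subscription_rollover": subscription_cost(incidents, monthly_fee=5_000,
                                                   monthly_hours=15, rollover=True),
        "on_call": on_call_cost(incidents, annual_fee=15_000),
    }


# Constructed sample year: one contained phishing case and one mid-size ransomware event.
SAMPLE_YEAR = [Incident("phishing (contained)", 30), Incident("ransomware (no exfil)", 150)]

if __name__ == "__main__":
    for structure, cost in compare(SAMPLE_YEAR).items():
        print(f"{structure:22s} ${cost:>10,.0f}")
    print("break-even, 100h/$28k block:", break_even_hours(28_000, 100), "hours")
    print("break-even, $60k retainer:  ", break_even_hours(60_000, 60_000 / RETAINER_RATE), "hours")
```

The no-roll-over subscription row is the one to look at when negotiating: the same 180 hours that a prepaid block or a roll-over subscription absorbs turns into 150 overflow hours when each month's allotment expires on its own, which is why the roll-over clause matters more than the headline monthly fee.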
Negotiating roll-over terms
Roll-over policies are negotiable. Push for at least 6-month carry-forward on unused hours, or require the firm to apply unused hours to tabletop exercises, threat hunting, or vulnerability assessments. A firm that won't offer any roll-over mechanism is essentially selling you hours they know you probably won't use.
Do you still need a retainer if you have cyber insurance?
Yes. Cyber insurance reimburses IR costs — it does not guarantee that a qualified team is available the moment you call. These are different products that serve different functions. The right answer for most organizations is both.
What cyber insurance provides
- Financial reimbursement for IR costs after the fact
- Access to insurer's panel IR firms (with pre-negotiated rates)
- Coverage for notification costs, credit monitoring, and legal fees
- Business interruption coverage during recovery
What a retainer provides
- Guaranteed availability of a specific team within 2 hours
- Familiarity with your environment before an incident occurs
- Pre-staged forensic tools that reduce investigation time
- Proactive services (tabletops, threat hunting) year-round
One important nuance: your cyber insurer may require you to use a firm from their approved panel. If your retainer firm is not on the panel, the insurer may refuse to reimburse some or all of the IR costs. Before signing a retainer, confirm whether the firm is on your insurer's panel — or negotiate a pre-approval clause in your policy. See how cyber insurance interacts with IR for the full framework.
Frequently Asked Questions
How much does an incident response retainer cost?
IR retainers typically cost $5,000–$15,000 per month for mid-market organizations, or are structured as prepaid hour blocks ranging from $25,000 to $150,000+ per year. On-demand (no-retainer) IR work is billed at $200–$600 per hour. Retainer clients generally receive a 20–30% discount on hourly rates and a guaranteed response time of under 2 hours.
What is included in an IR retainer?
A typical IR retainer includes: a dedicated IR team on standby, guaranteed response time (often under 2 hours), prepaid investigation hours, threat hunting credits, tabletop exercise facilitation, retainer-rate billing for any incident response work, and often access to threat intelligence feeds.
Do retainer hours roll over if unused?
Roll-over policies vary by firm. Some firms allow unused hours to carry forward for 6–12 months; others operate on a use-it-or-lose-it basis but provide proactive services (threat hunting, tabletop exercises) to consume unused hours. Always negotiate roll-over terms before signing.
Does cyber insurance make an IR retainer unnecessary?
No. Cyber insurance reimburses IR costs after the fact, but it does not guarantee a response team is available the moment you call. A retainer guarantees capacity and a sub-2-hour response time that insurance cannot replicate.
Can I negotiate an IR retainer price?
Yes. Retainer pricing is negotiable, especially on multi-year agreements, larger prepaid hour blocks, or when bundling proactive services. Common negotiation levers include: increasing the prepaid hour block, committing to a multi-year term, and bundling tabletop exercises.
Compare IR firms that offer retainers
Many firms in the directory offer retainer arrangements. Use the directory to compare specializations and find firms that are pre-approved by major cyber insurers.