The Incident Response Retainer for Small Businesses: What It Costs, What It Covers, and When It Pays for Itself
Alexander Sverdlov
Security Analyst

Key Takeaways
- A retainer buys speed, not just hours. The value is in the first six hours of an incident. With a retainer you make one call and forensic responders are working your case the same day. Without one, those hours go to finding, vetting, and contracting a firm while the attacker is still active in your network.
- For a small business, the price range is modest. Most retainers for companies under 250 people run from roughly $5,000 to $25,000 per year, depending on the included hours, the response time guarantee, and whether proactive work is bundled in. That is a fraction of the cost of a single mishandled incident.
- Unused hours are rarely wasted. Good retainers let you convert pre-paid incident hours into proactive work: tabletop exercises, backup validation, an architecture review, or detection tuning. The preparation that comes with the retainer often prevents the incident the retainer was bought for.
- It is not the same as cyber insurance. Insurance pays some of the bill after the fact and usually restricts which vendors you may use and how quickly you must notify the carrier. A retainer is the team that does the work. They are complements, and the best outcomes come from having both, aligned, before anything goes wrong.
- Read the contract terms that actually matter. Response-time SLA, what counts against your hours, whether the clock is annual or use-it-or-lose-it, after-hours rates, geographic and remote-versus-onsite coverage, and how the engagement coordinates with your insurer's panel. These details separate a retainer that helps from a piece of paper.
- The break-even is preparation, not luck. A retainer pays for itself the first time it compresses your response from days to hours, keeps your insurance claim valid, or surfaces a backup gap during onboarding before an attacker finds it. You do not need to be breached for it to earn its cost.
A 40-person accounting firm called us on a Friday evening in tax season. An employee had clicked a link in what looked like a routine invoice, entered credentials on a convincing fake login page, and by the time anyone noticed, an attacker was inside the firm's email and moving toward the file server that held thousands of client tax records. The managing partner's first question was not about the attacker. It was, "Who do we even call for this?" They spent the next four hours doing what should have taken four minutes: searching for incident response firms, leaving voicemails, getting quoted emergency rates, and waiting for callbacks while the intrusion spread.
By the time a responder was engaged and working, it was the middle of the night and the attacker had been inside for the better part of a day. The firm recovered, but the cleanup took longer, cost more, and came far closer to a reportable client-data breach than it needed to. When we conducted the post-incident review, the partners asked the question every small business asks afterward: what would have made this go differently? The honest answer was not a more expensive firewall or a new security product. It was a single phone number, agreed in advance, that turned the first four hours from a panicked vendor search into immediate containment.
That phone number is what an incident response retainer provides. It is a deceptively simple thing, and it is consistently underestimated by exactly the companies that need it most. Small businesses tend to assume that retainers are an enterprise concern, that the cost is prohibitive, and that they would be paying for something they hope never to use. All three assumptions are usually wrong, and the gap between the assumption and the reality is where companies lose the most money in an incident.
This guide is written for the owner, managing partner, or operations lead of a small or mid-sized company who has heard the term "IR retainer" and wants to know, in plain terms, whether it is worth it. We will cover what a retainer actually is and is not, what it includes, what it costs for a company of your size, the real arithmetic of retainer versus cold-start response, how to tell whether you need one, and how to buy one without overpaying for capacity you will never use.
Section 1
What an IR Retainer Actually Is (and Is Not)
An incident response retainer is a pre-arranged agreement with a professional response firm that guarantees you prioritized access to their team when a security incident occurs. In practice it bundles three things: a commitment from the firm to respond within a defined time window, a block of pre-paid or pre-rated hours, and a relationship that means the responders already have baseline familiarity with your environment before anything goes wrong. The agreement is signed during calm conditions, the rates are negotiated when you have leverage rather than when you are desperate, and the onboarding work establishes who does what the moment an incident is declared.
The most useful way to understand a retainer is by what it removes from your worst day. In an unprepared response, the first several hours are consumed by logistics that have nothing to do with stopping the attacker: identifying candidate firms, confirming they are available, explaining your situation three times to three different intake teams, agreeing emergency rates, signing contracts under duress, and granting access. A retainer collapses all of that into a phone call. The firm answers, they already know who you are, the contract is already signed, and the technical work begins immediately.
It is equally important to be clear about what a retainer is not. It is not cyber insurance; it does not reimburse you for losses, and it is the team doing the work rather than the policy paying the bill. It is not a managed detection service that watches your network around the clock, though some providers offer both. It is not a guarantee that you will never be breached, and it is not a substitute for the basic controls, backups, and employee training that prevent most incidents in the first place. A retainer is the response capability you draw on when prevention fails, packaged so that it is available in minutes rather than days.
The one-sentence definition: An incident response retainer is a contract you sign while everything is fine, so that when something goes badly wrong you make one call instead of fifty, and the people who answer are already prepared to defend your specific business.
Retainers come in two broad shapes. A pure-response retainer reserves capacity and guarantees a response time, sometimes for a relatively low annual fee, with incident hours billed at a pre-agreed rate when you actually need them. An hours-included retainer bundles a block of hours into the annual fee and, crucially, lets you spend unused hours on proactive work before any incident occurs. For most small businesses the second shape delivers more value, because it converts a cost you hope never to use into preparation you benefit from every year regardless of whether you are attacked.
Section 2
What Is Actually Inside a Retainer
A retainer is only as good as the specific commitments written into it. The marketing language is similar across providers; the contract terms are where the real differences live. There are six components that define what you are actually buying, and a small business evaluating a retainer should be able to find each of them in the agreement before signing.
The response-time commitment. This is the heart of the retainer. It is the guaranteed maximum time between your declaration of an incident and a responder actively working your case. Common commitments range from one hour to next business day. For a small business, a same-day or four-hour remote response is usually sufficient and considerably cheaper than a one-hour onsite guarantee. Read carefully whether the clock covers initial contact or actual technical engagement, and whether it applies around the clock or only during business hours.
The block of hours. Most retainers include a number of pre-paid hours, ranging from a handful to several dozen per year. These cover the responders' time during an incident and, in better agreements, proactive work between incidents. Understand the hourly rate that applies once the block is exhausted, because a serious incident can consume the included hours quickly and the overage rate is what you will actually pay for the bulk of a major engagement.
The pre-engagement onboarding. The best retainers include an onboarding phase where the firm documents your environment: your network architecture, your critical systems, where your backups live, who your key contacts are, and what your business cannot operate without. This work is what lets them respond fast and effectively when the call comes, and it routinely surfaces problems (an untested backup, an exposed remote-access service, a missing logging configuration) before any attacker does.
The scope of services. A full retainer covers forensic investigation, containment, eradication, recovery support, and often coordination with breach counsel and your insurer. Some include threat intelligence, ransomware-specific support, and post-incident reporting suitable for regulators and clients. Confirm what is in scope and what triggers a separate engagement, because the boundaries vary and you do not want to discover a gap mid-incident.
The proactive conversion. This is the feature that turns a retainer from a sunk cost into an investment. Ask explicitly whether unused incident hours can be applied to tabletop exercises, an incident response plan, backup validation, a compromise assessment, or detection tuning. Providers who allow this are giving you preparation that lowers the odds of ever needing the response side, which is precisely what you want.
The coordination terms. A retainer does not operate in isolation during a real incident. It interacts with your cyber insurer, who may require approved vendors, and with breach counsel, who often direct the engagement to preserve legal privilege. The strongest retainers are with firms that already sit on insurer panels and routinely work under counsel's direction, so the relationship slots cleanly into the legal and insurance machinery instead of fighting it.
Section 3
What a Retainer Costs for a Small Business
The price of a retainer is driven by three levers: the speed of the response-time guarantee, the number of hours included, and whether proactive services are bundled in. A next-business-day remote response with a small hours block sits at the bottom of the range. A one-hour, around-the-clock guarantee with onsite capability and a large bundled hours block sits at the top. Most small and mid-sized businesses land somewhere in the middle, and the good news is that the middle is affordable relative to what a single incident costs.
As a practical guide, retainers for companies under 250 employees commonly fall between $5,000 and $25,000 per year. A micro-business or small professional firm can often secure a workable retainer at the lower end, particularly a response-focused agreement with a same-day remote commitment and a modest hours block convertible to proactive work. Larger or more regulated small businesses, those handling health data, financial records, or large volumes of personal data, tend toward the upper end because they need faster response guarantees and more included capacity. The figure below sketches the typical tiers.
Two pricing details deserve attention before you sign. The first is the overage rate: once your included hours are exhausted, what does the firm charge per hour, and is it the same rate as a non-retainer client or a discounted retainer rate? In a major incident the overage hours dominate the bill, so a slightly higher annual fee with a much lower overage rate can be the cheaper option overall. The second is the renewal and rollover terms: do unused hours expire annually, roll forward, or convert automatically to proactive work? A use-it-or-lose-it block that you never touch is money left on the table.
Put the cost in context. A mishandled incident at a small company routinely runs into six figures once you count emergency response at non-retainer rates, extended downtime, lost data, a voided or reduced insurance claim, regulatory exposure, and the staff time consumed by the chaos. A retainer at $10,000 to $18,000 per year is a small fraction of that single-event cost, and it is the difference between a contained incident and a crisis.
Section 4
The Real Math: Retainer vs Cold-Start Response
The argument for a retainer is not emotional, it is arithmetic, and the arithmetic turns on a single variable: time. In an incident, time is the resource that converts directly into cost. Every hour the attacker remains active is an hour of additional encryption, additional data exfiltration, additional lateral movement, and additional systems that will need to be rebuilt. The retainer's central economic function is to compress the time between detection and effective response, and that compression is where the savings come from.
Consider the two paths through the same incident. In the cold-start path, the first day is largely lost to logistics. The company spends hours identifying and vetting firms, more hours on intake and contracting, and pays emergency rates that carry a significant premium over retainer pricing. The attacker, meanwhile, operates unimpeded through that entire window. By the time containment begins, the scope of damage is materially larger, the recovery is longer, and the insurance claim is at risk because the insurer was notified late and the wrong vendors may have been engaged.
In the retained path, the first call reaches a team that is contractually committed to respond, already knows the environment, and begins containment the same day. The insurer is notified within the policy window because the process is already defined. The forensic evidence is preserved correctly from the start, which keeps both the investigation and the claim intact. The total incident cost is lower not because the attack was less severe, but because the response was faster and cleaner.
The figures above are illustrative, and your numbers will differ with your industry, the type of data you hold, and the nature of the incident. But the shape of the comparison holds across nearly every small-business incident we have worked: the retained company pays a known, modest annual fee and a contained response cost, while the cold-start company pays emergency rates on top of a larger incident, and frequently absorbs a reduced or denied insurance claim on top of that. The retainer does not change whether you are attacked. It changes how much the attack costs you.
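The comparison in this section, and the overage-rate point from Section 3 (a higher annual fee with a lower overage rate can be the cheaper retainer once an incident is large enough), can be written as a small cost model. The following is an added example, not code from the article or from any provider; every rate, hour count, damage figure and claim fraction in it is a constructed assumption chosen only to show the shape of the arithmetic, and the dwell time before detection, which is the same on both paths, is left out.

```python
"""Illustrative retainer-vs-cold-start cost model (added example, constructed numbers)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RetainerTerms:
    """Commercial terms of one retainer offer. All values are assumptions for the example."""
    annual_fee: float           # USD per year
    included_hours: float       # pre-paid responder hours in the block
    overage_rate: float         # USD per hour once the block is exhausted
    hours_to_engagement: float  # SLA: hours until a responder is actively working the case


@dataclass(frozen=True)
class Incident:
    """Shape of one incident, independent of which path handles it."""
    responder_hours: float      # responder labour the engagement consumes
    vendor_search_hours: float  # cold-start only: hours lost finding and contracting a firm
    damage_per_hour: float      # business loss per hour the attacker works unimpeded
    gross_loss: float           # insurable loss submitted to the carrier


def retainer_bill(terms: RetainerTerms, hours: float) -> float:
    """Annual fee plus overage for any hours beyond the pre-paid block."""
    overage_hours = max(0.0, hours - terms.included_hours)
    return terms.annual_fee + overage_hours * terms.overage_rate


def cold_start_bill(emergency_rate: float, hours: float) -> float:
    """No annual fee, but every hour is billed at the emergency rate."""
    return emergency_rate * hours


def break_even_hours(cheaper: RetainerTerms, premium: RetainerTerms,
                     max_hours: int = 1000) -> Optional[int]:
    """Smallest whole incident-hour count at which the higher-fee retainer costs no more.

    The bill is piecewise linear in hours (flat inside the block, sloped beyond it), so a
    scan over whole hours is simpler and safer than solving each segment separately.
    Returns None if the premium offer never catches up within max_hours.
    """
    for h in range(max_hours + 1):
        if retainer_bill(premium, h) <= retainer_bill(cheaper, h):
            return h
    return None


def incident_total(response_bill: float, unimpeded_hours: float,
                   inc: Incident, claim_paid_fraction: float) -> float:
    """Response bill + dwell damage + the part of the loss the insurer does not pay."""
    uninsured = inc.gross_loss * (1.0 - claim_paid_fraction)
    return response_bill + unimpeded_hours * inc.damage_per_hour + uninsured


def compare_paths(terms: RetainerTerms, emergency_rate: float, inc: Incident,
                  retained_claim_fraction: float = 1.0,
                  cold_claim_fraction: float = 0.5) -> Tuple[float, float]:
    """Total cost of the same incident on the retained path and on the cold-start path.

    Retained: attacker is unimpeded only for the SLA window; insurer notified in time.
    Cold start: attacker is unimpeded for the whole vendor search; a late notification
    and unapproved vendor are modelled as the carrier paying only part of the claim.
    """
    retained = incident_total(retainer_bill(terms, inc.responder_hours),
                              terms.hours_to_engagement, inc, retained_claim_fraction)
    cold = incident_total(cold_start_bill(emergency_rate, inc.responder_hours),
                          inc.vendor_search_hours, inc, cold_claim_fraction)
    return retained, cold


# Constructed sample terms and incident (assumptions, not real price lists).
RETAINER_A = RetainerTerms(annual_fee=8_000, included_hours=20, overage_rate=400, hours_to_engagement=8)
RETAINER_B = RetainerTerms(annual_fee=14_000, included_hours=40, overage_rate=250, hours_to_engagement=8)
EMERGENCY_RATE = 550          # USD/hour quoted to a non-client mid-incident
SAMPLE_INCIDENT = Incident(responder_hours=80, vendor_search_hours=24,
                           damage_per_hour=2_000, gross_loss=100_000)

if __name__ == "__main__":
    print("Retainer A bill at 80 h:", retainer_bill(RETAINER_A, 80))
    print("Retainer B bill at 80 h:", retainer_bill(RETAINER_B, 80))
    print("B cheaper than A from hour:", break_even_hours(RETAINER_A, RETAINER_B))
    retained, cold = compare_paths(RETAINER_A, EMERGENCY_RATE, SAMPLE_INCIDENT)
    print(f"Same incident: retained {retained:,.0f} vs cold start {cold:,.0f}")
```

With these constructed inputs, retainer B (the higher fee, lower overage) is cheaper than A for any incident of 35 responder hours or more, which is why the overage rate deserves as much attention as the headline fee. The cold-start path costs roughly three times the retained path on the same incident, and most of the gap is not the emergency hourly rate but the dwell damage during the vendor search and the reduced claim. Swap in your own rates and downtime cost to see where your business sits.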
Section 5
When a Retainer Genuinely Pays for Itself
Not every small business needs a retainer, and an honest assessment should acknowledge that. A two-person consultancy with no sensitive data, no regulatory exposure, and minimal downtime cost may reasonably decide that a strong relationship with a responsive IT provider and good backups is sufficient. The question is not whether retainers are universally necessary; it is whether your specific business sits in the profile where one pays for itself. Several factors push you into that profile, and the more of them that apply, the clearer the case becomes.
You hold data whose breach is reportable. If you handle health records, financial data, or significant volumes of personal information, an incident is not just an operational problem; it triggers legal reporting clocks and regulatory exposure. The speed and forensic rigor a retainer provides is what lets you meet those obligations correctly, and the documentation it produces is what defends you if a regulator asks questions.
Downtime is expensive for you. If your business cannot operate for more than a day or two without losing significant revenue or breaching client commitments, the time compression a retainer provides translates directly into preserved income. A professional services firm in deadline season, an e-commerce operation, or a logistics company all fit this profile.
You carry cyber insurance. If you have a policy, a retainer aligned with your insurer's panel means the response satisfies the policy's vendor and notification conditions by design rather than by luck. This protects the claim, which is often the largest single financial factor in how an incident resolves. A retainer and a policy that are aligned in advance are far stronger than either alone.
You have no in-house security team. The smaller your internal security capability, the more a retainer matters, because you have no one to run the response yourself. The companies that suffer the worst outcomes are rarely the largest; they are the ones with valuable data, real downtime cost, and no prepared response capability. A retainer fills exactly that gap.
There is also a quieter way a retainer pays for itself, one that has nothing to do with an incident at all. The onboarding and proactive work that comes with a good retainer routinely uncovers problems before any attacker does. We have found untested backups that would have failed in a real recovery, remote-access services exposed to the internet, logging that was switched off so no investigation would have been possible, and administrator accounts shared across an entire team. Each of those findings, surfaced during a calm onboarding session, is a future incident that did not happen. That preventive value accrues every year, whether or not the response side is ever triggered.
Section 6
How to Choose a Provider: The Questions That Matter
Once you have decided a retainer makes sense, the choice of provider matters more than the choice of tier. The right firm for a small business is not necessarily the largest or most famous; it is the one whose response model, pricing structure, and working style fit a company of your size and risk profile. The following questions cut through the marketing and surface what you are actually buying.
| Ask the provider | What a good answer sounds like |
|---|---|
| What is the guaranteed response time, and does the clock start at contact or at active engagement? | A specific number in writing, with the clock measured to active technical engagement, not just an acknowledgement email. |
| What counts against my included hours? | Clear rules: incident hours, proactive hours, and whether administrative or travel time is billed against the block. |
| What is the overage rate once the block is gone? | A discounted retainer rate, not the full emergency rate a non-client would pay. |
| Can unused hours convert to proactive work? | Yes, applied to tabletops, backup validation, plan development, or a compromise assessment. |
| Are you on my cyber insurer's panel? | Either yes, or a clear path to pre-approval so the engagement does not jeopardize the claim. |
| Who actually shows up, and what is their experience with companies my size? | Named, experienced responders, not a junior queue, with a track record on small-business incidents. |
| How do you coordinate with breach counsel and preserve privilege? | A routine, practiced workflow of working under counsel's direction, not an unfamiliar request. |
Beyond the answers themselves, pay attention to how the provider engages with you during the sales conversation. A firm that takes the time to understand your business, asks about your data and your downtime tolerance, and recommends a tier that fits rather than the most expensive option is signaling how they will behave during an incident. A firm that quotes a price without asking what you do is selling a product, not a relationship, and a retainer is fundamentally a relationship.
A note on size fit: Some large response firms structure their retainers around enterprise clients and treat a small business as a low-priority account behind a long intake queue. For a small company, a firm that specializes in or genuinely values small and mid-sized clients often delivers faster, more attentive response than a global brand where you are the smallest account. Ask directly how they prioritize, and ask to speak with a reference of similar size.
Section 7
Getting Started Without Overbuying
The mistake that holds small businesses back from a retainer is the belief that they have to buy a large, expensive agreement or none at all. In practice, the right approach is to start with a tier matched to your actual risk, use the proactive hours to strengthen your preparation in the first months, and scale the agreement up only if your risk profile grows. A retainer is not a one-time purchase that you set and forget; it is a relationship that should track your business as it changes.
A sensible onboarding sequence looks like this. In the first month, the firm documents your environment and you complete a short readiness review together. In the second month, you run a tabletop exercise that walks your leadership through a simulated incident so everyone knows their role before a real one occurs. In the third month, you validate that your backups actually restore, close the highest-risk gaps the onboarding surfaced, and finalize a one-page incident response plan that names your incident commander and the first three calls. By the end of the first quarter, you have both a response capability on standby and a measurably stronger security posture, achieved largely with hours you had already paid for.
If a full retainer is genuinely out of reach this year, there is still a meaningful first step. Have a single conversation with a qualified response firm, get their emergency contact details on file, and ask what a right-sized retainer would cost for your business. Even that minimal preparation, knowing who you would call and having had one conversation with them, puts you ahead of the company that starts the search at the moment of crisis. The goal is to never again face the question the accounting firm faced on that Friday evening: "Who do we even call?"
The companies that come through incidents well are not the ones with the largest security budgets. They are the ones that made a small number of high-leverage decisions before anything went wrong: tested backups, a one-page plan, and a phone number that reaches a prepared team in minutes. A retainer is how a small business buys that last piece. It is modest in cost, disproportionate in value, and the one purchase that turns the worst day of your year from a catastrophe into a manageable event.
FAQ
Six Questions Small Businesses Ask About IR Retainers
Is an IR retainer the same as cyber insurance?
No, and the distinction is important because the two do different jobs and work best together. Cyber insurance is a financial instrument: it reimburses some of your losses after an incident, subject to deductibles, limits, and conditions, and it typically dictates which response vendors you are allowed to use and how quickly you must notify the insurer. An incident response retainer is the operational capability itself: it is the team that actually investigates, contains, and helps you recover from the attack. Insurance pays part of the bill; the retainer firm does the work. The strongest position is to have both, and to align them in advance so that your retained response firm sits on your insurer's approved panel. When they are aligned, a single call triggers a response that automatically satisfies the policy's vendor and notification conditions, which protects the claim. When they are not aligned, you risk engaging a firm your insurer will not approve and jeopardizing the very coverage you are paying for.
What happens to the money if we never have an incident?
With a well-structured retainer, very little of it is wasted, because the better agreements let you convert unused incident hours into proactive work. Instead of paying for capacity that sits idle, you spend those hours on tabletop exercises, backup validation, an incident response plan, detection tuning, or a compromise assessment that checks whether an attacker is already in your environment. This proactive work is genuinely valuable on its own and routinely surfaces problems before any attacker finds them. The question to ask any provider before signing is explicit: can unused hours be applied to proactive services, and do they roll forward or expire annually? If the answer is that hours can convert to preparation, then a year with no incident is not a wasted expense; it is a year in which your retainer made you measurably harder to attack. If the answer is that hours simply expire unused, negotiate for conversion or choose a different provider.
We are a small company with good backups. Do we still need one?
Good backups are the single most important defense against many incidents, and if yours are tested, immutable or offline, and genuinely restorable, you have eliminated the worst-case scenario in a ransomware event. But backups address recovery, not the full incident. They do not tell you how the attacker got in, whether they are still present, what data they accessed or exfiltrated before you noticed, or whether you have a reporting obligation to a regulator or to affected individuals. They also do not help you preserve forensic evidence correctly, coordinate with your insurer, or produce the documentation a client or regulator will ask for. A retainer covers the parts of an incident that backups cannot: the investigation, the scoping, the containment of an active intruder, and the legal and regulatory coordination. If you hold sensitive or reportable data, the case for a retainer remains strong even with excellent backups. If you hold little sensitive data and downtime is cheap for you, good backups plus a responsive IT relationship may reasonably be enough for now, and you can revisit the decision as your business grows.
How fast will a retained firm actually respond?
It depends entirely on the response-time commitment written into your agreement, which is why that clause deserves close reading. Commitments range from one hour to next business day, and they may apply around the clock or only during business hours. For most small businesses, a same-day or four-hour remote response covers the need, because the critical first actions in most incidents are remote: isolating systems, preserving evidence, and beginning the forensic analysis, none of which requires someone physically onsite in the first hours. A one-hour onsite guarantee is more expensive and is usually only necessary for businesses with very high downtime costs or complex physical environments. The detail to confirm is whether the clock measures the time to a real responder actively working your case or merely the time to an acknowledgement of your call. A guarantee that promises a callback within an hour but does not commit to engagement is much weaker than one that commits to active work within a defined window. Get the specific number, the operating hours it covers, and the definition of when the clock stops, all in writing.
Can our regular IT provider just handle an incident instead?
A good IT provider is valuable, but incident response is a distinct discipline, and the two are not interchangeable in a serious breach. Your IT provider keeps systems running; they are usually not trained in forensic evidence preservation, breach scoping, working under legal privilege, or coordinating a response that satisfies an insurer's conditions and a regulator's reporting requirements. In an incident, well-meaning IT instincts can actually cause harm: rebuilding a compromised machine before it is imaged destroys the evidence needed to scope the breach and support an insurance claim, and restoring from backups into an environment the attacker still controls simply hands them a clean target. This is not a criticism of IT providers; it is a difference in specialization, the same way a general practitioner is not a surgeon. The best arrangement is for your IT provider and your retained response firm to work together, with the IT team providing environmental knowledge and access while the response firm runs the forensic and containment work. Some IT providers partner with response firms precisely so they can bring in specialist capability when an incident exceeds their scope, and that is exactly the right model.
What is the minimum we can do if a full retainer is not in the budget this year?
Even without a signed retainer, you can capture a large share of the benefit with very little spend. The single most valuable step is to identify a qualified incident response firm now, while everything is calm, have one conversation with them about your business, and save their emergency contact details somewhere your leadership can reach them instantly. That alone removes the most expensive part of a cold-start response, the hours lost searching for and vetting a firm during the crisis itself. Alongside that, do the three preparation items that cost little but matter enormously: verify that your backups actually restore by testing a recovery, write a one-page incident response plan that names who is in charge and lists the first three calls to make, and ensure someone on your team knows not to power off, wipe, or rebuild a compromised machine before it can be examined (disconnecting it from the network contains it while keeping its memory and logs intact for the responders). These steps are achievable in a few hours and on a modest budget, and they convert the most dangerous incident scenarios into manageable ones. Then, when budget allows, formalize the relationship into a retainer so that the first conversation becomes a contractual response-time guarantee. The progression from a saved phone number to a full retainer is natural, and every step along it makes your next incident less costly than it would otherwise be.

Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.