Incident Response Retainer
IR retainer services, on-call procedures, escalation, and vendor management.
Overview
IR retainers provide guaranteed access to incident response experts.
Retainer Components
| Component | Description |
|---|---|
| Response time | SLA for response |
| Hourly rate | Cost per hour |
| Scope | Covered incidents |
| Exclusions | Not covered |
| Reporting | Documentation |
Retainer Agreement
```markdown
# IR Retainer Agreement

## Service Levels
- Priority 1 (Critical): 1 hour response
- Priority 2 (High): 4 hours response
- Priority 3 (Medium): 24 hours response

## Scope
- Ransomware incidents
- Data breaches
- System compromises
- Malware infections

## Exclusions
- Prior known vulnerabilities
- Third-party breaches
- Acts of God

## Costs
- Retainer fee: $X/month
- Hourly rate: $Y/hour
- Overtime rate: $Z/hour
```
On-Call Procedures
```yaml
# On-call rotation
on_call:
  primary:
    - name: "John Smith"
      phone: "+1-555-0101"
      email: "john@example.com"
  secondary:
    - name: "Jane Doe"
      phone: "+1-555-0102"
      email: "jane@example.com"
  escalation:
    - name: "Security Manager"
      phone: "+1-555-0100"
```
Escalation Matrix
| Severity | Notification | Response |
|---|---|---|
| Critical | Immediate | Full team |
| High | 1 hour | Core team |
| Medium | 4 hours | Assigned analyst |
| Low | 24 hours | Ticket queue |
Vendor Management
```python
# Vendor tracking
vendors = {
    "ir_firm": {
        "name": "Security Consulting Inc.",
        "retainer_paid": True,
        "hours_remaining": 40,
        "contact": "ir@example.com"
    }
}
```
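The escalation matrix, on-call rotation and vendor record above can be combined into one routing decision. The following is an added example, not part of the original page; the paging policy per severity, the rule that the IR firm is engaged only for in-scope High and Critical incidents, and the names `plan_response` and `est_hours` are assumptions.

```python
from datetime import datetime, timedelta

# Escalation matrix from the page: severity -> (notification window, responders)
ESCALATION = {
    "critical": (timedelta(0), "Full team"),
    "high": (timedelta(hours=1), "Core team"),
    "medium": (timedelta(hours=4), "Assigned analyst"),
    "low": (timedelta(hours=24), "Ticket queue"),
}
# Incident types listed under Scope in the sample agreement (singular form)
RETAINER_SCOPE = {"ransomware", "data breach", "system compromise", "malware infection"}
# Phone numbers from the sample on-call rotation
ON_CALL = {"primary": "+1-555-0101", "secondary": "+1-555-0102", "escalation": "+1-555-0100"}


def plan_response(severity, incident_type, detected_at, vendor, est_hours=0):
    """Return who to page, the notification deadline, and whether to call the IR firm."""
    sev = severity.strip().lower()
    if sev not in ESCALATION:
        raise ValueError(f"unknown severity: {severity!r}")
    window, responders = ESCALATION[sev]
    # Assumed paging policy: primary always, secondary from High, manager on Critical
    page = [ON_CALL["primary"]]
    if sev in ("critical", "high"):
        page.append(ON_CALL["secondary"])
    if sev == "critical":
        page.append(ON_CALL["escalation"])
    # Assumed engagement rule: retainer is paid, incident type is in scope, severity High+
    in_scope = incident_type.strip().lower() in RETAINER_SCOPE
    engage = bool(vendor["retainer_paid"]) and in_scope and sev in ("critical", "high")
    # Hours by which the estimate exceeds the remaining retainer balance
    overage = max(0, est_hours - vendor["hours_remaining"]) if engage else 0
    return {
        "responders": responders,
        "page": page,
        "notify_by": detected_at + window,
        "engage_vendor": engage,
        "vendor_contact": vendor["contact"] if engage else None,
        "overage_hours": overage,
    }


if __name__ == "__main__":
    # Constructed sample: vendor record as on the page, incident details invented
    vendor = {"name": "Security Consulting Inc.", "retainer_paid": True,
              "hours_remaining": 40, "contact": "ir@example.com"}
    plan = plan_response("Critical", "Ransomware", datetime(2024, 1, 1, 9, 0), vendor, est_hours=55)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

A non-zero `overage_hours` is the signal to confirm budget with the vendor before the prepaid hours run out mid-incident.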
Practice
Establish an IR retainer agreement and create on-call procedures.