Why Traditional Incident Response Retainers Leave CISOs Exposed (and Money on the Table)
I have lost count of the post-incident reviews where the most painful conversation was not about the breach itself. It was about the retainer.
A CISO realizes the prepaid hours expired six weeks before the intrusion began. A General Counsel discovers the retained firm is not on the cyber insurance panel and the claim is now in dispute. A board member asks why an organization that paid for "preparedness" spent the first eighteen hours of an incident negotiating scope. None of these failures are about the responders in the room. They are about a procurement model that has not kept pace with how attacks actually unfold.
Devon Ackerman recently wrote about the four most common mistakes that delay containment and drive up costs. My colleague Jamie Mamroe has documented how identity-driven intrusions now define the modern caseload, where attackers blend into trusted business workflows instead of detonating malware. What both posts make clear, when you read them alongside one another, is that the traditional retainer structure was built for a different era of incident response. It assumed shorter dwell times, narrower scope, predictable forensic artifacts, and a one-time burst of hours to handle one bad week.
That model is breaking. Here is what I see breaking it, and what a modern retainer should do instead.
The "Use It or Lose It" Problem Discourages the Work That Matters Most
The classic retainer is structured like a use-it-or-lose-it gym membership. You prepay a block of hours. If you do not have an incident in the term, the hours evaporate. The unspoken incentive is to wait for a crisis so the hours feel "worth it."
That is exactly the opposite of how resilience is built. The most valuable hours an IR firm can spend with a client are almost never the ones billed during a live ransomware event. They are the hours spent running a tabletop with the executive team, validating that the SIEM is logging the right identity telemetry, reviewing the playbook against the current insurance policy, or walking finance through a wire-fraud scenario before the wire is sent.
When retainers expire unused, organizations are penalized for the very preparedness work that would have made a future incident cheaper, shorter, and less litigated. A modern retainer should let unused hours roll into readiness activities, advisory time, or threat intelligence briefings. The money has already been spent. The question is whether it is allowed to produce value before something burns.
Hours Are Not Outcomes
I have watched organizations exhaust a 100-hour retainer on a single mid-sized incident and still not have a contained environment or a defensible forensic record. I have also seen incidents resolved in twenty hours because the right two analysts were on the bridge at the right time.
Hours measure the input. They tell you nothing about whether the attacker was evicted, whether the chain of custody will hold up in litigation, or whether the insurer will reimburse the claim. A retainer priced purely in hours is a retainer that has not been calibrated to outcomes, and that calibration is where modern IR earns its keep.
When Devon describes the Goldilocks Response, the point is that speed and thoroughness are both failure modes if they are not paired with judgment. A retainer should be evaluated on response-time SLAs, the seniority of the responders who actually pick up the phone, and the breadth of services those hours can flex across. If your retainer only covers DFIR and your incident is fundamentally an identity and cloud forensics problem, hours alone will not save you.
No Path to Resilience Maturity
The retainer arrives, the contract is signed, the welcome email goes out, and then nothing happens until something is on fire. That is the experience most clients describe when I ask them what their previous retainer felt like.
A retainer should be the entry point to a maturity journey, not a parking spot for emergency contact information. The clients who weather incidents best are the ones whose retainer relationship includes a defined cadence of tabletop exercises, plan reviews, threat briefings tied to their actual technology stack, and proactive hunts when their industry is being targeted. That is not value-added marketing language. That is the difference between an organization that contains an intrusion in days and one that spends three weeks reconstructing what happened because nobody had practiced the workflow.
Ask your provider what the first ninety days of the retainer look like before any incident is declared. If the answer is "you have our hotline number," that is a retainer designed to sit on a shelf.
You Are Overpaying for Lower-Cost Services at IR Rates
This one is the quiet wealth transfer that nobody puts in a slide. IR rates are premium for a reason: senior DFIR consultants, forensic tooling, evidence preservation under litigation hold, and expert witness availability. None of that comes cheap, and it should not.
But IR retainers frequently get drawn down on work that is not IR. Log review that a managed detection and response team should be running. Vulnerability assessments. Policy writing. Phishing simulations. When those activities are billed at incident response rates because that is the only contract the organization has with the provider, the math gets ugly fast. I have seen clients burn through a six-figure retainer on activities that would have cost a fraction of that under the right service line.
A modern retainer should let prepaid funds flow across the services the client actually needs, whether that is DFIR, advisory, MDR enhancement, or readiness exercises. The pricing for each service line should reflect what that service actually is, not the premium rate of the most expensive person in the room.
The Retainer May Not Be Aligned to Your Insurance Panel
This is the one that ends careers, and I do not say that lightly.
Many cyber insurance policies either require the use of a vendor from the carrier's pre-approved panel or give the carrier consent rights over which IR vendor you engage. If your retained firm is not on the panel and you call them anyway, you can trigger claim delays, partial reimbursement, or outright denial. I have been in the room when a CFO learned, two days into a ransomware response, that the retainer they had been paying for was about to cost them seven figures in unreimbursed expense because their insurer did not recognize the vendor.
The fix is not complicated, but it requires the IR firm to have done the work upstream. Panel relationships take years to build and require sustained engagement with carriers. When you evaluate a retainer, ask for the list of carriers and panels the provider sits on, and check that list against your own policy's vendor and consent clauses rather than taking the provider's word for it. If you want to keep a firm that is not on your carrier's panel, ask the carrier to approve them in writing before the policy is bound; that conversation is routine at renewal and nearly impossible mid-incident. Ask how the provider's notification workflows integrate with breach counsel and the insurer, including who makes the first call and in what order, because policies carry notice deadlines of their own. If the answer is vague, the retainer has a hole in it that you cannot patch during an incident.
Building a Modern Retainer
If I were a CISO or General Counsel writing the RFP today, I would ask five questions:
- Does the agreement allow unused funds to roll into readiness, advisory, or threat intelligence work, so my preparedness investment is never wasted?
- Are response-time commitments backed by an SLA with named seniority, and do those responders have the breadth to handle identity, cloud, and endpoint forensics, not just one of the three?
- Is there a defined ninety-day onboarding and a recurring cadence of exercises, briefings, and plan reviews built into the retainer, before any incident is ever declared?
- Can the prepaid funds flow across service lines at the rate appropriate to each service, so I am not paying DFIR rates for work that should not require them?
- Is the provider on the panels of the carriers I actually use, and can they document the workflow that protects my claim from procedural noncompliance?
The retainer is one of the few cybersecurity investments where the structure of the contract directly determines the outcome of the incident. Get the structure right and the responders will have what they need to work the problem. Get it wrong and the best DFIR team in the world will spend the first day untangling paperwork instead of evicting the attacker.
If you would like to compare your current retainer against this framework, that is a conversation worth having before the next call comes in at 2 a.m.
ABOUT LEVELBLUE
LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.