When production breaks at 2am (credentials in a public repo, a customer reporting an exploit, your AWS account locked out) you need someone who answers the phone and knows what to do. $1K–$3K/month gets you that someone, with a guaranteed response SLA.
Three tiers, one shape: a real human on call, a contracted SLA, and the relationship in place before you need it.
All tiers: 24/7 coverage, contracted SLA, escalation paths into your tooling (PagerDuty, Slack, phone, email). Unused retainer hours roll forward one month.
Active incidents, not advisory hours. We are in the call within the SLA, in your tooling, working the problem with your engineers.
We run the war room: triage severity, lead the bridge call, write status updates, coordinate engineering and customer comms. Your team focuses on the technical fix; we own the process.
Compromised credentials, malicious commits, exfiltration in progress, DDoS. We have done all of these. Years of running production systems at 99.9%+ uptime and operating an anti-DDoS platform that was acquired within a year of launch.
Blameless postmortem with timeline, root cause, and remediation owners. If customer data was touched, we draft the breach disclosure and coordinate with your legal team. SOC 2 evidence captured along the way.
The retainer is not just for when things burn. Every quarter we run a tabletop on a realistic scenario for your stack (credential leak, ransomware, vendor compromise) so the playbook is tested before it is used.
A breach mid-fundraise will cost you more than the retainer's lifetime fees. The math is simple.
The worst time to find an IR firm is while you are bleeding. The relationship, the contracts, and the access all need to exist beforehand. The retainer puts the paperwork on the shelf so that all you have to do is call.
Your enterprise security questionnaire will ask if you have a retained incident response provider. Saying "yes, with documented SLA" closes the row. Saying "no, we will figure it out" loses deals.
Most months you will use a few retainer hours for tabletops and security reviews. The month you actually have an incident, the retainer pays back its lifetime cost in a single weekend.
Two weeks from contract to ready-state. We need the runbook in place before the first call.
MSA, retainer SOW, NDA. Read-only access into your cloud, identity provider, and observability stack so we can move fast on day one of an incident. We sign your security questionnaire, not the other way around.
We document your stack, key contacts, decision authority, and escalation paths. PagerDuty integration, Slack channel, phone numbers. Your team knows exactly how to call us; we know exactly who to call back.
Within 30 days of signing, we run a tabletop on the most likely incident type for your business. It surfaces gaps in the runbook before they cost you in a real incident.
15-minute scoping call. Tier picked, contract drafted, retainer in place within a week.
A retainer gives you a defined response path before something goes wrong: an agreed escalation process, prepared runbooks, and reserved access to responders when you need them. It covers triage, containment guidance, and coordination during an incident, plus periodic readiness work like tabletop exercises.
Response targets are set in the retainer agreement so expectations are clear up front. Having a retainer in place is what makes a fast response possible, because access, contacts, and runbooks are already established before an incident rather than scrambled together during one.
During an active incident, hours matter and onboarding a stranger to your environment is slow and risky. A retainer means we already know your stack, your contacts, and your runbooks. You also get the preventative work (tabletops, escalation trees) that reduces the chance of an incident in the first place.
We lead triage, containment strategy, and coordination, and work hands-on within the scope agreed in your retainer. For deep forensic or specialist offensive work we bring in our partner Lorikeet Security. The retainer defines exactly what is covered so there are no surprises mid-incident.
Yes. A documented incident response plan and an IR retainer are commonly expected for SOC 2 and frequently requested by cyber insurers. The runbooks and tabletop records we produce serve as evidence for both.