
Incident Response Retainer

Cyber incident response retainer for NYC and NJ businesses. Guaranteed SLA, IR plan development, tabletop exercises, and 24/7 breach response. From $750/month.

What's included

  • Guaranteed response SLA (1-4 hours depending on tier)
  • Incident response plan development tailored to your environment
  • Annual tabletop exercise with post-exercise report
  • 24/7 breach detection and containment
  • Digital forensics and malware analysis
  • Threat actor communication and ransomware negotiation
  • Breach counsel coordination
  • Regulatory notification guidance (SHIELD Act, HIPAA, PCI)
  • Post-incident report and remediation plan
  • Cyber insurance documentation and carrier liaison
  • Proactive threat hunting and IOC monitoring
  • Evidence preservation for law enforcement

When the breach happens, you will not be shopping for help at 2 AM

The average ransomware attack on a small business costs over $250,000. The average time to detect a breach without monitoring is 194 days. The average cost of incident response without a retainer is $800-$1,500 per hour, with response times measured in days — not hours.

An incident response retainer costs $750 per month. The math is not complicated.

What the retainer buys you

Before the incident

IR plan development — A written incident response plan tailored to your environment, your threat profile, your regulatory obligations, and your insurance policy. Not a template. Not a PDF that sits in a drawer. A plan that names roles, defines escalation paths, documents system dependencies, and specifies recovery priorities.

Annual tabletop exercise — A facilitated simulation of a realistic attack scenario. Your team walks through the response step by step. The exercise exposes gaps in the plan — unclear escalation chains, untested backup restores, missing contact information, undocumented system dependencies — before a real incident does. We update the IR plan based on findings.

Environmental knowledge — We document your systems, your critical assets, your backup architecture, your vendor relationships, and your regulatory obligations. When an incident occurs at 2 AM, we do not start with “tell us about your network.” We start with containment.

During the incident

Guaranteed SLA — Standby tier: 4-hour response. Ready tier: 2-hour response. Priority tier: 1-hour response with guaranteed on-site within 4 hours. Compare this to non-retained response times of 2-5 business days.

Containment — Isolate affected systems, cut lateral movement, preserve forensic evidence. The first hours of an incident determine whether you lose one workstation or the entire domain.

Investigation — Identify the attack vector, map the blast radius, determine what data was exposed, and assess the regulatory notification requirements.

24/7 monitoring — Through our MDR partner, your environment is monitored around the clock during an active incident. Threat actors do not work business hours. Neither does the response team.

After the incident

Post-incident report — Written root cause analysis, timeline of events, containment and remediation actions taken, and recommendations to prevent recurrence.

Remediation — Harden the environment based on findings. Close the vulnerability that was exploited. Improve detection capability for the attack vector.

Insurance and regulatory documentation — The evidence package your carrier needs to process a claim, and the notification documentation your regulatory obligations require (SHIELD Act, HIPAA, PCI, depending on the data exposed).

What it costs

| Tier | Annual | Monthly | Included Hours | Overage Rate | Response SLA |
|---|---|---|---|---|---|
| Standby | $9,000/yr | $750/mo | SLA guarantee only | $200/hr | 4 hours |
| Ready | $18,000/yr | $1,500/mo | 40 hrs/yr | $175/hr | 2 hours |
| Priority | $36,000/yr | $3,000/mo | 100 hrs/yr | $150/hr | 1 hour + on-site 4hr |

All tiers include: IR plan development, annual tabletop exercise, breach counsel coordination, regulatory notification guidance, post-incident report, and cyber insurance documentation support.

Existing managed clients on Secure ($159/workstation/month) or Sovereign ($225/workstation/month) tiers receive a 10% discount on retainer pricing.

Without a retainer: $800-$1,500 per hour. Response time: 2-5 business days. No SLA. No pre-built IR plan. No environmental knowledge. The first 20 hours are spent learning your network while the attacker moves.

The economics

A 25-seat professional services firm on the Standby tier pays $750 per month — $9,000 per year.

The same firm without a retainer, hit by ransomware:

  • Emergency IR engagement (non-retained): $30,000-$80,000
  • Business interruption (3-5 days): $25,000-$75,000
  • Regulatory notification and legal: $10,000-$30,000
  • Insurance deductible: $10,000-$50,000
  • Premium increase at renewal: 20-50%

Businesses with mature IR plans refuse to pay ransom 86% of the time. Businesses without them pay — and still face the recovery costs on top of the ransom.

How it connects

The IR retainer works alongside your existing cybersecurity stack (prevention), compliance program (documentation), and vCISO advisory (strategy). Prevention reduces the likelihood. The retainer handles what happens when prevention is not enough.

For managed clients already on the Secure or Sovereign tier, the EDR, SIEM, backup infrastructure, and environmental knowledge are already in place. The retainer adds the guaranteed SLA, the written plan, the annual exercise, and the insurance-ready documentation.

FAQ

Incident Response Retainer — questions we get

What is an incident response retainer and why do I need one?

An IR retainer is a pre-negotiated agreement that guarantees a response SLA when a cyber incident occurs. Without a retainer, you are calling vendors cold during a crisis — response times are measured in days, hourly rates jump to $800-$1,500, and the first several hours are spent on-boarding your environment while the attacker moves laterally. With a retainer, we already know your environment, your IR plan is written and tested, and a senior engineer picks up the phone within hours. The retainer is breach insurance for your breach insurance.

How much does an IR retainer cost?

Standby tier: $750 per month ($9,000 per year) — SLA guarantee, IR plan, annual tabletop, no prepaid hours. Ready tier: $1,500 per month ($18,000 per year) — includes 40 hours per year of response time. Priority tier: $3,000 per month ($36,000 per year) — includes 100 hours per year, 1-hour response SLA, and guaranteed on-site within 4 hours. Overage hours are billed at $150-$200 per hour depending on tier — significantly below the $800-$1,500 per hour rate for non-retained incident response.

Do prepaid hours roll over if we do not use them?

No. Hours reset annually. This keeps the retainer cost predictable. The reality: if you are using 100 hours of incident response in a year, the retainer already saved you $50,000-$100,000 compared to non-retained rates. The value is in the SLA and the discounted hourly rate, not in banking hours.

What counts as an incident?

Any event that threatens the confidentiality, integrity, or availability of your systems or data: ransomware, business email compromise, unauthorized access, data exfiltration, malware infection, phishing that resulted in credential compromise, or a suspected breach identified by your monitoring tools or staff. A suspicious email that your team caught and reported before any damage — that is not an incident, that is a ticket. We will not manufacture incidents to burn hours.

Does our cyber insurance require an IR retainer?

Increasingly, yes. Cyber insurance carriers in 2026 are requiring or strongly incentivizing documented IR plans, 24/7 monitoring, and pre-established vendor relationships for incident response. Some carriers offer premium discounts for businesses with active IR retainers. Our retainer documentation package is designed to satisfy carrier requirements — we have pre-approval from major cyber insurance carriers through our MDR partners.

What happens during an actual incident?

Hour 0-1: Alert triggers, senior engineer assesses scope and severity. Hour 1-4: Containment — isolate affected systems, cut lateral movement, preserve forensic evidence. Hour 4-12: Investigation — identify attack vector, map the blast radius, determine data exposure. Hour 12-48: Remediation — eradicate threat, restore from backup, harden the environment. Day 2-5: Recovery — validate systems, monitor for persistence, restore normal operations. Day 5-14: Post-incident — written report, root cause analysis, remediation recommendations, insurance carrier and regulatory documentation.

Do you handle the forensics in-house or partner?

Sage handles initial triage, containment, and coordination directly. For 24/7 SOC monitoring and advanced digital forensics (malware reverse engineering, deep disk forensics, threat intelligence correlation), we partner with a managed detection and response provider — Huntress or Arctic Wolf depending on the client stack. Both are pre-approved by major cyber insurance carriers. You deal with Sage as a single point of contact; the MDR partner operates behind the scenes.

What if we already have managed cybersecurity with Sage?

Managed cybersecurity (EDR, SIEM, backup, patching) is prevention. The IR retainer is the response plan for when prevention is not enough. Managed cybersecurity clients on the Secure or Sovereign tier already have significant overlap — the monitoring, the backup infrastructure, and the environmental knowledge are in place. Adding a Standby IR retainer for $750 per month adds the guaranteed SLA, the written IR plan, the annual tabletop, and the insurance-ready documentation. Existing managed clients receive a 10% discount on IR retainer pricing.

What is a tabletop exercise?

A facilitated walkthrough of a realistic incident scenario — ransomware hits at 2 AM on a Friday, business email compromise targets your CFO, or a disgruntled employee exfiltrates client data before quitting. Your team walks through the response: who calls whom, what gets shut down first, when legal is notified, how clients are informed, what the insurance carrier needs. The exercise exposes gaps in your IR plan before a real incident does. We facilitate one per year and update the IR plan based on findings.

The average ransomware cost seems high. Where does that number come from?

The $250,000+ average cost figure for SMB ransomware attacks includes direct costs (ransom if paid, recovery labor, forensics, legal, notification) and indirect costs (business interruption, lost revenue, reputation damage, increased insurance premiums). Businesses with mature IR plans refuse to pay ransom 86% of the time because they have tested backups and a documented recovery process. The retainer is not about paying us $750 a month — it is about not paying an attacker $250,000.

Ready for IT that does not surprise you?

A 30-minute call. No slide deck. We will tell you what looks healthy, what looks risky, and what we would do first.
