2026.04.30

IR

What an IR retainer actually buys you at 2 AM

By Strace

Most retainer agreements look the same on paper: a contract, an SLA, a phone number. The differences only show up when the phone rings outside business hours.

Two firms can both advertise a "four-hour response SLA" and deliver completely different outcomes in the first six hours of a real incident. The contract language often does not distinguish. The 2 AM call does.

What the SLA actually means

A "4-hour response" SLA can mean any of three different things depending on the firm:

  • A senior practitioner picks up the phone within four hours and is already pulling logs by hour two.
  • A junior analyst opens a ticket within four hours and a senior is paged once the ticket is triaged.
  • An automated acknowledgment fires within four hours and someone calls back during business hours the next day.

All three are technically compliant with the SLA. Only one is useful at 2 AM.

The questions worth asking during retainer negotiation, in order:

  • Who is on the other end of the phone — a named practitioner or a queue?
  • What is the time to engaged forensics, not the time to acknowledgment?
  • How is overnight coverage actually staffed — is there a senior on rotation, or is "after-hours" a callback promise?

What pre-negotiated terms unlock

When the breach is confirmed at 2 AM, the things that determine response speed in the first six hours are mostly contractual, not technical:

  • Master Services Agreement already signed. A new MSA negotiated under incident pressure takes 6-12 hours and involves legal back-and-forth that nobody is awake for at 3 AM.
  • IR-specific Statement of Work approved or pre-templated. The scope of work — what the IR firm is authorized to do, on which systems, with what data access — should be agreed before the incident. Otherwise the first conversation at 2 AM is a scoping conversation, not a triage conversation.
  • Legal counsel notification workflow defined. Privilege and reporting strategy should not be improvised at 3 AM. A pre-defined workflow — counsel engages the firm, the firm reports through counsel where appropriate — keeps the legal posture from being decided under pressure.
  • Cyber insurance carrier coordination path established. Most policies require carrier notification within a defined window and approval of the IR firm before the engagement is reimbursable. A pre-approved firm on the carrier's panel removes that approval as a blocker.
  • Approved scope of forensic activity. Imaging, log pulls, endpoint isolation, account suspension — each carries operational risk. Pre-approved authority on these actions means the team can start without escalating each step to leadership in the middle of the night.

What the first six hours actually look like

The retainer pays for itself in the first six hours. A representative timeline for a business email compromise response under a properly structured retainer:

  • Hour 0 — Customer detects a wire transfer that does not match an existing PO. They call the retainer hotline.
  • Hour 0:30 — Senior practitioner is on the phone, access path confirmed via pre-onboarded delegated permissions, M365 audit collection underway, and the team is validating whether inbox rules, sign-ins, OAuth grants, or forwarding activity indicate compromise on the affected account.
  • Hour 1 — Affected account suspended, attacker session tokens revoked, password reset, MFA enrollment reset. Forensic image of the user's endpoint initiated remotely.
  • Hour 2 — Counsel notified per the pre-defined workflow. Insurance carrier notified within their policy-required window. Customer's CFO briefed on what is confirmed and what is still being investigated.
  • Hour 3-4 — Audit pull across the full available retention window for the affected mailbox and adjacent accounts. Cross-referenced against sign-in logs to identify the scope of compromise.
  • Hour 5-6 — Initial written brief delivered to customer leadership: what happened, what was stopped, what remains uncertain, what the next 24 hours look like, what decisions are needed from leadership before close of business.
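The hour 0:30 step above is where the responder decides, from the M365 audit data, whether inbox rules, sign-ins, OAuth grants or forwarding changes point to a compromised account. The script below is an added illustration of that triage pass and is not part of the original post or Strace's tooling. It runs over a handful of constructed records shaped like Microsoft 365 unified audit log entries (the operation and parameter names follow the real schema as far as the example uses them, but every address, IP and timestamp is invented), flags the classic business-email-compromise indicators per account, and rates an account as likely compromised when a mail-hiding or forwarding change coincides with a session-level signal. The known egress addresses, the internal domain and the list of "burial" folders are assumptions a real engagement would take from the customer's onboarding baseline.

```python
"""Per-account triage of M365 audit records for business email compromise indicators.

Added example: constructed data, not output from any real tenant.
"""
from collections import defaultdict

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries. Real records carry many more fields; only the ones used here are kept.
SAMPLE_AUDIT = [
    {"CreationTime": "2026-04-30T01:12:03", "Operation": "UserLoggedIn", "UserId": "ap@example.com",
     "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory", "ResultStatus": "Success"},
    {"CreationTime": "2026-04-30T01:15:40", "Operation": "New-InboxRule", "UserId": "ap@example.com",
     "ClientIP": "203.0.113.7", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-30T01:16:02", "Operation": "Set-Mailbox", "UserId": "ap@example.com",
     "ClientIP": "203.0.113.7", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "ap@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2026-04-30T01:20:11", "Operation": "Consent to application.", "UserId": "ap@example.com",
     "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory", "ResultStatus": "Success"},
    # Benign activity from a second user, for contrast.
    {"CreationTime": "2026-04-29T08:02:00", "Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "ClientIP": "198.51.100.20", "Workload": "AzureActiveDirectory", "ResultStatus": "Success"},
    {"CreationTime": "2026-04-29T08:30:00", "Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "ClientIP": "198.51.100.20", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Assumed environment baseline (in practice taken from retainer onboarding).
KNOWN_EGRESS = {"198.51.100.20"}          # office / VPN egress addresses
INTERNAL_DOMAINS = {"example.com"}
BURIAL_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "conversation history"}


def params(rec):
    """Flatten the Exchange-style Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def classify(rec):
    """Return a list of (indicator, detail) pairs for a single audit record."""
    hits = []
    op = rec.get("Operation")
    p = params(rec)
    if op in ("New-InboxRule", "Set-InboxRule"):
        name = p.get("Name", "")
        if p.get("DeleteMessage") == "True" or p.get("MoveToFolder", "").lower() in BURIAL_FOLDERS:
            hits.append(("hiding_rule", f"rule {name!r} deletes or buries matching mail"))
        if not name.strip(" .,-_"):
            hits.append(("unnamed_rule", f"rule with blank or punctuation-only name {name!r}"))
        if any(p.get(k) for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")):
            hits.append(("rule_forwarding", f"rule {name!r} forwards or redirects mail"))
    if op == "Set-Mailbox":
        fwd = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
        if fwd:
            dest = fwd.split(":", 1)[-1]                # strip the "smtp:" prefix
            if dest.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                hits.append(("external_forwarding", f"mailbox-level forwarding to {dest}"))
    if op == "UserLoggedIn" and rec.get("ClientIP") not in KNOWN_EGRESS:
        hits.append(("signin_unknown_ip", f"sign-in from {rec.get('ClientIP')}"))
    if op == "Consent to application.":
        hits.append(("oauth_consent", "user granted consent to an application"))
    return hits


def triage(records):
    """Group indicators by account, in time order. Accounts with no hits are omitted."""
    out = defaultdict(lambda: {"indicators": [], "ips": set(), "first": None, "last": None})
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        hits = classify(rec)
        if not hits:
            continue
        acct = out[rec["UserId"]]
        for ind, detail in hits:
            acct["indicators"].append((rec["CreationTime"], ind, detail))
        acct["ips"].add(rec.get("ClientIP"))
        acct["first"] = acct["first"] or rec["CreationTime"]
        acct["last"] = rec["CreationTime"]
    return dict(out)


def likely_compromised(summary):
    """Exfil-style mailbox change plus a session-level signal => treat as compromised."""
    kinds = {ind for _, ind, _ in summary["indicators"]}
    exfil = kinds & {"hiding_rule", "external_forwarding", "rule_forwarding"}
    session = kinds & {"signin_unknown_ip", "oauth_consent"}
    return bool(exfil and session)


if __name__ == "__main__":
    for user, summary in triage(SAMPLE_AUDIT).items():
        verdict = "LIKELY COMPROMISED" if likely_compromised(summary) else "review"
        print(f"{user}: {verdict} ({summary['first']} .. {summary['last']}, ips={sorted(summary['ips'])})")
        for ts, ind, detail in summary["indicators"]:
            print(f"  {ts}  {ind:<20} {detail}")
```

The verdict rule is deliberately conjunctive: a single odd inbox rule is a ticket, but a hiding or forwarding change that lands in the same window as a sign-in from an unrecognised address or a fresh OAuth consent is the pattern that justifies the hour 1 actions (suspend, revoke tokens, reset MFA) without waiting for the full retention-window pull.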

Without a retainer, hours 0 through 2 are spent finding a firm, negotiating an engagement letter, and coordinating insurance approval. The technical work does not start until hour 3 at best — often later. By then, the attacker has already moved.

What ongoing context looks like

The 2 AM call is the visible part of the retainer. The invisible part is what makes the 2 AM call work.

A retainer that delivers in incidents is one where the IR firm already knows your environment — the domain layout, identity provider, EDR vendor, log retention policies, what is in the SIEM and what is not. They already know your people — who has authority to authorize forensic activity, who handles legal, who handles communications, who is the single point of contact during an incident. They already know your contracts — which vendors must be notified, which clients have breach-notification clauses, which regulators apply. And they have seen the false-alarm pattern in your environment — the alerts that fired last quarter that did not turn out to be anything.

This context is built through the quiet quarters: tabletop exercises, IR plan reviews, joint detection-engineering work, runbook tuning, participation in post-mortems for minor incidents. Without it, the first hour of every real incident is spent on background that should already be pre-loaded.

Where retainer relationships fail

The failure modes are predictable.

The renewal that nobody uses. Customer signs the retainer, the relationship goes dormant, the IR firm rotates the assigned lead, the customer's IT team changes vendors. By the time the incident hits 18 months later, the firm has no context and the customer has no idea who at the firm to call. The retainer becomes a line item that gets cut at the next budget review.

The bundled retainer with no actual capacity. An MSP or vendor includes "incident response" in their bundled offering. In practice, the bundling firm's IR capacity is one analyst who handles incidents during business hours, or they are reselling another firm's retainer without integration. The 2 AM call goes to voicemail, to a Tier-1 helpdesk, or to a sub-contracting chain. Bundled retainers work when the bundling firm has actual 24/7 IR capability or a real partnership with one — otherwise it is a checkbox.

The hour-bank that gets burned on the wrong work. Some retainers prepay forensic hours that the customer spends on tooling configuration, policy review, or general consulting because there has not been an incident. When the incident does come, the hour-bank is empty and the customer is paying retail under pressure.

The carrier-mandated firm with no relationship to you. The cyber insurance carrier requires a firm from their panel. The panel firm has never seen your environment. The first hour of the incident is consumed by introductions. The carrier's panel is designed to control claim handling and cost, not to preserve operational familiarity with your environment. Most policies allow you to negotiate the right to use a pre-approved firm of your choice during renewal.

How we structure the work at Strace

What a retainer should buy you is not a phone number. It is a relationship — a firm that knows your environment in detail before the incident, an MSA and SOW already in place, a documented path to your legal counsel and insurance carrier, and a senior practitioner you have already worked with before the night the call has to be made.

Our IR retainer is structured around that pattern. The first 60 days are an onboarding diagnostic: environment baseline, IR plan review, tabletop, runbook documentation, and a written incident playbook tuned to your contracts and your regulators. The ongoing retainer includes quarterly tabletop, annual plan review, a designated lead practitioner who stays with the account, and the pre-negotiated terms above. The 2 AM call works because the work before the 2 AM call has been done.
