Risk & Compliance

Incident Response Retainer

The worst time to find an investigator is during an active breach.

An incident response retainer from Sherlock Forensics provides a guaranteed SLA, pre-positioned forensic resources, an annual penetration test and priority investigator access during security incidents. Retainer clients skip the intake process during emergencies because contracts, access and environment documentation are already in place. Available in Standard (4-hour SLA) and Premium (2-hour SLA) tiers.

What's Included

Retainer Components

Guaranteed Response SLA: When you report an incident through the dedicated retainer channel, an investigator begins work within the SLA window. Standard tier guarantees a 4-hour response. Premium tier guarantees 2 hours. This SLA is 24/7/365. No voicemail, no intake forms, no waiting for a contract to be signed during an active breach.

Pre-Positioned Resources: During onboarding, we document your network architecture, critical assets, key contacts and escalation procedures. Forensic collection toolkits are configured for your operating systems and endpoint agents. When an incident occurs, we do not spend the first hours asking for network diagrams. We already have them.

Annual Penetration Test: Every retainer includes a full penetration test once per year. This serves two purposes: it identifies vulnerabilities before attackers do, and it gives our team direct familiarity with your environment. When we respond to an incident, we already understand your network topology, common misconfigurations and security control gaps.

IR Plan Review: We review your incident response plan annually to identify gaps in procedures, communication chains and technical response capabilities. If you do not have a written IR plan, we help you build one. A plan that has never been reviewed by an external responder often fails under real-world pressure.

Comparison

Retainer vs Ad-Hoc Response

Factor | Retainer | Ad-Hoc
Response time | 2-4 hours (SLA) | 24-72 hours (availability dependent)
Contracting | Pre-signed | Negotiated during emergency
Environment knowledge | Pre-documented | Learned during incident
Forensic toolkits | Pre-configured | Built on arrival
Hourly rate | Discounted retainer rate | Emergency premium rate
Annual pentest | Included | Separate engagement
IR plan review | Included | Separate engagement
Priority queue | Yes | No (first-come, first-served)

The real cost difference shows up during an incident. Ad-hoc clients lose hours to contract negotiation, NDA signing, environment onboarding and tool configuration. During a ransomware event, those hours determine whether you recover systems from backup or negotiate with an attacker. Retainer clients eliminate that delay entirely. The pre-signed agreement means we start investigating the moment you call.

Pricing

Retainer Tiers

Standard Tier -- $18,000 CAD/year:

Response SLA: 4 hours, 24/7/365
Pre-purchased hours: 40 hours at retainer rate
Annual penetration test: External network pentest included
IR plan review: Annual review and gap analysis
Environment documentation: Full onboarding and asset inventory
Unused hours: Applied to proactive security services

Premium Tier -- $36,000 CAD/year:

Response SLA: 2 hours, 24/7/365
Pre-purchased hours: 80 hours at retainer rate
Annual penetration test: Internal + external network pentest included
IR plan review: Annual review with tabletop exercise
Environment documentation: Full onboarding with quarterly updates
Unused hours: Applied to proactive security services
Threat briefings: Quarterly threat intelligence briefings

How It Works

Pricing Model

The annual retainer fee covers the SLA guarantee, pre-positioning services and a block of pre-purchased hours. These hours are consumed during incident response work at a rate lower than our standard emergency pricing. If an incident requires more hours than the pre-purchased block, additional hours are billed at the retainer rate, not the emergency rate. There is no penalty for exceeding the block.

If no incidents occur during the retainer period, the pre-purchased hours are applied to proactive security work. This includes additional penetration testing, vulnerability assessment, security architecture review, cloud configuration audit or tabletop exercises. You receive the full value of your retainer regardless of whether an incident occurs. The retainer is not insurance that expires unused. It is a commitment of investigator time that is allocated to your organization one way or another.

Onboarding

What Happens After You Sign

Within the first 30 days, we complete a full onboarding process. We document your network architecture, critical assets, key personnel and escalation procedures. We configure forensic collection toolkits for your environment. We review your existing incident response plan and identify gaps. We establish the dedicated communication channel for incident reporting. After onboarding, you can activate the retainer with a single phone call or message at any time.

The annual penetration test is typically scheduled within the first 90 days. This gives our team direct hands-on knowledge of your environment. When we respond to a future incident, we already understand your network layout, common configurations, security tool deployment and the gaps we identified during the pentest. This familiarity translates directly to faster investigation and more accurate scoping during an emergency.

Get Started

Ready to put response capacity on standby?

Contact us to discuss which retainer tier fits your organization. Annual retainers from $18,000 CAD.

Since 2006 | 4.8/5 rating | CISSP, ISSAP, ISSMP certified

Questions

Frequently Asked

What is included in an incident response retainer?
Our retainer includes a guaranteed response time SLA, pre-positioned forensic toolkits configured for your environment, an annual penetration test, an incident response plan review, priority queue placement during active incidents and a pre-negotiated hourly rate that is lower than our ad-hoc emergency rate. Retainer clients skip the intake and scoping process during an emergency because we already know your environment.
How does a retainer differ from ad-hoc incident response?
Ad-hoc clients contact us during an active emergency. They go through intake, scoping, contracting and onboarding before investigation begins. This process adds hours or days to response time. Retainer clients have pre-signed agreements, pre-configured access and a guaranteed SLA. When the call comes, we start working immediately. Retainer clients also pay a lower hourly rate for incident work.
What is the response time SLA?
Standard retainer clients receive a 4-hour response SLA, meaning an investigator begins work within 4 hours of the incident notification. Premium retainer clients receive a 2-hour SLA. Response time is measured from the moment you notify us through the dedicated retainer contact channel, 24 hours a day, 7 days a week.
What happens if we do not use the retainer hours?
Unused retainer hours are applied to proactive security services including penetration testing, vulnerability assessment, security architecture review or tabletop exercises. No hours are wasted. If you have no incidents during the retainer period, you receive the full value in proactive assessment work.
How much does an incident response retainer cost?
Annual retainers start at $18,000 CAD for the Standard tier and $36,000 CAD for the Premium tier. Both include an annual penetration test, IR plan review and guaranteed SLA. The retainer fee covers a block of pre-purchased hours at a discounted rate plus the SLA guarantee and pre-positioning services.