
Incident Response Retainer & IR Planning

// When seconds count, you need us already on the clock.

The Cost of Not Having a Plan

The average cost of a data breach for a small business is six figures. The average time to detect a breach is over 200 days. Most small businesses have never had an IR plan. The retainer model puts a seasoned response team one phone call away — with pre-negotiated rates, pre-established access, and a plan that exists before you need it.

When an incident hits, every minute without a response team costs money, reputation, and data. An IR retainer with Ottomate IT means we already know your environment, we already have credentials and access documented, we already know your critical systems and your compliance obligations — and we pick up on the first ring.

What’s Included

IR Retainer — On-Call Response

Pre-contracted incident response capacity with defined SLAs. When you call, we respond — not a ticketing queue, not a call center. A human with context who knows your environment.

Tabletop Exercise (Annual)

Facilitated scenario-based exercise that walks your leadership and technical team through a simulated incident. Identifies gaps in communication, decision-making, and technical response before a real event exposes them.

IR Playbook Development

Custom incident response playbooks for your specific environment: ransomware, business email compromise, data exfiltration, insider threat, and more. Written in plain language, tested against real scenarios, and stored where you can reach them when systems are down.

Digital Forensics & Evidence Preservation

Forensically sound disk imaging, memory capture, log preservation, and chain-of-custody documentation. Evidence collected correctly from the start — whether for internal investigation, insurance claims, or law enforcement referral.
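Chain-of-custody documentation rests on one simple control: the artifact is hashed at collection, every hand-off is appended to a log, and the hash is re-checked before anyone relies on the evidence. The script below is an added illustration of that control, not Ottomate IT's own tooling. It assumes evidence artifacts are plain files on disk, uses SHA-256 for integrity, and builds its own constructed sample "memory capture" so it runs offline; the host address and bag number it records are placeholders.

```python
"""Evidence manifest with chain-of-custody log (added example, not Ottomate IT code).

Assumptions (not from the page): artifacts are regular files, SHA-256 is the
integrity hash, and custody is an append-only list of dated entries.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a large disk image never has to fit in RAM


def sha256_file(path: str) -> str:
    """Hash a file incrementally and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(path: str, collected_by: str, source_host: str, note: str = "") -> dict:
    """Record what was collected, from where, by whom, and its hash at collection time."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "artifact": os.path.basename(path),
        "path": os.path.abspath(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "source_host": source_host,
        "custody": [{"time": now, "actor": collected_by, "action": "collected", "note": note}],
    }


def transfer_custody(manifest: dict, from_actor: str, to_actor: str, note: str = "") -> dict:
    """Append a hand-off entry; earlier entries are never edited or removed."""
    manifest["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": to_actor,
        "action": f"received from {from_actor}",
        "note": note,
    })
    return manifest


def verify_manifest(manifest: dict) -> bool:
    """Re-hash the artifact. Any size or digest mismatch means the evidence cannot be relied on."""
    path = manifest["path"]
    if not os.path.exists(path) or os.path.getsize(path) != manifest["size_bytes"]:
        return False
    return sha256_file(path) == manifest["sha256"]


def demo() -> tuple:
    """Constructed scenario: hash a fake capture, hand it off, then detect a later modification.

    Returns (intact_before_tamper, intact_after_tamper).
    """
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "host-placeholder-mem.raw")
        with open(img, "wb") as f:
            f.write(b"\x00CONSTRUCTED SAMPLE MEMORY CAPTURE\x00" * 1000)  # constructed, not real memory
        m = create_manifest(img, "analyst-1", "placeholder-host", "memory capture taken before isolation")
        transfer_custody(m, "analyst-1", "evidence-locker", "sealed bag PLACEHOLDER-01")
        before = verify_manifest(m)
        with open(img, "r+b") as f:  # simulate someone touching the image after collection
            f.seek(10)
            f.write(b"X")
        after = verify_manifest(m)
        return before, after


if __name__ == "__main__":
    intact_before, intact_after = demo()
    print(json.dumps({"intact_before_tamper": intact_before, "intact_after_tamper": intact_after}, indent=2))
```

The manifest is kept separately from the image (and ideally signed or stored write-once), so that a single changed byte in the artifact is caught by the re-hash rather than noticed months later in front of an insurer or a court.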

Ransomware Response & Negotiation Support

Technical containment, decryption evaluation, backup restoration, and negotiation support when required. We work to minimize downtime and maximize recovery — and we help you understand whether paying is even the right call.

Breach Notification Support

Guidance on legal and regulatory notification obligations under state breach laws, HIPAA, PCI-DSS, and other applicable frameworks. Coordination with legal counsel and support for required filings — so nothing falls through the cracks under pressure.

Post-Incident Review & Hardening

Structured after-action review that documents the timeline, root cause, response actions, and lessons learned. Followed by a concrete hardening roadmap so the same attack path cannot be used twice.

Business Continuity & DR Planning

Recovery Time Objectives, Recovery Point Objectives, failover documentation, and continuity playbooks. We build the plan, test it with you, and make sure the backups actually restore when it matters.

Threat Hunting & Compromise Assessment

Proactive search for existing compromises, unauthorized persistence, and attacker tooling already present in your environment. Combines log analysis, EDR telemetry, and manual investigation to answer the question that matters: are we already breached?
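One of the simplest hunts behind an alert like "unusual outbound traffic" is a per-host volume baseline: total the bytes each internal host sends out, take the median across hosts, and flag anything an order of magnitude above it. The script below is an added example of that log-analysis step, not Ottomate IT's tooling; the flow-log format, the field names and the sample records are all constructed for the demonstration, and the addresses are from documentation ranges.

```python
"""Hunt for outbound-volume outliers in flow logs (added example, not Ottomate IT code).

Assumed log line format (constructed for this example):
  <timestamp> src=<ip> dst=<ip> dport=<port> bytes_out=<n>
"""
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry. Five hosts send a normal trickle; one sends ~1.4 GB.
SAMPLE_FLOWS = """\
2024-05-01T02:10:07Z src=10.0.1.10 dst=198.51.100.20 dport=443 bytes_out=184320
2024-05-01T02:11:07Z src=10.0.1.11 dst=198.51.100.20 dport=443 bytes_out=203776
2024-05-01T02:12:07Z src=10.0.1.12 dst=198.51.100.21 dport=443 bytes_out=151552
2024-05-01T02:13:07Z src=10.0.1.45 dst=203.0.113.9 dport=443 bytes_out=734003200
2024-05-01T02:14:07Z src=10.0.1.45 dst=203.0.113.9 dport=443 bytes_out=681574400
2024-05-01T02:15:07Z src=10.0.1.13 dst=198.51.100.20 dport=443 bytes_out=172032
2024-05-01T02:16:07Z src=10.0.1.14 dst=198.51.100.22 dport=443 bytes_out=196608
2024-05-01T02:17:07Z this line is malformed and must be skipped, not crash the hunt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+bytes_out=(?P<bytes>\d+)$"
)


def parse_flow(line: str):
    """Return a dict for a well-formed record, or None so callers can count and skip bad lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes_out": int(m["bytes"]),
    }


def hunt_outbound_outliers(lines, factor: float = 10.0) -> dict:
    """Flag hosts whose total outbound bytes are >= factor x the median host.

    The median is used rather than the mean because a single exfiltrating host
    would drag the mean up and hide itself; the median barely moves.
    """
    per_src = defaultdict(int)
    dests = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            skipped += 1
            continue
        per_src[rec["src"]] += rec["bytes_out"]
        dests[rec["src"]].add(rec["dst"])

    # Too few hosts to form a baseline: report nothing rather than false positives.
    if len(per_src) < 3:
        return {"flagged": {}, "baseline_median": 0, "skipped": skipped}

    baseline = statistics.median(per_src.values())
    flagged = {
        src: {"bytes_out": total, "ratio": round(total / baseline, 1), "dests": sorted(dests[src])}
        for src, total in per_src.items()
        if baseline > 0 and total >= factor * baseline
    }
    return {"flagged": flagged, "baseline_median": baseline, "skipped": skipped}


if __name__ == "__main__":
    result = hunt_outbound_outliers(SAMPLE_FLOWS.splitlines())
    for host, info in result["flagged"].items():
        print(f"[HUNT] {host}: {info['bytes_out']} bytes out, {info['ratio']}x median, to {info['dests']}")
    print(f"[HUNT] baseline median {result['baseline_median']} bytes, {result['skipped']} malformed line(s) skipped")
```

In a real hunt the baseline comes from days of history per host rather than one window, and a hit is a lead to be confirmed against EDR telemetry and the host's role, not a verdict. The malformed line is included deliberately: log parsers that crash on one bad record are a common reason a hunt silently covers less of the environment than the analyst thinks.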

ir@ottomateit:~$ monitor --live

[ALERT] unusual outbound traffic detected on 10.0.1.45
[IR] initiating containment protocol...
[IR] host isolated. forensic image queued.
[IR] lateral movement analysis running...
[IR] no additional hosts compromised. scope confirmed.
[IR] client notified. clock is running.

ir@ottomateit:~$ retainer clients get this response. break-fix clients get a busy signal.

Retainer Tiers

Basic

  • 10 retainer hours per year
  • Annual tabletop exercise included
  • IR playbook review & update
  • 4-hour response SLA
  • Email & phone escalation path
  • Post-incident summary report

// Right for: small teams, light compliance requirements, first IR program

Professional

  • 25 retainer hours per year
  • Tabletop exercise + 1 drill scenario
  • Custom IR playbooks (up to 3 scenarios)
  • 2-hour response SLA
  • Quarterly environment check-in
  • Breach notification guidance included
  • Post-incident hardening roadmap

// Right for: growing SMBs, HIPAA / PCI environments, active compliance programs

Enterprise

  • Unlimited hours (fair use)
  • Monthly environment check-ins
  • Full playbook suite (all major scenarios)
  • 1-hour response SLA
  • Dedicated response contact
  • DR / BCP planning included
  • Digital forensics on retainer
  • Legal coordination support

// Right for: regulated industries, federal contractors, high-risk environments

// All tiers are annual contracts. Hours unused do not roll over. Overage billed at pre-negotiated retainer rates — always lower than break-fix rates.

The IR Lifecycle

Ottomate IT follows the NIST SP 800-61 incident handling framework — the U.S. government standard for computer security incident handling:

  1. Preparation — establish IR capability before an incident occurs. Playbooks written, access documented, tools deployed, team trained, retainer in place. This is the only phase where you have full control over the timeline.
  2. Detection & Analysis — identify that an incident has occurred, determine its scope and severity, and characterize the threat. Log analysis, EDR alerts, user reports, and threat intelligence all feed this phase.
  3. Containment — stop the bleeding. Short-term containment (isolate affected hosts) followed by long-term containment (patch, credential reset, network segmentation) to stabilize the environment while eradication is planned.
  4. Eradication — remove the threat actor, malware, and all persistence mechanisms from the environment. Every backdoor, every scheduled task, every compromised credential — verified gone before recovery begins.
  5. Recovery — restore systems and services to normal operation. Validate clean backups, confirm monitoring is in place, and bring systems back online in a controlled, staged sequence.
  6. Post-Incident Activity — document the full timeline, root cause, and response. Conduct the lessons-learned review. Update playbooks. Implement hardening. Turn a bad day into a more resilient organization.

// Source: NIST SP 800-61r2 — Computer Security Incident Handling Guide

Why a Retainer vs. Break-Fix

When a breach happens and you don’t have a retainer, you call someone who has never heard of you. They have no context. They have no documentation. They have no credentials. They charge emergency rates. They spend the first two hours asking questions you may not be able to answer while your attacker is still active in the environment.

A retainer changes every one of those variables:

The question is not whether an incident will happen — it is whether you will be ready when it does. A retainer is the cheapest incident response you will ever buy.

Authoritative Resources

References we use and recommend for incident response planning:

Get on Retainer

Don’t wait until you need us to figure out who we are. A 30-minute conversation now can mean the difference between a manageable incident and a catastrophic one.
