Tue, Oct 17, 2023

The IR Retainer Redefined: Boosting Cyber Resilience with MDR + Cyber Risk Retainer

An effective detection and response capability is essential for monitoring key assets, containing threats early and eradicating them. However, because potential attack vectors within an organization are now so disparate, affording the wide range of sensors required can be a challenge, as can the worry that deploying them will disrupt critical services. Yet, without robust detection and response processes, businesses are left vulnerable. Organizations are also under pressure to manage the potential business and financial costs and complexities of post-breach activities such as privileged investigations, litigation, crisis communications and breach notification, to name just a few. Alongside this, they must respond to the changing requirements of cyber insurers, many of whom now require retainers for new policies and renewals.

How can businesses tackle this landscape to ensure they have the services they need, when they need them, without disrupting their business or breaking the bank? The answer is a more flexible “cyber risk retainer,” as opposed to an incident response (IR) retainer, combined with an MDR service. This allows them to achieve significant cost savings by bundling together pre-incident services (tabletop exercises, penetration tests, dark web monitoring or cloud configuration reviews) with post-incident services such as digital forensics, breach notification and litigation support.

In this article, we outline why it would be misguided to solely rely on a traditional MDR solution or an incident response (IR) retainer and explain why combining a cyber risk retainer with an MDR service significantly advances an organization’s security posture.

Going Beyond the Limitations of Typical IR Retainers

An incident response retainer is not a new offering, and many organizations choose this option to help them stay vigilant. Yet, on its own, an IR retainer presents almost as many limitations as the problems it is meant to address. Given the cost of hiring IR experts to sit on the bench waiting for a security event to occur, organizations typically purchase an incident response retainer from a vendor with digital forensics and incident response (DFIR) expertise.

The three main options for purchasing a retainer are:

Contract With a Third-Party IR Vendor

A third-party vendor should be an expert in their field, as their business is focused on incident response. However, they won’t have operational knowledge of your business. Getting a third party up to speed is frustrating and can delay key actions at a critical time.

Engage Your Cyber Insurance Provider

Procuring via your insurance provider gives you the assurance that the company is a trusted incident response vendor. However, insurers can be cost-sensitive, which means you need to be clear about exactly what’s being offered in terms of service-level agreements (SLAs). For example, speed and cost may be prioritized over breadth of service.

Partner With a Provider Able to Deliver Both MDR and Breach Response

This is the ideal option as an MDR provider acts as an extension of your team. Because they engage daily with the threats targeting your business, they fully understand your company’s security posture and processes. This gives you a significant head start in reducing costs in terms of hours needed to learn about your environment and relevant threats. In this scenario, an MDR provider can also ensure a seamless transition from detection of and response to known threats to escalating an unknown, complex incident to their own DFIR team, working in close collaboration with their SOC analysts. 

You Also Typically Find Two Types of Retainers

Pre-Paid Hours

The customer pays upfront for a certain number of hours, typically per month or per quarter, which can be used to respond to cyber incidents under an agreed SLA. If the hours are not used in full, the unused retainer hours can be spent on other incident response services or incident readiness services. The challenge with this approach is that the customer is under pressure to use those hours up within a specific period.

The agreement specifies a service level agreement (SLA), nature of services provided, a procedure for declaring incidents, and a cost per incident, which is paid only if the service provider actually renders services.

Organizations can avoid these limitations by opting for a Cyber Risk Retainer that provides a broader scope and range of service and flexibility around hours.

From IR Retainer to True Cyber Resilience

Since hours are tied to breach response activities, many organizations still regard the addition of an incident response retainer to their MDR service in the same way they view an insurance policy. They see it as good to have just in case but don’t recognize its true value until something goes wrong. While the cybersecurity industry has sought to adapt to this by offering the ability to re-allocate a certain percentage of retainer hours to incident readiness services such as tabletop exercises, there is still a notable lack of flexibility.

However, with the right approach and capabilities, it is possible to move beyond just pigeonholing IR retainers within incident response so that they actively enable cyber resilience when paired with MDR.

At Kroll, we believe that a retainer should by default contain fundamental DFIR capabilities and SLAs but also provide organizations with the flexibility of being able to use 100% of their service credits towards any cybersecurity services that can help them become more resilient to future threats. This means that, when adding a Cyber Risk Retainer on top of your MDR service, not only are you already covering key aspects of detection and response but also you have the flexibility of applying your service credits to protection.


Added Response Value: The Benefits of MDR and a Cyber Risk Retainer

Organizations that use an MDR service should already benefit from rapid threat detection and what we define as “complete response”. This is the ability to move beyond tactical response actions that address the symptoms of an attack and bring in remote DFIR capabilities to treat the root cause: hunting for additional indicators of compromise, reverse engineering malware, eliminating persistence, eradicating the threat across all systems, and providing lessons learned. Not every MDR vendor can provide unlimited DFIR, and Kroll is particularly proud of this feature of our service. So, what additional “response value” should a cyber risk retainer provide on top of your MDR solution?

When it comes to procuring MDR, not all companies will want to deploy detection sensors or agents on certain business-critical assets. Even if they do, there’s always the rare possibility that a complex or unanticipated attack could compromise previously undiscovered systems. More legal and recovery expertise could then be required in order to limit the impact of the attack and bring the business back to normal. This is the point at which an MDR provider should be able to add more breach response capabilities bundled within a cyber risk retainer. Some of the key benefits of these added capabilities include:

Answer the Big Questions to the Level Required for an Audit or for Legal Disclosure

Augmenting an MDR service with a cyber risk retainer will ensure that you have the litigation support you need in the event of a breach. This could include the collection of artifacts for legal disclosure, expert witness support and crisis communications. 

Crisis Communications for Managing Reputational Impact

In the event of a data breach, a structured approach is critical for effectively engaging stakeholders, including investors, journalists, employees and customers, while protecting reputation, securing trust and minimizing disruption. A cyber risk retainer should provide access to experts who can help you prepare communications to different stakeholders and ensure that the right message goes out to contain and manage the impact on your brand reputation. 

Enhance Incident Response Planning

How you respond to a breach can make the difference between experiencing a short period of limited disruption and going out of business. As part of the onboarding process, a cyber risk retainer should include a regular annual or semi-annual incident response planning session to understand the most likely breach scenarios, assign roles and responsibilities, and define the thresholds at which specific decisions should be made.

Gain More Coverage for Complex Incidents That Require Deeper Investigation

A cyber risk retainer should augment your MDR service by providing deeper investigative support for complex incidents that evade detection. These can include cryptocurrency (“crypto”) investigations, internal investigations, cloud investigations involving platforms/services that are not traditional server endpoints (Salesforce, Monday.com, etc.) and PCI/PFI investigations (financial fraud related to credit cards). Investigations increasingly involve complex incidents that demand outside counsel guidance due to potential litigation risk, together with requirements for recovery support and in-lab forensic examination. These security events impact even clients of higher maturity and can be complex as well as costly.

On-Site and In-Lab Response and Recovery

When responding to an attack, minimizing business interruption is key. A cyber risk retainer should provide you with on-site support to stand systems back up online or take devices away to forensics labs when needed to rebuild and reimage devices, especially in the event of corrupted or permanently damaged equipment. 

Response to Assets/Systems Not Covered by EDR, SIEM, or NDR Technology

Although MDR can immediately provide detection and response coverage, if specific assets/systems that are not monitored become compromised, a cyber risk retainer gives you access to forensic experts who can create custom scripts to conduct root-cause analysis and remediation without a collector or sensor. 


Responder Clients Improve Resiliency With a Cyber Risk Retainer

Maximizing Security Impact: Case Studies

Uncovering Hidden Threats

An independent provider of foreign exchange risk management and trading services to financial institutions had unfortunately experienced a business email compromise (BEC) attack, which left them feeling exposed and not confident in their ability to detect and respond adequately to future security incidents. The company also lacked trust in the IT managed service provider it had in place. The business engaged Kroll for its Responder services – SIEM and EDR – and added Kroll’s Retainer services to that. This combination of support gave the business 24x7 expertise to detect and respond to threats, flexibility to leverage multiple service lines under the retainer, immediate risk reduction through proactive, targeted security assessments, and ongoing strategic advice and guidance through Kroll’s virtual CISO.

Exceeding Initial Security Goals

Another Kroll client invested in the Kroll Responder MDR + Cyber Retainer Bundle in order to meet certain compliance requirements and become more resilient. The company needed a partner to address its MDR needs and help it become more cyber mature and cyber resilient. Going far beyond the company’s initial goals for its retainer, Kroll is now advancing its security posture through tabletop exercises, red teaming and risk assessments.

MDR + Cyber Risk Retainer from Kroll: Minimize Risk, Mature Resilience

As a leading provider of cyber risk management services, our proven expertise across all areas of cyber resilience – protection, detection, response – can be accessed through our MDR + Cyber Risk Retainer Bundle. While our Kroll Responder MDR service ensures threat detection and response coverage, including our cyber risk retainer with it provides the flexibility to use 100% of your service credits towards any other service at a discounted rate across our protection, response and validation service areas. Doing so also provides peace of mind that Kroll’s team of forensic experts is on hand as and when required to respond to, contain and remediate an incident.

A Kroll Cyber Risk Retainer guarantees expedited response as well as breach notification and proactive services to minimize the impact of an incident and mature your cyber resilience. Our retainer options address the pressure that organizations feel to maximize the value of cyber security investments with upfront pricing and service structure.

“Kroll's Cyber Risk Retainer program gave us the flexibility to utilize our retainer credits to help us accomplish some of our IT security goals during the year, while having the peace of mind that we had a Tier 1 partner to quickly respond if we had some type of cyber incident.”

– NetScout Systems, Inc.

Organizations should keep in mind that typical IR retainers focus on incident response to the exclusion of breach response. Because of this, they must be vigilant about selecting a retainer that not only goes beyond incident response but also leads the market in flexibility and range of service. By combining an MDR service with a cyber retainer that can adapt to meet their specific security issues and needs, organizations can look forward to achieving true cyber resilience.

Learn more about our Cyber Risk Retainer or find out about our MDR service, Kroll Responder. Contact us to speak to one of our experts and arrange a demo.
