Most security incidents that matter — ransomware, data breaches, targeted intrusions — require forensic investigation capability that most organizations don't have internally. Understanding what happened, how, when, what was accessed, and whether data was exfiltrated requires specialized skills, tools, and experience that few in-house teams possess.
The question is how to access that capability. And the answer matters a lot when you're in the middle of an incident.
What Digital Forensics Actually Provides
In the context of a security incident, digital forensics refers to:
Root cause analysis. How did the attacker get in? What was the initial access vector, and what does that mean for containment?
Timeline reconstruction. When did the attacker first have access? What did they do, and in what order? Which systems were accessed and when?
Scope determination. Which systems were compromised? Which accounts were used? Was data accessed or exfiltrated, and if so, what data?
Malware analysis. What tools did the attacker deploy? What do they do, and are there additional backdoors or persistence mechanisms that haven't been found yet?
Evidence preservation. For incidents that may result in litigation or regulatory proceedings, proper forensic evidence preservation (chain of custody, write-protected imaging, etc.) is legally required.
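Timeline reconstruction is, in practice, mostly a normalization problem: every source stamps time differently (syslog omits the year and zone, web access logs carry their own offset, Windows exports are usually UTC), and events cannot be ordered across hosts until they are all on one clock. The script below is an added example of that step, written for this page rather than taken from the article or any IR firm's tooling. All log excerpts are constructed; the hostnames, accounts and IPs are invented, and two details are assumptions stated in the code: the Linux host writes syslog in UTC-5 during 2024, and detection is marked by an `Alert:` record from the EDR.

```python
"""Build a single UTC timeline from log sources that stamp time differently.

Added example for the timeline-reconstruction step; not from the article or
any vendor's tooling. Every log line below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterator

# Assumption: the Linux host writes syslog in local time (UTC-5) and omits
# the year, so both must come from host configuration, not from the log.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=-5))

# Constructed sample evidence, one excerpt per source.
AUTH_LOG = """\
Mar  3 22:41:07 fileserver sshd[2211]: Accepted password for svc_backup from 203.0.113.45 port 51022 ssh2
Mar  3 22:43:19 fileserver sudo: svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/usr/bin/crontab -e
"""
# Combined-format web access log; the bracketed time carries its own UTC offset.
WEB_LOG = """\
203.0.113.45 - - [03/Mar/2024:21:15:02 -0500] "POST /portal/login HTTP/1.1" 200 512
203.0.113.45 - - [03/Mar/2024:21:15:40 -0500] "GET /portal/admin/export?all=1 HTTP/1.1" 200 9048211
"""
# Windows Security events exported as CSV in UTC: time,host,event_id,message
WIN_CSV = """\
2024-03-04T03:30:00Z,dc01,4624,Logon type 10 for CORP\\svc_backup from 10.0.0.77
2024-03-04T04:05:12Z,dc01,4720,User account created: CORP\\backup_helper
2024-03-05T13:30:00Z,edr01,9001,Alert: ransomware behaviour detected on fileserver
"""


@dataclass(frozen=True, order=True)
class Event:
    when: datetime  # always timezone-aware, always UTC
    source: str
    host: str
    detail: str


SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')


def parse_syslog(text: str, year: int = SYSLOG_YEAR, tz: timezone = SYSLOG_TZ) -> Iterator[Event]:
    """Classic syslog: no year, no zone; both are injected from host config."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, msg = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield Event(local.replace(tzinfo=tz).astimezone(timezone.utc), "auth.log", host, msg)


def parse_clf(text: str, host: str) -> Iterator[Event]:
    """Combined log format: the bracketed timestamp includes its UTC offset."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, stamp, request, status, _size = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield Event(when, "access.log", host, f"{client} {request} -> {status}")


def parse_windows_csv(text: str) -> Iterator[Event]:
    """CSV export with ISO-8601 UTC times ending in 'Z'."""
    for line in text.splitlines():
        stamp, host, event_id, message = line.split(",", 3)
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        yield Event(when.astimezone(timezone.utc), "security.evtx", host, f"EID {event_id}: {message}")


def build_timeline(*sources: Iterator[Event]) -> list[Event]:
    """Merge all sources and order strictly by normalized UTC time."""
    return sorted(e for src in sources for e in src)


def dwell_time(timeline: list[Event]) -> timedelta:
    """Time from the earliest evidence to the first detection record.

    Assumption: detection records carry the constructed 'Alert:' marker;
    in a real case the SOC ticket timestamp plays this role.
    """
    detection = next(e for e in timeline if "Alert:" in e.detail)
    return detection.when - timeline[0].when


def render(timeline: list[Event]) -> list[str]:
    return [f"{e.when:%Y-%m-%dT%H:%M:%SZ} {e.source:<14} {e.host:<10} {e.detail}" for e in timeline]


def demo_timeline() -> list[Event]:
    # 'webportal' is an assumed hostname; CLF lines do not name the server.
    return build_timeline(parse_syslog(AUTH_LOG), parse_clf(WEB_LOG, "webportal"), parse_windows_csv(WIN_CSV))


if __name__ == "__main__":
    tl = demo_timeline()
    print("\n".join(render(tl)))
    print(f"dwell time before detection: {dwell_time(tl)}")
```

Read source by source, the auth log ("Mar 3") appears to predate the domain controller logon ("2024-03-04"); once both are on UTC, the DC logon at 03:30Z precedes the SSH login at 03:41Z, which changes the conclusion about which host was reached first. The dwell-time figure is the gap the article warns about: here the earliest evidence of access sits more than a day before the alert that started the response.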
Without forensic investigation, organizations often remediate only what they can see, miss attacker persistence, and later discover the attacker is still present — or that they were breached weeks before they knew it.
The Two Models
IR Retainer. You pay an annual retainer fee to an IR/forensics firm. In return, you get:
- Pre-negotiated response time SLAs (typically 2–4 hours for critical incidents, 24 hours for non-critical)
- Reduced hourly rates versus break-glass engagement
- A pre-established relationship — the firm knows your environment basics before an incident
- Proactive services that may be included (tabletop exercises, IR plan review)
Retainer fees vary widely: $15,000–$100,000+ annually depending on organization size and services included.
Break-Glass Engagement. You engage a firm only when you have an incident. No ongoing relationship, no pre-negotiated terms. You're calling with an urgent need and no existing relationship.
Problems: rates are higher (sometimes significantly). Response times are not guaranteed, because the firm is fielding your call alongside calls from every other organization that didn't have a retainer. The firm has no context on your environment. And in an active incident, you're vetting a vendor at the worst possible time.
Which Model Is Right for You?
For most mid-market and larger organizations: a retainer is worth it. The annual cost is modest relative to the value of guaranteed response time during an incident that's costing you money every hour. Cyber insurance also often requires or strongly encourages having a retainer in place.
For small organizations with limited budgets: investigate whether your cyber insurance policy includes access to a panel of IR firms. Most modern cyber policies include this, which partially substitutes for a direct retainer relationship.
What to Look for in an IR Firm
Specialization. General IT consultants who do forensics occasionally are different from dedicated IR firms. The latter have playbooks for your scenario, tools that work, and experience that comes from running hundreds of investigations.
Geographic and regulatory understanding. If you operate in healthcare, finance, or other regulated industries, your IR firm needs to understand the regulatory dimensions — notification timelines, data handling requirements, coordination with regulators.
Availability and response time guarantees. Get the response time commitment in writing. Understand what "response" means: the clock should stop when an analyst is engaged and working your case, not when your call is merely acknowledged.
References. Talk to clients who have actually used the firm during an incident — not just during retainer onboarding.
Independence. If your IR firm also sells security products, ensure they're not incentivized to push products as part of the investigation.
Practical Steps
If you don't have an IR relationship today: talk to your cyber insurance broker (they often have preferred panel firms with pre-negotiated rates), review a few firms, and establish a retainer with the best fit. The annual cost is worth it for the peace of mind and response time guarantee alone.
If you do have an IR retainer: test the relationship. Call them for a tabletop exercise. Make sure the onboarding information they have is current. Ensure your IR plan has their emergency number, not just an account rep number.