Annual retainer
Incident Response Retainer. The contract that gets the call answered.
$5,000/year. 24/7 priority breach line, documented IR plan tailored to your environment, named IR coordinator, quarterly tabletop exercises, and post-incident report templates. Built so that when something bad lands at 2 AM on a Sunday, somebody picks up — and they already know your file server names, your carrier, and your lawyer.
Who this is for
Three patterns describe almost every business that signs a retainer. If you see yourself in any of them, the conversation is worth having.
Carrier or broker is asking for an IR firm on retainer
Your 2026 cyber-insurance application or renewal questionnaire now asks: do you have an incident response firm under contract, and if yes, who? Saying “we'll figure it out if it happens” used to be acceptable. It is not anymore. The carrier wants a name, a contract date, and a phone number that works at 2 AM on a Sunday.
Internal IT but no breach playbook
The business has internal IT or a generalist MSP. They handle the day-to-day. They have never run an active incident and they know it. The retainer fills the specific gap of “who do we call when the file server is encrypted and our IT person has not slept in 36 hours?”
Lessons learned the hard way
The business — or a peer business they trust — has been through a breach and discovered, mid-incident, that nobody was actually on the hook to help. The lawyer charged $800/hr. The unfamiliar IR firm flew in three days late. The carrier's panel-approved provider was overloaded. The retainer means none of that happens again.
Why most SMBs discover the problem mid-breach
A breach at a 20-seat Mackenzie County business typically starts on a Friday afternoon or a Sunday night. The bookkeeper notices the accounting software will not open. The dispatcher cannot log into the fleet management system. Files have unfamiliar extensions. The owner gets a call from someone in operations who does not quite know how to describe what is wrong.
The owner calls the IT provider. The provider is at a soccer tournament, at a wedding, on vacation, or already inside another client's incident. They will get to it Monday morning. By Monday morning, lateral movement has finished, backups have been deleted, and there is a ransom note on every file server. The provider, doing their honest best, now has to triage an active ransomware incident with no plan, no preserved evidence, and no formal authority to authorize containment actions that cost money.
That entire sequence is preventable, but only if the contract was signed before the incident. The retainer is the document that turns “we will figure it out” into “here is the plan, here is the coordinator, here is the phone number, here is the carrier paperwork.” The cost of being wrong about whether you needed one is the cost of the breach itself.
What the retainer includes
Seven deliverables that produce a real, audit-ready arrangement — not a template with a logo and a phone number that nobody answers.
Priority breach line — 24/7
A dedicated number that rings through to a human during business hours and to a paged on-call practitioner outside of them. Two-hour acknowledgment, eight-hour engagement, written from day one — not a marketing claim. The number is for breaches, not helpdesk tickets, and is communicated to the people in the business who need to know it.
Documented IR plan, tailored to your environment
Not a template with your logo on it. A written incident response plan that knows what your file server is called, where the backups live, which line-of-business apps matter, who has authority to authorize containment that costs money, which carrier and broker get called, and which lawyer reviews the breach-notification letter. Updated annually as the environment changes.
Named IR coordinator
One named person at our firm who owns the relationship, knows your environment, and answers the call. Not a queue. Not a different analyst every quarter. The coordinator does the onboarding, runs the tabletop exercises, signs the post-incident reports, and shows up by name if a real incident lands.
Quarterly tabletop scenario
Once per quarter we run a 60–90 minute tabletop with the owner, IT lead, and one or two key stakeholders. A realistic scenario specific to your industry — ransomware on a sawmill PLC, vendor-fraud wire at an ag-services supplier, dispatch compromise at a trucking outfit. We walk through the response, surface gaps, and update the IR plan with what we learned.
Post-incident report templates
Templates and a writing assist for the documents that come out of every real incident — internal lessons-learned, executive summary for the board, breach-notification letter for affected parties (counsel-reviewed), evidence package for the carrier, regulatory notification where required. The work after the work is what most businesses underestimate.
Huntress SOC integration where present
If your environment is on managed EDR with the Huntress SOC, the retainer plugs into their escalation chain — we are the named escalate-to on critical events, which means containment decisions and customer comms run on minutes, not hours. Where Huntress is not deployed, we coordinate with whatever EDR or AV stack you have.
Annual broker and carrier debrief
Once a year we sit with your broker and carrier on a call to confirm the retainer arrangement, walk through the IR plan, and produce the documentation the underwriter needs for renewal. The retainer becomes a renewal asset, not just a contract on a shelf.
The onboarding — first 30 days
The first month builds the plan and runs the first tabletop. After that the retainer is steady — quarterly exercises, an annual refresh, and a phone number on file.
1. Day 0: Scoping call (30 minutes). Free. We confirm fit — the retainer makes sense for some businesses and not others — and outline the onboarding timeline. No annual fee invoiced until the engagement letter is signed.
2. Week 1: Environment intake. We document your environment, the people authorized to make decisions, the carrier and broker contacts, the lawyer, the backup architecture, the critical line-of-business apps, and the realistic worst-case scenarios. Most of this is interview-driven; we do not need deep technical access.
3. Week 2–3: IR plan authored. We draft the IR plan from the intake. You review, push back, request changes. Plan finalized and signed by the named decision-makers in the business. Copies stored in two places — your records and our on-call kit — so the plan is reachable when the primary systems are not.
4. Week 4: First tabletop exercise. We run the first tabletop scenario within 30 days of signing. The first one almost always surfaces three or four things that need cleanup — usually backup gaps, missing call-tree numbers, or unclear authority lines. We fix them and update the plan.
5. Quarterly: Ongoing tabletops and plan refresh. One tabletop per quarter. Plan refresh whenever the environment changes — new line-of-business app, change of carrier, change of IT provider, change of key staff. The retainer is a living arrangement, not a binder on a shelf.
What this retainer is not
Clarity on scope keeps the arrangement honest — and keeps the carrier and broker conversations clean.
This is not incident response work itself
When a real incident lands, the response work is billed time-and-materials at the engagement rate published in the retainer letter. The retainer guarantees that we pick up the phone, that the plan exists, and that the coordinator knows your environment. It does not pre-pay an unlimited number of incident hours — no responsible firm will sell that contract.
This is not legal counsel
We coordinate with your lawyer during a breach. We do not replace them. Breach-notification letters, regulatory filings, and privilege questions are decisions for counsel; we provide the technical facts and the timeline.
This is not a substitute for the technical controls
A retainer does not stop the breach from happening. The managed EDR, MFA, backup architecture, and Conditional Access do that work. The retainer covers what happens after a control has failed and somebody has to make decisions under pressure.
This is not a guarantee of zero downtime
Incident response is the work of containing damage and restoring operations. It is not magic. Some incidents take days to resolve regardless of how good the IR plan is. What the retainer guarantees is that the response is structured, decisions are made on facts, evidence is preserved, and the business comes out the other side with documentation that protects the next renewal.
Pricing — said out loud
- $5,000 CAD per year, paid annually in advance. The 12-month contract is what the carrier wants to see on file.
- Active incident hours billed time-and-materials. $250/hour coordinator, $175/hour supporting practitioner, per-incident cap agreed in writing at signing. Carriers almost always cover these costs against the policy.
- Bundled in Cyber Premium. The Cyber Premium managed tier ($275/seat/mo) includes the priority line, coordinator hours, IR plan, and tabletops at no separate retainer fee.
- Annual renewal, 60 days' written notice. If the relationship is not working, you give 60 days' notice before the anniversary. We do not penalize anyone for changing direction.
Frequently asked questions
Why $5,000/year — what does that actually cover?
It covers the onboarding, the IR plan authoring and annual refresh, four tabletop exercises per year, 24/7 priority line coverage, named coordinator hours, broker and carrier liaison, and a templated post-incident reporting package. Active incident response time, when an event lands, is billed at $250/hour for the coordinator and $175/hour for supporting practitioners, capped per incident at a number we agree on up front. The carrier almost always covers those costs.
How is this different from what the carrier provides?
Most carriers have a panel of approved IR firms. Those firms are good, often very good, and they are also juggling many simultaneous incidents — particularly during ransomware waves where one strain hits dozens of businesses in the same week. The retainer means a named firm in the Peace region with your environment in their hands shows up first, while the panel firm engages on the timeline they can. The two are complementary, not competing.
What if I never have an incident?
Then you have spent $5,000/year on a documented IR plan, four tabletop exercises, broker-ready evidence, and the quiet confidence that the worst-case scenario has been pre-thought. The plan itself moves the needle on cyber-insurance renewals; many clients see the retainer pay for itself in premium reductions before the first incident would ever land.
Does the Huntress integration cost extra?
No. If you are already on managed EDR with the Huntress SOC, the retainer plugs into the existing escalation chain at no extra charge. If you are not on managed EDR, the retainer still works — we coordinate with whatever EDR or AV stack you have — but the response timing is materially faster with the SOC in the chain.
Can the retainer credit toward managed services?
If you move from standalone retainer to a Cyber Premium tier (which includes vCISO and a richer engagement), the retainer rolls into the tier with no separate fee. The Cyber Premium engagement covers the same priority breach line and the same coordinator hours as part of the bundle.
Is the retainer paid annually or monthly?
Annually, in advance — $5,000 at engagement signing, then $5,000 each subsequent anniversary. The annual model matches how carriers underwrite the arrangement; carriers want to see a 12-month contract on file, not a month-to-month subscription that could be cancelled the day before an incident lands.
Want the contract on file before you need it?
The scoping call is free, takes 30 minutes, and tells you honestly whether the retainer fits the business today.