
What Drives Incident Response Retainer Cost in India: 6 Factors

Six factors behind incident response retainer cost in India — response-time SLA, included hours, tier of coverage, on-site posture, regulator workflow, and CERT-In empanelment.

API4SOC2 Editorial · 30 August 2026 · 14 min read

Understanding what an incident-response retainer costs in India before a ransomware group detonates at 2 AM on a Sunday is the difference between recovery in hours and recovery in days. The organisations that take days are the ones still negotiating an SOW while the attacker moves laterally. Retainer pricing varies by 3–4× across vendors at apparently similar coverage levels, and the variance reflects six independent factors that procurement teams should probe during scoping. This guide decomposes those factors operationally.

The six factors compound. A retainer that looks half the price of another is typically half the response-time commitment, half the included hours, no on-site option, no CERT-In empanelment for regulator filing, and no India-resident senior responders. Knowing which factors matter for your specific risk profile lets you scope a retainer that works at 2 AM on Sunday rather than one that looks affordable on paper but fails in operation.

Before the cost discussion: what an IR retainer actually is

An incident-response retainer is a pre-negotiated agreement with a security firm that provides:

  • Guaranteed response-time commitment (typically 15–60 minutes from acknowledged alert)
  • Pre-authorised forensic access to systems and logs
  • Pre-customised playbooks and reporting templates
  • Quarterly tabletop exercises and readiness reviews
  • Direct partner-level escalation contact

What an IR retainer is not, and these confusions distort budget expectations:

  • It is not a preventative security service — it does not replace VAPT, monitoring, or SIEM.
  • It is not an unlimited-hours arrangement — most retainers include a defined number of response hours per quarter.
  • It is not a guarantee of zero impact — it guarantees speed and expertise, not outcome.
  • It is not interchangeable with cyber insurance — insurance covers financial loss; the retainer covers operational response.

Factor 1 — Response-time SLA

The single biggest cost driver. The SLA is measured from acknowledged alert to first analyst engagement, not from incident occurrence, so check how the contract defines acknowledgement: if the clock only starts once a duty analyst acknowledges, a slow hotline can consume unbounded time before the SLA even begins. The tiers:

  • 15-minute SLA — top-tier; requires round-the-clock duty-roster staffing plus on-call senior responders (India runs on a single time zone, so the cost is in 24×7 rostering, not geographic spread). Mandatory for crypto exchanges, MIIs, and Tier-1 BFSI.
  • 30-minute SLA — professional tier; requires duty-roster across business hours plus extended on-call coverage. Typical for BFSI Tier 2/3 and SEBI-regulated entities.
  • 60-minute SLA — essential tier; duty-roster during business hours, on-call response after hours. Typical for B2B SaaS and non-regulated entities.
  • 4-hour or longer SLA — not adequate for ransomware response; useful only for compliance-baseline coverage.

The cost lever: tightening the SLA from 60 to 30 minutes typically increases retainer fees by 60–80% because the firm must pre-stage senior responders. From 30 to 15 minutes adds another 40–60%. SLA decision rule: match the SLA to your highest-risk incident type; for ransomware exposure, anything slower than 30 minutes is operationally insufficient.

Factor 2 — Included hours per quarter

Retainers structure included hours into different categories:

  • Response hours — time spent on actual incident handling (analyst investigation, forensic analysis, containment, eradication). The largest category.
  • Preparation hours — time spent on quarterly tabletop exercises, runbook updates, threat-intelligence briefings.
  • Reporting hours — time spent on regulatory reporting (CERT-In, RBI, SEBI), board briefings, post-incident documentation.
  • Excess-hour rates — rates for hours beyond the included tier.

The cost lever: doubling included hours typically increases retainer fees by 50–70% (sub-linear because some setup cost is fixed). Included-hours decision rule: estimate based on prior incident history if available; for organisations with no incident history, start with 16–32 hours/quarter and upgrade based on actual usage.

Procurement teams should ask: how is the hour split allocated between response, preparation, and reporting? Retainers that allocate all hours to “preparation” and zero to “response” are designed to extract excess-hour billing during real incidents.

Factor 3 — Tier of coverage (Essential vs Professional vs Enterprise)

Retainers typically come in three tiers, each combining the previous factors plus tier-specific additions:

Essential tier

60-minute SLA, modest included hours, remote-only response, standard reporting templates, monthly threat-intelligence briefing, single tabletop scenario per quarter. Suitable for mid-market SaaS, non-regulated entities, and organisations beginning their IR journey.

Professional tier

30-minute SLA, expanded included hours, remote response with on-site available at additional cost, sector-specific reporting templates (RBI, SEBI, IRDAI as applicable), monthly threat briefings with sector overlay, quarterly tabletop with multiple scenarios. Suitable for BFSI, HealthTech with PHI exposure, SEBI-regulated entities.

Enterprise tier

15-minute SLA, generous included hours, war-room support with on-site responders pre-positioned, full regulator-coordination depth, weekly threat briefings, quarterly tabletops with realistic adversary simulation. Suitable for crypto exchanges, large BFSI, Market Infrastructure Institutions.

The cost lever: stepping from Essential to Professional typically increases retainer fees by 60–100%. Professional to Enterprise adds another 50–80%. Tier decision rule: match tier to the most-demanding regulator or buyer expectation, not to internal-team comfort level.

Factor 4 — On-site posture

Many incidents require on-site responders for evidence handling, regulator coordination, or physical-infrastructure access:

  • Remote-only retainers — cheapest; rely on remote access to all systems. Adequate for cloud-native environments without on-premises components.
  • On-site available at additional cost — most common structure; remote default with on-site response billed at daily rates plus travel.
  • On-site pre-positioned — Enterprise-tier feature; responders pre-staged for major incidents. Material cost premium.

The cost lever: pre-negotiated on-site rates avoid procurement friction during active incidents but cost more on the baseline retainer fee. On-site decision rule: for organisations with on-premises infrastructure, hybrid cloud, or regulator-physical-evidence-seizure requirements, pre-negotiate on-site rates rather than discovering them mid-incident.

Factor 5 — Regulator-reporting workflow depth

Indian regulated entities require specific regulator-reporting workflows:

  • CERT-In Direction No. 20(3)/2022-CERT-In — six-hour reporting window for the listed incident types, counted from when the incident is noticed or brought to your notice. The statutory obligation to report sits with your organisation; what the retainer should supply is responders who maintain the CERT-In incident-reporting format and can prepare and submit the filing with you inside that window. Ask whether the firm is CERT-In empanelled and, separately, how many six-hour filings it has supported. See our CERT-In runbook.
  • RBI Cyber Security Framework — banks, NBFCs, and PAs face additional sector-specific reporting expectations.
  • SEBI Cyber Security Resilience Framework — stockbrokers, AMCs, and MIIs face SEBI-specific reporting and MSOC integration requirements.
  • IRDAI Information and Cyber Security Guidelines — insurers face IRDAI reporting requirements.
  • DPDP Act 2023 — data fiduciaries must notify the Data Protection Board and each affected data principal of a personal data breach, in the form and timeline the rules prescribe.

The cost lever: retainers with deep regulator-coordination expertise charge a premium because the firm must invest in regulator relationships and template maintenance. A firm that has never prepared a CERT-In filing leaves your own team drafting it during the first six hours of an active incident, which is a material operational burden. Reporting decision rule: verify the retainer firm’s CERT-In empanelment status (an auditor credential, and a useful signal of familiarity with CERT-In’s formats) and ask for evidence of sector-specific reporting depth before engagement.

Factor 6 — Engagement model and contract structure

How the retainer is billed materially affects total cost:

Fixed-fee retainer with capped excess. The retainer fee is fixed for the contract term; excess-hour rates are capped. Predictable budget; aligned incentives. Recommended structure.

Variable retainer with consumption billing. The retainer fee scales with incident activity; quiet quarters cost less, active quarters cost more. Less predictable; some firms argue this is fairer but it disincentivises preparation investment.

Hybrid with tabletop and threat-intelligence included. A fixed baseline covering preparation hours plus consumption-based incident-response hours. Common in mid-market engagements.

The cost lever: fixed-fee retainers appear 10–20% more expensive than consumption-based alternatives but typically cost less in total because they incentivise preparation investment. Engagement-model decision rule: insist on fixed-fee with capped excess; reject variable-billing structures unless you have predictable incident frequency.

Sector-specific retainer patterns

The six-factor framework applies broadly. Sector-specific patterns:

BFSI — Professional or Enterprise tier required

Indian banks, NBFCs, and payment aggregators face the strictest IR expectations. RBI’s Cyber Security Framework for banks requires unusual cyber incidents to be reported to RBI within two to six hours; CERT-In requires reporting within six hours; the sectoral CSIRT (CSIRT-Fin) expects parallel notification. Detection, triage and containment therefore have to run in parallel with the filing. Essential tier’s 60-minute response consumes too much of that window; BFSI organisations should retain at Professional or Enterprise tier at minimum.

SEBI-regulated entities, particularly Market Infrastructure Institutions and top-100 brokers, face SEBI-coordinated cyber-resilience drills, MSOC integration requirements, and continuous regulator scrutiny. Enterprise tier’s war-room support and 15-minute SLA align with these expectations.

HealthTech — Professional tier for PHI exposure

Indian HealthTech platforms handling health data face DPDP obligations (including its children’s-data provisions) and the expectations set by the draft DISHA framework on top of general cybersecurity. Professional tier’s faster response is typically appropriate; health-data exposure incidents carry legal-counsel coordination requirements that Essential tier may not adequately support.

Crypto exchanges — Enterprise tier mandatory

Crypto exchanges face threat-actor sophistication that justifies the highest tier. Enterprise tier’s war-room support, 15-minute response, and generous included hours match the operational reality, where the window between key compromise and irreversible on-chain transfer is minutes. Scope at this tier from the outset.

B2B SaaS — Essential tier sufficient initially

Most Bangalore B2B SaaS platforms can begin at Essential tier and upgrade as enterprise customer expectations evolve. The trigger for upgrade is typically the first major customer requiring SLA-backed incident response in the contract.

The 24×7 incident-response workflow (what the retainer actually delivers)

When the retainer is invoked, the workflow proceeds across structured time-boxed phases:

T+0 to T+15 minutes — alert and triage

Client invokes the retainer hotline or alert email. Duty analyst acknowledges and begins triage. Initial classification: malware, breach, DDoS, insider threat, BEC, data exfiltration.

T+15 to T+60 minutes — containment

Isolate affected systems at the network layer (segmentation, endpoint isolation) rather than powering them off, so volatile evidence survives. Preserve forensic evidence in order of volatility: memory dumps before any reboot, then disk images and log exports. Determine scope: how many systems, what data, what user populations.

T+1 to T+6 hours — reporting and escalation

Initial report to CERT-In within six hours where applicable. Sectoral regulator notification (RBI, SEBI, IRDAI) as required. Board / executive briefing call.

T+6 to T+24 hours — analysis and eradication

Forensic timeline construction. Root-cause analysis. Malware reverse engineering if required. Eradication of attacker presence.

T+24 to T+72 hours — recovery and hardening

System rebuild or restoration from clean backups. Control-gap closure. Re-test to confirm eradication.

T+72 hours+ — documentation and lessons learned

Final incident report. Regulator follow-up. Tabletop exercise update. Insurance claim support if applicable.

The retainer’s value is measured not in the headline SLA alone but in execution-quality across all phases.

Common IR retainer procurement mistakes

  1. Buying on price without checking response-time SLA. A nominally cheap retainer with 4-hour SLA is worthless for ransomware.
  2. Not testing the retainer. Tabletop exercises reveal communication gaps, access issues, and playbook gaps before a real incident.
  3. Assuming the retainer covers everything. Most retainers have hour limits; excess hours are billed at standard rates.
  4. Forgetting regulator notification depth. Retainer must include CERT-In, RBI, or SEBI reporting templates specific to your sector.
  5. No on-site option. For breaches involving physical infrastructure or evidence seizure, remote-only response is insufficient.
  6. Ignoring the hour-allocation split. Retainers that allocate all hours to preparation and zero to response are designed to extract excess-hour billing during real incidents.
  7. Not checking regulator-filing experience. CERT-In empanelment is a useful signal, but the question to ask is whether the firm has prepared six-hour filings before; if not, your team drafts the submission internally during an active incident.

Vendor evaluation rubric for IR retainers in India

Five questions that surface vendor quality faster than asking for a quote:

  • What is your median time-to-engagement for retainer clients? The SLA is a ceiling; the median is the real metric.
  • Are you CERT-In empanelled, and how many CERT-In six-hour filings have you supported in the last 12 months? Empanelment is an auditor credential and a useful signal; the filing count shows whether the firm can actually run the workflow under deadline.
  • How many India-based incidents have you handled in the last 12 months? International firms may lack local regulator relationships.
  • Do you fix the retainer fee for the contract term? Variable billing destroys budget predictability.
  • Will the same partner attend scoping, the incident, and the board debrief? Continuity matters for context retention.

Cross-framework mapping

  • CERT-In Direction 20(3)/2022 — The six-hour reporting window is the hardest deadline. A retainer pre-stages the reporting workflow. See our CERT-In runbook.
  • ISO 27001:2022 Annex A 5.24 — Information security incident management planning and preparation. See our ISO 27001 service page.
  • SOC 2 CC7.3 and CC7.4 — Evaluation of security events to determine whether they are incidents, and response to identified incidents. See our SOC 2 service page.
  • DPDP Act 2023 — Data fiduciaries must notify the Data Protection Board and each affected data principal of a personal data breach.

Tabletop exercise scenarios for retainer testing

Effective retainer relationships test the engagement quarterly with realistic scenarios:

Scenario A — ransomware via compromised vendor remote-access tool. Tests vendor-incident coordination, multi-system containment, and shared-infrastructure response.

Scenario B — BEC fraudulent wire transfer initiated by finance team. Tests verification protocol, financial control, and banking-partner coordination.

Scenario C — cloud account compromise via leaked GitHub credentials. Tests credential rotation, exfiltration assessment, cloud forensics.

Scenario D — insider threat with data exfiltration. Tests detection, HR-coordinated investigation, evidence preservation.

Scenario E — supply-chain compromise via npm dependency. Tests software-bill-of-materials process, build verification, customer impact assessment.

Retainer clients who run all five scenarios over a year have materially better real-incident response than clients who run none.

Documenting the retainer for regulator acceptance

For Indian regulated entities, retainer documentation matters for inspection acceptance:

Engagement letter content should explicitly include: response-time SLA, included-hour allocation, regulator-reporting workflow (CERT-In, RBI, SEBI as applicable), data-handling protocol, retention policy for forensic artefacts, jurisdiction for any disputes.

Evidence of preparation should include quarterly tabletop exercise reports, threat-intelligence briefing records, runbook update history, escalation-tree validation records.

Real-incident logs for any incidents handled under the retainer should include detection time, escalation time, containment time, regulatory-notification time, full forensic timeline, root-cause analysis, remediation evidence, and re-test confirmation.

Regulators conducting inspection ask for this documentation; retainer relationships that maintain it pass inspections faster than relationships that reconstruct documentation post-hoc.
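The rubric question about median time-to-engagement and the real-incident logs above are answerable from the same records. The following is an added example, not API4SOC2 tooling: it parses constructed incident records, measures acknowledged-to-engaged time against the contracted SLA, and flags reportable incidents notified outside the CERT-In six-hour window. The record format, the column names and the choice to start the six-hour clock at detection are assumptions of this example; the direction counts from when the incident is noticed, so align the clock start with counsel before relying on the result.

```python
"""Audit retainer incident records against the response-time SLA and the
CERT-In six-hour reporting window. Added example; not API4SOC2 tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

# Constructed sample records (assumed format, one incident per line, IST):
# id, detected, acknowledged, first_analyst_engaged, regulator_notified, reportable
SAMPLE_LOG = """\
INC-001,2026-03-01T02:10:00,2026-03-01T02:14:00,2026-03-01T02:31:00,2026-03-01T07:00:00,yes
INC-002,2026-04-12T11:00:00,2026-04-12T11:05:00,2026-04-12T11:50:00,2026-04-12T18:30:00,yes
INC-003,2026-05-03T09:00:00,2026-05-03T09:02:00,2026-05-03T09:20:00,,no
INC-004,2026-06-20T22:00:00,2026-06-20T22:10:00,2026-06-20T22:22:00,2026-06-21T03:30:00,yes
"""

# Assumption: the six-hour clock is started at detection, the conservative reading.
CERTIN_WINDOW = timedelta(hours=6)


@dataclass
class IncidentRecord:
    incident_id: str
    detected: datetime
    acknowledged: datetime
    engaged: datetime                      # first analyst engagement, the SLA end-point
    regulator_notified: Optional[datetime]  # None if not (yet) filed
    reportable: bool                        # falls under the CERT-In incident list


def parse_records(log: str) -> List[IncidentRecord]:
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed record: {line!r}")
        rid, det, ack, eng, notified, reportable = fields
        rec = IncidentRecord(
            incident_id=rid,
            detected=datetime.fromisoformat(det),
            acknowledged=datetime.fromisoformat(ack),
            engaged=datetime.fromisoformat(eng),
            regulator_notified=datetime.fromisoformat(notified) if notified else None,
            reportable=reportable.lower() == "yes",
        )
        # Reject records whose timestamps cannot be in causal order.
        if not rec.detected <= rec.acknowledged <= rec.engaged:
            raise ValueError(f"timestamps out of order in {rid}")
        records.append(rec)
    return records


def time_to_engagement_minutes(rec: IncidentRecord) -> float:
    # The SLA clock runs from acknowledged alert to first analyst engagement,
    # not from detection; a slow acknowledgement does not count against it.
    return (rec.engaged - rec.acknowledged).total_seconds() / 60


def median_time_to_engagement(records: List[IncidentRecord]) -> float:
    return median([time_to_engagement_minutes(r) for r in records])


def sla_breaches(records: List[IncidentRecord], sla_minutes: int) -> List[str]:
    return [r.incident_id for r in records
            if time_to_engagement_minutes(r) > sla_minutes]


def certin_window_misses(records: List[IncidentRecord],
                         now: Optional[datetime] = None) -> List[str]:
    """Reportable incidents notified after the deadline, plus unnotified ones
    whose deadline has already passed as of `now`."""
    misses = []
    for r in records:
        if not r.reportable:
            continue
        deadline = r.detected + CERTIN_WINDOW
        if r.regulator_notified is None:
            if now is not None and now > deadline:
                misses.append(r.incident_id)
        elif r.regulator_notified > deadline:
            misses.append(r.incident_id)
    return misses


def audit(log: str, sla_minutes: int, now_iso: Optional[str] = None) -> dict:
    records = parse_records(log)
    now = datetime.fromisoformat(now_iso) if now_iso else None
    ttes = [time_to_engagement_minutes(r) for r in records]
    return {
        "incidents": len(records),
        "median_tte_minutes": median(ttes),
        "max_tte_minutes": max(ttes),
        "sla_breaches": sla_breaches(records, sla_minutes),
        "certin_window_misses": certin_window_misses(records, now),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, sla_minutes=30).items():
        print(f"{key}: {value}")
```

Run against a year of real records, the median and maximum time-to-engagement are the numbers to put beside the vendor’s quoted SLA at renewal; a median close to the SLA ceiling means the firm is staffing to the contract, not to the incident. The same records, with detection, escalation, containment and notification times, are what an inspector asks for.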

Practical next steps

If you do not have an incident-response playbook, use the 24×7 workflow above as a starting point. If you need to verify your auditor’s empanelment, see our CERT-In Empanelled Auditor List. If you want to scope an IR retainer, our Incident Response service page walks through the model.

For a thirty-minute scoping conversation with a partner, the contact form in the site footer books the call directly. We commit to written scope, fixed retainer fee for the contract term, and 24×7 response with sub-15-minute target time-to-engagement for Enterprise-tier clients.

IR retainer FAQ

Do I need a retainer if I have an in-house security team? Most in-house teams benefit from a retainer for forensic depth, regulator-coordination expertise, and capacity overflow during major incidents. Small in-house teams especially benefit; large enterprise security teams may not.

Is the response-time SLA the same for all incident types? Generally yes. Some retainers include faster SLA for specific incident categories (ransomware, BEC) but the standard is uniform across types.

Can I test the retainer with a fake incident? Yes — quarterly tabletop exercises are built for exactly this. Real-incident-style drill testing reveals gaps before a real incident.

What is included in response hours? Analyst time spent on investigation, containment, forensic analysis, and reporting. Travel time is typically separate; engagement hours focus on substantive incident work.

Are excess hours billed at premium rates? Yes, typically. Excess-hour rates are usually 25–50% higher than the implicit included-hour rate. Procurement teams should clarify these rates upfront.

Can the retainer cover multi-entity organisations? Yes — most retainers can be scoped to cover related entities. Extending scope affects the included-hour allocation and pricing, and each entity’s regulator-reporting obligations need to be listed separately in the engagement letter.

Does the retainer include legal counsel? Generally no. Some retainers include coordination with your legal counsel; substantive legal work is separate.

What about insurance coordination? Yes for cyber-insurance carriers — the retainer typically includes coordination during incident response. Specific insurers may have preferred-vendor lists.

Can the same firm provide both VAPT and IR retainer? Yes, and many do. The same firm understanding your environment from VAPT engagement provides faster incident response. Auditor-independence is preserved if the firm is not also the assurance auditor. See our VAPT cost factors guide.

Is on-site response part of the standard retainer? Remote response is standard; on-site response is typically billed separately at daily rates plus travel. Pre-negotiating on-site rates avoids procurement friction during an active incident.

What happens if I need to terminate the retainer? Most retainers allow termination on 60–90 day notice. Pre-paid quarterly fees may be partially refundable depending on contract terms.

Does retaining one firm prevent me from engaging others? Generally no — the retainer is non-exclusive. You can engage additional firms for specific scopes, though most organisations consolidate to a single primary IR retainer.

How retainer effectiveness compounds

The retainer relationship produces compounding value when sustained over multiple years:

  • Year 1. Onboarding completes, first tabletop, first real incident if any. Substantial learning on both sides.
  • Year 2. Runbook matures based on Year 1 learnings. Tabletop scenarios diversify. The retainer firm’s knowledge of your environment becomes substantive.
  • Year 3. Knowledge base is mature. Real incidents (when they occur) are handled faster than in Year 1. The retainer becomes operational infrastructure rather than an external service.
  • Year 5+. The retainer firm has institutional knowledge of your environment that internal team turnover would otherwise have lost. Forensic baseline is established; anomaly detection is calibrated.

When to upgrade tier — practical signals

Specific signals indicate retainer-tier upgrade is warranted:

  • Customer requests indicating regulatory exposure. New customer SLAs requiring 30-minute incident response trigger upgrade from Essential to Professional.
  • Material incident exposes capacity gap. A real incident that consumed all included hours plus excess hours indicates the tier is undersized.
  • Sector regulatory change. RBI or SEBI framework updates that increase incident-response expectations may require upgrade.
  • Architectural complexity growth. Multi-cloud, multi-region, or significant headcount growth (over 200 employees) typically requires Professional or Enterprise tier.
  • Threat-actor activity increase. Sector-specific threat-actor activity (crypto-exchange targeting waves, BFSI-targeting campaign waves) may justify temporary or permanent upgrade.

What separates effective IR retainers from nominal ones

Beyond tier and SLA, qualitative differentiators emerge during real incidents:

Speed of senior engagement. The SLA promises first engagement within the contracted window; who engages varies. Effective retainers have senior responders on the call within minutes, not just a duty analyst. Whether that first-hour conversation is strategic or reactive shapes the entire response.

Quality of regulatory coordination. CERT-In, RBI, SEBI coordination during incidents is materially affected by the responder’s existing relationships with regulator-side staff. Retainers with deep regulator-coordination depth produce smoother regulator engagement.

Forensic depth. Surface forensic analysis identifies the obvious; deep forensic analysis traces attacker movement, identifies persistence mechanisms, and produces durable remediation.

Communication discipline. Effective retainers maintain hourly updates during active incidents, daily updates during investigation, written status documents at key milestones. Nominal retainers communicate sporadically and reactively.

Post-incident maturity. Effective retainers produce post-incident reports that drive systemic improvement; nominal retainers produce reports that satisfy compliance requirements without changing organisational behaviour.

The economically efficient IR retainer is not the cheapest fee at the cheapest SLA; it is the retainer scoped to your highest-risk incident type, with the right empanelment for your regulator, executed against tested tabletop scenarios, and renewed multi-year for compounding environmental knowledge.

API4SOC2 Editorial
Compliance Practice Lead, Bengaluru
Bengaluru-based partner at API4SOC2. Compliance practice covering Indian BFSI, fintech, SaaS, and capital-markets engagements. CERT-In empanelment in process. Author voice on the API4SOC2 framework explainers and regulator-cycle commentary.
Ready to scope this engagement?

Book a thirty-minute scoping call.

Tell us your framework, your stack and the deadline. You leave the call with a written scope, a fixed price in INR, and a kick-off invite.