
The MSP Incident Response Retainer: How to Build, Price, and Deliver IR as a Service

How MSPs can build, price, and deliver incident response retainers — service design, SLAs, and connecting IR to your vCISO practice.

Oussama Louhaidia · Updated April 20, 2026 · 11 min read

[Image: MSP security team running a structured incident response tabletop exercise]

Most MSPs Are Leaving Incident Response Revenue on the Table

Ask any MSP how they handle security incidents and the answer is usually some version of: “We get called in, we fix it, we bill for the time.”

That model has two problems.

First, it caps your incident revenue at whatever hours you can throw at a crisis. Second — and more important to your clients — it means they’re exposed. When something goes wrong, there’s no plan, no defined response team, no communication playbook, and no clear SLA. They’re just hoping you pick up the phone.

Incident response retainers fix both problems. For the MSP: predictable recurring revenue with a defined scope. For the client: a documented response capability they can reference in vendor questionnaires, cyber insurance applications, and board risk reviews.

The market is moving fast here. Cyber insurers are starting to ask whether clients have a retained IR provider before offering coverage. Frameworks like SOC 2 and ISO 27001 treat incident response as a core requirement, not an optional extra. And MSPs that embed IR into their security stack — rather than treating it as a break-fix service — retain clients longer and charge higher fees.

This guide covers how to build the service from the ground up: what to include, how to price it, what you need to deliver it, and how to connect it to the vCISO practice you’re already building.


What an IR Retainer Actually Is

Before you sell it, be clear on what you’re committing to.

An incident response retainer is a pre-agreed contract where the MSP provides defined IR capabilities — at a fixed monthly or annual fee — in exchange for the client’s commitment to use your team when something happens. It’s not a promise to resolve every breach; it’s a promise to have a plan, a team, and a process ready to engage within defined response times.

The core components:

  • Incident response plan (IRP): A documented, client-specific playbook covering detection, containment, eradication, recovery, and post-incident review.
  • Defined SLAs: Response time commitments — typically acknowledge within 1 hour of alert escalation, initial containment steps within 4 hours.
  • Pre-paid hours: A bank of IR hours the client draws on when an event occurs. Unused hours typically don’t roll over, but the bank gives the client a defined response budget.
  • Regular tabletop exercises: At least annually, run a simulated incident to test the plan, identify gaps, and keep the response team sharp.
  • Communication playbook: Pre-approved templates for notifying leadership, customers, and regulators — so that during a real incident, no one is drafting notifications from scratch.
  • Post-incident review: After any triggered event, a formal review that captures what happened, what worked, and what changes the plan needs.

The retainer does not cover everything. Be explicit about what’s excluded: forensic deep-dives requiring specialist tooling, public PR management, legal counsel, ransom negotiations. List these as out-of-scope in the contract and have a referral network for when they’re needed.


Structuring the Service: Tiers That Work

Most MSP IR retainers fail not because of bad technical work but because the scope is too vague. You end up absorbing hours that were never priced in, and clients feel short-changed when the response doesn’t match their expectations.

Build tiers with hard scope lines:

Tier 1 — IR Readiness

Who it’s for: smaller clients who need a plan and want to check the box for insurance or compliance purposes.

What’s included:

  • Documented incident response plan (reviewed annually)
  • One tabletop exercise per year
  • Communication templates and regulatory notification checklist
  • On-call contact number during business hours (no after-hours SLA)
  • Up to 10 pre-paid IR hours per year

What’s not included: after-hours response, forensic investigation beyond basic triage, regulatory liaison.

Pricing guide: $1,200–$1,800/month (£950–£1,400/month). Additional hours billed at retainer rate minus 20%.

Tier 2 — Active IR Retainer

Who it’s for: mid-market clients, those with cyber insurance requirements, or clients handling sensitive regulated data.

What’s included:

  • Everything in Tier 1
  • SLA: 1-hour acknowledge, 4-hour initial containment (business hours); best-effort after-hours
  • Named response lead (senior engineer or vCISO)
  • Up to 30 pre-paid IR hours per year
  • Two tabletop exercises per year (one general, one scenario-specific)
  • Integration with client MDR/EDR alerting
  • Post-incident report after any declared event

Pricing guide: $2,500–$4,500/month (£2,000–£3,500/month).

Tier 3 — Full IR Partnership

Who it’s for: clients with 24/7 SLA requirements, significant regulatory exposure (financial services, healthcare-adjacent), or those who have already experienced an incident.

What’s included:

  • Everything in Tier 2
  • 24/7 on-call SLA: 1-hour acknowledge, 2-hour initial containment
  • 50+ pre-paid IR hours per year
  • Quarterly tabletop or scenario exercises
  • Direct regulatory liaison support (GDPR breach notification, FCA, ICO)
  • Forensic evidence preservation capability
  • Board-level incident communication support

Pricing guide: $5,000–$10,000/month (£4,000–£8,000/month). This tier typically requires a partner MDR relationship if you don’t run your own SOC.


What You Need to Deliver It

Selling the retainer is the easy part. Delivering it reliably is where MSPs run into trouble.

Detection and initial triage

You can’t respond to incidents you can’t detect. Most MSPs already deploy EDR at client sites — make sure your tooling gives you:

  • Centralised alert visibility across client endpoints
  • A defined escalation path: who reviews alerts, who declares an incident, who triggers the IR plan
  • A documented triage checklist: what information you need before escalating to a full IR response

If you’re not running this yourself, partner with an MDR provider. Make sure the MDR contract is clear on what they hand off to you and when.

A real incident response plan per client

Shared templates are fine as a starting point. But the plan needs to be client-specific: who do you call inside the client organisation, what systems are in scope, what are their regulatory notification timelines (GDPR’s 72-hour window, PCI’s requirements), and where is their data backed up.

Store this inside your GRC platform — not in a SharePoint folder that no one can find during a real incident. In GetCybr’s vCISO services stack, incident response plans connect directly to the client’s risk register and control library, so updates flow both ways.

An internal response team (even a small one)

You don’t need a 10-person IR team to sell a retainer. You do need:

  • One named IR lead per client (typically the vCISO or a senior engineer)
  • Clear escalation paths if the lead is unavailable
  • A documented handoff process for after-hours or major incidents

If you’re thin on specialist forensic capability, set up a referral relationship with a dedicated IR firm before you need them. Clients understand that specialist forensics is out of scope; they don’t understand your team scrambling for contacts during a live incident.

A communication playbook

The communication piece is where most IR responses fall apart. Under pressure, people forget who to call, draft notifications that expose the client legally, or go silent when stakeholders need updates.

Build pre-approved templates for:

  • Internal escalation (IT manager → leadership → board)
  • External communication (affected customers, vendors, media — even if “we’re investigating and will update you by [time]”)
  • Regulatory notification (GDPR breach to ICO, FCA notification, sector-specific requirements)

Review these with the client’s legal team before an incident happens. Getting sign-off in advance is dramatically easier than arguing about wording at 2am.

Post-incident review process

Every triggered incident should produce a post-incident report. This is one of the most undervalued outputs of a good IR retainer: it feeds directly into the risk register, closes framework control gaps, and gives the client something concrete for their next board report or insurance renewal.

Use your GRC platform to connect the incident report to relevant controls — so you’re not manually updating evidence across multiple frameworks after a response.


Pricing Without Leaving Money Behind

Most MSPs underprice IR retainers by treating them like another managed service. IR is a specialist capability with real liability exposure. Price it that way.

A few principles:

Price the plan, not just the hours. The planning work — writing the IRP, running tabletops, reviewing and updating annually — is billable work. It’s not a free add-on. Make sure it’s either included in the retainer fee or scoped as a separate engagement.

Pre-paid hours are not hourly billing in disguise. They carry a risk premium for your team’s availability commitment. Price them above your standard billable rate if the SLA is strict.

Charge for regulatory exposure. A client processing payment card data or holding significant personal data (GDPR notifiable categories) needs more of your time and carries more liability for you. That should be reflected in the tier.

Don’t underestimate after-hours costs. If you’re committing to a 24/7 SLA, you need either on-call staffing or an on-call compensation structure. Price it in before you sell it, not after you’re covering it out of margin.

A simple pricing floor: take your annual IR delivery cost (staff time for planning, tabletops, and expected response hours), add a margin appropriate to the risk tier, and divide by 12. Then check that against market comparables — other MSPs with comparable SLAs and depth. If you’re below market, charge more.


Selling the Retainer to Existing Clients

If you already run managed services for a client, you have most of the information you need to make the IR retainer sale.

Lead with what they’ve already told you about risk. If they’ve had a near-miss with ransomware, or they came to you after a vendor breach, or they’re chasing ISO 27001 certification — use that. An IR retainer directly answers the risk they already know they have.

Connect it to their insurance. Cyber insurance questionnaires increasingly ask whether the applicant has a documented IR plan and a retained IR provider. If a client can’t answer yes, their coverage may be limited — or their premium will be higher. An IR retainer directly addresses this gap.

Tie it to the vCISO engagement if you’re running one. If you’re already acting as vCISO, the IR retainer is a natural extension: you built the plan, you know the environment, you’re already in the risk register. It would be strange for someone else to lead the response. The conversation is “this is already part of what we do — let’s formalise it with defined SLAs and pre-paid hours.”

Use tabletop exercises as a proof of concept. If a client isn’t sure the retainer is worth it, offer a standalone tabletop exercise first. Run a realistic scenario — ransomware, data exfiltration, a compromised vendor — and walk the team through how they’d respond without the retainer in place. The gaps usually sell the service.


Connecting IR to GRC and Compliance

Incident response doesn’t sit in isolation. It plugs directly into the compliance and governance work you’re already doing for vCISO clients.

Under ISO 27001 Annex A controls (A.5.24–A.5.28), organisations need to plan and prepare for incidents, manage them systematically, and learn from them. SOC 2 Trust Service Criteria require evidence that incidents are identified, contained, and reviewed. NIST CSF 2.0’s Respond and Recover functions map directly to IR plan requirements.

If your clients are on a compliance framework journey, their IR capability is evidence for multiple controls simultaneously. An IR retainer that’s properly documented and exercised generates:

  • Evidence for incident management controls
  • Documented corrective actions that feed into the risk register
  • Post-incident reviews that demonstrate continual improvement
  • Communication logs that satisfy regulatory notification requirements

Run this through a GRC platform and you’re generating audit evidence automatically rather than scrambling for it at assessment time.


The Business Case for Adding IR to Your Stack Now

The MSPs that win security practices over the next few years won’t be the ones with the cheapest managed services rates. They’ll be the ones clients trust when something goes wrong.

An IR retainer is a statement about your relationship with a client. You’re saying: we’re invested in your outcomes, not just your uptime. We’ve thought about the scenarios that keep your leadership team awake, and we have a plan for them.

That kind of trust doesn’t come from a quarterly vulnerability scan or a policy review. It comes from being the team that shows up with a playbook when everything is on fire.

Build the retainer service. Test it with a tabletop. Price it properly. And then sell it as the natural next step from wherever your security relationship with each client currently sits.

If you want to see how GetCybr connects the IR plan, vCISO governance, and GRC compliance evidence in one platform — rather than managing it across spreadsheets and documents — book a demo and we’ll walk through how other MSPs are running it.
