
Incident Response Retainer
Reduce your incident response time and minimize breach impact with FireEye Mandiant on speed dial
The Mandiant Incident Response Retainer (IRR) gives your organization the ability to quickly identify malicious activity and receive contextual intelligence on attacks — enabling faster and more effective response to cyber incidents.
What are your business and security requirements?
Retainer agreements can be packaged in different ways to match your needs. Consider these factors.
- Budget. Confirm the number of prepaid hours and the hourly rate for additional hours.
- Unused hours. Ask what happens if you don’t use your prepaid hours during the contract term.
- Response Time. Get service level agreement (SLA) details for remote and onsite consulting. 2 or 4 hour SLAs are available.
- Terms. Confirm the length of retainer—most are 12 months—and payment terms, such as whether you need to pay up-front.
- Cyber insurance. Consider how your cyber insurance policy reimburses for incident response (IR) expenses and ask your insurer about lower premiums if you can show a proactive approach to cyber security.
Contact Us
Complete this short form to learn more about Incident Response Retainers.
Ramp up response readiness

Get access to elite Mandiant security experts and technologies
Improve your current incident preparedness and response capabilities with industry-leading expertise and technology.
- Have Mandiant experts on standby to help when you need it
- Take advantage of leading-edge advances in cyber security

Accelerate incident response speed
React faster and minimize impact with a team of experienced first-responders that will spring into action as soon as a breach is suspected.
- Get expert response within hours, not days or weeks
- Have a dedicated malware team on-call

Pre-negotiate terms and conditions
Establish contractual terms before an incident occurs for rapid incident response when it matters most.
- Eliminate paperwork-related response delays when every minute matters
- Ensure your first call focuses on action
Declaration process
Declaration Request
Initial request for assistance via web, email or phone. 2 or 4 hour SLAs available for response from Mandiant IR expert.
Initial Triage
A Mandiant IR expert reviews and assesses your situation following the request and recommends a course of action.
Official Declaration
An authorized party from your organization makes the official declaration of an incident under your IR retainer agreement.
Declaration Acceptance
Case is accepted once Mandiant and client deem IR services are needed.
Next Steps
A Mandiant lead will work with you to define initial investigation steps that typically include collecting evidence, talking to your technical teams for their observations and actions taken and determining if we need to deploy our host and network technology. The Mandiant lead then assembles a team based on the size, complexity and technologies of your environment.
Choice and
Flexibility:
What Incident Response Retainer is right for you?
The Incident Response Retainer provides two tracks of service that are designed to suit different needs and budgets.

Tier 1: No upfront costs
- Establish terms and conditions for Mandiant Incident Response (IR) services
- Define hourly rates for all incident response-related services and technologies
- Make no minimum financial commitment or pay no annual cost
- Incur costs only if you engage Mandiant Incident Response services
- Get support based on best effort and current availability
- Receive no guaranteed service level agreement (SLA)
- Gain access to the FireEye Mandiant technology stack

Tier 2: Prepaid hours and service level commitment
- Establish terms and conditions for Mandiant Incident Response (IR) services
- Gain peace-of-mind with a 4-hour SLA
- Enhanced 2-hour SLA also available
- Flexibility to repurpose unused hours on a variety of technical and strategic services
- Gain access to the FireEye Mandiant technology stack
- Work with Mandiant experts to evaluate and improve your current incident preparedness and response capabilities
- Access to Incident Response Preparedness Service
Initial response |
Service-level agreement |
Incident Response Preparedness Service |
Triage security issue Provide initial assessment based on FireEye intelligence and Mandiant experience Live response analysis of the systems to identify malicious activity |
Access to a 24/7 incident response hotline Initial contact (via email or phone) within four hours: The first contact is with a Mandiant incident responder who can immediately help with triaging the incident Case is accepted once Mandiant and client deem that incident response services are needed Enhanced two-hour SLA is also available |
Review of existing monitoring, logging and detection technologies Ensure ability to quickly contain an incident Review of current network and host architecture Evaluation of first response capabilities Collaborative planning for typical response scenarios Recommendations for areas of improvement |
Available consulting services for repurposing prepaid hours include:
Technical Services |
Strategic Services |
Education Services |
Windows Enterprise Incident Response |
Related resources
Datasheet
Incident Response Retainer
eBook
Dramatically enhance your organization’s breach response preparedness
Reasons
7 Reasons to have FireEye Mandiant on speed dial
Webinar
Breach Readiness: Next Generation of Incident Preparedness
Related products and services
Ready to get started?
Our security experts are standing by to help you with an incident or answer questions about consulting services.