Incident Response Retainer and Advisory Services

Prepare for and resolve security incidents quickly and effectively to minimize your business impact

Any organization using information technology is a target for data theft, ransomware, denial of service attacks, and other nefarious attacks – no one is immune. For companies holding customer-sensitive information, federally or state-protected information, personal health information, or even trade secret information, developing an effective incident response plan is crucial.

Coalfire’s comprehensive Incident Response Services help organizations prepare for cyber incidents before they happen, coordinate response when they do, and help restore operations to normal after a cyber event.

Experience addressing cyberattacks

Coalfire has nearly two decades of experience analyzing multiple types of cyberattacks, including:

  • Insider threats: The activities of former and current employees, contractors, or business associates who have inside information on the organization
  • Financial crime: Securities, credit card, and banking fraud at stock markets, payment organizations, and financial institutions
  • State-sponsored attacks: Crimes involving trade secrets and other sensitive data across a wide range of industries
  • Destructive attacks: Attacks intended to cause the victim organization pain by making information or systems unrecoverable
  • Protected Health Information (PHI): Exposure of protected health care information
  • Privacy Data and Personally Identifiable Information (PII): Exposure of information used to uniquely identify individuals

Our Offerings

Our team provides a broad set of Incident Response Services:

Our tailored approach helps clients respond to and recover from an incident, while managing regulatory requirements and reputational damage.


Specific Readiness Services include:

  • On-site or remote requirements analysis: Interview key stakeholders to assess the operational environment and determine any special requirements
  • Incident response plan development: Prepare for and respond to cybersecurity attacks more efficiently with a proven response plan
  • Annual or semi-annual status review and refresh: Review the in-place incident response plan and identify any changes it needs
  • Tabletop exercise: Hold a two-hour roleplaying session of likely attack scenarios and discuss the actions to be taken as part of the response plan

Incident Response Support includes:

  • Incident response hotline access: Access incident support related to a cyber breach, available remotely (within one to four hours) or onsite (within 12 to 24 hours)
  • Incident triage: Organization and planning for cyber incident response activities, including assistance in identifying potential indicators of compromise
  • Incident investigation / forensics: Root cause identification of the cyber incident, including bit-level analysis of memory and disk images
  • IR containment services: Identification and deployment of containment activities for compromised hosts, including potential removal or segregation of compromised hosts from the environment
  • Eradication services: Removal of malicious or unauthorized infections

Post-Incident Support includes:

  • Remediation and Engineering Support: Guidance on best practice activities and technologies to reduce the likelihood of another cyber incident

Which incident response service offering is right for you?

Our services are offered à la carte and through our Incident Response Retainer (IRR).

Our Incident Response Retainer (IRR) allows organizations to establish terms and conditions for incident response services before a cyber security incident occurs. With a retainer in place, you have experts partnering with you to proactively prepare for an incident and a trusted partner on your side when a cyber breach occurs. This proactive approach significantly reduces response time, reducing the impact of a breach.

We offer two retainer options:

| Service | Description | Standard | Enhanced |
|---|---|---|---|
| On-site or remote requirements analysis | Our team members deploy on-site for a one-day requirements analysis to interview key client stakeholders in order to assess your operational environment and determine any special requirements | X | X |
| Incident response plan development | The Coalfire team develops a basic Incident Response Plan consisting of: Incident Response Process Overview; Incident Response Team Organization Chart (tailored to client organization); Incident Response Roles and Responsibilities (tailored to client organization); Contact Lists; Incident Classification and Categorization Scheme; Incident Report Form Template | | |
| Incident response playbooks | Up to four customized playbooks containing procedures and flow charts to respond to specific incidents the client is most likely to experience | | X |
| Status reviews and refresh | Our team will conduct a review of in-place materials to determine the best method to update the content | X | |
| Tabletop exercise | A session where the Incident Response Team is assembled, given one or two distinct scenarios, and discusses actions to be taken as part of the incident response | | X |
| Incident response hotline access | Experts on standby 24x7 | X | X |
| Post incident support | Prepaid hours included with retainer subscription | 25 hours | 45 hours |
| Preferred retainer rate | Discounted hourly rate for additional incident support related to a breach – with deeper discount associated with the Enhanced Retainer | X | X |


Our unique value proposition

World-class expertise
  • Experience working hundreds of incident response cases, including some of the world’s largest and most complex
  • Our subject matter experts have worked on some of the most notable cyber breaches in US history, including malware reverse engineering to help resolve an incident, return to normal operations, and prevent recurring incidents
  • The trusted advisor and partner to many law firms, federal government agencies, and public and private organizations
Faster, high-value results
  • Enhancement for every stage in your cyber incident program
  • Rapid resolution, lowering costs significantly and empowering executives to make the right business decisions
  • Technology-agnostic – leveraging your current technology investments to provide efficient response and effective support
One stop shop: preparation, incident response, remediation
  • Coordination, communication, and reporting on every aspect of incident response activity
  • Efficient support provided because we learn your environment during the preparation phase
  • A comprehensive report of the investigation with recommendations, including executive and board-level summaries of our findings
Reliable operations
  • Customer contact within 1 to 4 hours for remote assistance, and in as little as 12 to 24 hours for onsite assistance
  • Experts on standby 24x7 to help when you need it the most