I don’t understand companies that buy a credible incident response retainer and then are terrified to activate it, even though the hours are paid for and a rate and SLA are guaranteed. When in doubt, activate your retainer! Get a fresh set of eyes! You don’t just buy the retainer for the sake of your insurer and regulator. You have specialist incident responders on call to help you and help make things better! Any legitimate company will just use the minimum required hours for the contract and situation. It isn’t a magic red button where the incident isn’t real until you press it… #infosec #DFIR
@hacks4pancakes One thing I have found is that sometimes there is a disconnect with legal, and if they activate it, it's an admission of a breach that has to be notified, etc. It's weird.
@zate that can certainly be true, but it’s incredibly unhealthy, organizationally!
@hacks4pancakes Sorry, don't want to sound like a noob, but what's an IR retainer? Is it a resource or software?
@fink_jess it’s like buying medical insurance for a cybersecurity incident or breach. Similar to having a lawyer on retainer in case you get sued. Lots of organizations can’t respond to a big incident and do the forensics in house so they retain a firm.
@hacks4pancakes ohhh not heard of that before, thanks for explaining!
@fink_jess @hacks4pancakes noobs rock! One of my favorite people is such because they're always fearlessly asking questions. 😉
Experts in the making.
@NerdShinobi @hacks4pancakes I'm already about to annoy my infosec counterpart at work on Monday about it. Something I'm not yet using in our day-to-day incident response, so keen to learn if we can borrow some ideas and concepts.
@rombat it wasn’t a subtoot, I see it all the time as a retainer provider. People spend the money but are terrified to activate.
@hacks4pancakes Similar to the mindset around raising an internal incident to a P1. We have a team that decides if it is or not because it protects someone higher up.
@hacks4pancakes Yep, I have also seen MSSP vendors providing insurance if they are selected as vendors, and still customers don't activate them. Would be keen to know why the reluctance to press the ☎️
@d0pp3l6ang3r it’s so sad
@hacks4pancakes Yep, even if they say: "Hey guys, we see x, let us know if you think it's bad, and if we should activate IR. Let us know an estimate of how many hours this will be. We have x hours with you every month; if this goes beyond that, let us know why we should prioritize this or extend those hours. For an exploratory engagement we are okay to spend Y, but if nothing yields in z hours we gotta deactivate you!" With vendors providing insurance per server, you can just say: "We use you as MSSP. If you think this is a false positive, let us know; if not, go ahead and initiate the claim process and IR."
@hacks4pancakes More times than not, I have seen the #dfir team are just super keen to validate that everything is kosher 🖖

@hacks4pancakes
Humans. (chuckle)

Many of them did get it just to appease insurance/regulations.

It IS a magic red button that makes it real.
- they have to admit it's something they can't handle
- they fear more costs in the future (see ppl not going through ins to fix car accident)
- they are sure they can fix it & not waste the experts time b/c this problem isn't THAT big

Breaking human nature is hard.
Need clauses that say if you try to go it on your own we're out.

@hacks4pancakes I think it's like "we gotta save it in case there's an even WORSE incident!"
@hacks4pancakes I think it's like the idea of "phone minutes"... you want to save them for when you REALLY need them, because you have to pay extra once they're all gone.
@hacks4pancakes I always assumed it was one of those unaccounted for psychological quirks - a "corporate/organisational ego" which is damaged by needing assistance; "We are fine until we have to ask the grown ups for help".
Esp. if there is an in-house response, they'll have to admit it is beyond their capability, and it probably knocks their pride.
@hacks4pancakes So many disorganized and egocentric places won't admit they need it. They're already getting beaten up internally because they've had an incident, so now it's downplayed and spirals to the crappy depths of internal failure. So now fully admitting they can't take care of it themselves? That's gonna be chaos, and no one thinks they're gonna see it come to light that they failed, because most public posts about IR happening do always divulge internal failure before IR teams arrived. Lots of public posts leave a bit of that stuff out.
@hacks4pancakes they spent too many years watching cartoons. You never fell off the cliff until you realized you were in mid-air.
Maybe, just maybe … this isn’t a breach if I don’t ask anyone if it’s a breach?
@hacks4pancakes This is the first time I've heard about this kind of service, and I'm a bit surprised not to have been aware of it, because I recently started a new position in a division responsible for incident response.
Could you share with me some of those companies as well as information about it? 🙏
@hacks4pancakes I think it's because usually it's not security that is the final arbiter of when something is an incident, but often legal. You're right. Use the retainer; it's what it is for.

@hacks4pancakes When legal controls the ability to activate said retainer, and convincing them it's worth the "risk" takes a month or two, just not bothering is generally the only answer.

Also, in every case I've seen, an IR retainer's cost is 100% of the IR budget line. So it's held back as insurance in case "something worse" happens tomorrow.