Cyber Resilience Retainer: Proactive security that runs on your terms, not procurement timelines.

The Theos Resilience Retainer gives regulated enterprises across APAC continuous access to proactive security services: penetration testing, red teaming, vulnerability management, tabletop exercises, and threat intelligence. Hours allocated annually. Drawn down against agreed services throughout the year. Security work that happens when it should. The programme runs on your terms.

One commercial arrangement. Continuous proactive security across your full programme. Adjustable as your priorities evolve.

OVERVIEW

What is the Resilience Retainer?

The Resilience Retainer is a pre-committed annual arrangement that gives your organisation ongoing access to proactive security services across penetration testing, red teaming, vulnerability management, tabletop exercises, and threat intelligence briefings. Hours are allocated at the start of the term and drawn down against agreed services throughout the year, so proactive security work happens on a defined cadence, on your terms. 

It is a commercial structure that removes the friction that causes security programmes to run reactively: the budget cycles, the re-scoping conversations, the delays between identifying a need and being able to act on it. Your programme runs on a cadence. The work gets done.

  • Penetration testing: scheduled engagements across agreed scope
  • Red teaming: goal-based exercises against your organisation
  • Vulnerability management: continuous scanning, prioritisation, and remediation tracking
  • Tabletop exercises: executive and technical-level simulation exercises
  • Threat intelligence: APAC-specific threat actor and incident intelligence
  • Flexibility: service mix adjusted as priorities evolve throughout the term

Your proactive security programme runs continuously, on a cadence that reflects your risk profile. Security investment is committed upfront and drawn against a plan. Your team focuses on security outcomes. Commercial terms are set once at the start of the year. Your security posture improves measurably across the year.

THE CHALLENGE

Security programmes that run on procurement cycles run reactively. The Resilience Retainer changes that.

Most organisations know which proactive security activities they should be running: annual penetration tests, periodic red team exercises, continuous vulnerability management, regular tabletop exercises. The gap between knowing and doing is almost always procurement. 

Each engagement requires its own scoping conversation, its own approval process, and its own contracting cycle. By the time the paperwork is done, the window that made the engagement timely has passed. The penetration test that should have happened before the product launch happens six weeks after it. The tabletop exercise planned for Q2 runs in Q4. The vulnerability management programme that should be continuous runs quarterly because that is as often as the team can get it approved. 

The Resilience Retainer removes that friction. The commitment is made once. The programme runs continuously.

What procurement-driven security programmes consistently produce:

  • Delayed engagements: security work approved too late to be timely
  • Gaps between assessments: exposure that accumulates between periodic point-in-time tests
  • Re-scoping overhead: time spent on commercial and legal process instead of security work
  • Reactive posture: security activity triggered by incidents or audit deadlines rather than programme cadence
  • Inconsistent coverage: some areas tested when budget allows, others deferred indefinitely

HOW IT WORKS

How the Resilience Retainer works.

1. Scope and Commitment

Theos works with your team to define the programme scope, agree the service mix, and set the annual hour commitment. The mix is built around your risk profile, your regulatory obligations, and your security programme priorities. The commitment is made once at the start of the term.

2. Programme Planning

A delivery plan is agreed at the start of the term, mapping each service to a cadence across the year. Your Customer Success Manager owns the plan and tracks delivery throughout the engagement, so that work happens when the plan says it should.

3. Draw-Down

As services are scoped and delivered throughout the year, hours are drawn down against each engagement. Theos tracks utilisation and provides visibility into remaining hours at each reporting cadence. Your team always knows where the retainer stands and what is coming next.

4. Flexibility

The Resilience Retainer is designed to flex with your priorities. If your focus shifts mid-year, or a regulatory requirement accelerates the need for a specific engagement, hours can be reallocated. Adjustments are agreed between your team and your Theos Customer Success Manager without requiring a new commercial process.

5. Reporting and Review

Theos provides regular programme reporting covering utilisation, completed engagements, findings to date, and upcoming delivery. Quarterly reviews with your Customer Success Manager keep the programme aligned to your evolving priorities and confirm the cadence for the next period.

SERVICES COVERED

What Resilience Retainer hours can be applied to.

  • Penetration testing and VAPT

    network, web application, mobile, API, cloud, and infrastructure

  • Red teaming

    goal-based adversary simulation, intelligence-led engagements, threat actor emulation

  • Purple teaming

    collaborative detection and response validation exercises

  • Vulnerability management

    continuous scanning, risk-based prioritisation, remediation tracking

  • Tabletop exercises

    foundation, intermediate, and advanced formats for technical and executive teams

  • Threat intelligence briefings

    APAC-specific threat actor intelligence and sector-relevant briefings

  • IR preparedness

    playbook development, plan review, and response capability assessment

  • Phishing exercises

    simulated phishing campaigns and awareness measurement

BENEFITS 

What the Resilience Retainer delivers for your organisation.

  • Programme continuity

    security work runs on a cadence aligned to your risk profile

  • Commercial simplicity

    one arrangement covering multiple services across the year

  • Flexibility

    service mix adjustable as priorities evolve, agreed with your CSM

  • Customer Success Management

    a dedicated CSM owns delivery and tracks programme progress

  • Regulatory confidence

    documented proactive programme evidence for regulators and insurers

  • Compounding intelligence

    findings from each engagement feed into the next, building programme depth across the year

  • Continuity of team

    the same Theos practitioners across every engagement throughout the term

RESILIENCE RETAINER vs IR RETAINER

Resilience Retainer and IR Retainer: designed to work together.

The two retainers are complementary. They cover different parts of the security lifecycle and are designed to be held simultaneously.

Purpose
  Resilience Retainer: Proactive. Continuous security programme delivery.
  IR Retainer: Reactive. Priority access when an incident occurs.

When activated
  Resilience Retainer: Throughout the year, on a planned cadence.
  IR Retainer: At the moment of an incident.

Services covered
  Resilience Retainer: VAPT, red teaming, vulnerability management (VM), tabletop exercises (TTX), threat intelligence, and more.
  IR Retainer: Incident response and digital forensics.

Commercial structure
  Resilience Retainer: Annual hour pool, drawn down across agreed services.
  IR Retainer: Retainer fee covering priority access and defined SLAs.

Can be held together
  Both: Yes. Designed to be held simultaneously.

Outcome
  Resilience Retainer: Stronger security posture. Fewer incidents.
  IR Retainer: Faster, better-managed incident response when one occurs.

USE CASES

Who the Resilience Retainer is built for.

Regulated enterprises managing security across multiple APAC markets

Regulated enterprises managing security programmes across multiple APAC markets face different regulatory obligations, different testing cadences, and different threat exposures in each jurisdiction. The Resilience Retainer provides the commercial flexibility to allocate hours across markets and services without requiring separate engagements for each.

Security teams that need a structured programme running on a defined cadence

For CISOs and security leads managing multiple workstreams, the Resilience Retainer removes the overhead of repeated scoping and contracting. The programme is planned at the start of the year. The team delivers against it. Security work happens when it should.

Organisations preparing for regulatory review or insurer scrutiny

Regulators and insurers increasingly look for evidence of a structured, continuous proactive security programme rather than point-in-time assessments. The Resilience Retainer provides the documented programme cadence and delivery record that constitutes that evidence.

Organisations that want a single partner across multiple service lines

Managing separate vendors for penetration testing, red teaming, vulnerability management, and tabletop exercises creates overhead and loses the intelligence that compounds when the same team sees your environment across every engagement. The Resilience Retainer consolidates that into a single relationship with a single team.

PROOF 

What continuity produces.

4+

Average Years, Key Retainer Relationships

200+

Offensive Engagements Delivered Per Year

8.9

Client Satisfaction Score

20+

APAC Markets Served

Hear it from our clients

What outcome accountability looks like in practice.

THEOS operates across Singapore, Hong Kong, Malaysia, and the Philippines, serving regulated enterprises where the cost of a breach is highest. What our clients describe is not a vendor relationship. It is a security partnership. 

Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed.

Head of Information Security
Financial Services Institution, Hong Kong
Service: Red Team | HKMA iCAST

The engagement identified gaps our existing programme had not surfaced. The findings went directly into our regulatory submission and the gaps have since been remediated.

Head of Information Security
Financial Services Institution, Singapore
Service: Red Team

Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference.

Head of Information Security
Joint Venture Insurance Group, Malaysia
Service: Tabletop Exercise Security

We called Theos during an active ransomware incident. Two weeks later the threat was contained. We have not used another security provider since.

Head of IT
Major Commercial and Real Estate Group, Philippines
Service: Incident Response | MDR

WHY THEOS

Why the Theos Resilience Retainer

Intelligence that compounds across every engagement

When the same team delivers your penetration test, your red team exercise, and your tabletop, the findings from each engagement inform the next. A vulnerability identified in a VAPT becomes a scope input for the red team. A detection gap found in a purple team exercise becomes a detection rule in MDR. A coordination failure surfaced in a tabletop becomes a playbook improvement. That compounding only happens when there is continuity of team and continuity of programme.

Continuity of team across every engagement

Theos retainer clients work with the same senior practitioners across every engagement throughout the term. For organisations managing complex, evolving security programmes across multiple markets, that continuity has compounding value. Practitioners who know your environment, your risk profile, and your regulatory obligations arrive at each engagement already ahead.

A dedicated Customer Success Manager

Every Resilience Retainer client has a dedicated Customer Success Manager who owns programme delivery from start to finish. The CSM tracks utilisation, manages the delivery calendar, coordinates engagements, and ensures the programme runs on cadence. When priorities shift, the CSM manages the adjustment without requiring your team to start a new commercial process.

Flexibility built into the structure

The Resilience Retainer is designed to flex with your organisation. If a regulatory requirement accelerates the need for a specific engagement, hours are reallocated. If a new risk surface emerges mid-year, the service mix adjusts to cover it. The commitment is made once. The programme adapts continuously.

One partner across your full proactive security programme

Managing separate vendors across your proactive security programme creates coordination overhead, re-briefing cycles, and gaps in continuity. The Resilience Retainer consolidates that into a single relationship, a single commercial arrangement, and a single team accountable for your programme outcomes.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

The Resilience Retainer gives your organisation the structure to run a proactive security programme on its own terms: one commitment, a full programme, a team that stays accountable across the year.

We deliver outcomes.

Talk to Theos

FAQ

Frequently Asked Questions

The questions organisations ask most often before committing to a Resilience Retainer.

What is the Resilience Retainer?

The Resilience Retainer is a pre-committed annual arrangement that gives your organisation ongoing access to proactive security services across penetration testing, red teaming, vulnerability management, tabletop exercises, and threat intelligence briefings. Hours are allocated at the start of the term and drawn down against agreed services throughout the year, so proactive security work happens on a defined cadence, on your terms.

How is it different from the IR Retainer?

The IR Retainer is reactive: it guarantees access to experienced responders when an incident occurs. The Resilience Retainer is proactive: it ensures your organisation is continuously testing, validating, and strengthening its security posture before an incident occurs. The two retainers are complementary and can be held simultaneously.

What services can retainer hours be applied to?

Retainer hours can be applied across penetration testing and VAPT, red teaming and adversary simulation, vulnerability management, tabletop exercises at executive and technical levels, and threat intelligence briefings. The mix of services is agreed at the start of the term and can be adjusted as priorities evolve.

How does the draw-down model work?

At the start of the engagement, a pool of hours is agreed based on your anticipated programme requirements. As services are scoped and delivered throughout the year, hours are drawn down against each engagement. Theos tracks utilisation and provides visibility into remaining hours at each reporting cadence, so your team always knows where the retainer stands.

Can we adjust the mix of services during the term?

Yes. The Resilience Retainer is designed to flex with your priorities. If your focus shifts from penetration testing to red teaming mid-year, or a regulatory requirement accelerates the need for a tabletop exercise, hours can be reallocated. Adjustments are agreed between your team and your Theos Customer Success Manager.

What is the minimum commitment?

The structure is designed to be flexible above a defined minimum, giving clients the room to run a meaningful proactive programme without over-committing at the outset. Minimum commitment and pricing are defined during scoping based on your environment, risk profile, and the services you want to include. Contact Theos to discuss what the right structure looks like for your organisation.

Can the Resilience Retainer be held alongside the IR Retainer?

Yes. The two retainers are designed to be held simultaneously. The Resilience Retainer covers proactive programme delivery. The IR Retainer covers reactive response. Together they give your organisation continuous coverage across the full security lifecycle: before, during, and after an incident.

LET US HELP YOU!