Incident Response Retainer: When a breach occurs, the response has already begun.

The Theos IR Retainer gives regulated enterprises across APAC priority access to experienced incident responders before an incident happens. Contractual response under four hours. In practice, typically within one hour. Onboarding complete. Commercial terms pre-agreed. Response begins from first contact.

Contractual response SLA: under four hours. Typical engagement: within one hour of notification.
OVERVIEW

What is an Incident Response Retainer?

An incident response retainer gives your organisation priority access to experienced responders before a cyber incident occurs. When a breach happens, the team is already engaged, already onboarded, and ready to act. 

The Theos IR Retainer removes the friction that slows response when it matters most. Contracts are signed. Onboarding is complete. Response begins from the first call.

  • Retainer clients are responded to ahead of ad-hoc engagements
  • Response initiated within four hours, typically within one hour
  • Onboarding, contracting, and scoping completed before an incident occurs
  • The full Theos DFIR capability, on call
  • Retainer hours applicable to tabletop exercises, IR plan reviews, and offensive security assessments
  • Up to 25% of unused hours carry forward for renewing clients

When an incident occurs, response begins immediately. Your regulator, insurer, and board see an organisation that was prepared.

THE CHALLENGE

Every hour between detection and an engaged response team is an hour the attacker has uncontested access to your environment.

Organisations without a cyber incident retainer face a consistent and costly problem: the time between detecting an incident and having an experienced response team working the problem is measured in hours or days. 

Engaging a provider without a pre-agreed retainer requires time for introductions, contracting, legal review, and scoping before response begins. Engaging a provider you have worked with before is faster, but still carries friction if the commercial terms have not been pre-agreed. Every hour of that process is an hour the attacker has uncontested access to your environment. 

The retainer solves this. The question is not whether Theos will respond. It is already answered. The question is how fast.

What the IR Retainer prevents:

  • Faster containment: every hour saved reduces lateral movement and data exposure
  • Evidence preserved: collection begins before tracks can be covered
  • Blast radius limited: damage contained before commercial friction is resolved
  • Regulatory timelines met: notification clock runs with response already underway
  • Insurer claims supported: documentation complete when response was immediate

WHAT YOU GET

What retainer clients receive.

Priority Access

Retainer clients receive priority access to the Theos incident response and digital forensics team. When an incident occurs, retainer clients are responded to ahead of ad-hoc engagements.

Sub-Four-Hour Response SLA

The contractual response SLA for retainer clients is under four hours. In practice, the Theos team typically engages within one hour of notification. That commitment is built into the retainer agreement and holds regardless of when the incident occurs.

Pre-Agreed Engagement Processes

Onboarding, contracting, scoping, and escalation paths are all agreed before an incident occurs. When something happens, the team already knows your environment, your key contacts, and your escalation structure.

Full DFIR Capability

The IR Retainer covers the full Theos DFIR capability: incident response, digital forensics, and threat hunting. If an incident requires forensic investigation for regulatory or legal purposes, that capability is available immediately. Theos works within your existing EDR, SIEM, and cloud platforms from the first moment of engagement.

Proactive Services

Retainer hours apply across tabletop exercises, IR plan reviews, red teaming, and penetration testing. Proactive use of retainer hours builds the capability that reduces the probability and severity of an incident before it occurs.

Unused Hours Rollover

Retainer hours are designed to be used within the contract term. For renewing clients, up to 25% of unused hours carry forward into the next term, rewarding continuity and protecting the value of the retainer at renewal.

RETAINER vs AD HOC

IR Retainer vs ad-hoc engagement: the operational difference.

Response initiation
  • Theos IR Retainer: Immediate. Processes pre-agreed. Response begins from first call.
  • Ad-hoc Engagement: Delayed by contracting, scoping, and onboarding.

SLA
  • Theos IR Retainer: Contractual. Under four hours. Typically within one hour.
  • Ad-hoc Engagement: SLA subject to availability and negotiation.

Environment familiarity
  • Theos IR Retainer: Team briefed on your environment before an incident occurs.
  • Ad-hoc Engagement: Onboarding happens during the incident.

Commercial friction
  • Theos IR Retainer: None. Retainer covers response.
  • Ad-hoc Engagement: Terms negotiated under pressure, during an active incident.

Proactive services
  • Theos IR Retainer: Tabletop exercises, plan reviews, offensive security included.
  • Ad-hoc Engagement: Response only.

Unused hours
  • Theos IR Retainer: Up to 25% carry forward for renewing clients.
  • Ad-hoc Engagement: Not applicable.

Priority access
  • Theos IR Retainer: Yes. Ahead of ad-hoc engagements.
  • Ad-hoc Engagement: Subject to team availability.

HOW IT WORKS

How the IR Retainer works.

1. Onboarding

Theos completes onboarding before an incident occurs. Your environment, key contacts, escalation paths, and critical assets are documented. Engagement processes and communication protocols are agreed. The team that will respond knows your organisation before they need to act.

2. Retainer in Place

The retainer is active. Hours are allocated. Escalation contacts are confirmed. Your organisation has priority access to the Theos DFIR team, 24 hours a day, every day of the year.

3. Incident Occurs

Contact Theos via the dedicated retainer hotline or emergency contact. The team assesses the situation immediately. Remote response begins within the hour in practice, and within four hours as a contractual commitment.

4. Response and Investigation

Theos contains the incident and runs the forensic investigation in parallel. Containment actions begin immediately. The scope of the breach is established rapidly. Your leadership team has clarity on what is happening as it happens.

5. Proactive Draw-Down

Outside of incidents, retainer hours are drawn down against proactive services: tabletop exercises, IR plan reviews, penetration testing, and board briefings. Each proactive engagement builds the capability that reduces the probability and severity of an incident before it occurs.

6. Renewal and Rollover

At renewal, up to 25% of unused hours carry forward. Renewing clients benefit from a team that already knows their environment, compounding the value of continuity across each term.

USE CASES

Who the IR Retainer is built for.

Regulated enterprises with notification obligations

MAS, HKMA, BNM, and BSP all carry incident notification requirements with defined timelines. Theos delivers a managed IR retainer in Singapore and across APAC, ensuring response has already begun and evidence collection is underway before the notification clock becomes critical.

Organisations without an internal incident response capability

Building and sustaining an internal IR capability requires specialist talent that is difficult to recruit and retain. The Theos IR Retainer gives your organisation immediate access to a full DFIR team, on call, without the overhead of maintaining it internally.

Organisations that have experienced a previous incident

Organisations that have been through a breach understand the cost of delayed response. A retainer ensures that if it happens again, the team is already engaged, already familiar with the environment, and already ready to act.

Boards and leadership teams that want to demonstrate preparedness

Regulators and cyber insurers across APAC increasingly expect organisations to demonstrate incident response readiness. An IR Retainer is one of the clearest signals that readiness is genuine, not theoretical.

Organisations that want full lifecycle coverage

Held alongside the Resilience Retainer, the IR Retainer gives your organisation continuous coverage across the full security lifecycle: proactive testing and programme development before an incident, and priority response when one occurs.

PROOF 

What retainer clients experience.

  • Under 4hr: Contractual Response SLA
  • ~1hr: Typical Engagement Time
  • 5,000+: Incidents Managed Across the Practice
  • 24/7: Availability, Every Market

Hear it from our clients

What outcome accountability looks like in practice.

THEOS operates across Singapore, Hong Kong, Malaysia, and the Philippines, serving regulated enterprises where the cost of a breach is highest. What our clients describe is not a vendor relationship. It is a security partnership. 

Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed.

Head of Information Security

Financial Services Institution, Hong Kong. Service: Red Team | HKMA iCAST

The engagement identified gaps our existing programme had not surfaced. The findings went directly into our regulatory submission and the gaps have since been remediated.

Head of Information Security

Financial Services Institution, Singapore. Service: Red Team

Theos engaged credibly at board level and at SOC level in the same programme. The ability to do both simultaneously, and produce documentation that holds up to BNM examination, is what made the difference.

Head of Information Security

Joint Venture Insurance Group, Malaysia. Service: Tabletop Exercise Security

We called Theos during an active ransomware incident. Two weeks later the threat was contained. We have not used another security provider since.

Head of IT

Major Commercial and Real Estate Group, Philippines. Service: Incident Response | MDR

WHY THEOS

Why the Theos IR Retainer.

Speed that comes from readiness, built before the incident.

The sub-four-hour SLA is a contractual obligation backed by a team that is on call, with processes pre-agreed and an environment already known. The typical engagement time of within one hour reflects how the retainer operates in practice.

The team that responds already knows your environment

Full DFIR capability, no handoff

Theos delivers incident response and digital forensics through the same practice. Evidence is collected to legal standard from the moment of engagement. Chain of custody is maintained throughout. The investigation that supports your regulatory notification and your insurer claim is built on the same foundation as the response that contained the incident.

Proactive value built into every term 

The IR Retainer is not dormant between incidents. Retainer hours draw down against tabletop exercises, IR plan reviews, penetration testing, and board briefings throughout the year. Every proactive engagement builds the capability that reduces the probability of the incident the retainer exists to respond to.

Continuity that compounds

Renewing retainer clients carry forward up to 25% of unused hours and benefit from a team that already knows their environment at programme depth. The second year of a retainer relationship is more valuable than the first. The third more valuable than the second. Theos clients work with the same team across every term. As a cybersecurity retainer across APAC, the value compounds with continuity.

GET PROTECTED TODAY

Security is not a product you buy. It is an outcome you earn.

If an incident happened today, how long would it take your organisation to have an experienced response team working the problem? For retainer clients, the answer is already determined. For organisations without a retainer, it depends on how fast onboarding and contracting can move.

We deliver outcomes.

Talk to Theos
FAQ

Frequently Asked Questions

The questions organisations ask most often before committing to an IR Retainer.

What is an incident response retainer and why do I need one?

An incident response retainer gives your organisation priority access to experienced responders before a cyber incident occurs. When a breach happens, the team is already engaged, already onboarded, and ready to act.

What is included in the Theos IR Retainer?

The Theos IR Retainer provides priority access to Theos incident response and digital forensics specialists. Streamlined onboarding and predefined engagement processes eliminate delays when an incident occurs. Retainer clients also draw on proactive services including tabletop exercises, incident response plan reviews, and offensive security assessments.

What is the difference between a retainer and calling you when something happens?

Engaging Theos on an ad-hoc basis requires time for onboarding, contracting, and scoping before response can begin. Retainer clients receive priority access, faster mobilisation, and immediate engagement, with commercial and legal prerequisites already in place. In an active incident, that difference in response time directly affects outcomes.

How quickly do retainer clients get a response during an active incident?

Retainer clients receive priority response during an active incident. The contractual response time is under four hours, and in practice the Theos team typically engages within one hour of notification. This ensures rapid triage, containment, and guidance when time is most critical.

Does unused retainer time roll over or expire?

Retainer hours are designed to be used within the contract term. For renewing clients, up to 25% of unused hours carry forward into the next term, rewarding continuity and protecting the value of the retainer at renewal.

Can the retainer cover proactive services (tabletop exercises, plan review)?

Yes. Retainer hours can be applied across a wide range of proactive services, including tabletop exercises, incident response plan reviews, red teaming, and penetration testing. Clients also commonly use retainer time for board briefings and readiness assessments. Retainer hours are available across most Theos services, with continuous monitoring programmes handled separately.

Is an IR retainer required by insurers or regulators in APAC?

Cyber insurers and regulators across APAC increasingly expect organisations to demonstrate incident response readiness. While requirements vary by jurisdiction and insurer, having a retainer in place is a strong indicator of preparedness and can support both underwriting conversations and regulatory compliance discussions. Theos recommends confirming specific requirements with your insurer or legal counsel.

How is the retainer priced?

Retainer pricing depends on the type of engagement. Incident response work is billed on an hourly basis, with an estimated cost provided following an initial scoping call so you can confirm how to allocate your retainer hours. Proactive and project-based services may be priced on a fixed fee or hourly basis depending on scope. Pricing and scope are defined upfront before any work begins.

What happens if we need more support than the retainer covers?

Retainer hours can be topped up at any time. If retainer hours have been used for proactive services earlier in the year and an incident occurs, additional hours can be added immediately. The Theos team scopes the additional support required quickly and ensures response continues without interruption.

LET US HELP YOU!