Cybersecurity Incident Response Engagement Selling — 60-Min Training
Direct Answer
Cybersecurity Incident Response Engagement Selling is a 60-minute training for IR-firm BD reps and sales engineers (CrowdStrike Services, Mandiant, Unit 42, Kroll Cyber, Coveware) who answer the "we just got breached" call and need to close a $50K-$2M emergency engagement in under four hours without sounding like a vendor.
Built on NIST SP 800-61 Rev. 3, SANS Institute IR maturity research, and Coveware's ransomware negotiation data, this session drills empathy-first calm, the retainer-vs-emergency framing, 30-minute scoping discipline, attorney-client privilege via outside counsel, evidence-preservation rules, the "we don't bill while you decide" trust move, and the MSA-already-on-file accelerator.
The single rule: in the first 10 minutes, you are a paramedic, not a salesperson.
Section 1 — Why Breach Selling Is Different (5 min)
Open with the math. IBM's 2025 Cost of a Data Breach Report puts the average ransomware-driven breach at $5.08M total cost — the most expensive initial attack vector tracked. Coveware's Q4 2025 report shows the average ransom payment hit $591,988, up 57% quarter-over-quarter, with only 20% of victims paying.
That means the buyer on the other end of your phone is staring at a seven-figure decision *before they've had coffee.*
Set the frame on the whiteboard:
- The old IR sales call: Discovery questions, demo, proposal in 48 hours, follow-up nurture.
- The new IR sales call: Triage in 10 minutes. Statement of Work in 30. Engagement letter signed within 4 hours. First responder on a plane by hour 6.
- The buyer state: General Counsel is on the line, CISO is hyperventilating, CFO is calculating downtime, board chair has been notified. You are speaking to a war room, not a procurement team.
Read Mandiant's M-Trends 2025 finding aloud: the median dwell time before detection is now 10 days — but the median time from detection to *engaging an IR firm* is still under 4 hours. That four-hour window is the entire game. End the segment with the rule from Kroll's Cyber Risk playbook: *"The first call is not a sales call. It is a triage call. The sale closes itself if the triage works."*
Section 2 — The Triage Intake (15 min)
The intake is the first 30 minutes of the inbound call. Walk the room through the verbatim template — have each rep run it on a partner using a real recent breach scenario (Change Healthcare, MGM, Caesars are public enough to roleplay).
Verbatim Triage Intake Template (BD rep runs, on the phone within 60 seconds of inbound):
- First words: "I'm [Name] with [Firm]. Before anything else — is your incident response team active right now, and are you in a safe place to talk for 10 minutes?"
- Containment status: "Has anyone disconnected anything from the network yet? Powered down? Wiped? Please do not touch anything else until we talk — we need the evidence intact."
- Who's on this call: "Who's representing General Counsel, who's the CISO or IT lead, and is there outside breach counsel engaged yet? If not, we'll need them on the next call so this work falls under privilege."
- Scope signal: "Roughly how many endpoints, how many sites, cloud footprint (AWS/Azure/GCP), and is there an active ransom note or are you seeing exfil indicators?"
- Insurance: "Do you have cyber insurance? Who's the carrier and broker? They likely have a panel of approved IR firms — we should confirm we're on it before we move."
- Your next move: "I'm going to send you a two-page emergency engagement letter in the next 20 minutes. We do not bill a dollar until you sign it. Our first responder is on standby."
Coach the reps on the "do not touch" rule — SANS Institute IR research and NIST SP 800-61 Rev. 3 both identify evidence preservation as the #1 first-hour failure mode. If the IT team has already wiped a domain controller, the forensic timeline is gone and the insurance claim wobbles.
Show the bad opening: *"Tell me about your environment and we'll put together a proposal."* That's a vendor call. The CISO will hang up and dial the next firm on the panel.
Section 3 — The Empathy-First Calm (10 min)
This is the hardest skill for BD reps coming from a SaaS background. Drill it.
- Lower your voice 20%. The buyer is in fight-or-flight. Match their stress with your calm, not their pace.
- Name what they're feeling. *"This is one of the worst days of your career. I've been in this seat before. We'll get through the next 24 hours together."*
- Never say "we'll fix it." You don't know that yet. Say *"we'll contain it, scope it, and give you options."*
- Slow down the call by half. Long pauses are trust signals in a breach. Filler talk reads as panic.
- No technical jargon in the first 10 minutes. No "TTPs," no "MITRE ATT&CK," no "EDR telemetry." Plain English until the CISO uses the term first.
- Get the General Counsel's direct number. Lawyers are the actual buyer in a breach — they sign the engagement letter, they own privilege, they pay the bill.
What to NEVER say in the first call (read these aloud, slowly):
- "That's surprising — your stack should have caught that" (blames the victim, kills trust instantly)
- "Our competitor would charge you 2x" (turns triage into a vendor cage match)
- "Let me send you a deck" (no one reads decks during a breach)
- "Can you fill out our intake form?" (forms are for vendors, not paramedics)
- "We have availability starting Tuesday" (Tuesday is four ransomware payments from now)
- Anything about pricing before scope — the Coveware and Unit 42 playbooks are identical here: price is the *last* conversation, not the first.
CrowdStrike Services' internal training is blunt: in the first call, your job is to be a *trusted adult.* Useful, present, calm.
Section 4 — The "We Don't Bill While You Decide" Move (10 min)
This is the trust move that wins CrowdStrike, Mandiant, Kroll, and Unit 42 more deals than any other tactic. Run the verbatim script in pairs.
Verbatim "Don't Bill While You Decide" Script (BD rep delivers within minutes 10-15 of the first call):
BD Rep: "Here's how this works. I'm going to put a first responder on a call with your team in the next 90 minutes — no charge, no engagement letter signed yet. They'll do initial containment scoping and tell you what you're actually dealing with."
[Pause. Let the buyer breathe.]
BD Rep: "While that's happening, I'll send your General Counsel a two-page emergency engagement letter — flat-rate scoping fee, hourly thereafter, capped at [X] hours before we re-paper. We do not bill the clock until that letter is signed."
[Rep waits. Five-count silence.]
BD Rep: "If after the 90-minute call you'd rather use another firm on your insurance panel, we shake hands and you owe us nothing. No retainer pressure, no minimum, no kill fee."
[Buyer almost always exhales here. That exhale is the close.]
BD Rep: "If you do want to move forward, your MSA is already on file from [prior engagement / panel agreement / preferred-vendor list] — we can skip 60% of the paperwork. First responder onsite or remote by hour 6."
BD Rep: "Who do I send the engagement letter to — you, or your General Counsel directly?"
SANS Institute's post-incident surveys show 78% of breach victims picked the firm that put a human on the phone first and the engagement letter second. Free triage is the loss-leader that closes the $200K-$2M engagement.
Do NOT:
- Quote an hourly rate in the first call. Scope first, rate second, always.
- Send the engagement letter to the CISO. Send it to General Counsel — they sign, they own privilege, they don't get overridden by the CFO at 2 AM.
- Skip the outside breach counsel intro. Without counsel, your work product is discoverable in litigation. Every IR firm — Mandiant, Kroll, Unit 42, CrowdStrike Services — insists work flows through counsel to preserve attorney-client privilege.
- Promise a fixed price. Breaches scope-creep by definition. Flat-rate the *scoping*, hourly the *response*, cap with a re-paper trigger.
Section 5 — Retainer vs Emergency Framing and the Math (15 min)
Build the framing on the whiteboard. This is where the $500K one-time becomes a $300K/year recurring retainer that pays for three years.
The math (for a mid-market IR engagement):
- Emergency rate: $750-$1,200/hour for incident commanders; $450-$700/hour for forensic analysts (Mandiant, CrowdStrike, Unit 42 panel rates per Vendr and Gartner Peer Insights benchmarks).
- Retainer rate: 25-40% discount off emergency, with 2-hour response SLA and pre-funded hours that roll forward 12 months.
- Typical engagement: 400-800 hours over 4-6 weeks = $300K-$700K at emergency rates.
- Typical retainer: $100K-$300K/year pre-funded, applied against any incident, plus two tabletop exercises and one purple-team annually.
- The pitch: "Your IBM Cost of a Data Breach average is $5.08M. A $200K retainer is 4% of one breach. Your insurance carrier will lower your premium 8-15% for having a named IR firm on retainer — the retainer often pays for itself in premium savings alone."
Mandiant (Google Cloud) and Unit 42 (Palo Alto) both report that 65-70% of emergency engagements convert to multi-year retainers within 90 days of the final report. The window is real and short — close the retainer before the CISO's adrenaline wears off.
Common buyer objections (rehearse the comebacks):
- *"We have cyber insurance — isn't that enough?"* — Insurance pays the bill *after* the incident. A retainer means we're on the plane in 2 hours instead of 14. Coveware's data shows every additional hour of dwell time adds 3-5% to total breach cost.
- *"We'll just call you if it happens again."* — Without a retainer you're back in the inbound queue. With a retainer you skip the line, the rates are locked, and your MSA is signed. No engagement letter to negotiate at 2 AM.
- *"$200K is a lot to pay for nothing to happen."* — The retainer isn't insurance — it includes 2 tabletops, 1 purple-team, quarterly threat briefings, and 24/7 on-call. You're paying for readiness work that prevents the next breach.
- *"My board wants three quotes."* — Fine, but anchor the comparison on named responder credentials, M-Trends authorship, and panel status with your carrier — not hourly rate. The cheapest firm has the longest deployment time.
Section 6 — Commitments and Close (5 min)
Each BD rep leaves with three written commitments, taped to their monitor:
- The triage intake script is rehearsed cold with my SE partner by EOD Friday — no notes, no script in hand.
- My next inbound breach call is answered within 60 seconds, opens with empathy, and ends with a signed engagement letter within 4 hours.
- Every emergency engagement has a retainer conversation calendared for week 6 — no exceptions, no "we'll get to it."
Close by reading NIST SP 800-61 Rev. 3 aloud: *"Incident response is not a transaction. It is a relationship that begins with trust under pressure and is paid for in years of partnership."*
Then send the room out with the triage intake template pinned in the team Slack and the on-call rotation confirmed for the weekend.
FAQ
Q1: What if the prospect's insurance carrier panel doesn't include us? A: Run the 90-minute free triage anyway. Marsh, Aon, and Lockton broker teams add firms to panels mid-engagement when the client demands it. Your triage performance is the on-ramp to the panel.
Q2: How do I handle a CISO who wants to do the IR themselves with an internal team? A: Affirm the team's capability, then ask: *"Who's signing your forensic report when regulators ask?"* Internal teams can do containment, but SEC, HHS, and state AGs want a named third-party IR firm signature on the post-incident report. Mandiant and Kroll both market this as the "regulator-ready report."
Q3: What if outside counsel isn't engaged yet — do I still send the engagement letter? A: Send to the General Counsel with a note: *"We strongly recommend looping breach counsel in before signing — our work product is only privileged if it flows through outside counsel."* Firms like Mullen Coughlin and BakerHostetler are the standard breach-counsel names; offer warm intros.
Q4: How is selling IR different from selling MDR (managed detection and response)? A: MDR is a subscription motion — annual contract, named SE pre-sales cycle, 90-day procurement. IR is a paramedic motion — 4-hour close, General Counsel as buyer, engagement letter not MSA. Different muscle, same firm.
Q5: What's the right follow-up cadence after the final report is delivered? A: Week 1 post-report: lessons-learned workshop. Week 3: retainer proposal. Week 6: board readout. Quarter 2: tabletop exercise. Year 1 renewal: add MDR overlay. Unit 42 publishes this exact cadence in their post-incident playbook.
Q6: How do I price a scoping engagement when I haven't seen the environment yet? A: Flat $25K-$75K scoping fee for the first 5 business days, then re-paper at hourly with a cap. CrowdStrike Services and Kroll both use this two-stage model — it removes pricing friction in the first call while protecting margin once scope is known.
Sources
- NIST Special Publication 800-61 Revision 3, *Computer Security Incident Handling Guide*, National Institute of Standards and Technology, 2025.
- SANS Institute, *Incident Response Survey* and *IR Maturity Model*, sans.org, 2024-2025.
- Mandiant (Google Cloud), *M-Trends 2025 Report* and *Incident Response Retainer Playbook*, mandiant.com, 2025.
- CrowdStrike Services, *Cyber Front Lines Report* and *Incident Response Services Catalog*, crowdstrike.com, 2025.
- Unit 42 (Palo Alto Networks), *Incident Response Report 2025* and *Retainer Service Description*, unit42.paloaltonetworks.com, 2025.
- Kroll Cyber Risk, *Data Breach Outlook 2025* and *Cyber Risk Retainer Service Brief*, kroll.com, 2025.
- Coveware, *Quarterly Ransomware Reports Q1-Q4 2025*, coveware.com, 2025.
- IBM Security, *Cost of a Data Breach Report 2025*, ibm.com/reports/data-breach, 2025.