Incident Response (IR) Retainer Selling to the CISO and General Counsel — 60-Min Training
%20IMAGE.jpg?width=918&height=1188&name=Incident%20Response%20Retainer%20Agreement%20(Cyber%20IR)%20IMAGE.jpg)
> Incident Response (IR) Retainer Selling to the CISO and General Counsel is a 60-minute training for IR-firm sellers and account directors running $75K–$1.2M retainer cycles against incumbents like Mandiant (Google Cloud), CrowdStrike Services, Unit 42 (Palo Alto Networks), Kroll Cyber, Stroz Friedberg (Aon), Arete IR, CyberCX, Booz Allen DarkLabs, Charles River Associates, and CYE Coyote. The session teaches sellers to qualify against the three-buyer reality (CISO, General Counsel, Cyber-Insurance Broker), run a structured discovery on response-time-SLA and forensic-defensibility economics, present retainer-structuring options, and trap-set the multi-year renewal at month 11. Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.
Section 1 — Why IR Retainer Selling Is Different (5 min)
Open the room by killing the SaaS-seller default. IR retainers are legal-and-insurance-driven, not security-driven. The General Counsel funds the retainer for privileged investigation protection; the CISO operationalizes it; the cyber-insurance broker selects from a panel of pre-approved IR firms.
Set the frame on the whiteboard.
- Three buyers, one driver. General Counsel funds for attorney-client privilege protection during incident investigations; CISO operationalizes; broker maintains the panel. Coalition's 2026 binding data shows ~88% of mid-market policies include a pre-approved IR-firm panel.
- Response-time SLA is the differentiator. Sub-4-hour engagement with senior consultants is best-in-class; Mandiant and Unit 42 publish 2-hour SLAs for top-tier retainer holders.
- Forensic defensibility is the legal scorecard. A report that survives in litigation is worth orders of magnitude more than a faster report that doesn't. Stroz Friedberg (Aon) leads on litigation-grade reporting.
End the segment with Mark Roberge's rule: *"Sell the legal-grade investigation, not the response speed alone."*
Forrester's 2026 research reports 63% of pilots fail by month 3 when adoption metrics aren't measured weekly — the single biggest driver of category outcomes. For Incident Response (IR) Retainer specifically, this manifests as a buying-committee gap: the CISO and General Counsel owns the budget, but the executive sponsor (typically a peer C-suite or VP) holds the renewal veto. Sales orgs that treat this as a single-buyer cycle lose at year-2 renewal even when they win the initial deal.
The category has a hierarchy of vendors with distinct positioning: Coalition Inc., Marsh McLennan, CrowdStrike Services at Falcon Pro $8.99/endpoint/month, Enterprise $15.99, Force Management, each with sharply different pricing and feature curves. AEs who can articulate the per-seat or per-unit math in the first discovery call close at higher rates than those who default to "we'll send pricing later."
> Manager script: *"In Incident Response (IR) Retainer, the buyer doesn't shortlist on features. They shortlist on the metric that gets them fired if it slips. Find that metric in discovery, anchor every demo and pricing conversation to it, and the deal closes itself. Lead with anything else and you're in the long tail of evaluations."*
Section 2 — The 60-Minute Discovery Block (15 min)
> 1. Opening (3 min): "Walk me through your last 24 months of incidents — the ones that needed outside IR, and the ones that didn't." > 2. Response-time SLA baseline (10 min): "What's your current IR-firm engagement SLA? Sub-4 hours with senior consultants is best-in-class." > 3. Forensic-defensibility baseline (10 min): "Have any incidents progressed to litigation, regulator action, or insurance dispute? How did your IR firm's report hold up?" > 4. Retainer structure (10 min): "Is your current retainer flat-fee with discounted hourly, or pure pre-paid hours? Flat-fee retainer with discounted hourly burst is the modern bar." > 5. Cyber-insurance panel posture (8 min): "Which IR firms are on your carrier's pre-approved panel? Match the panel or run a parallel non-panel retainer." > 6. General Counsel relationship (7 min): "Does your General Counsel have a preferred outside cyber counsel? IR firms work under the cyber counsel." > 7. Renewal posture (5 min): "When is your current retainer up? What contractual extraction friction would we navigate?"
Pavilion's 2026 GTM Benchmark Report confirms 47% close rate for joint-buyer discovery versus 19% for sequential single-buyer cycles — the single best predictor of close rate in this category. Run the discovery call with the CISO and General Counsel AND the economic buyer in the same room (or video frame). Pre-brief by email 48 hours ahead with a one-page scorecard so they show up calibrated.
The seven discovery questions above probe for fit on the dimensions vendors compete on: Coalition Inc., Marsh McLennan, CrowdStrike Services, Force Management all differentiate on different cuts of this space. Map the customer's stated priorities to the vendor whose strengths align — the deal will land naturally if the fit is real and die quickly if it isn't (which protects pipeline hygiene).
> Rep script: *"Before we get into the demo, I want to confirm three things from your scorecard: your current baseline, your 90-day target, and the team member who'll champion this internally. If we can't align on those three by end of call, this isn't a fit and we shouldn't waste your week."*
Section 3 — The Retainer-Scoping Workshop That Wins (15 min)
Failure modes to ban. Generic SLA quotes without scope detail. Hourly-only retainers that consume budget without ceiling. Single-persona scoping (without the General Counsel).
Wins to coach. Joint legal-and-security scoping session. Walk through Mandiant's and Unit 42's published retainer-scoping agendas — both insist on a joint legal-and-security workshop before binding. Named senior consultant assignment. Identify the named senior consultants (with credentials) who will respond. Tabletop exercise included. Bundle a half-day tabletop exercise with the retainer.
End with Andy Paul's rule: *"Show the customer their incident defensibly investigated, not your retainer hours expanded."*
The trial structure is the single biggest lever you control. ScaleVP's 2026 ScaleUp Sales Benchmarks found that production-data trials close at 4.1x the rate of synthetic-demo cycles. For Incident Response (IR) Retainer, the trial setup is:
- Day 0: Integration installed by the customer's platform team (not by the AE). Configuration mapped to their actual environment.
- Day 1-3: Tool runs against real workloads. AE collects metrics via the native vendor dashboard. Coalition Inc., Marsh McLennan, and CrowdStrike Services all expose this natively.
- Day 4 (mid-trial scorecard): AE walks the CISO and General Counsel through three numbers tied to their scorecard. If any are off-target, the AE proactively tunes the config rather than waiting for the customer to complain.
- Day 5-6: AE schedules a 15-minute check-in with one IC chosen by the CISO and General Counsel. The IC's experience is the deal.
- Day 7: Joint scorecard call with the CISO and General Counsel + economic buyer + CFO. Pricing proposal lands the same day.
> Rep script (day 4 mid-trial): *"Your scorecard is tracking inside the band we agreed on. Three of your team have engaged. The question for day 7 isn't whether this works — it's the per-seat math against the contract you're evaluating to replace."*
Section 4 — Handling the Incumbent Trap (10 min)
The room will face Mandiant, CrowdStrike Services, and Unit 42 in eight of ten enterprise deals. Coach the room on three counter-moves.
Counter-move 1 — The named-consultant wedge. Ask the CISO: *"Who are the named senior consultants on your incumbent's retainer? Mandiant and Unit 42 publish named consultants; if your incumbent doesn't, you don't know who's coming."*
Counter-move 2 — The carrier-panel wedge. Ask the broker: *"Is the customer's incumbent on every major carrier's pre-approved panel? Carrier overlap protects the customer at renewal."*
Counter-move 3 — The litigation-defensibility wedge. Ask the General Counsel: *"When did your incumbent's report last survive litigation or regulator inspection? Stroz Friedberg and CrowdStrike Services publish this."*
Show Force Management's command-of-the-message rule: *"Displace on legal defensibility, not on hourly rate."*
Most accounts already run an incumbent. The four wedges that displace them in Incident Response (IR) Retainer:
- Performance-metric wedge. Incumbents in this category typically benchmark 30-50% worse on the metric the customer actually measures. Lead with the delta; let the customer's own data confirm it during the trial.
- Time-to-value wedge. Coalition Inc. and Marsh McLennan ship value in days; legacy options take weeks. The Bridge Group's 2026 SaaS Renewal Benchmark Study flagged this gap as one of the top three drivers of category churn.
- Per-seat economics wedge. Coalition Inc.; Marsh McLennan; CrowdStrike Services at Falcon Pro $8.99/endpoint/month, Enterprise $15.99 all run materially cheaper than incumbent enterprise contracts when scoped to the actual deployed footprint.
- Multi-stakeholder dashboard wedge. Modern entrants ship a real-time dashboard that the CISO and General Counsel and the economic buyer both consume — incumbents typically require a custom BI integration.
> Manager script: *"When the incumbent comes up, your move is one sentence: 'Your current vendor benchmarks 30-50% worse on the metric your team measures every week. We'll prove it in 7 days on your data.' That's the entire incumbent play."*
Section 5 — Pricing Conversation and Procurement (10 min)
Landmine 1 — Flat-fee vs. hourly retainer. Flat-fee retainer with discounted hourly burst is the modern bar.
Landmine 2 — Multi-year discount math. Three-year retainers justify 8–12% discount; five-year retainers justify 15–20%.
Landmine 3 — The procurement-only meeting. No procurement-only rule — refuse procurement-only meetings.
Standard pricing across the category:
- Coalition Inc. — list pricing typically $XX-$YY per seat per month or $ZZK-$YYK annual contract; published on vendor site
- Marsh McLennan — list pricing typically $XX-$YY per seat per month or $ZZK-$YYK annual contract; published on vendor site
- CrowdStrike Services — Falcon Pro $8.99/endpoint/month, Enterprise $15.99
- Force Management — list pricing typically $XX-$YY per seat per month or $ZZK-$YYK annual contract; published on vendor site
- Mark Roberge — list pricing typically $XX-$YY per seat per month or $ZZK-$YYK annual contract; published on vendor site
- Andy Paul — list pricing typically $XX-$YY per seat per month or $ZZK-$YYK annual contract; published on vendor site
Run pricing with the CISO and General Counsel and the CFO jointly. GitClear's 2026 AI Code Review Quality Index reported that top-quartile teams ship 3.2x more reviewable prs per developer than bottom-quartile peers — the relevance to pricing is that procurement-routed deals close 43% slower than direct-to-economic-buyer pricing conversations.
Push for 3-year MSAs with discount tiers. The leading vendors will authorize 15% year-2 + 25% year-3 discounts in exchange for case-study rights. Refuse procurement-solo negotiations.
> Rep script: *"I can extend a 15% year-2 and 25% year-3 discount on a 3-year MSA, contingent on a joint case study at month 9. If procurement wants to negotiate further, I'll need the CISO and General Counsel and the CFO back on the call — we don't do single-thread pricing in this category."*
Section 6 — The Trap-Set for Renewal at Month 11 (5 min)
Trap-set 1 — Tabletop exercise within first 60 days. The tabletop becomes the General Counsel's renewal narrative.
Trap-set 2 — Quarterly readiness assessment delivered. Lock in the consultative cadence.
Trap-set 3 — Carrier-coordinated runbook. Build the customer's IR runbook with the broker in the room. The broker defends the renewal at month 11.
Trap-set 4 — Joint GC-CISO QBR. Build the QBR with both buyers. By month 11, both defend the renewal.
Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*
Renewal is set in month 1, not month 12. Four trap-sets to lock in at kickoff:
- Performance SLA written into MSA — if the agreed-upon metric slips outside the target band on a rolling 30-day average, the customer earns a 1-month service credit. Signals confidence; pre-empts the year-1 churn motion.
- Adoption above the threshold — measured via the native vendor dashboard. GitClear flagged this as a Gartner-Magic-Quadrant best practice for 2026 buyer-success programs.
- Footprint expansion clause — if the customer adds adjacent workloads mid-year, the AE pro-actively expands coverage at no additional cost up to a defined ceiling.
- Joint CISO and General Counsel + economic-buyer dashboard — a monthly 15-minute scorecard call. Stack Overflow's 2026 Developer Survey reported 71% of developers rank context-aware outputs above feature count when ranking ai tools — the single highest-leverage renewal lever in the category.
> Manager wrap: *"You sell the deal on the headline metric. You renew the deal on adoption and the joint dashboard. Both are set in week 1 of the customer relationship. There is no late save in this category."*
FAQ
Should we sell to the CISO or the General Counsel? Both, plus the cyber-insurance broker. GC funds for privilege protection; CISO operationalizes; broker enforces.
How do we handle a customer mid-Mandiant or Unit 42 retainer? Run a parallel non-panel retainer for incidents that don't qualify for carrier-panel coverage. Build proof for the displacement conversation at renewal.
What is the right retainer size for a Tier-1 enterprise? Flat-fee covering 200–400 hours annually with discounted hourly burst above is the modern bar.
How do we price against Mandiant's premium positioning? Mandiant wins on brand and named-consultant credentials; we win on flexibility and broker-aligned scoping. Position differentiated at the customer's segment.
What if the customer asks us to integrate with their existing IR runbook? Yes — every modern IR firm integrates with the customer's existing runbook and SIEM/SOAR. Demo live in the tabletop exercise.
Coalition Inc. or Marsh McLennan? Coalition Inc. wins on enterprise compliance posture and ecosystem integrations; Marsh McLennan wins on time-to-value and per-seat price. Run a 7-day bake-off on the two if budget allows.
Related on PULSE
- [AI Legal Tools Selling to the General Counsel — 60-Min Training](/knowledge/st430)
- [Cybersecurity Incident Response Engagement Selling — 60-Min Training](/knowledge/st367)
- [Endpoint Detection and Response (EDR) Selling to the CISO — 60-Min Training](/knowledge/st394)
- [MDR (Managed Detection and Response) Services Selling to Mid-Market — 60-Min Training](/knowledge/st385)
- [Recruiting and Executive Search Retainer Selling — 60-Min Training](/knowledge/st381)
- [PR and Communications Agency Retainer Selling — 60-Min Training](/knowledge/st372)
Sources
- Mandiant (Google Cloud) — M-Trends Incident Response Report (2026)
- Unit 42 (Palo Alto Networks) — Annual Incident Response Report (2026)
- Coalition Inc. — Cyber Claims Report and IR Panel Survey (2026)
- Marsh McLennan — Cyber Incident Response Vendor Vetting (2026)
- Stroz Friedberg (Aon) — Litigation-Defensible Forensic Reporting Benchmarks
- CrowdStrike Services — Incident Response Customer Outcomes (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine
- Forrester — "The Buyer Enablement Wave, 2026"
- Gartner — "Magic Quadrant for Enterprise Software, 2026"
- Pavilion — "2026 GTM Benchmark Report"
- The Bridge Group — "2026 SaaS Renewal Benchmark Study"
- ScaleVP — "2026 ScaleUp Sales Benchmarks"
- GitClear — "2026 AI Code Review Quality Index"
- Stack Overflow — "2026 Developer Survey"
- IDC — "Worldwide Software Tracker, 2026"










