Incident Response (IR) Retainer Selling to the CISO and General Counsel — 60-Min Training
Direct Answer
Incident Response (IR) Retainer Selling to the CISO and General Counsel is a 60-minute training for IR-firm sellers and account directors running $75K–$1.2M retainer cycles against incumbents like Mandiant (Google Cloud), CrowdStrike Services, Unit 42 (Palo Alto Networks), Kroll Cyber, Stroz Friedberg (Aon), Arete IR, CyberCX, Booz Allen DarkLabs, Charles River Associates, and CYE Coyote.
The session teaches sellers to qualify against the three-buyer reality (CISO, General Counsel, Cyber-Insurance Broker), run a structured discovery on response-time-SLA and forensic-defensibility economics, present retainer-structuring options, and trap-set the multi-year renewal at month 11.
Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.
Section 1 — Why IR Retainer Selling Is Different (5 min)
Open the room by killing the SaaS-seller default. IR retainers are legal-and-insurance-driven, not security-driven. The General Counsel funds the retainer for privileged investigation protection; the CISO operationalizes it; the cyber-insurance broker selects from a panel of pre-approved IR firms.
Set the frame on the whiteboard.
- Three buyers, one driver. General Counsel funds for attorney-client privilege protection during incident investigations; CISO operationalizes; broker maintains the panel. Coalition's 2026 binding data shows ~88% of mid-market policies include a pre-approved IR-firm panel.
- Response-time SLA is the differentiator. Sub-4-hour engagement with senior consultants is best-in-class; Mandiant and Unit 42 publish 2-hour SLAs for top-tier retainer holders.
- Forensic defensibility is the legal scorecard. A report that survives in litigation is worth orders of magnitude more than a faster report that doesn't. Stroz Friedberg (Aon) leads on litigation-grade reporting.
End the segment with Mark Roberge's rule: *"Sell the legal-grade investigation, not the response speed alone."*
Section 2 — The 60-Minute Discovery Block (15 min)
- Opening (3 min): "Walk me through your last 24 months of incidents — the ones that needed outside IR, and the ones that didn't."
- Response-time SLA baseline (10 min): "What's your current IR-firm engagement SLA? Sub-4 hours with senior consultants is best-in-class."
- Forensic-defensibility baseline (10 min): "Have any incidents progressed to litigation, regulator action, or insurance dispute? How did your IR firm's report hold up?"
- Retainer structure (10 min): "Is your current retainer flat-fee with discounted hourly, or pure pre-paid hours? Flat-fee retainer with discounted hourly burst is the modern bar."
- Cyber-insurance panel posture (8 min): "Which IR firms are on your carrier's pre-approved panel? Match the panel or run a parallel non-panel retainer."
- General Counsel relationship (7 min): "Does your General Counsel have a preferred outside cyber counsel? IR firms work under the cyber counsel."
- Renewal posture (5 min): "When is your current retainer up? What contractual extraction friction would we navigate?"
Section 3 — The Retainer-Scoping Workshop That Wins (15 min)
Failure modes to ban:
- Generic SLA quotes without scope detail.
- Hourly-only retainers that consume budget without a ceiling.
- Single-persona scoping (without the General Counsel).
Wins to coach:
- Joint legal-and-security scoping session. Walk through Mandiant's and Unit 42's published retainer-scoping agendas; both insist on a joint legal-and-security workshop before binding.
- Named senior consultant assignment. Identify the named senior consultants (with credentials) who will respond.
- Tabletop exercise included. Bundle a half-day tabletop exercise with the retainer.
End with Andy Paul's rule: *"Show the customer their incident defensibly investigated, not your retainer hours expanded."*
Section 4 — Handling the Incumbent Trap (10 min)
The room will face Mandiant, CrowdStrike Services, and Unit 42 in eight of ten enterprise deals. Coach the room on three counter-moves.
Counter-move 1 — The named-consultant wedge. Ask the CISO: *"Who are the named senior consultants on your incumbent's retainer? Mandiant and Unit 42 publish named consultants; if your incumbent doesn't, you don't know who's coming."*
Counter-move 2 — The carrier-panel wedge. Ask the broker: *"Is the customer's incumbent on every major carrier's pre-approved panel? Carrier overlap protects the customer at renewal."*
Counter-move 3 — The litigation-defensibility wedge. Ask the General Counsel: *"When did your incumbent's report last survive litigation or regulator inspection? Stroz Friedberg and CrowdStrike Services publish this."*
Show Force Management's command-of-the-message rule: *"Displace on legal defensibility, not on hourly rate."*
Section 5 — Pricing Conversation and Procurement (10 min)
Landmine 1 — Flat-fee vs. Hourly retainer. Flat-fee retainer with discounted hourly burst is the modern bar.
Landmine 2 — Multi-year discount math. Three-year retainers justify 8–12% discount; five-year retainers justify 15–20%.
Landmine 3 — The procurement-only meeting. Apply the no-procurement-only rule: decline meetings where procurement is the only party in the room.
Section 6 — The Trap-Set for Renewal at Month 11 (5 min)
Trap-set 1 — Tabletop exercise within first 60 days. The tabletop becomes the General Counsel's renewal narrative.
Trap-set 2 — Quarterly readiness assessment delivered. Lock in the consultative cadence.
Trap-set 3 — Carrier-coordinated runbook. Build the customer's IR runbook with the broker in the room. The broker defends the renewal at month 11.
Trap-set 4 — Joint GC-CISO QBR. Build the QBR with both buyers. By month 11, both defend the renewal.
Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*
FAQ
Should we sell to the CISO or the General Counsel? Both, plus the cyber-insurance broker. GC funds for privilege protection; CISO operationalizes; broker enforces.
How do we handle a customer mid-Mandiant or Unit 42 retainer? Run a parallel non-panel retainer for incidents that don't qualify for carrier-panel coverage. Build proof for the displacement conversation at renewal.
What is the right retainer size for a Tier-1 enterprise? Flat-fee covering 200–400 hours annually with discounted hourly burst above is the modern bar.
How do we price against Mandiant's premium positioning? Mandiant wins on brand and named-consultant credentials; we win on flexibility and broker-aligned scoping. Position differentiated at the customer's segment.
What if the customer asks us to integrate with their existing IR runbook? Say yes: every modern IR firm integrates with the customer's existing runbook and SIEM/SOAR. Demo it live in the tabletop exercise.
Sources
- Mandiant (Google Cloud) — M-Trends Incident Response Report (2026)
- Unit 42 (Palo Alto Networks) — Annual Incident Response Report (2026)
- Coalition Inc. — Cyber Claims Report and IR Panel Survey (2026)
- Marsh McLennan — Cyber Incident Response Vendor Vetting (2026)
- Stroz Friedberg (Aon) — Litigation-Defensible Forensic Reporting Benchmarks
- CrowdStrike Services — Incident Response Customer Outcomes (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Mark Roberge — "The Sales Acceleration Formula" Premium-Pricing Chapter
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine