Microsoft Launches Incident Response Retainer Service

Microsoft has announced the launch of its Incident Response Retainer service to expand its incident response presence. The new service provides pre-paid blocks of hours for specialised incident response and recovery services before, during, and after a cybersecurity crisis.

It is contracted on an annual basis, and customers can use the retainer hours in any combination of proactive and reactive services.

Importance of Incident Response Retainers

Many organisations don’t have the time, resources, or expertise to build an in-house incident response program.

For customers that want help remediating an especially complex breach (or avoiding one altogether), incident response retainers are increasingly valuable due to market dynamics.

Microsoft IR service

Customers face persistent attacks from a growing number of vectors that cost time and money and damage reputation. Companies that were unprepared to respond to an incident saw a global average breach cost of $4.3 million ($9.44 million in the United States) in 2022.

This compares to $3.05 million ($1.3 million or 30% less) for companies with incident response and AI automation.

Capabilities of the Incident Response Retainer

The incident response retainer provides Microsoft’s fastest response times and direct access to its global team of experts. It was designed to work with cyber insurance vendors and has flexible delivery options that meet the unique needs of each customer.

The service provides an assigned Security Delivery Manager (SDM), a named SDM who will work with you throughout the year to proactively schedule services and help you get the full value of your retainer contract.

It also includes an assigned Incident Manager, a Microsoft incident response expert to guide your engagement during an active security attack.

Other capabilities of the Incident Response Retainer include intelligence-driven investigation, threat investigation, digital forensics, log analysis, malware analysis support, and attacker containment.

The service also provides assistance in recovery and remediation of critical infrastructure, removing attacker control from an environment, regaining administrative control, and tactically hardening high-impact controls to prevent future breaches.

Proactive services such as Compromise Assessments and Crisis Readiness Exercises will test your team’s defenses, increase your security posture, and improve resilience.

Benefits for Customers

Incident Response Retainer customers can rest assured that Microsoft will do everything it can to help their organization get back to business as usual if they experience a breach.

In alignment with Microsoft’s mission to empower every person and every organization on the planet to achieve more, it helps every organization it can, including new or existing Microsoft customers, customers that don’t use Microsoft Security products (this is a vendor-agnostic service), enterprise, government, education, and non-profit customers on the Microsoft commercial cloud.

Ecosystem Partnership

Microsoft is fully committed to working with an ecosystem of partners and technologies that provide customers with the flexibility to choose what fits their needs.

Microsoft has an extensive security services partner ecosystem for customers across the globe to choose from.

Its incident response and Microsoft-verified MXDR solution partners have world-class capabilities and domain expertise, each offering a broad portfolio of specialised solutions across the Microsoft security product portfolio.

New Partnership with Kivu

Microsoft also announced a new partnership with incident response provider Kivu. Microsoft and Kivu will work together to utilise existing relationships with cyber insurance providers in responding to customers’ cyber incidents.

Kivu will regard Microsoft as the premier option for post-breach remediation services when Kivu clients need them, and Microsoft will regard Kivu as a trusted partner to handle ransomware negotiations for customers seeking that service.


In May 2021, Microsoft investigated a large-scale cyberattack by the Russian state-sponsored hacking group, NOBELIUM.

The attack involved compromising an email marketing platform and using it to distribute phishing emails to targeted organizations.

Microsoft’s Threat Intelligence Center (MSTIC) discovered the attack and worked to disrupt NOBELIUM’s infrastructure and prevent further damage.

The investigation revealed that NOBELIUM was using new tactics, techniques, and procedures (TTPs) to bypass security measures and gain access to sensitive data.

Microsoft released a detailed report on the attack, which provided insights into the group’s TTPs and recommended best practices for defending against similar attacks.

The incident demonstrated the need for advanced threat intelligence and proactive incident response services, which Microsoft offers through its Incident Response Retainer.


Microsoft’s Incident Response Retainer service is a valuable offering in the cybersecurity landscape, but it’s important to note that there are alternatives available as well.

One such company is Group-IB, which offers a similar retainer service and has a strong reputation in the industry. Other companies providing incident response and recovery services include Trellix, CrowdStrike, and Mandiant.

While Microsoft’s service is vendor-agnostic and can work with customers regardless of whether they use Microsoft Security products, it’s always a good idea to explore multiple options and find the one that best fits your organization’s needs.

20 alternatives to the Windows IR retainer

Incident response retainers are becoming increasingly valuable for organizations that want help remediating complex breaches or avoiding them altogether. While Microsoft Incident Response Retainer is a popular choice, there are also many other providers worth considering.

It’s also worth noting that many cybersecurity insurance providers offer incident response services as part of their policies, so it’s important to check with your provider to see what options are available to you.

Ultimately, the key is to be prepared for a potential cybersecurity incident before it happens.

Whether you choose Microsoft’s Incident Response Retainer service, Group-IB’s offering, or another company’s solution, having a solid incident response plan in place can help minimize the impact of an attack and get your organization back to business as usual as quickly as possible.

As we come to the end of this news, we want to hear from you. What factors do you consider when choosing the right incident response service for your organization? Let us know in the comments below!
