Skip to main content
Microsoft Security

Microsoft Incident Response Retainer is generally available

The task of securing organizations is constantly changing and getting more complex. Many organizations don’t have the time, resources, or expertise to build an in-house incident response program. For customers that want help remediating an especially complex breach (or avoiding one altogether), Microsoft Incident Response offers an end-to-end portfolio of proactive and reactive incident response services. We operate in 190 countries and our incident responders are seasoned veterans with more than a combined 1,000 years of career experience resolving attacks from ransomware criminals to the most sophisticated nation-state threat actor groups.

Incident response retainers are increasingly valuable due to market dynamics

Customers face persistent attacks from a growing number of vectors that cost time and money and impact reputation. Companies that are unprepared to respond to an incident saw a global average breach cost USD4.3 million (USD9.44 million in the United States) in 2022. This compares to USD3.05 million (USD1.3 million or 30 percent less) for companies with incident response and AI automation.1 Companies that put these proactive measures in place also detected breaches 74 days faster than those without support (249 days compared to 323 days). Compounding these challenges, only 41 percent of chief executive officers (CEOs) believe they are prepared for cybersecurity crises.2 What this tells us is that customers need incident response help, and they need to engage this help proactively before a crisis happens—and Microsoft has taken note.

“My team lives and breathes incident response. I literally have to pull them away from work and make them take breaks—they love what they do, and it shows in the quality of their work,” said Dan Taylor, Head Coach of Microsoft Incident Response. “We are excited for the continued expansion of Microsoft Incident Response and the launch of our service via retainer, which improves the customer purchase experience and allows for deeper, more meaningful customer engagement.”

Overview of the Microsoft Incident Response Retainer service

The Incident Response Retainer provides pre-paid hours for highly specialized incident response and recovery services before, during, and after a cybersecurity crisis. It’s contracted on an annual basis and the retainer hours can be used in any combination of proactive and reactive services. If additional hours are needed, customers can easily uplift extra hours as requirements change.

This service provides our fastest response times and direct access to our global team of experts. It was designed to work with cyber insurance vendors and has flexible delivery options that meet the unique needs of each customer.


Who Microsoft Incident Response helps

We hope you never have to experience a breach. But if you do, you can rest assured that we will do everything we can to help your organization get back to business as usual. In alignment with Microsoft’s mission to empower every person and every organization on the planet to achieve more, we help every organization we can, including:

Ecosystem partnership

One of our core principles at Microsoft Security is security for all. Meeting the needs of all kinds of organizations means offering choice—not only in the types of services customers buy but in who they buy them from. At the end of the day, we know that a single provider can’t meet the unique needs of every organization. That’s why Microsoft is fully committed to working with an ecosystem of partners and technologies that provide customers the flexibility to choose what fits their needs. 

Microsoft has an extensive security services partner ecosystem for customers across the globe to choose from. Our incident response and Microsoft-verified MXDR solution partners have world-class capabilities and domain expertise, each offering a broad portfolio of specialized solutions across the Microsoft security product portfolio. If you are looking for partner services, please go to the Microsoft Intelligent Security Association member directory to find a solution to meet your needs.

In alignment with the expansion of our Incident Response portfolio, we are also announcing a new partnership with incident response provider, Kivu. Microsoft and Kivu will jointly work together to utilize existing relationships with cyber insurance providers in responding to customers’ cyber incidents. Kivu will regard Microsoft as the premier option for post-breach remediation services when Kivu clients need them, and Microsoft will regard Kivu as a trusted partner to handle ransomware negotiations for customers seeking that service.

“Cybercrime will never stop. We have to partner, pool talent, combine intelligence and work together with our public sector colleagues to protect organizations from cyber threats. Our alliance with Microsoft Security combines our strengths to have more impact on almost any imaginable cybersecurity issue,” said Shane Sims, CEO, Kivu Consulting, Inc. 

“Our mission is to secure the world so our customers can thrive.  Security is a team sport, and incident response is one of the most important areas for industry leaders to come together in collaboration,” said Kelly Bissell, Corporate Vice President of Security Services, Microsoft. “We look forward to working with Kivu and other partners to help customers be safe and secure against all cyberattacks. Customers can be confident that their incident response needs will be addressed so their business can thrive.”

To learn more, please visit our website or read our blogs in the Microsoft Security Experts series. For more information on purchasing the service on Unified, contact your account manager. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Cost of a Data Breach Report 2022, IBM. 2022.

2C-Suite Outlook 2023, The Conference Board. 2023.