Market Recommendations For Selecting a DFIR Partner

Delays in response to cybersecurity incidents - from malicious software, compromised identities, or compromised systems - can mean intolerable damage to finances, systems, operations, and even corporate reputations. The details of each response in each environment are unique; there is no one-size-fits-all approach.  

Organizations make significant investments in cybersecurity tools, platforms and vendors to defend their perimeter. But cyber professionals, C-suite executives and boards also know they need to be prepared, night and day, for the possibility of a successful cyber-attack. The difference maker in those moments of crisis is timely, rigorous and strategic incident response (IR). This is why choosing the service provider or vendor is extremely crucial as that will greatly determine whether an organization survives a crisis or is thrown off the deep end. 

Gartner® has put together a Market Guide for Digital Forensics and Incident Response Retainer Services which provides insights that’ll help SRM leaders understand the DFIR market, evaluate trends, refine requirements and identify market players, making it easier to choose the best partners for their organization. 

According to the Market Guide, here are areas to consider as security leaders when evaluating a DFIR provider:

• Realize that security incidents are “when it occurs” situations, rather than “if it occurs” propositions. Therefore, you should have an IR program and institute the correct processes for it, ensuring your organization understands, reviews and regularly tests those processes. 

• Consider selecting a third party to help you review your plan, create a plan for IR and, if necessary, set up an appropriate retainer-based service with an IR services provider. Recognize that your organization faces a high possibility of a breach. 

• If you are already using a provider for either MDR or managed security services, ask whether they offer an IR retainer-based service offering. This could offer faster response times and streamlined communications while actively working through an incident. This is the desired option if you prefer speed over deepest specialization. 

• Obtain evidence from your (potential) IR services provider that their consultants and analysts adhere to proper and strict processes when handling evidence. Their experts must provide clear analysis and reports that depict which data and systems are involved, how and why they are involved, and if possible, what the incident’s specific cause is. They should be able to advise what must be done to contain and eradicate the problem, and provide steps for finding future-related vulnerabilities, such as creating threat hunting use cases. 

• IR retainers are often three-year contracts. Thoroughly review the retainer contract and ensure you have prenegotiated hourly rates and the flexibility to move upfront spend from reactive to proactive services to avoid a “use it or lose it” scenario. Be careful not to buy too many preallocated hours per year, unless these can be carried over to the next year or converted to proactive services. 

• If you have a cyber insurance policy, you should consult your carrier and solicit their guidance before executing an IR retainer with a vendor. Discounts on IR retainers have been noted by clients that use the same provider for multiple security services offerings and by clients that use a recommended vendor from their cyber insurance carrier. 

As a Representative Vendor highlighted in this Market Guide, Cyderes’ Digital Forensics & Incident Response (DFIR) services can be leveraged on an emergency basis, or as an integral part of proactive cybersecurity program through IR retainers. Our team brings world-class tools and a rigorous methodology, not a rigid playbook that forces you to comply with an external definition of your incident. Cyderes DFIR teams are trained to work with your existing security tool stack to maximize the available data and offer supplemental tools as needed. 

For more on incident response and developing an incident response plan that aligns to industry frameworks, take a look at services for Digital Forensics and Incident Response at Cyderes. 

Gartner, Market Guide for Digital Forensics and Incident Response Retainer Services, Carlos De Sola Caraballo, et al, 19 June 2024 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.