The three retainers

Designed for how DFIR will actually be bought in 2027.

Identity-first attacks, sub-24-hour encryption windows, agent-fatigue in the buyer market, insurance carriers demanding evidence of continuous coverage. Each retainer answers one of those pressures.

R-1 · Standby

Senior DFIR on demand.

Standby is the simplest retainer we offer. No annual fee, no minimums, no envelope to commit to. You pay the standard hourly rate when an incident happens, and you get a pre-engaged senior team with a contracted 1-hour callback SLA in return.

Best for organisations that already run mature internal security, have a clear internal SOC, and just want a named DFIR partner ready to pick up when their own team needs reinforcement.

Engage Standby
  • Pre-engaged senior team.
    Same practitioners who would land on day one of an incident. Briefed before the call comes.
  • 1-hour callback SLA.
    Contracted, not best-effort. Senior practitioner on the line, not a triage queue.
  • Standard hourly rate.
    Panel-grade pricing. No surcharges for out-of-hours.
  • The Eviction Pledge included.
    Initial foothold named. Threat actor evicted. 60-day no re-breach window or follow-on response at no additional cost.
  • Pre-authorised scope.
    Engagement letter signed in advance so the first hour goes to response, not legal.

R-2 · Continuum

A known team. A known rate. A relationship that stays warm.

Continuum is the retainer for organisations that want to take the friction out of the relationship before there is an incident to manage. Annual commitment, reduced hourly, and a team that has already walked your estate, run your tabletop, and sat through your board's questions.

When the call comes, the first hour goes to containment, not introductions.

Apply for Continuum
  • Everything in Standby.
    The pre-engagement, SLA, and Eviction Pledge carry through.
  • Hourly rate −10%.
    Across every hour billed, in or out of hours, across every matter.
  • Annual tabletop exercise.
    Run against your real threat model, with the team that would actually respond. Board walk-through optional.
  • Quarterly business review.
    Threat picture, exposure, what changed in your estate, where the next investment buys the most resilience.
  • Unused hours convert.
    Retainer hours you do not spend on incidents convert to proactive work: threat hunting, compromise assessments, hardening reviews.
  • The Eviction Pledge included.

R-3 · Vanguard · flagship

The 2027 retainer. Active defence, on the stack you already own.

Vanguard layers a 24/7 managed detection and response service over the Continuum partnership. Same hands that watch are the hands that handle the IR. No second vendor, no second escalation chain, no second contract. And critically: agent and solution agnostic.

Why agent-agnostic matters in 2027.

The MDR market in 2025 / 2026 was a forced-replacement market. Most MDR vendors only run their own EDR, on their own SIEM, with their own SOAR. The customer paid to rip out what they had and start again.

Vanguard does not do that. We run the SOC on the agent and stack you already chose, whichever combination of CrowdStrike, SentinelOne, Microsoft Defender, Palo Alto, Sentinel, Splunk, Entra, Okta, the cloud-native telemetry your platform team built. We bring the detection logic, the runbooks, and the senior practitioners. You keep the licences.

  • Endpoint telemetry: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender XDR, others on request
  • SIEM / data lake: Microsoft Sentinel, Splunk, Elastic, Chronicle, native XDR data lakes
  • Identity telemetry: Entra ID, Okta, Ping, Google Workspace
  • Cloud telemetry: M365, AWS, Azure, GCP
  • Network and OT where instrumented

Vanguard, in one line

A managed defence service where the analyst watching the alert is the practitioner who runs the IR. No hand-off, no second team, no second story.

  • Everything in Continuum.
  • Hourly rate −20%.
  • 24/7 detection and response.
    Senior-led, human-first triage. No auto-close queue.
  • Agent & solution agnostic.
    Works with the stack you already chose. No lock-in.
  • Identity-first detection.
    Token theft, OAuth abuse, MFA fatigue and conditional access drift are first-class signals, not afterthoughts.
  • Containment pre-authorised.
    Written runbooks, isolation actions ready, no permission round-trip.
  • Insurance-grade evidence.
    Coverage windows, detection times and response actions logged to a standard cyber carriers accept.
  • Same hands handle the IR.
    If the alert becomes a confirmed incident, the DFIR team is already in the tenancy.
  • The Eviction Pledge included.

Side by side

What sits in each retainer.

Standby

  • 1-hour callback SLA
  • Pre-engaged senior team
  • Pre-authorised scope
  • Standard hourly rate
  • No annual fee
  • No tabletop included
  • No QBR
  • No proactive hours
  • No MDR layer
  • Eviction Pledge included

Continuum

  • Everything in Standby
  • Hourly rate −10%
  • Annual tabletop exercise
  • Quarterly business review
  • Unused hours convert to proactive
  • Threat hunting on retained hours
  • Compromise assessments on retained hours
  • Hardening reviews on retained hours
  • No MDR layer
  • Eviction Pledge included

Vanguard

  • Everything in Continuum
  • Hourly rate −20%
  • 24/7 MDR / SOC service
  • Agent & solution agnostic
  • Identity-first detection
  • Endpoint, cloud, identity, network
  • Containment pre-authorised
  • Insurance-grade evidence
  • Same hands watch and respond
  • Eviction Pledge included

What every retainer gives you

Three shared foundations.

Why we built it this way

What the buyer market is going to ask for next.

Cyber buyers in 2027 are tired of being told to rip out their stack. They have already bought CrowdStrike or SentinelOne. They have already moved to Sentinel or Splunk. They have already standardised on Entra or Okta. Most of them are not going to do it again for the privilege of being monitored.

Vanguard is built for that buyer. We bring the senior detection logic, the runbooks, the human eyes and the IR muscle. They keep the licences and the data sovereignty. The carrier gets the evidence it asks for. Everyone gets the eviction guarantee.

It is not the cheapest model in the market. It is the model that admits what the market has been telling vendors for two years.

Choose the posture

Talk to us about which retainer fits.

Quick scoping call, NDA, then a written proposal. No sales engineer in the middle.