SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Zealand
International Women’s Day
385 opinions Read now

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Night corporate office cybersecurity team incident response scene
#
Ransomware
#
DevOps
#
APM

LevelBlue unveils flexible funds-based cyber IR retainer

Wed, 4th Mar 2026
Author image
By Joseph Gabriel Lagonsin, News Editor

LevelBlue has launched a new incident response retainer, the Resilience Retainer, which provides prioritised access to a network of more than 300 incident response specialists worldwide.

The product uses a funds-based model rather than fixed hourly minimums. Unused funds roll over and can be applied to other security services instead of expiring.

Incident response retainers have become a common way for organisations to secure specialist support during a breach, and they can also streamline procurement once an incident is under way. Many retainers require a minimum spend that is consumed by response hours, which can make it harder to budget for preparedness work.

LevelBlue positions the new model as a shift toward continuous readiness, and links it to the cyber insurance and legal processes that often run alongside technical containment and recovery.

Service model

Service level agreements can be as low as one hour, with the goal of moving from suspicion to active response "typically in under one hour".

Customers can allocate funds across a broader catalogue of services throughout the year, including tabletop exercises, threat hunting, security assessments and offensive security work.

Retainer customers also receive prioritised access during periods of high demand, including mass-scale cyber events that can stretch the incident response market. They also get unlimited access to named resilience experts for onboarding and planning.

Spencer Lynch, Senior Vice President of Professional Services at LevelBlue, said the company wants to move customers away from purely reactive services.

"The industry has long needed a shift from reactive firefighting to continuous resilience. By unifying unmatched depth across incident readiness and response, exposure management, and cyber advisory and transformation, coupled with a full suite of managed security under coherent operational and commercial models, we are giving our clients access to compelling resiliency offerings through a single services provider," said Spencer Lynch, Senior Vice President of Professional Services, LevelBlue.

Insurance alignment

LevelBlue emphasised insurer and legal requirements, which can shape how an investigation is conducted and how evidence is preserved. Cyber incidents often trigger parallel obligations, including notifying regulators, responding to legal demands and managing claims processes.

LevelBlue said it is approved by more than 50 cyber insurance carriers and trusted by hundreds of law firms.

It said the retainer model is compatible with insurance policies and can support reimbursement claims for funds used in response to covered incidents. Reporting is structured around insurer and regulatory expectations.

Demand for this alignment has increased as insurers tighten underwriting requirements and scrutinise incident reporting. For large organisations, external breach counsel has also become a default part of the response process, often coordinating communications, privilege strategy and engagement with forensics teams.

Consolidated teams

The Resilience Retainer packages capabilities LevelBlue has assembled through acquisitions, including Cybereason, Stroz Friedberg and Trustwave. LevelBlue said it has integrated those teams into a unified operational and commercial framework.

LevelBlue linked the retainer to that consolidation, saying it combines digital forensics, ransomware response, readiness services and threat intelligence under one structure.

It also referenced its SpiderLabs threat intelligence unit, noting that findings from active investigations feed into its intelligence and telemetry, which then informs preparedness and response work.

Devon Ackerman, Global Head of Digital Forensics and Incident Response at LevelBlue, said preparation is the deciding factor in limiting disruption during an attack.

"When a cyber incident strikes, the difference between disruption and resilience comes down to preparation. Too many organisations still treat incident response as a last-minute scramble instead of a disciplined business function. Real resilience requires tested controls, executive-aligned playbooks, and tight coordination with cyber insurance carriers and breach counsel long before an incident occurs. The Resilience Retainer brings all of that together, ensuring clients are not only ready to respond within minutes, but positioned to minimise incident impact when it matters most," said Devon Ackerman, Global Head of Digital Forensics and Incident Response (DFIR), LevelBlue.

The launch comes as incident response providers face variable demand driven by ransomware campaigns, software supply chain incidents and waves of vulnerability exploitation. During peaks, some organisations struggle to secure immediate assistance. Retainers are one way buyers secure response commitments in advance.

LevelBlue said the Resilience Retainer is available now, alongside its managed security and advisory services portfolio.

Related stories
Terra Security gains first AWS nod for AI threat tests
Misconfigured Microsoft 365 leaves big firms exposed
Dell email mixes payment-style header with promos
Private equity warned over fragile AI foundations
A resilient security culture is built in the flow of work, not the classroom

Top stories

Sama credential leaks raise fears over Meta glasses data
Hexnode debuts device-aware IdP to fuse identity & UEM
Tufin unveils AI assistants & executive security hub
Endor Labs launches AURI to secure AI-driven coding
ShinyHunters claims Woflow breach in supply chain hack