Sophos Aims To Bring Predictable Costs To Incident Response With New Retainer

The offering seeks to expedite cyber incident response engagements — and to stand out from other retainers with its fixed-cost agreement, Sophos President Joe Levy told CRN.



Sophos announced the launch of a new retainer option that aims to enable greater predictability on cost for its incident response engagements, which provide investigation and remediation in the event of a major attack such as ransomware.

The cybersecurity vendor’s offering stands out from other incident response retainers on predictability by giving customers a fixed-cost, fixed-term agreement for the IR service, according to Joe Levy, president, CTO and chief product officer at Sophos.


Sophos designed the retainer that way after “customers were telling us they were hesitant to engage with incident response services, because they simply had no idea what it was going to cost them,” Levy said in an interview with CRN. “And they simply had no idea how long [the incident] was going to take and how long it could potentially drag on.”

Ultimately, “we wanted to make that a little easier for them to understand at the outset, so that they knew exactly what it was going to cost and how long it was going to take,” Levy said.

Another unique element of the Sophos Incident Response Retainer is that it comes with 45 days of 24/7 MDR (managed detection and response) coverage, the company said. The goal is to ensure that “we were actually fully successful in neutralizing the threat,” Levy told CRN.

“One of the last things that you want to do in a response is get to the point where you think you’ve evicted the threat actor — and the threat actor actually has some other kind of a persistent foothold that will allow them to come back and do more harm the second time around to the customer,” he said.

All in all, the Sophos Incident Response Retainer is aimed at expediting the access that customers have to response services in the wake of a ransomware attack, data breach or other major cyber incident, according to the company.

Speedy response is key amid a continued reduction in “dwell time,” or the amount of time between initial access by an attacker and the impact of their attack, Sophos said. The median adversary dwell time was eight days during the first half of 2023, down from 10 days in 2022, according to newly released figures in Sophos’ 2023 Active Adversary Report for Tech Leaders.

The incident response retainer is also optimized for Sophos channel partners to bring to their customers, Levy said.

The IR retainer enables partners to help customers “enhance their resilience, by making them much better prepared in the event that there’s some sort of a security incident that actually requires expert response,” he said.

“Resilience doesn’t mean we’re going to stop everything from happening, but rather [it’s about] being able to rebound from an attack more quickly,” Levy said.

Partner Perspective

The incident response retainer from Sophos should find strong demand from customers because it meets pressing needs, according to Karen Greer, president and CEO of Secure Content Technologies, a Cincinnati-based solution provider and longtime Sophos partner.

“If a customer has an incident, they’re already completely nervous and on edge about it. And not knowing how much that response and remediation is going to cost them just adds to the stress level,” she told CRN. “So having this be [available for] a fixed cost is a very big benefit.”

Greer said that for some customers, she may recommend utilizing Sophos’ incident response retainer as part of a larger package that also includes MDR coverage from the vendor. For customers that don’t have the budget for adopting full-blown MDR, it may still make sense for them to leverage the IR retainer to ensure they can get assistance if they’re hit with a major cyber incident, she said.

The Sophos Incident Response Retainer is being offered through partners in three tiers, with the tiers based on the number of devices within the organization, according to the company.

Proactive Security Capabilities

There are also other components included as part of the Sophos Incident Response Retainer that aim to help proactively shore up a customer’s security posture, which should prove valuable to many customers, according to Greer.

The service comes with external vulnerability scanning to provide an assessment of an environment’s security, as well as critical preparedness guidance that’s intended to reduce the likelihood of a major incident.

All in all, “the premise for partners is to get our customers to bolster their security posture,” Greer said.

And in the event that something still ends up happening, “they can react quickly — they’re not scrambling and saying, ‘I don’t know where to go. I don’t know what to do.’ It’s all right there for them and it gives them peace of mind,” she said. “And it gives us peace of mind for them.”

The incident response retainer from Sophos arrives as the company reports fast-growing adoption of its MDR offering, which the vendor has pointed to as the centerpiece of its shift to “security as a service,” its focus and top priority for investment going forward.

In April, Sophos disclosed that its MDR customer base grew by 33 percent over the prior six months, to a total of more than 16,000 customers. “We have more MDR customers than any other vendor that we’re aware of,” Sophos CEO Kris Hagerman said in an interview with CRN in May.