
SERVICES / 05

Incident response retainer (agentic IR).

Incident response in an agentic environment looks different from classical IR. The system kept running while it failed; the logs are partial; and the regulator's clock is shorter than the forensics. This retainer exists for the call that arrives at 03:00.


Audience: Builders
Engagement formats: F-03
Typical duration: Ongoing retainer
Outputs: Standing IR retainer with response SLA · Pre-incident readiness review · On-call triage and forensics support · Post-incident written report
Last reviewed: 2026-04-04

The question

Agentic systems fail in modes the firm's existing IR runbooks were not written for. The first hour of a prompt-injection compromise looks like a quiet anomaly, not an alert.

On-chain and off-chain forensics need to run in parallel during a wallet or tool-execution breach; the firm rarely has both inside the building.

This retainer is structured as a standing relationship: pre-incident readiness, on-call triage, and a written post-incident artifact every regulator now expects.

What this produces

  1. A standing retainer with a defined response SLA.
  2. A pre-incident readiness review covering logs, tool surface, and escalation paths.
  3. On-call triage and forensics support during an active incident.
  4. A written post-incident report scoped to internal and (where required) regulator audiences.
  5. A remediation roadmap with owner and tractability rankings.

How it works

Three methodology steps from the standing approach, scoped to this brief.

  1. Frame

    Read the regulator filings, the codebase, or the internal memo. Write the question that is actually being asked.

  2. Build the artifact

    The artifact named in Outputs, above. Working notes during the build are visible.

  3. Hand it off

    A meeting, not a link. Six weeks of follow-up Q&A is included.

What it’s not

This retainer is not a substitute for the firm's primary information-security function — it augments it.

I am not registered counsel; where legal advice or formal regulator notification is required, outside counsel leads.

This does not include negotiation with threat actors.

Begin

Send the question.
