# Unit 42 Incident Response Retainers Enhance Organizational Resilience

By [Wendi Whitmore](https://www.paloaltonetworks.com/blog/author/wendi-whitmore/?ts=markdown) | Sep 26, 2024 | 5 minutes

Cyberattacks have increased in speed, scale and sophistication in the past year, as is highlighted in our [2024 Unit 42 Incident Response Report](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report). We have continued to see the threat landscape evolve faster than most organizations can keep pace:

* In about 45% of our cases in 2023, attackers exfiltrated data in less than 24 hours after compromise. This means that organizations must respond within hours to stop them.
* Exploitation of internet-facing vulnerabilities increased to 39% and became the top initial access vector in our incident response cases. This jump is related to several large, automated intrusion campaigns that swept across the internet in 2023.
* Attackers are more organized, with specialized teams for different parts of the attack. They're more knowledgeable and able to use IT, cloud and security tools as weapons of offense. And they're more efficient, using processes and playbooks to quickly achieve their goals.

To illustrate how these dynamics play out in real-world scenarios, let's examine two Unit 42 incident response cases that provide valuable insights into how today's adversaries operate and the strategies that are needed to defend against them effectively.

## **Speed & Scale**

In just 13 hours, a telecom provider was [devastated by a fast-moving ransomware](https://www.paloaltonetworks.com/customers/telecom-provider-contains-ransomware-attack-and-restores-operations) attack that encrypted files across tens of thousands of systems, exfiltrated sensitive data, and brought half of their business operations to a standstill. The client urgently engaged Unit 42 to contain the attack, prevent further data exfiltration, and help restore their operations.

Within 2 hours of being called, Unit 42 began assessing the situation, quickly uncovering that the [Black Basta](https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/) ransomware had been deployed via a phishing email, leading to widespread unauthorized access. Given the speed of the attack, rapid deployment of Cortex XDR across the impacted environment within 96 hours was critical to containing the threat, allowing [Unit 42's Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response) team to begin 24/7 monitoring and threat hunting.

As part of their response, Unit 42 negotiated an 80% reduction from the initial ransom demand and successfully implemented the decryption keys to recover encrypted data. Further investigation revealed gaps in network segmentation, credential control, endpoint security and security visibility. To mitigate future risks, Unit 42 deployed additional firewalls and access control technologies, reinforcing the client's defenses against the speed and agility of evolving threat actors.

## **Sophistication**

During a recent engagement, Unit 42 responded to a [sophisticated cyberattack](https://www.paloaltonetworks.com/customers/global-business-defends-against-multiphased-muddled-libra-cyberattack) orchestrated by the threat actor [Muddled Libra](https://unit42.paloaltonetworks.com/muddled-libra/). Over one week, the client endured five targeted attacks that showcased the adversary's ability to adapt and exploit new pathways, even leveraging the client's own security tools for lateral movement and further compromise.

Unit 42 was swiftly brought in to investigate and respond, focusing on a holistic security approach that included containment and remediation. Drawing on deep knowledge of Muddled Libra's tactics, Unit 42 conducted a comprehensive assessment to identify unauthorized access and determine the full scope and impact of the attacks.

The team advised the client on immediate actions, including securing compromised accounts, isolating affected systems, reconstructing Active Directory, changing passwords and hardening firewalls. With the priority of restoring systems to a secure state, Unit 42 applied patches and reinforced network defenses. This collaboration not only mitigated the immediate threat but also helped the client enhance their long-term security posture through improved practices, awareness training and regular security assessments.

## **What It Means to Have Unit 42 on Retainer**

In today's rapidly evolving threat landscape, organizations need more than just a reactive response strategy. They need a partner who can proactively identify vulnerabilities and provide a quick, strategic response when incidents occur. This is where Unit 42 comes in. By having Unit 42 on retainer, organizations gain access to a wealth of expertise and resources that go beyond simply returning to normal operations; they gain a partner dedicated to transforming their security posture for the long term.

### **Unmatched Visibility and Expertise**

Unit 42 delivers unparalleled visibility into the latest attack trends and tactics, combined with deep expertise in countering them. Backed by extensive telemetry data from more than 80,000 Palo Alto Networks enterprise customers worldwide and one of the industry's largest threat intelligence databases, our team has access to broader telemetry than any other cybersecurity company.

### **Industry-Leading Incident Response**

Our incident response team is recognized as one of the best in the industry, handling more than 1,000 cybersecurity engagements annually. Named a leader in [The Forrester Wave for Cybersecurity Incident Response](https://www.paloaltonetworks.com/blog/2024/06/forrester-wave-for-cybersecurity-incident-response/), Unit 42 is known for its speed, precision and effectiveness in containing and mitigating incidents. But we don't just stop there. Our approach also focuses on helping organizations build resilience by transforming their security strategies and operations post incident.

### **The Power of Palo Alto Networks and Precision AI**

Leveraging the advanced capabilities of [Palo Alto Networks product platforms](https://www.paloaltonetworks.com/why-paloaltonetworks/consolidation), powered by [Precision AI](https://www.paloaltonetworks.com/precision-ai-security), we bring a level of automation and insight that keeps us, and our clients, steps ahead of threat actors every time. This combination of human expertise and AI-driven technology ensures a comprehensive, proactive approach to cybersecurity.

### **Exclusive Offer for Palo Alto Networks Customers**

Recognizing the growing need for rapid, expert intervention in today's threat environment, Unit 42 is pleased to offer our [no-cost](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/Unit42/No-Cost-Unit-42-IR-Retainer-Customer-Qualifications.pdf) Unit 42 Rapid Incident Response Retainer program, exclusively to qualified Palo Alto Networks customers. This retainer ensures that when every second counts, you have a trusted partner ready to jump into action, minimizing impact and helping you recover with confidence.

Having Unit 42 on retainer means more than just access to top-tier incident response; it means having a partner committed to your organization's security success. Don't just react to threats, stay ahead of them with Unit 42.

### **The No-Cost Unit 42 Rapid IR Retainer**

For [qualified](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/Unit42/No-Cost-Unit-42-IR-Retainer-Customer-Qualifications.pdf) Palo Alto Networks customers, the Unit 42 Rapid Incident Response Retainer offers a suite of benefits:

* The initial 250 hours of Unit 42 Incident Response services
* A 2-hour response time SLA for incident response
* 24/7/365 access to the Unit 42 Incident Response team
* Expertise in threat intelligence from Unit 42

Contact your Palo Alto Networks account manager to put Unit 42 on speed dial.

If you believe you are under attack, [contact Unit 42 directly](https://start.paloaltonetworks.com/contact-unit42.html).