Pentest retainer management
one master record, every drawdown tracked

A fixed block of consultant hours per term (commonly 40, 80, or 160 hours per quarter). The client purchases capacity rather than scope; engagements draw the block down hour by hour with explicit underrun and overrun rules. Best for clients with unpredictable testing needs and a steady appetite for advisory work.

A contracted number of pentests over the term (for example, four web app tests and two infrastructure tests per year). Each engagement consumes one slot regardless of the actual hours. Easiest to invoice, cleanest for compliance audits, and the right shape when scope is predictable and the client wants budget certainty.

A defined coverage tier across the client estate (for example, all production web applications and all external infrastructure assessed once per quarter, with up to three retests per finding). The retainer guarantees coverage rather than a count of engagements. Common for clients with a fast-changing asset list and an internal compliance or assurance commitment.

A baseline of scheduled tests plus an optional advisory hours pool for ad-hoc reviews, threat modelling, scope discussions, and proposal feedback. The hybrid shape protects delivery cadence while giving the client a structured way to consume consulting time outside formal engagements. Track the test slots and the hours pool as two ledgers under the same parent retainer.

The retainer balance lives in a finance tracker that the delivery team never looks at. Engagements proceed without knowing the running balance, the client gets a surprise overrun email two days after term end, and the renewal conversation opens with an apology rather than a delivery summary.

Each pentest is opened as a standalone engagement with no reference to the master agreement. Three months in, the team has to reconstruct which tests were against the retainer and which were paid one-off projects from billing data and Slack history. The audit trail is the inbox.

The contract says nothing explicit about unused hours or overruns and the team handles each case ad-hoc. Identical situations get different answers depending on which partner picks up the call, and the inconsistency surfaces at renewal as trust erosion that nobody can point at a specific cause for.

The retainer runs for a year but each engagement starts from a clean slate because there is no shared finding history. The client sees the same recurring issue flagged across three reports because the team cannot see that they wrote the same finding nine months earlier. Aging risk debt is invisible.

The renewal conversation runs from a template deck rather than the actual delivery record. Hours figures are estimated, engagement counts are guessed, and the client recognises the lack of evidence. The renewal is either undersold or quietly attritted to a competitor that promised the same shape with cleaner numbers.

The contracted block, the running drawdown across the term, and the remaining balance at the renewal window. The figure is the actual sum of engagement-level actuals rather than a finance-team approximation, so the conversation starts from one source of truth.

A list of every engagement run under the retainer with the scope, the hours planned and actual, the headline findings, and the close-out status. The renewal proposal cites delivery rather than describing it.

Across the full term, how many findings were opened, how many were closed, the average time to close by severity, and how many remain open against the client. The aging picture is the strongest argument for continuing the relationship; ignoring it is the strongest signal that the relationship was transactional.

Each retest tied to its original finding so the client sees verified fixes, partial fixes, regressions, and outstanding issues with the same identifiers across the term. The retainer becomes the audit trail of the security programme rather than a series of disconnected attestations.

How many engagements hit the contracted scheduling SLA, response SLA, and report turnaround SLA. Renewal pricing without this data is guesswork; with it, both sides negotiate from the same evidence.

The retainer parents pentest project management for each child engagement and retesting for verification. For always-on programmes, continuous penetration testing is the technical pattern often delivered under a retainer.

New retainers kick off through pentest client onboarding, advisory hours run through the security advisory request workflow so non-pentest consulting time draws against the retainer with a structured intake, and the parent record carries remediation tracking history across the term. At renewal, the report-ready record replaces the recap deck.

Firms that sell quarterly or annual retainers to a portfolio of clients use the master record to keep delivery, billing, and renewal evidence on one timeline. The partner who signed the agreement and the consultant who runs the next engagement see the same balance, the same SLA tier, and the same outstanding findings.

MSSPs running security testing under a managed services umbrella benefit from the parent-child structure: the MSSP owns the retainer, child engagements draw down across services (pentest, retest, advisory), and the branded portal carries one identity per client across the full programme.

Solo and small-team consultants who run retainers with a small number of named accounts get the same record-level rigour as a larger firm: contracted hours, drawdown, invoice cadence, and renewal evidence on the client record rather than across notebook pages.

Internal security functions that bill business units through internal chargebacks model the chargeback as a retainer per business unit: contracted assessment slots, drawdown per request, and an attribution trail that the finance team can reconcile without a separate ledger.

Delivery, finance, and the client read the same balance from the same record. The month-end true-up is reconciliation rather than discovery, and the next engagement is scoped against the actual remaining block rather than against a guess.

Hours consumed, engagements delivered, findings closed, retests run, and SLA performance come straight off the retainer record. The renewal proposal is built on real delivery, not on a recap deck written from memory three weeks before the term ends.