As the prevalence of cybersecurity incidents increases, more organizations have been obligated to keep Incident Response firms on retaining, or hire them at full price in the midst of an intrusion. Many of the most high-profile and lauded firms have reached their maximum capacity and have waitlists for new customers. As a result, many new incident response service providers have moved to fill the gap. Some firms provide exceptional service and boast top talent. Other are unfortunately not prepared to provide quality incident response services and are essentially ambulance-chasing. This presentation will discuss reasonable expectations which a customer should have of their incident response provider, as well as an overview of the proper incident response onboarding process and technical lifecycle. Attendees will learn to recognize key indicators of good quality and warning signs of poor quality incident service.