Want to become an IR provider to carriers?

Written By Dustin Bolander

Getting Carrier Work as an IR Firm: What It Actually Takes

Beltex’s founders regularly get calls from cybersecurity firms wanting to add DFIR services and get work from carriers. Regular, high paid work, and the opportunity to covert those policyholders to long term customers? What is not to like? Here’s the playbook, but it is a steep uphill climb.

Note: this is a VERY simplified orientation and guide for companies taking a first look at the space. The details and processes have much more nuance to them. Consider this merely your freshman orientation to claims, and the start of your degree in claims DFIR work. This article is also acronym heavy, if you are having to look them up…you are probably not prepared to do carrier work.

One important thing to note - each carrier handles their claims team allocations slightly differently. The predominant models are:

  • fully in-house claims team, sometimes will use third parties for overflow

  • panel arrangement with carrier claims team leading/managing

  • panel arrangement with outside legal counsel leading/managing

A full division, not a new revenue line

Carriers want DFIR providers who can take work consistently and deliver consistent quality. Every time. Claims do not care that you are at capacity, short-staffed, or testing a new tool. Carriers reputations live and die by their claims handling, and the DFIR team is the tip of the spear.

This market is crowded and unforgiving, with new players entering every month. One missed IOC, one messy restoration, one surprise invoice, or one poor communication can take you from the top of the list to “never called again.”

Do not assume you earn a real relationship after working a few claims. Many carriers want to see repeatable, strong results over dozens of claims. Some want 100-plus before they treat you like an ongoing partner and reliably send work your way.

Understand the panel reality: approved is not the same as chosen

Most cyber carriers use a panel model. Providers are preapproved, and assignments flow from that list.

In practice there are two tiers:

  • Preferred providers: steady pipeline, regular assignments.

  • Approved but idle: technically allowed, but rarely selected unless claim volume spikes or the insured requests them by name. Often times these providers get the majority of their business from brokers/agencies that prefer them and recommend to customers.

Preferred providers have an excellent track record, capacity to take claim after claim, and often innovative pricing such as fixed fee for blocks of BEC’d mailboxes.

One-off approvals exist, but you still need consent before you touch the claim

Sometimes a policyholder asks to use a DFIR firm because they were recommended, or have an existing relationship. Carriers may allow a one-off approval for that specific claim but it is on a claim by claim basis and requires explicit approval.

Do not confuse that with a green light to begin work. You cannot just do the engagement and invoice later. Carrier consent is part of the claim kickoff, typically with the claims manager or appointed legal counsel. And consent is usually tied to a practical requirement: you will be asked for a quote or estimate up front. If you cannot scope quickly and provide an estimate that looks credible, you are going to lose the opportunity. Speed is of the essence for most cyber claims.

Staffing matters: “Joe knows forensics too” does not count

For carrier work, you generally need true forensics capability on staff. Not a generalist who can do it when needed, even if they are talented.

One carrier’s IR lead says the same thing at every cybersecurity conference: if you are not doing forensics every day, you are not good enough. Carriers need DFIR firms who can produce defensible work, document cleanly, and operate without surprises. If your bench is thin, carriers will figure it out very quickly.

A practical entry point: subcontracting

If you are not getting direct assignments yet, subcontracting with an established panel provider is often the fastest way to build a claims track record. The rates are usually below market, but the trade off is real experience, paid work, and possibly the start of a carrier relationship.

Leverage this experience to approach carriers directly for work.

Key takeaways

This is a VERY difficult path to go down since most carriers have <15 DFIR providers approved, but it can be done with enough time and tenacity.

Dustin Bolander
Next

True or false? Cyber claims are getting denied due to incorrect insurance applications