Security leaders and their teams rely on managed detection and response (MDR) providers to deliver 24/7 security event monitoring, augment internal security operations center (SOC) analyst expertise, assist with or perform response actions, and offer assurance through threat hunting that adversaries are not present in the environment. Sometimes, however, an attack or incident becomes a breach, requiring specialized incident response (IR) services offered through the MDR provider or a third-party IR services firm and covered under attorney-client privilege. Use this report to understand the roles, responsibilities, and decision points when escalating an incident to a breach and invoking IR services.