[meowface]

Security incident response is a very specialized role that the vast majority of not only ordinary tech companies but also security tech companies can't necessarily be expected to do entirely on their own in the event of suspicion of a serious breach.

This isn't hiring an auditor or consultant to recommend better security practices but more like a team of world-class detectives, investigators, and forensicists to figure out exactly what happened and how, what they might have done or taken, if they still have or could regain access, and, potentially, ideas as to who or what the culprits may be and what their objectives were. In particular, you want to have as much confidence as possible in what they may have done when they had access to your systems and that they have been effectively shut out and don't have any other access points/backdoors.

LastPass undoubtedly also has their own security incident response team - most companies probably should - but it's like the local county PD calling in the FBI when a serious or sophisticated crime occurs.