Cost Component: Forensics · Updated May 2026

Forensics and Investigation Cost: DFIR Rates, Scope, and eDiscovery in 2026

Top-tier emergency rate: $1,500/hr
Retained avg: $300/hr
Per-engagement range: $25K-$2M
Retained response SLA: 2-4 hr

Forensics and investigation cost is one of the dominant line items in any major incident-cost stack. The cost decomposes into three independent components: Digital Forensics and Incident Response (DFIR) firm hourly time, eDiscovery for litigation-bound data, and expert-witness work for the long-tail litigation that follows most major incidents. Each has its own market pricing, retainer dynamics, and cost-control discipline. The 2024-2026 DFIR market has seen sustained price inflation as enterprise demand has outstripped credentialed-consultant supply; 2026 emergency rates are roughly 30-50% higher than 2020 equivalents.

DFIR Hourly Rate Map

DFIR hourly rates vary across three principal axes: firm tier, engagement type (emergency without retainer versus retained), and consultant seniority. The following ranges are typical 2026 market pricing for US-headquartered engagements; international rates vary somewhat (London and Singapore rates are similar; continental European rates are typically 10-20% lower; Asia-Pacific outside major hubs is 20-40% lower).

| Firm Tier | Emergency (no retainer) | Retained Rate | Notes |
|---|---|---|---|
| Top-tier (Mandiant, CrowdStrike, Kroll, Unit 42) | $800-$1,500/hr | $400-$700/hr | Senior consultant rates; partner rates 30-50% higher |
| Big-Four advisory (PwC, Deloitte, EY, KPMG) | $700-$1,400/hr | $350-$650/hr | Strong on regulatory and Board-level engagements |
| Mid-tier specialised (Stroz Friedberg, Charles River Associates, Sygnia) | $500-$1,000/hr | $300-$500/hr | Often retained-only; not always available for emergency |
| Boutique and regional | $200-$500/hr | $175-$350/hr | Variable quality; vet credentials carefully |
| MDR provider IR (CrowdStrike Falcon Complete, Sophos, Arctic Wolf) | Included in subscription | Included | Typical MDR subscription $100K-$500K/yr includes IR for covered events |

Sleep-deprivation overnight surcharges of 25-50% are common during active incident windows. Travel time at half-rate (or full-rate plus expenses for emergency on-site dispatches) is also common. The all-in effective rate for an active multi-day incident frequently runs 30-60% above the base hourly rate when surcharges are factored in.

Scope-of-Work Cost Bands

Total forensic investigation cost is a function of hourly rate and total hours, and total hours are in turn a function of investigation scope. The following bands are typical for 2026 engagements.

| Engagement Scope | Total Cost Range | Typical Duration | Notes |
|---|---|---|---|
| Single-endpoint targeted investigation | $25K-$75K | 3-10 days | Compromise of single workstation; exfiltration determination |
| Mid-scope multi-system investigation | $75K-$300K | 2-5 weeks | 10-50 endpoints, network forensics, persistence sweep |
| Large enterprise investigation | $300K-$2M | 1-3 months | Multi-region, multi-vector; persistence-aware investigation |
| Nation-state-class long-running investigation | $5M-$25M+ | 3-12+ months | SolarWinds, Storm-0558-class; adversary-tracking |
| PCI Forensic Investigator (PFI) | $50K-$300K | 2-6 weeks | Mandatory after card-data breach; defined scope per PCI SSC |
| Cyber-insurance triage | $10K-$50K | 1-2 weeks | Initial triage paid by carrier panel firm |

eDiscovery Cost

eDiscovery cost is the cost of identifying, preserving, collecting, processing, hosting, and reviewing electronically stored information for legal proceedings. For incidents that go to litigation (which is most major incidents within 2-5 years post-event), eDiscovery cost can equal or exceed the original forensic-investigation cost. eDiscovery work is priced per gigabyte rather than per hour, with separate rates for each phase of the EDRM lifecycle.

| EDRM Phase | Pricing | Notes |
|---|---|---|
| Identification and preservation | Project-based $10K-$100K | Legal-hold notices, custodian interviews, data-source mapping |
| Collection | $50-$200/GB | Forensic imaging or remote collection at scale |
| Processing | $25-$200/GB | Indexing, deduplication, metadata extraction |
| Hosting and review platform | $5-$50/GB/month | Relativity, Everlaw, Disco; year-long matters incur 12 months of hosting |
| Document review (managed) | $1-$5 per doc | Managed-review attorneys at lower rates; AI-assisted review continuing to compress cost |
| Document review (outside counsel) | $25-$200 per doc | Privilege review, key-document review by trial team |
| Production | $0.05-$0.20 per page | Bates labeling, redaction, format conversion |

For a typical 500GB matter (a moderate-size cyber-litigation matter with 5-7 custodians), total eDiscovery cost runs $200K-$2M depending on review intensity. AI-assisted review (technology-assisted review, predictive coding, GenAI-augmented review) has materially compressed review cost since 2022; well-managed AI-assisted review programs can reduce review cost 60-80% versus traditional first-pass linear review while maintaining defensible accuracy.

Expert-Witness Cost

Cyber-incident litigation almost always involves expert witnesses on both sides. Plaintiff and defense each typically retain their own technical expert plus a damages expert, and may add specialist experts on regulatory compliance, threat actor attribution, or cybersecurity standards of care. Expert engagement is one of the most consistently priced services in the cyber-litigation cost stack.

| Expert Type | Hourly Rate | Total Engagement Cost |
|---|---|---|
| Technical expert (DFIR, security architecture) | $500-$1,500/hr | $200K-$2M typical |
| Damages expert (economist, financial) | $400-$1,200/hr | $150K-$1M typical |
| Regulatory compliance expert | $400-$1,000/hr | $100K-$500K typical |
| Threat-actor attribution expert | $500-$1,500/hr | $100K-$500K typical |

Class-action matters involving multiple competing experts can reach $5M+ in expert fees. Major precedent matters (Equifax, Yahoo, Anthem long-tail) have produced expert fees in the $10M+ range. Expert work is typically not capped under defense costs (in cyber insurance terms), so the cost is borne by the defendant in addition to the underlying loss.

Retainer Economics

The DFIR retainer is one of the most consistently positive-ROI investments in any security budget. The arithmetic is robust across firm tier and organisation size.

  • Annual retainer cost: typically $10K-$100K depending on hours included and firm tier
  • Hourly rate discount: retained rates run 50-65% lower than emergency rates
  • Response SLA: typically 2-4 hours from call to active engagement, versus 24-72 hours for emergency without retainer
  • Pre-engagement value: tabletop exercises, IR plan review, threat-model alignment all included or discounted
  • Scope-creep control: existing relationship makes scope discussions more efficient and less adversarial

For an organisation with even moderate incident probability (per IBM CODB 2025, organisation-wide incident probability over a 5-year window runs 25-35% across most sectors), the retainer pays for itself on the first activation. The full response cost analysis covers retainer economics in greater depth.

Frequently Asked Questions

How much does DFIR work cost per hour?
Top-tier firms (Mandiant, CrowdStrike, Kroll, Unit 42): emergency engagement $800-$1,500/hr for senior consultants. Retained: $300-$600/hr. Mid-tier firms: $300-$800/hr emergency, $200-$400/hr retained. Boutiques: $200-$500/hr. Sleep-deprivation overnight surcharges of 25-50% are common.

What does a typical forensic investigation cost in total?
Total forensic investigation cost depends on scope: small targeted investigation $25K-$75K. Mid-scope investigation $75K-$300K. Large enterprise investigation $300K-$2M. Multi-month nation-state-class investigations can run $5M-$25M+.

How is eDiscovery cost calculated?
eDiscovery cost is calculated per gigabyte: collection $50-$200/GB, processing $25-$200/GB, hosting and review $5-$50/GB/month, document review $1-$5 per document at managed-review rates and $25-$200 per document at outside-counsel rates. For a typical 500GB matter, total eDiscovery cost runs $200K-$2M.

What does a PCI Forensic Investigator (PFI) cost?
PFI work is mandatory after a Compromised Account Reporting (CAR) event involving payment card data. PFI engagements typically run $50K-$300K. PFIs are credentialed by the PCI Security Standards Council. Hourly rates run $400-$800 for partners and $250-$500 for senior consultants.

What is an expert witness fee in cyber-incident litigation?
Cyber expert witnesses charge $400-$1,500 per hour for analysis, deposition, and trial testimony. Total expert engagement on major cyber litigation typically runs $250K-$2M. Class actions involving multiple competing experts can reach $5M+ in expert fees.

Is a DFIR retainer worth it?
Almost always yes. Retainer typically costs $10K-$100K annually. Guarantees response SLA (typically 2-4 hours) and discounts hourly rates 50-65% versus emergency. Without a retainer, response time can be 24-72 hours and emergency rates are 2-3x retained rates. The retainer fee typically pays for itself in a single incident.

How do you scope a forensic engagement to control cost?
Define the investigation question precisely upfront (what was accessed? what was exfiltrated? did persistence remain?). Agree explicit milestone gates with budget reviews. Leverage in-house data preservation. Mature organisations with documented IR runbooks reduce DFIR cost 30-50% versus organisations starting from zero during the incident.

IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.