Reference: IR Firm Pricing · Updated June 2026

Incident Response Firm Pricing: What the Named Firms Actually Cost

Every major DFIR firm routes its pricing to "contact sales." This reference triangulates emergency hourly rates, retainer fees, and per-engagement sizes for the named firms, so you can budget before you call.

Figures marked (est.) are planning estimates from public data sheets, RFP responses, and breach disclosures, not vendor-confirmed list prices. The Coveware ransom figures are verified from Coveware's own marketplace report.

The Firm Pricing Matrix

FirmEmergency rate (est.)Retained / modelSpecialism
MandiantGoogle Cloud$1,000-$1,500/hr$400-$600/hrTier-1 DFIR, authors of the M-Trends report
CrowdStrike ServicesCrowdStrike$900-$1,400/hr$400-$525/hrFalcon-integrated IR and proactive retainer
Kroll$500-$925/hrFlexible retainerCyber risk retainer with breach notification services
CovewareVeeam$553,959$110,890Ransomware negotiation and recovery specialist
Unit 42Palo Alto Networks$850-$1,300/hr$375-$525/hrPalo Alto Networks DFIR and proactive retainer
Arctic Wolf$150K-$400K/yrIR includedMDR with incident response included

Triangulated from public data sheets, RFP responses, and breach disclosures; Coveware ransom figures verified from Coveware Q4 2024 report. Updated June 2026.

Per-Firm Cost Pages

Mandiant (Google Cloud)
$1,000-$1,500/hr
Tier-1 DFIR, authors of the M-Trends report
CrowdStrike Services (CrowdStrike)
$900-$1,400/hr
Falcon-integrated IR and proactive retainer
Kroll
$500-$925/hr
Cyber risk retainer with breach notification services
Coveware (Veeam)
$553,959
Ransomware negotiation and recovery specialist
Unit 42 (Palo Alto Networks)
$850-$1,300/hr
Palo Alto Networks DFIR and proactive retainer
Arctic Wolf
$150K-$400K/yr
MDR with incident response included

How to Read These Numbers

DFIR firms do not publish rate cards because every engagement is scoped individually and pricing is a negotiation lever. The ranges here are triangulated from three public signals: vendor retainer data sheets that describe structure (prepaid units, SLA tiers) without prices, RFP and government bid responses that occasionally disclose rates, and breach-disclosure filings that report total engagement costs.

Treat the emergency rate as the worst case (no retainer, peak demand) and the retained rate as the realistic case for an organisation that has done the procurement in advance. The single biggest cost lever is having a retainer in place before the incident: it cuts the hourly rate by roughly half and the response time from days to hours.

Frequently Asked Questions

How much do incident response firms charge?
Named incident-response firms charge an estimated $500-$1,500 per hour for emergency DFIR with no retainer, dropping to roughly $175-$600 per hour once a retainer is active. Annual retainers run $10,000-$150,000 per year, and MDR providers that bundle IR with 24/7 monitoring charge $150,000-$400,000 per year for mid-market. Per-engagement ransomware and breach responses commonly total $25,000-$1M depending on scope and firm.
Which incident response firm is the cheapest?
Among the named firms, Kroll typically sits at the lower end of the premium tier with an estimated $500-$925 per hour DFIR rate, below Mandiant and CrowdStrike, while still offering enterprise-grade depth. For organisations without a SOC, an MDR subscription from Arctic Wolf can be cheaper than building a SOC plus buying on-demand IR. Regional DFIR firms outside this list are often cheaper still for commodity ransomware cases.
Do I need a DFIR firm and a ransomware negotiator?
Often yes: a full-scope DFIR firm such as Mandiant, CrowdStrike, Kroll, or Unit 42 handles forensics, containment, and eradication, while a specialist such as Coveware handles ransom negotiation, sanctions screening, and payment logistics. The two roles are usually additive in cost, with the DFIR engagement at $60,000-$250,000 for mid-market and the negotiation fee priced separately.
Is an MDR provider cheaper than an IR retainer?
An MDR provider such as Arctic Wolf bundles 24/7 monitoring with incident response for an estimated $150,000-$400,000 per year, which is cheaper than building a SOC plus buying on-demand IR for organisations with no in-house security operations. An IR retainer alone (low five figures per year) is cheaper than MDR but only covers reactive response, not the proactive monitoring that MDR adds.
Related:IR cost models overviewRansomware costIncident Cost IndexSOC / MDR cost
IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.