IR Firm Reference · Updated June 2026

Kroll Incident Response Cost: What You'll Actually Pay

Kroll runs one of the highest case volumes in the industry and is known for a flexible Cyber Risk Retainer that lets unused IR hours convert to proactive services. It also offers breach-notification and victim-services capabilities that many pure-DFIR firms do not. Figures below are triangulated planning estimates.

$500-$925/hr
DFIR rate (est.)
Flexible retainer
Cyber Risk Retainer
Notification add-on
Breach services
$25K-$500K
Per-engagement (est.)

Figures marked (est.) are triangulated planning estimates from public data sheets, RFP responses, and breach disclosures, not vendor-confirmed list prices. Kroll quotes per engagement; always get a written quote.

Pricing Models

ModelCostNotes
Emergency DFIR (no retainer)$500-$925/hr (est.)Often below the very top tier while retaining enterprise-grade depth.
Retained hourly rate$300-$500/hr (est.)Drawn against the Cyber Risk Retainer.
Cyber Risk Retainerlow five figures/yr and up (est.)Unused IR hours convert to assessments, tabletop, and threat hunting.
Breach notification + call centrePriced per record / per projectMailing, call centre, credit monitoring co-ordination.

What You'll Actually Pay: Worked Scenarios

ScenarioEstimateBasis
Mid-market ransomware response$60K-$250K (est.)Forensics, containment, and reporting at mid-tier rates.
Breach with mass notification (100K records)$250K-$500K+ (est.)DFIR plus notification, call centre, and credit-monitoring co-ordination.
Cyber Risk Retainer (mid-market)low-to-mid five figures/yr (est.)Hours sized to expected incident load; convertible to proactive work.

Verified Facts

Kroll markets a Cyber Risk Retainer that goes beyond a typical IR retainer, with flexibility for proactive, response, and notification services. Kroll Cyber Incident Response Retainer page

Kroll provides breach-notification and consumer-victim services alongside DFIR. Kroll cyber services pages

Kroll handles a high annual volume of cyber cases across ransomware and BEC. Kroll public threat reporting

When Kroll Is the Right Pick

Right pick when
  • +You want one firm for DFIR and the downstream breach-notification logistics.
  • +You value a flexible retainer where unused hours become proactive services.
  • +You want enterprise-grade depth without the very top-tier hourly rate.
Wrong pick when
  • You need Falcon/Chronicle-native telemetry integration during response.
  • You only need ransom negotiation (a specialist may be cheaper).
  • You require the single most recognised brand name on a nation-state report.

Frequently Asked Questions

How much does Kroll incident response cost?
Kroll emergency DFIR is estimated at $500-$925 per hour, often slightly below the very top tier while retaining enterprise depth, with retained rates around $300-$500 per hour. A mid-market ransomware response typically runs $60,000-$250,000, and a breach requiring mass notification can exceed $500,000 once call-centre and credit-monitoring logistics are included. These are triangulated estimates.
What is the Kroll Cyber Risk Retainer?
The Kroll Cyber Risk Retainer is a flexible agreement, commonly starting in the low five figures per year, where unused incident-response hours convert into proactive services such as assessments, tabletop exercises, and threat hunting. Kroll markets it as broader than a typical IR retainer because it spans response, proactive, and breach-notification services under one agreement.
Does Kroll handle breach notification?
Yes, Kroll provides breach-notification and consumer-victim services including mailing, call-centre operations, and credit-monitoring co-ordination, which many pure-DFIR firms outsource. This makes Kroll a single-vendor option for organisations that want forensics and the downstream notification logistics handled together, priced per record or per project on top of the DFIR work.
Is Kroll cheaper than Mandiant or CrowdStrike?
Kroll's estimated $500-$925 per hour DFIR rate often sits below the very top tier represented by Mandiant, while still offering enterprise-grade depth, making it a common mid-premium choice. The trade-off is that Kroll does not offer Falcon-native or Chronicle-native telemetry integration during response, so the value comparison depends on whether your stack benefits from that integration.

Compare Other IR Firms

Mandiant
Tier-1 DFIR, authors of the M-Trends report
CrowdStrike Services
Falcon-integrated IR and proactive retainer
Coveware
Ransomware negotiation and recovery specialist
Unit 42
Palo Alto Networks DFIR and proactive retainer
Arctic Wolf
MDR with incident response included

Sources: Kroll Cyber Incident Response Retainer page; Kroll cyber services and breach-notification pages; IncidentCost.com triangulation from RFP responses and breach disclosures. Updated June 2026.

IncidentCost.com is independent and not affiliated with Kroll. All figures are for planning purposes only.

Related:IR Response Cost (overview)All IR FirmsRansomware CostSOC / MDR Cost
IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.