IR Firm Reference · Google Cloud · Updated June 2026

Mandiant Incident Response Cost: What You'll Actually Pay

Mandiant, now part of Google Cloud, is the reference-class DFIR firm: it authors the annual M-Trends report and runs many of the largest nation-state and ransomware response engagements. It does not publish rate cards. The figures below are triangulated from public retainer data sheets, partner price lists, and disclosed engagement sizes, and should be treated as planning estimates only.

  • Emergency rate (est.): $1,000-$1,500/hr
  • Retained rate (est.): $400-$600/hr
  • Consulting retainer (est.): from ~$100K/yr
  • Per-engagement (est.): $50K-$1M+

Figures marked (est.) are triangulated planning estimates from public data sheets, RFP responses, and breach disclosures, not vendor-confirmed list prices. Mandiant quotes per engagement; always get a written quote.

Pricing Models

| Model | Cost | Notes |
|---|---|---|
| Emergency IR (no retainer) | $1,000-$1,500/hr (est.) | Top of the market; reserved capacity is scarce during major campaigns. |
| Retained hourly rate | $400-$600/hr (est.) | Available once a Consulting Retainer is in place; drawn against prepaid funds. |
| Consulting retainer (prepaid hours) | from ~$100K/yr (est.) | Prepaid hours convertible to IR, red team, assessments; unused hours roll within term. |
| Per-engagement ransomware/breach | $50K-$1M+ (est.) | Scope-driven; large enterprise breaches with months of dwell time reach the top. |

What You'll Actually Pay: Worked Scenarios

| Scenario | Estimate | Basis |
|---|---|---|
| Mid-market ransomware, single environment | $150K-$400K (est.) | 200-400 consultant hours plus forensics tooling and reporting. |
| Enterprise breach, multi-region, long dwell time | $500K-$1M+ (est.) | Extended timeline, threat-intel attribution, and regulatory support. |
| Annual consulting retainer (mid-market) | ~$100K-$250K/yr (est.) | Prepaid hours sized to expected incident load plus proactive services. |

Verified Facts

Mandiant authors M-Trends; the 2025 edition reports global median dwell time of 11 days. (Source: Mandiant M-Trends 2025)

Mandiant was acquired by Google and operates within Google Cloud's security portfolio. (Source: Google Cloud; acquisition completed 2022)

Mandiant Consulting offers a prepaid Consulting Retainer convertible across IR and proactive services. (Source: Mandiant Consulting retainer data sheet)

When Mandiant Is the Right Pick

Right pick when
  • You face a sophisticated or nation-state-grade adversary and need top-tier attribution.
  • Your board or regulator expects a recognised name on the post-incident report.
  • You already run Google Cloud / Chronicle and want integrated threat intelligence.
Wrong pick when
  • You are an SMB with a commodity ransomware case where a regional firm costs far less.
  • Budget is the primary constraint and you have no retainer to discount emergency rates.
  • You need 24/7 monitoring rather than reactive IR (consider MDR instead).

Frequently Asked Questions

How much does Mandiant incident response cost?
Mandiant emergency incident response is estimated at $1,000-$1,500 per hour without a retainer, falling to roughly $400-$600 per hour once a Consulting Retainer is in place. A mid-market ransomware engagement typically lands at $150,000-$400,000, while a large enterprise breach can exceed $1M. These are triangulated estimates, not published list prices; Mandiant quotes per engagement.

Does Mandiant offer a retainer?
Yes, Mandiant offers a prepaid Consulting Retainer, commonly estimated to start near $100,000 per year, that converts to incident response, red teaming, threat hunting, and proactive assessments. The retainer secures a faster response SLA and discounted retained hourly rates versus emergency engagement. Exact pricing depends on the number of prepaid hours and term length.

Is Mandiant worth the premium over a regional IR firm?
Mandiant is worth the premium when you face a sophisticated or nation-state adversary, when a board or regulator expects a recognised name on the report, or when you need deep threat-intelligence attribution. For commodity ransomware at an SMB, a regional DFIR firm often delivers a comparable technical outcome at a materially lower cost.

How fast does Mandiant respond to an incident?
With a retainer in place, top-tier DFIR firms including Mandiant typically commit to a 2-4 hour response SLA. Without a retainer, securing reserved consultant capacity can take 24-72 hours, and availability tightens further during large simultaneous ransomware campaigns when demand spikes across the market.

Sources: Mandiant M-Trends 2025; Mandiant Consulting retainer data sheet (public); Google Cloud security portfolio pages; IncidentCost.com triangulation from RFP responses and breach disclosures. Updated June 2026.

IncidentCost.com is independent and not affiliated with Mandiant or Google Cloud. All figures are for planning purposes only.
