IR Firm Reference · Palo Alto Networks · Updated June 2026

Unit 42 Incident Response Cost: What You'll Actually Pay

Unit 42 is the threat-intelligence and DFIR arm of Palo Alto Networks. It integrates with Cortex XDR/XSIAM telemetry and publishes a widely cited ransomware and extortion threat report. Pricing is not published; the figures below are triangulated planning estimates.

  • Emergency rate (est.): $850-$1,300/hr
  • Retained rate (est.): $375-$525/hr
  • Retainer structure: Prepaid hours
  • Per-engagement (est.): $40K-$800K

Figures marked (est.) are triangulated planning estimates from public data sheets, RFP responses, and breach disclosures, not vendor-confirmed list prices. Unit 42 quotes per engagement; always get a written quote.

Pricing Models

| Model | Cost | Notes |
|---|---|---|
| Emergency IR (no retainer) | $850-$1,300/hr (est.) | Cortex telemetry can accelerate triage where already deployed. |
| Retained hourly rate | $375-$525/hr (est.) | Drawn against prepaid retainer hours. |
| IR retainer (prepaid hours) | from ~$50K-$150K/yr (est.) | Converts to IR, compromise assessment, and tabletop exercises. |
| Per-engagement ransomware/breach | $40K-$800K (est.) | Scope and dwell-time driven. |

What You'll Actually Pay: Worked Scenarios

| Scenario | Estimate | Basis |
|---|---|---|
| Mid-market ransomware with Cortex coverage | $80K-$280K (est.) | Existing XDR telemetry shortens investigation. |
| Enterprise breach, multi-region | $350K-$800K (est.) | Extended timeline, threat-intel attribution, regulatory support. |
| Annual IR retainer (mid-market) | ~$50K-$150K/yr (est.) | Prepaid hours plus proactive readiness work. |

Verified Facts

Unit 42 is the threat-intelligence and incident-response team of Palo Alto Networks. (Source: Palo Alto Networks Unit 42 pages)

Unit 42 publishes an annual Ransomware and Extortion / Incident Response report. (Source: Unit 42 threat reporting)

Unit 42 IR integrates with Cortex XDR/XSIAM telemetry during engagements. (Source: Palo Alto Networks Cortex / Unit 42 pages)

When Unit 42 Is the Right Pick

Right pick when
  • You run Palo Alto Networks Cortex XDR/XSIAM and want native telemetry during response.
  • You want threat-intel-led attribution backed by Unit 42 research.
  • You want IR and proactive assessments under one retainer.
Wrong pick when
  • Your stack is built on a competing XDR and you do not want platform lock-in.
  • You need pure ransom negotiation rather than full-scope DFIR.
  • Budget is the dominant constraint and a regional firm suffices.

Frequently Asked Questions

How much does Unit 42 incident response cost?
Unit 42 emergency incident response is estimated at $850-$1,300 per hour without a retainer, falling to roughly $375-$525 per hour on retained hours. A mid-market ransomware case with existing Cortex coverage typically runs $80,000-$280,000, while a large enterprise breach can reach $800,000. These are triangulated estimates; Palo Alto Networks quotes Unit 42 engagements individually.
Does Unit 42 offer a retainer?
Yes, Unit 42 offers an incident-response retainer, commonly estimated at $50,000-$150,000 per year, that provides prepaid hours convertible to IR, compromise assessments, and tabletop exercises, plus a faster response SLA. The retainer discounts the emergency hourly rate and is the standard way to secure priority access to Unit 42 responders ahead of an incident.
Do I need Palo Alto Networks products to use Unit 42?
No, you do not need Palo Alto Networks products to engage Unit 42, but organisations running Cortex XDR or XSIAM benefit from native telemetry integration that shortens triage and reduces consultant hours. Without that telemetry, Unit 42 deploys its own tooling during the engagement, similar to other DFIR firms, so the integration is a cost advantage rather than a requirement.
How does Unit 42 compare to Mandiant?
Unit 42 and Mandiant are both top-tier, threat-intel-led DFIR teams, with Unit 42 integrating tightly with Palo Alto Networks Cortex and Mandiant with Google Cloud Chronicle. Unit 42's estimated $850-$1,300 per hour emergency rate sits marginally below Mandiant's, so the choice usually comes down to which platform ecosystem you already run rather than a large price difference.


Sources: Palo Alto Networks Unit 42 pages; Unit 42 Ransomware and Extortion / IR reports; IncidentCost.com triangulation from RFP responses and breach disclosures. Updated June 2026.

IncidentCost.com is independent and not affiliated with Unit 42 or Palo Alto Networks. All figures are for planning purposes only.
