
How we source incident-response cost figures

Cost ranges on this site are based on public reference material. The publishers below are representative of the kinds of source that inform our positioning; they are not an exhaustive per-figure source map. A specific figure on a specific page is not necessarily anchored to a single named publisher.

Sources

  • IR firm public retainer guidance. Mandiant, CrowdStrike Services, Kroll, Stroz Friedberg, Coveware, Arete, Unit 42 (Palo Alto), Sygnia, NCC Group and others where retainer or per-hour rates are publicly disclosed.
  • Public breach-cost research. IBM Cost of a Data Breach Report (annual), Ponemon Institute breach-cost research, Verizon Data Breach Investigations Report (DBIR), Hiscox Cyber Readiness Report.
  • Cyber-insurance market data. Marsh, Aon, Willis Towers Watson, Howden, and Munich Re published cyber-market reports and claims data summaries.
  • Practitioner survey data. Public IR-cost surveys from CSO Online, ISMG, Reddit r/cybersecurity AMAs, and named-organisation breach disclosures with cost detail.

What we deliberately do not publish

  • Specific customer breach costs. Where a specific organisation's breach cost is known to us through public reporting, it is described in band terms only.
  • Ransomware payment recommendations. We do not advise on whether to pay a ransom; we relay guidance published by law enforcement and treasury bodies.
  • Insurance broker recommendations. We publish the market shape but do not recommend specific brokers or carriers.

Update cadence

Site values update only when the underlying reality changes. Triggers:

  • New IBM Cost of a Data Breach Report or DBIR edition
  • Material movement in cyber-insurance market pricing (>15% over 12 months)
  • New ransomware-payment guidance from Treasury / OFAC
  • Major IR firm pricing-model change

Cosmetic date bumps are not made.

Editorial position

This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell incident-response retainers, does not run a forensics practice, does not broker cyber insurance, and does not accept paid placements from any IR firm or cyber insurer. See /about for the operator and the wider network.

Editorial direction is set by Oliver Wakefield-Smith. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication.

Contact

For methodology questions, corrections, or scenarios that don't fit cleanly: [email protected].

IncidentCost.com is an independent educational resource. All cost figures are drawn from published industry research including IBM's Cost of a Data Breach Report, Ponemon Institute Cost of Insider Risks Report, Verizon Data Breach Investigations Report, Atlassian incident management research, and PagerDuty incident surveys. This site is not affiliated with IBM, Ponemon Institute, Verizon, Atlassian, PagerDuty, or any security vendor. Figures are for educational and planning purposes only.

Updated 2026-04-27