Reference: Response Cost · Updated June 2026

Incident Response Cost: Hourly Rates, Retainers, and What You'll Actually Pay

Q: How much does incident response cost?

Emergency incident response without a retainer costs $300-$1,500 per hour for senior consultants from top-tier firms (Mandiant, CrowdStrike, PwC, Deloitte). With a retainer in place, rates drop to $175-$400/hr. A typical mid-market incident response engagement runs $25,000-$500,000 depending on scope, duration, and firm. Annual IR retainers cost $10,000-$100,000/yr, with retained hours discounted against emergency use.

Q: What is an IR retainer and is it worth it?

An IR retainer is a pre-arranged agreement with an incident response firm that guarantees a response SLA (typically 2-4 hours) and discounted rates in exchange for an annual fee ($10K-$100K/yr depending on hours included). It is almost always worth it. Emergency hourly rates without a retainer are 2-3x higher than retained rates, and response time without a retainer can be 24-72 hours versus 2-4 hours with one. The retainer fee typically pays for itself in a single incident.

Q: What is the difference between MDR and IR?

IR (Incident Response) is reactive: you call an IR firm when an incident occurs. MDR (Managed Detection and Response) is proactive: an MDR service provides 24/7 monitoring and detection, and includes IR as part of the subscription when an incident occurs. MDR is more expensive ($100K-$500K/yr) but covers monitoring costs that would otherwise be separate. For organisations without a SOC, MDR typically provides better value than the combination of monitoring tools plus on-demand IR.

$1,500/hr

Emergency max rate

$300/hr

Retained rate avg

$10K-$100K

Annual retainer

$100K-$500K

MDR annual

Pricing Models

Model	Rate / Cost	Best For	Commitment
Hourly emergency (no retainer)	$800-$1,500/hr	One-off incidents; no prior relationship	None; invoice per engagement
Hourly retained	$175-$400/hr	Organisations with annual retainer	Annual retainer fee + hourly draws
Annual retainer (fixed hours)	$10K-$100K/yr	Mid-market with defined IR SLA	Annual; unused hours partially credited
Per-incident fixed fee	$25K-$500K+ per incident	Defined scope ransomware/breach response	Per-engagement; SOW based
MDR subscription (includes IR)	$100K-$500K/yr	No in-house SOC; 24/7 monitoring + IR	Annual; typically 1-3 year contracts
In-house IR team (fully loaded)	$1M-$3M/yr (5-person team)	Enterprise with high incident frequency	Full headcount commitment

What Is Included in IR Services

Detection and triage

Log analysis
Malware analysis
Threat identification
Scope determination

Containment

Network isolation
Account lockdown
Attacker eviction
Persistence removal

Eradication

Malware removal
Backdoor elimination
Credential reset
Patch application

Recovery

System restoration
Backup validation
Service testing
Monitoring setup

Post-incident

Forensic report
Root cause analysis
Lessons learned
Regulatory support

Legal and regulatory

Regulatory notifications
Legal hold support
Evidence preservation
Expert witness

Emergency vs Retained Rates: The Math

Emergency premium: An IR engagement of 500 hours at emergency rates ($1,000/hr) costs $500,000. The same 500 hours with a retainer in place ($300/hr) costs $150,000, plus the annual retainer fee ($30K). Total with retainer: $180,000 vs $500,000 without. The retainer saves $320,000 in the first incident and provides faster response SLAs.

Scenario	Without Retainer	With Retainer	Saving
200-hour engagement	$160,000-$300,000	$35,000-$80,000 + $30K retainer	$50K-$190K
500-hour engagement	$400,000-$750,000	$87,500-$200,000 + $30K retainer	$180K-$520K
Response SLA	24-72 hours to first resource	2-4 hours to first resource	Speed advantage

In-House vs Outsourced IR

Consideration	In-House Team	Outsourced (Retainer/MDR)
Annual cost	$1M-$3M (5 senior IR staff, fully loaded)	$100K-$500K/yr (MDR or retainer)
Response time	Minutes (team on-premise or on-call)	2-4 hours (retained); 24-72 hours (emergency)
Expertise breadth	Limited to team's specialisms	Wide: forensics, malware, cloud, OT, legal
Scalability during major incident	Constrained by headcount	Scalable: firm assigns more consultants
Institutional knowledge	Deep knowledge of your environment	Must onboard and learn environment each time
Best for	Enterprise with 20+ incidents/yr	Mid-market; orgs with 0-5 major incidents/yr

MDR Alternative: 24/7 Monitoring Bundled with IR

Managed Detection and Response (MDR) services bundle continuous 24/7 monitoring, detection, and IR response into a single subscription. This eliminates separate monitoring tool costs, SOC staffing costs, and on-demand IR costs. MDR providers include Arctic Wolf, Huntress, Red Canary, Sophos MDR, CrowdStrike Falcon Complete, and Expel.

MDR Provider	Target Market	Approx. Pricing
Huntress	SMB/MSP market	$10-$15/endpoint/month
Arctic Wolf	Mid-market	$150K-$400K/yr
Red Canary	Mid-market to enterprise	$150K-$600K/yr
CrowdStrike Falcon Complete	Enterprise	$300K-$1M+/yr
Sophos MDR	SMB to mid-market	$50K-$200K/yr
Expel	Mid-market to enterprise	$150K-$500K/yr

MDR pricing is highly variable based on endpoint count, data volume, and contract length. Figures are indicative ranges. Contact vendors for quotes.

Pricing by Named Firm

The ranges above are market-wide. For triangulated emergency rates, retainer fees, and per-engagement estimates by specific firm, see the per-firm reference pages. Each names how that firm prices and when it is the right or wrong pick.

Mandiant CrowdStrike Kroll Coveware Unit 42 Arctic Wolf

See the full IR firm pricing matrix

Frequently Asked Questions

How much does incident response cost?

Emergency IR without a retainer costs $800-$1,500/hr from top-tier firms. A retained rate is $175-$400/hr. A typical mid-market engagement runs $25K-$500K depending on scope. Annual retainers cost $10K-$100K/yr. MDR subscriptions that include IR cost $100K-$500K/yr.

What is an IR retainer and is it worth it?

An IR retainer is a pre-arranged agreement guaranteeing response SLA (2-4 hours) and discounted rates in exchange for an annual fee ($10K-$100K). Emergency rates without a retainer are 2-3x retained rates, and response time without a retainer can be 24-72 hours. The retainer typically pays for itself in one incident.

What is the difference between MDR and IR?

IR is reactive. MDR is proactive: 24/7 monitoring with IR included when an incident occurs. MDR costs more ($100K-$500K/yr) but replaces both monitoring costs and on-demand IR costs. For organisations without a SOC, MDR typically provides better value than separate monitoring tools plus on-demand IR.

How much does a 5-person in-house IR team cost?

A 5-person IR team with senior practitioners costs $1M-$3M/yr fully loaded (salary, benefits, training, tooling). This is cost-effective only for organisations with very high incident frequency (20+ major incidents per year) or unusually high risk profiles (critical infrastructure, high-value targets). Most mid-market organisations are better served by a retainer or MDR.