Incident Response Cost: Hourly Rates, Retainers, and What You'll Actually Pay
Pricing Models
| Model | Rate / Cost | Best For | Commitment |
|---|---|---|---|
| Hourly emergency (no retainer) | $800-$1,500/hr | One-off incidents; no prior relationship | None; invoice per engagement |
| Hourly retained | $175-$400/hr | Organisations with annual retainer | Annual retainer fee + hourly draws |
| Annual retainer (fixed hours) | $10K-$100K/yr | Mid-market with defined IR SLA | Annual; unused hours partially credited |
| Per-incident fixed fee | $25K-$500K+ per incident | Defined-scope ransomware/breach response | Per-engagement; SOW-based |
| MDR subscription (includes IR) | $100K-$500K/yr | No in-house SOC; 24/7 monitoring + IR | Annual; typically 1-3 year contracts |
| In-house IR team (fully loaded) | $1M-$3M/yr (5-person team) | Enterprise with high incident frequency | Full headcount commitment |
What Is Included in IR Services
- Log analysis
- Malware analysis
- Threat identification
- Scope determination
- Network isolation
- Account lockdown
- Attacker eviction
- Persistence removal
- Malware removal
- Backdoor elimination
- Credential reset
- Patch application
- System restoration
- Backup validation
- Service testing
- Monitoring setup
- Forensic report
- Root cause analysis
- Lessons learned
- Regulatory support
- Regulatory notifications
- Legal hold support
- Evidence preservation
- Expert witness
Emergency vs Retained Rates: The Math
Emergency premium: An IR engagement of 500 hours at emergency rates ($1,000/hr) costs $500,000. The same 500 hours with a retainer in place ($300/hr) costs $150,000, plus the annual retainer fee ($30K). Total with retainer: $180,000, versus $500,000 without. The retainer saves $320,000 on the first incident and comes with faster response SLAs.
| Scenario | Without Retainer | With Retainer | Saving |
|---|---|---|---|
| 200-hour engagement | $160,000-$300,000 | $35,000-$80,000 + $30K retainer | $50K-$190K |
| 500-hour engagement | $400,000-$750,000 | $87,500-$200,000 + $30K retainer | $180K-$520K |
| Response SLA | 24-72 hours to first resource | 2-4 hours to first resource | Speed advantage |
In-House vs Outsourced IR
| Consideration | In-House Team | Outsourced (Retainer/MDR) |
|---|---|---|
| Annual cost | $1M-$3M (5 senior IR staff, fully loaded) | $100K-$500K/yr (MDR or retainer) |
| Response time | Minutes (team on-premises or on-call) | 2-4 hours (retained); 24-72 hours (emergency) |
| Expertise breadth | Limited to team's specialisms | Wide: forensics, malware, cloud, OT, legal |
| Scalability during major incident | Constrained by headcount | Scalable: firm assigns more consultants |
| Institutional knowledge | Deep knowledge of your environment | Must onboard and learn environment each time |
| Best for | Enterprise with 20+ incidents/yr | Mid-market; orgs with 0-5 major incidents/yr |
MDR Alternative: 24/7 Monitoring Bundled with IR
Managed Detection and Response (MDR) services bundle continuous 24/7 monitoring, detection, and incident response into a single subscription. This eliminates separate costs for monitoring tools, SOC staffing, and on-demand IR. MDR providers include Arctic Wolf, Huntress, Red Canary, Sophos MDR, CrowdStrike Falcon Complete, and Expel.
| MDR Provider | Target Market | Approx. Pricing |
|---|---|---|
| Huntress | SMB/MSP market | $10-$15/endpoint/month |
| Arctic Wolf | Mid-market | $150K-$400K/yr |
| Red Canary | Mid-market to enterprise | $150K-$600K/yr |
| CrowdStrike Falcon Complete | Enterprise | $300K-$1M+/yr |
| Sophos MDR | SMB to mid-market | $50K-$200K/yr |
| Expel | Mid-market to enterprise | $150K-$500K/yr |
MDR pricing is highly variable based on endpoint count, data volume, and contract length. Figures are indicative ranges. Contact vendors for quotes.