Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Cost File 10.FI / Forensics Investigation Cost: IR vendor engagement

Cost-component profile

Forensic investigation: $200-$2,000 per hour, $100K-$2M typical engagement.

Incident-response forensic engagement is the largest discretionary line in breach cost and the most consequential for outcomes. Rate cards run $200-$2,000 per hour across associate-to-partner levels, with senior-led complex engagements skewing to the upper end. Total engagement cost typically runs $100K-$2M for a mid-market breach and $2M-$10M+ for a major breach. The cost is concentrated in the first 30-60 days of the engagement, with material drop-off thereafter as the investigation transitions to reporting and remediation.

Key figures

Hourly rate: $200-$2,000 (associate to partner)
Mid-market breach: $100K-$2M (typical engagement)
Major breach: $2M-$10M+ (multi-vendor parallel investigation)
Retainer, typical: $50K-$500K (annual prepaid hours)

Section FI.1

The IR vendor landscape

The major incident-response vendors fall into three categories. The first is the top-tier specialist firms: Mandiant (Google Cloud), CrowdStrike Services, Unit 42 (Palo Alto Networks), Kroll Cyber Risk, and Stroz Friedberg (Aon). These firms run the largest and most complex breach investigations, with deep specialist capability in advanced-threat hunting, malware reverse engineering, and threat-actor attribution.

The second category is law-firm-led engagements: breach-coach firms such as Mullen Coughlin and BakerHostetler's Digital Risk Advisory and Cybersecurity Group, and smaller firms that retain the forensic vendor on the client's behalf so that the investigation is directed by counsel. Privilege and work-product protection are the main reason for routing the engagement through counsel rather than contracting a specialist firm directly, particularly for breaches with anticipated litigation. The protection is not automatic: in the Capital One breach litigation (E.D. Va. 2020) the court ordered production of the Mandiant report because the work ran under a pre-existing business-purpose retainer and the report was circulated for operational use, so the engagement letter, the scope and the distribution list for the report have to be structured for litigation from the first day.

The third category is the Big-Four consulting firm IR practices (Deloitte, EY, KPMG, PwC) and the systems-integrator IR practices (Accenture, IBM Security, NTT, Verizon, BT). These firms typically focus on the post-detection remediation and process-improvement workstreams rather than the initial investigation, though several have built genuine investigative capability over the past five years.

Section FI.2

Rate card structure and total cost composition

IR vendor rate cards are typically tiered by level of expertise. Approximate 2026 rate-card ranges for major vendors (USD per hour):

Level                                  | Hourly rate   | Typical role on engagement
Partner / Principal                    | $1,200-$2,000 | Engagement leadership, client relationship, expert testimony
Senior Director / Managing Consultant  | $700-$1,200   | Workstream leadership, technical strategy, complex analysis
Director / Senior Consultant           | $500-$800     | Sub-workstream leadership, complex investigation
Senior Manager / Consultant            | $350-$600     | Team leadership, analysis, reporting
Manager / Senior Associate             | $275-$450     | Day-to-day investigation, evidence handling
Associate / Analyst                    | $200-$325     | Evidence collection, basic analysis, support

A typical mid-market breach investigation team includes 1 partner (10-30 hours), 1-2 senior directors (50-150 hours each), 2-4 directors (100-300 hours each), 4-8 associates (300-800 hours each), plus specialists as needed (malware reverse engineering, threat intelligence, cloud forensics). Total billed hours for a typical mid-market engagement run 1,500-4,000; a team staffed at the top of every one of those ranges bills considerably more and belongs in the major-breach band. With a blended hourly rate of approximately $400-$550 (specialist hours pull the blend up, associate-heavy evidence collection pulls it down), a fully staffed mid-market engagement lands at $600K-$2.2M, the upper half of the $100K-$2M headline range; a single-workstream engagement of a few hundred hours sits at the bottom of it.
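The staffing plan and rate card above, encoded as data so the arithmetic is explicit. This is an added example, not a calculator from the page or from any vendor; the role lines are the ones quoted above, the rates are taken from the table, and the specialist workstream is left as an extra line the caller adds because the page gives it no hours. Run as written it shows two things a budget review should check: which level actually dominates the bill (associate hours, not partner rates), and that the plan as listed, with no specialist hours, blends to roughly $265-$436 per hour, below the $400-$550 quoted, so the specialist line is not optional in the model.

```python
"""Engagement budget model for an IR forensic investigation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleLine:
    role: str
    headcount: tuple[int, int]   # (low, high) people at this level
    hours_each: tuple[int, int]  # (low, high) hours billed per person
    rate: tuple[int, int]        # (low, high) hourly rate in USD, from the rate card


# Mid-market staffing plan from the profile above; rates from the rate-card table.
MID_MARKET_PLAN = [
    RoleLine("Partner / Principal", (1, 1), (10, 30), (1200, 2000)),
    RoleLine("Senior Director", (1, 2), (50, 150), (700, 1200)),
    RoleLine("Director", (2, 4), (100, 300), (500, 800)),
    RoleLine("Associate / Analyst", (4, 8), (300, 800), (200, 325)),
]


def line_totals(line, idx):
    """Hours and cost for one role line at the low (0) or high (1) end."""
    hours = line.headcount[idx] * line.hours_each[idx]
    return hours, hours * line.rate[idx]


def engagement_budget(plan):
    """Hours, cost and blended hourly rate at the low and high end of a plan."""
    result = {}
    for idx, label in ((0, "low"), (1, "high")):
        totals = [line_totals(r, idx) for r in plan]
        hours = sum(h for h, _ in totals)
        cost = sum(c for _, c in totals)
        result[label] = {
            "hours": hours,
            "cost": cost,
            "blended_rate": round(cost / hours, 2),
        }
    return result


def cost_share(plan, idx):
    """Fraction of the bill attributable to each role line at the given end."""
    totals = {r.role: line_totals(r, idx)[1] for r in plan}
    grand = sum(totals.values())
    return {role: round(c / grand, 3) for role, c in totals.items()}


def with_specialists(plan, hours, rate):
    """Return a copy of the plan with a specialist line added (hypothetical
    hours and rate supplied by the caller; the page quotes none)."""
    return plan + [RoleLine("Specialists", (1, 1), (hours, hours), (rate, rate))]


if __name__ == "__main__":
    for label, row in engagement_budget(MID_MARKET_PLAN).items():
        print(f"{label:>4}: {row['hours']:>6} h  ${row['cost']:>10,}  "
              f"blended ${row['blended_rate']}/h")
    for role, share in cost_share(MID_MARKET_PLAN, 1).items():
        print(f"  {role:<22} {share:6.1%} of high-end bill")
    # Adding an assumed 400 specialist hours at $900/h to the low-end plan
    # moves the blend up; the caller chooses those numbers.
    print(engagement_budget(with_specialists(MID_MARKET_PLAN, 400, 900))["low"])
```

The cost-share output is the number to carry into scope-change reviews: because associate evidence-collection hours are the bulk of the bill, narrowing the set of systems in scope moves total cost far more than negotiating the partner rate does.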

Major breach engagements scale up materially. A Mandiant engagement on a major incident can deploy 30-100+ professionals for 3-12 months, with billed hours in the 30,000-100,000 range and total cost at the far end of the $2M-$10M+ headline band, reaching $10M-$50M for the largest incidents. The Change Healthcare 2024 engagement, conducted by Mandiant under privilege, was not broken out as a separate line in UnitedHealth's disclosures; the high-tens-of-millions figure circulated for it is an estimate from the publicly described engagement scope, not a disclosed cost.

Section FI.3

Retainer structures and cost-of-readiness

Most major IR vendors offer retainer structures that pre-position the vendor for rapid mobilisation in the event of a breach. Retainer terms typically include a pre-negotiated rate card (often a 10-25% discount on standard rates), a defined service-level commitment (typically 1-4 hour response, 24-48 hour on-site or remote engagement start), a prepaid block of hours (typically $50K-$500K worth, with use-it-or-lose-it provisions or rollover terms), and a dedicated relationship manager.

The retainer fee is the cost-of-readiness component that organisations with material breach-risk exposure absorb as a regular operating expense. For a mid-market organisation, a $50K-$200K annual retainer with a major vendor is typical. For a large enterprise, a $200K-$1M annual retainer split across two vendors (primary plus secondary for redundancy) is common. The retainer cost is meaningful but small compared to the cost of unretained mobilisation under crisis conditions, which can run a 50-100% premium over standard rates because of urgency. The retainer also needs to be written so that a breach engagement can be moved under outside counsel's direction on day one; a retainer used for routine business work, with the incident handled as one more statement of work under it, is among the facts courts have weighed against privilege for the resulting report.

The T-Mobile 2021 settlement's $150M security-investment commitment is described as including an allocation to expand the IR retainer to a secondary vendor for redundancy, with Mandiant as primary and CrowdStrike as secondary. The dual-retainer structure has since become more common at large enterprises, particularly those with multi-cloud estates where vendor specialisation matters.

Section FI.4

The parallel-investigation problem

Major breaches frequently require parallel investigations for different stakeholder audiences. The structural reason is that the PCI Forensic Investigator (PFI) report, mandatory after a card-data breach, is delivered to the card brands, is not privileged, and may be discoverable in subsequent class-action litigation. The IR report produced for internal management, regulator engagement, and litigation defence is therefore typically produced by a separate vendor under a legal-counsel-led privileged engagement.

The result is dual-track investigation: a PFI engagement of $200K-$2M conducted to satisfy card-brand requirements, plus a privileged IR engagement of $500K-$10M conducted under legal counsel for management, regulator, and litigation purposes. The two investigations are coordinated but produce separate work product. Total forensic spend in a major card-data breach therefore commonly runs $1M-$15M across the parallel investigations.

For non-card-data breaches, the privilege question still applies but only one investigation is typically conducted. The lead investigator works under legal-counsel engagement to preserve privilege, with the work product designed for internal management and litigation defence rather than for regulator distribution. Regulator-facing reports are typically synthesised from the privileged investigation by legal counsel, with appropriate redaction of privilege-protected material.

Section FI.5

Cost-saving levers and what actually moves the bill

The single largest cost-saving lever is detection speed. In IBM's 2025 benchmark, breaches with a lifecycle (time to identify plus time to contain) under 200 days averaged $3.87M against $5.01M for lifecycles over 200 days. The forensic-investigation component scales the same way: rapid detection shortens the period that has to be reconstructed, reduces the number of systems that have to be triaged, and limits evidence loss from log rotation and the attacker's own clean-up. Organisations with effective continuous monitoring frequently complete the forensic investigation at the lower end of the cost range simply because there is less work to do.

The second largest lever is environment instrumentation. Forensic investigation in a well-instrumented environment (centralised SIEM, comprehensive logging retained for 90+ days, endpoint EDR with telemetry retention) runs at the lower end of the cost range because the data needed for the investigation is largely already collected. Treat "90+ days" as a floor, not a target: retention has to exceed the dwell time you expect to investigate, and identification alone routinely takes months, so a 90-day window often starts after the intrusion began. Forensic investigation in a poorly instrumented environment requires the IR vendor either to reconstruct what should have been logged (expensive and frequently impossible) or to deploy emergency telemetry mid-investigation (also expensive, and blind to everything before deployment). Investment in baseline instrumentation pays back substantially at the moment of breach.
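A readiness check for the instrumentation point, added here as an example rather than taken from the page or from any vendor's tooling. Given the earliest attacker activity found so far and the detection date, it reports for each log source how much of the intrusion window the retained data covers and how much has to be reconstructed, and it flags host-only sources because a compromised host's local logs are the ones an attacker can clear. The sources, retention periods and dates are constructed for the example; the same function works against a real inventory of sources.

```python
"""Forensic-readiness check: does log retention cover the intrusion window?
(added example; source inventory and dates below are constructed)"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int  # days of history still available at detection time
    central: bool        # True if shipped to the SIEM, False if only on the host


def evidence_coverage(sources, first_compromise, detection):
    """Per source: days of the intrusion window covered, days missing, status."""
    window = (detection - first_compromise).days
    if window <= 0:
        raise ValueError("detection must be after first compromise")
    report = []
    for s in sources:
        oldest_retained = detection - timedelta(days=s.retention_days)
        # Days between first compromise and the oldest retained record;
        # clamped to [0, window] so over-retention and zero retention both work.
        gap = max(0, min(window, (oldest_retained - first_compromise).days))
        if gap == 0:
            status = "full"
        elif gap == window:
            status = "none"
        else:
            status = "partial"
        report.append({
            "source": s.name,
            "window_days": window,
            "covered_days": window - gap,
            "gap_days": gap,
            "status": status,
            "central": s.central,
        })
    return report


def reconstruction_burden(report):
    """Sources with a gap, worst first; host-only sources rank ahead of central
    ones at equal gap because their surviving data is also the least trustworthy."""
    gaps = [r for r in report if r["gap_days"] > 0]
    return sorted(gaps, key=lambda r: (-r["gap_days"], r["central"]))


def required_retention(first_compromise, detection, margin_days=30):
    """Retention that would have covered this incident, with a margin for the
    earlier activity that the first pass usually misses (margin is an assumption)."""
    return (detection - first_compromise).days + margin_days


# Constructed inventory: retention is what was actually available, not policy.
SAMPLE_SOURCES = [
    LogSource("SIEM: AD authentication events", 365, True),
    LogSource("Cloud audit trail (management-plane API calls)", 90, True),
    LogSource("EDR telemetry", 30, True),
    LogSource("VPN gateway syslog (local disk only)", 14, False),
    LogSource("Internal DNS query logs", 0, False),  # never collected
]
FIRST_COMPROMISE = date(2025, 11, 3)  # earliest attacker activity found so far
DETECTION = date(2026, 2, 21)         # day the intrusion was detected


def run_sample():
    return evidence_coverage(SAMPLE_SOURCES, FIRST_COMPROMISE, DETECTION)


if __name__ == "__main__":
    for r in run_sample():
        where = "SIEM" if r["central"] else "host-only"
        print(f"{r['status']:<7} {r['covered_days']:>3}/{r['window_days']} days "
              f"{where:<9} {r['source']}")
    print("reconstruct first:", [r["source"] for r in reconstruction_burden(run_sample())])
    print("retention needed:", required_retention(FIRST_COMPROMISE, DETECTION), "days")
```

The "none" and "partial" rows are where the vendor's reconstruction hours go; the check is cheap to run during a readiness review against assumed dwell times, before there is an incident to price.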

The third lever is scope discipline. The natural tendency in breach response is to expand investigation scope continuously as new questions emerge, which produces scope creep that drives engagement cost. Disciplined IR engagement with clear scope boundaries and regular scope-change reviews produces materially lower total cost than open-scope engagement. The scope-discipline question is typically a legal-counsel-led decision rather than an IR-vendor-led one.

Primary source: Forensic investigation cost benchmarks from IR vendor public statements, forensic-cost line items disclosed in breach settlements and SEC 10-K filings (Target, Equifax, Anthem, Capital One, T-Mobile), and IBM Cost of a Data Breach Report 2025 detection and escalation category data.