How to Choose an Incident Response Firm
The average breach takes 194 days to detect and costs $4.88 million (IBM Cost of a Data Breach 2024). The IR firm you hire before that day determines how fast you contain it, how much you pay, and whether you survive the regulatory aftermath. This guide gives you the framework to choose the right one.
How fast must an IR firm respond?
Enterprise retainers guarantee an initial response within 1–4 hours; on-demand engagements typically take 8–24 hours to assign a consultant. Every hour of uncontained breach activity expands attacker dwell time and increases total cost — a retainer's SLA guarantee is the single most commercially important term in any IR contract.
Verizon's 2024 Data Breach Investigations Report found that 56% of breaches are contained within days when an IR firm is engaged immediately versus weeks when the organization tries to self-respond first. The practical threshold: if your organization holds PHI, payment card data, or personal data on more than 100,000 individuals, treat anything slower than a 4-hour SLA as disqualifying.
Response time is measured differently across firms. Some clock it from when you call their hotline; others from when a lead consultant is assigned. Ask explicitly: "What does your SLA guarantee — first human contact, or consultant on scope?"
What certifications matter when evaluating IR firms?
The most important certifications are GCFA (forensic analysis), GCIH (incident handling), GREM (malware reverse engineering), and CISSP (security management). Industry-specific engagements require additional credentials: PCI-PFI or PCI-QSA for payment-card breaches, CREST or NCSC CIR accreditation for UK-regulated environments, and GICSP or GRID for operational technology and industrial control systems.
| Certification | What it signals | When it's required |
|---|---|---|
| GCFA | Advanced digital forensic analysis — memory, disk, network artifacts | Every IR engagement; table-stakes for serious firms |
| GCIH | Structured incident-handling methodology across the PICERL lifecycle | General IR; confirms the consultant knows the process, not just the tools |
| GREM | Malware reverse engineering — unpacking, code analysis, IOC extraction | Ransomware, APT, and any case where malware behavior must be characterized |
| CISSP | Broad security management competency; recognized by general counsel and boards | Regulated industries where auditors or regulators will review credentials |
| PCI-PFI / PCI-QSA | Council-authorized to investigate and report on card-data breaches | Mandatory for any breach involving payment card data under PCI DSS |
| CREST / NCSC CIR | UK government-recognized IR competency framework; vetted by NCSC | UK-regulated entities; required by some insurers and law firms in the UK |
| GICSP / GRID | Industrial control system and OT-specific security competency | Energy, utilities, manufacturing, critical infrastructure breaches |
Note: certifications signal individual competency. Ask how many certified staff will actually work your engagement, not just how many the firm employs overall.
Retainer vs on-demand — which do I need?
IR retainers cost $5,000–$15,000 per month and guarantee a response SLA plus 20–30% savings on hourly rates compared to on-demand engagements, which bill at $200–$600/hour with no SLA guarantee. IBM's 2024 Cost of a Data Breach Report found organizations with a retained IR team saved $2.66 million per incident on average versus those without one.
The math is straightforward for most mid-market and enterprise organizations. A retainer at $120,000/year costs roughly one-twentieth of a single mid-range breach. For smaller organizations processing fewer records in lower-risk sectors, an on-demand arrangement — with a pre-vetted firm and pre-signed master services agreement — may be adequate, provided you understand you have no guarantee on response time.
One often-overlooked retainer benefit: pre-engagement scoping. Retainer clients typically receive proactive table-top exercises, environment familiarization sessions, and threat briefings before a breach happens. When an incident occurs, the firm already knows your network topology, your crown-jewel systems, and your escalation contacts. That head start compresses containment timelines materially.
When on-demand is acceptable
Organizations with fewer than 50 employees, no regulated data (HIPAA, PCI, GLBA), and an existing MSP relationship may reasonably start with a pre-signed on-demand agreement rather than a full monthly retainer. Re-evaluate when your headcount, data volume, or regulatory exposure grows.
Does industry specialization matter when choosing an IR firm?
Yes — significantly. HIPAA breach investigations have specific forensic documentation requirements that a generalist firm may miss, triggering HHS Office for Civil Rights findings. PCI DSS card-data breaches require a PCI Forensic Investigator report that only PFI-certified firms can produce. GLBA financial breaches involve FTC Safeguards Rule analysis that requires financial-sector regulatory fluency.
Industry fit affects three things: regulatory compliance of the investigation, the firm's credibility with your sector's regulators, and their speed in your environment. A firm that has investigated 200 healthcare breaches has pre-built HIPAA breach-notification letter templates, HHS reporting workflows, and relationships with OCR. That saves weeks of work at the worst possible time.
For operational technology (OT) environments — energy, utilities, manufacturing — the requirements are more extreme. Standard DFIR tools assume Windows and Linux endpoints. ICS/SCADA networks run proprietary protocols (Modbus, DNP3, IEC 61850) that require GICSP or GRID-certified analysts with OT-specific tooling. Engaging a generalist IR firm in an OT breach can destroy forensic evidence and extend downtime.
Should the IR firm be on my cyber-insurance panel?
Using a panel-approved IR firm means your insurer has pre-vetted their rates, methodology, and claim-reporting process — so you skip the pre-authorization step that can delay engagement by 24–72 hours during an active breach. Non-panel firms are not always excluded, but expect friction and possible rate disputes on the claim.
Most cyber insurers maintain panels of 10–30 approved IR firms. Some policies — particularly for mid-market organizations — require panel use or impose a coverage sublimit for non-panel engagements. Read your policy's "retention of vendors" clause before you sign any IR retainer.
If your preferred IR firm is not on your insurer's panel, there are two paths: (1) ask the insurer to add them — major firms like Mandiant, Kroll, CrowdStrike, and Unit 42 are typically accepted on request; or (2) confirm in writing that your insurer will reimburse non-panel engagements up to your coverage limit.
Action item
Before signing an IR retainer, email your cyber-insurance broker: "Is [firm name] on our policy's approved vendor panel? If not, what is the reimbursement process for non-panel IR firms?" Get the answer in writing.
DFIR vs MDR vs rapid-recovery — what scope do I actually need?
DFIR (Digital Forensics and Incident Response) is a reactive, investigation-led service engaged after a breach is suspected or confirmed. MDR (Managed Detection and Response) is a proactive, subscription-based monitoring service. Rapid-recovery services restore operations from backups without performing a full forensic investigation. Most serious breaches require DFIR at minimum; the others are complementary, not substitutes.
DFIR answers: "What happened, how did they get in, what did they access, and is it over?" It produces the forensic report your lawyers and regulators need. Expect forensic imaging, log analysis, malware analysis, and a timeline reconstruction. Cost: $200–$600/hour; typical engagements run $50,000–$500,000 depending on scope.
MDR answers: "Is anything happening right now?" It is an always-on subscription service that monitors your endpoints, network, and cloud around the clock. It reduces dwell time — the Ponemon Institute found MDR subscribers averaged 29 days to detect a breach versus 197 days for non-subscribers. Cost: $50,000–$250,000/year depending on seat count.
Rapid-recovery answers: "How fast can I get systems back online?" It prioritizes uptime over attribution. Some ransomware victims choose recovery-first when operational continuity outweighs the forensic investigation. The risk: if you restore without identifying the initial access vector, the attacker may still be present in your environment.
What criteria should I use to evaluate IR firms?
The most important evaluation criteria are response SLA, relevant certifications, industry-sector experience, insurance panel membership, and geographic coverage. Use this table to structure your RFP and vendor conversations.
| Criterion | What to ask the firm | Why it matters |
|---|---|---|
| Response SLA | "What is your guaranteed time to first consultant contact, and is that in writing in the retainer?" | Every additional hour of uncontained breach activity increases total cost and attacker dwell time |
| Certifications on-staff | "How many GCFA/GREM-certified analysts will work my engagement? How many PCI-PFI investigators do you have?" | Certifications confirm individual analyst competency, not just firm-level capability |
| Sector experience | "How many healthcare/financial/OT breaches have you investigated in the past 24 months?" | Sector-specific regulatory requirements (HIPAA, PCI DSS, GLBA, NERC CIP) require domain expertise to navigate |
| Insurance panel status | "Which cyber-insurance carriers have you on their approved vendor panel?" | Non-panel firms may require pre-authorization, adding 24–72 hours before engagement can start |
| Geographic coverage | "Can you deploy a consultant on-site within 24 hours to our primary location?" | Some forensic tasks (imaging servers, interviewing staff) require physical presence; remote-only firms are limited |
| Breach types handled | "Have you handled ransomware/supply-chain/insider-threat incidents of similar scale? Can you share sanitized case summaries?" | Breach type complexity varies enormously; APT investigations require different skills than BEC fraud |
| Legal and regulatory support | "Do you provide attorney-client privileged reporting? Do you coordinate directly with law firms and regulators?" | Forensic reports in litigation require specific chain-of-custody procedures; regulatory filings have strict deadlines |
| Threat intelligence integration | "Do you maintain proprietary threat-actor intelligence? How does it accelerate attribution in an active incident?" | Firms with real-time threat intel (Mandiant, Unit 42, CrowdStrike) can attribute attacks faster, compressing the investigation timeline |
10 questions to ask before signing with an IR firm
Use this list verbatim in your vendor conversations. The answers will separate prepared firms from firms that will be learning on your dime during a live breach.
- 01. What is your contractual SLA from my first call to a qualified consultant being assigned to scope my incident? Accept only written SLAs — verbal guarantees disappear at 2 a.m. on a Sunday.
- 02. Which cyber-insurance carriers have you on their approved vendor panel? Confirm this matches your actual policy before signing anything.
- 03. How many GCFA, GREM, and sector-specific certified analysts will be assigned to my engagement? Avoid firms that cite total headcount rather than the team that will actually work your case.
- 04. Can you provide sanitized case summaries of incidents similar to my sector and threat profile in the past 18 months? Recent, relevant experience matters more than a firm's total years in business.
- 05. What is your process for issuing a forensic report suitable for regulatory submission and/or litigation? Regulators (HHS OCR, FTC, SEC) have specific reporting requirements; your firm must know them.
- 06. Do you support attorney-client privileged engagements — and can your work product be directed to outside counsel? This is critical for any breach that is likely to involve litigation or regulatory action.
- 07. What proprietary threat intelligence do you maintain, and how does it shorten investigation timelines? Firms with real-time adversary tracking (Mandiant, Unit 42, CrowdStrike) can attribute attacks and identify TTP patterns faster than those relying on public intel.
- 08. Can you deploy consultants on-site at my primary location within 24 hours? Some forensic tasks — physical server imaging, staff interviews — require physical presence. Confirm geographic capacity now.
- 09. What pre-breach services are included in a retainer — tabletop exercises, threat briefings, environment familiarization? The best retainers include proactive services that compress response time when an incident actually happens.
- 10. How do you handle scope creep in billing — and what does a "not-to-exceed" clause look like in your retainer agreements? Breach investigations frequently expand. Understand the billing mechanism before you're committed to an open-ended engagement.
Frequently asked questions about choosing an IR firm
These are the questions security leaders and general counsel most commonly ask when evaluating incident response vendors for the first time.
How long does a typical IR engagement last?
Scope determines duration. A phishing-originated email compromise with limited lateral movement may take 1–2 weeks to scope, contain, and remediate. A sophisticated ransomware event with dwell time measured in weeks typically runs 3–8 weeks from initial triage through final forensic report. Nation-state APT investigations can extend 3–6 months. Most firms provide a preliminary scope estimate within 48 hours of engagement.
Should I hire a local firm or a national/global one?
Scale of breach drives the answer. A local breach affecting one office and no regulated data can often be handled by a regional firm at lower cost. A multi-site breach, any regulated-data incident (HIPAA, PCI), or any event with international regulatory implications (GDPR, 72-hour notification clock) requires a firm with the jurisdictional coverage and regulatory relationships to respond across multiple geographies simultaneously. When in doubt, choose coverage over cost.
What is a "master services agreement" and why do I need one before a breach?
A master services agreement (MSA) is a pre-negotiated contract that defines rates, scope, liability, confidentiality, and legal privilege before an incident occurs. Without one, you spend the first 24–48 hours of a live breach negotiating contract terms instead of containing the attacker. All IR firms accept MSAs; most offer standard versions with reasonable terms. Have your legal team review and execute one before you need it.
What is the difference between a retainer "on-call" and a retainer with "pre-purchased hours"?
An on-call retainer pays a monthly fee for guaranteed SLA and rate lock but no pre-purchased hours — you pay for actual work at the retainer rate when an incident occurs. A pre-purchased-hours retainer includes a block of analyst hours (typically 40–200 hours) that you can use for proactive services (tabletop exercises, threat hunts, environment assessments) or incident response. Pre-purchased hours often roll over partially quarter to quarter. For organizations that want proactive IR preparation, the pre-purchased model delivers more value.
Can I use my existing IT vendor or MSSP for incident response?
For minor incidents — a single compromised endpoint, contained malware — yes. For any breach involving regulated data, potential litigation, or regulatory notification obligations, no. Your existing IT vendor has a conflict of interest (their security controls may be implicated), lacks the specialized forensic tools and chain-of-custody procedures, and almost certainly does not have the regulatory expertise to produce a compliant breach report. Use a specialized IR firm for anything beyond routine security events.
Active breach? Don't negotiate contracts under pressure.
Use our directory to find vetted IR firms now — before you need them. Or contact our emergency line if an incident is in progress.