Best Incident Response Companies in 2024: Reviews & Pricing

Finding the right incident response company can be arduous. This is complicated by the fact that many insurers hold the right for approval. So, when it comes to finding the right incident response provider, it is recommended to do the research before the service is needed. If your organization does not have a retainer, it is likely to become extremely tricky to contract with the preferred vendor.

Before getting into rating some of the best IR companies in the market, it is important to understand that this is a nuanced and complicated service. There are many different types of incidents and not all service providers are proficient or offer services for all of them.  For example, the requirement for a ransomware attack is going to be quite a bit different than a data exposure or data security incident.

Another aspect to keep in mind when reviewing service providers is the technology that they work with. Are they a Dell shop? Are they strong in AWS or Azure? Can they work with Cisco?

When discussing services with vendors, not only talk about the types of attacks they can assist with but consider their tool and knowledge of your infrastructure and environment.

Top Incident Response Companies List

BlueSteel Cybersecurity



Wendego I.T. Solutions


Berezha Security Group

Touchstone Security


Iron Range Cyber

The Best Incident Response Companies in the US

With the United States being one of the largest and most mature cyber security vendor markets, it comes with expectations that it will have a strong and mature stable of IR companies. This is very much the case, which provides a long list of vendors to select from for any company looking to contract with a US-based IR company.

When selecting a vendor, keep in mind the technology your organization has, insurer requirements, and travel. While travel or onsite may not be needed in all cases, if you would like to have resources onsite, consider finding a vendor that can guarantee a small window for getting resources to your office.



Crowdstrike has been a leader in incident response since their EDR, and now XDR solution was deployed. They are known for having a strong and deep team that can work across multiple technology stacks and in dealing with a variety of incidents.

Through a combination of tools, both internal IP and commercial, along with strong technical skill sets, Crowdstrike provides a reliable and responsive service. With that in mind, they are also a company that may not have capacity if your organization does not have a retainer with them before an incident, so if you are considering working with them, get a retainer.

NCC Group


NCC Group works as a sub-contractor and a direct contractor for incident response. This group is known for having highly technical and skilled resources, which is why some of the top IR companies leverage them as sub-contractors, when required.

Much like Crowdstrike, a retainer is almost a requirement to work with them in an event of an incident. While they have a very strong IR team, NCC Group also offers up great services across other types of security services, which makes their retainer very valuable.



Kivu is a little different than the others on this list. They are likely one of the strongest in the event of a ransomware attack, due to their ability to facilitate payment. They are registered as a Money Service Business (MSB) to help address potential ransomware attacks.

Just like the others on this list, Kivu has a strong portfolio of internally developed tools and knowledge to provide additional speed and accuracy in the investigation. While they are positioned the best for ransomware, they are very capable with other incidents too.



Mandiant may be the most recognized name on this list for most anyone in the technology field. They made their name in 2013 with the release of their APT research against some of China’s attacks. Since then, they have continued to grow and expand its services.

Mandiant is known for developing and utilizing zero-day and one-day attacks as part of the red team services, which does provide their IR team with additional knowledge that can be leveraged at the time of an investigation. Like the others on this list, they have been involved in some large investigations in the private and government sector.

The Best International Incident Response Companies

Before contracting with an international company, it is best to understand if there are requirements for onsite and where that may be. If your offices are largely in the US, it may be best to engage a firm that has a strong presence in the US.

However, if your organization has locations outside the US, an international firm can not only provide resources close to the location but can also assist with navigating requirements for reporting, evidence, and other incident activities.

Herjavec Group

herjavec group

The Herjavec group is in Ontaria, Canada with a large presence in the US. This firm is known for having a strong suite of solutions in the cyber security space and continues to grow through acquisition and organic growth. This group is recognized by many insurance companies and provides a strong combination of technical and internal IP to assist with an investigation. While not overly known for their IR services, they are still a strong provider and should be considered.



BT Cyber operates across 14 different locations for their Security Operations Centers, which provides a robust and far-reaching footprint in the event of an incident. This group has worked with government entities to assist with incident management and investigations. With their strong global presence, they bring the ability to provide resources and expertise where an organization may need it.



AON has a long history of providing security and insurance services. Much like all the top players in this field, AON has built its own internal tools to help in the event of an incident. One area that is a bit different from the other vendors is their focus on a proactive response to incidents to prepare for potential incidents. AON offers up a retainer that is a zero-dollar commitment to negotiate rates and a master service agreement. This is an uncommon offering for a retainer.

BAE Systems

Bay system

Utilizing in-house developed tools, BAE Systems provides security incident response services and guidance to the private and government sectors. BAE Systems is based out of the UK but has a large global presence, which includes Australia and the US. BAE brings expertise to the table to assist with research and mitigation of cyber security events.

While they may not be known for their cyber services, BAE has quietly built up a strong stable of consultants and tools that have proven to have deep expertise in incident response.

Best Boutique Incident Response Companies

Black Hills Information Security

Black Hills Information Security Incidense Response

BHIS is a small cybersecurity company located in the Midwest. While they offer up strong penetration testing services, they also are well renowned in their IR capabilities.

They offer up a retainer that provides access to consulting and other services to be proactive prior to an attack, as their goal is to not have to respond. However, when they do need to respond, they bring a strong set of tools and highly technical resources that have led Fortune 500 companies' IR and SOC teams.


trusted sec

The TrustedSEC founder started his career in the intelligence industry and has since transitioned to starting up a small security firm that offers up IR and other security services. TrustedSEC has provided insight and input on many of the most current breaches. They bring a small, highly technical team to the table and would be a great firm to work with for initial containment and investigation of an incident.

Fish Tech

fishtech group

Fish Tech is yet another company founded by Gary Fish. Coming from his experience in starting up FishNet, which later became Optiv, Gary focused on incident detection and response with the initial set of offerings. Partnering with Google in the early stages of building their Chronicle SIEM, Fish Tech has built out a world-class security incident response and detection team. Like all the companies on this list, they have strong internal IP and knowledge that they bring an investigation.

Tips on Choosing Incident Response Companies

With so many vendors in the space and many claiming to have mature IR services with little to no experience, it can be extremely difficult to find the right partner. The following can be utilized to help determine the right partner for your IR retainer or incident.

Technology Expertise

This is a question that many vendors may try to step around, but it is important to discuss with them. Before talking to any organization about its services, take the time to gather the primary technologies and vendors with whom your organization is working. A great example of this is around cloud computing vs. on-premise deployment.

How the vendor will gather and what logs will need to be reviewed will vary quite a bit in AWS/Azure vs. infrastructure that your organization owns. These are skills that are not easily learned in the heat of the battle, and your organization should expect that your partner brings these skills to the table.


For many organizations, this may be simple, but if your organization is internationally positioned, understanding where the vendor has resources and can assist could be critical. While your corporate office may be in the United States, it does not mean that an incident will start or even involve the US office.

Having a vendor, or even a stable of vendors, that can assist in the locations that you operate will be critical. Flights and travel are not cheap when dealing with international travel.


When starting to evaluate vendors, discuss with your insurance broker or refer to the terms of your insurance policy. Many insurance brokers require the vendors to be on an approved list. If this is the case, they will often have a list of vendors that can be a great starting point for discussion and evaluation.

Often, this is because the insurance broker has worked with them in the past and are comfortable with rates, capabilities, and ability to efficiently contain an attack.