Incident Response Services

Investigate and remediate computer security incidents

Since 2004, Mandiant has focused on incident response services. It is our primary area of expertise. Mandiant has responded to thousands of breaches across all industries, organization sizes, technical environments, and provided incident response services to mitigate the effects of many of the largest and most impactful cyber breaches in the past several years.



Mandiant Incident Response Services specializes in investigating intrusions and targeted attacks performed by advanced threat groups. Our consultants use proprietary technology, creative investigative techniques and intelligence gathered during each investigation to improve our ability to identify the actions of the attacker, the scope of the breach, the data loss, and the steps required to remove the attacker's access. We also learn how to better re-secure the network.

As part of Incident Response Services, Mandiant consultants have investigated:

State-Sponsored Attacks

State-Sponsored Attacks

These attackers steal sensitive data that supports a nation-state's economic, political, or military objectives.

Insider Threats

Insider Threats

Systems used by employees, board members and other insiders suspected of inappropriate or unlawful activity.

Financial Crime

Financial Crime

Focused on financial gain, these attackers conduct payment card fraud, illicit ACH/EFT cash transfers, and ATM cash draw-downs while targeting payment processors and financial institutions.

Gunslinger Groups

Gunslinger Groups

These attackers tend to be semi-state sponsored and play by their own rules. They are highly sophisticated and financially motivated. These attackers steal sensitive data for personal gain or profit.

What You Get

  • Years of investigative experience
  • Unparalleled threat intelligence 
  • Proprietary tools and technology 
  • Incident management experience
  • Remediation experience

Sluggish Incident Response: Next-Generation Security Problems and Solutions

This IDC study examines current cyber security issues and provides recommendations to help organizations strengthen their incident response programs.

Download Report 

"You need an effective incident response strategy that enables you to fight back. Specifically, you need to prepare for, respond to, and remediate security incidents."

Our Approach

Incident Response Services focuses on helping organizations recover from data security breaches while minimizing the impact of the event on the organization. Major activities performed during an investigation include:

Assessing the Situation

Each investigation begins by gaining an understanding of the current computer security incident. This also includes understanding what steps you have already taken to investigate or address the situation.

Perform Enterprise Investigation

Leveraging Mandiant and FireEye technologies, we quickly search large, complex networks for evidence of attacker activity.

Providing Management Direction

During each incident response investigation our consultants works closely with your management and internal/external legal counsel to provide detailed, structured, and frequent status reports that communicate findings and equip you to make the right business decisions.

Developing Investigative Reporting

We provide a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences, including senior management, technical staff, third party regulators, insurers, and litigators.

Verifying Client Objectives

The next step is to define objectives that are practical and achievable.

Collecting Evidence

Our consultants collect evidence with forensically sound procedures and document evidence handling with chain-of-custody procedures that are consistent with law enforcement standards.

Performing Analysis

Mandiant draws on skills that range from host and network forensic analysis across all platforms to malware reverse engineering and log analysis to determine the attack vector, establish a timeline of activity, and identify the extent of the compromise.

Developing Remediation Plans

Incident Response Services includes a comprehensive remediation plan that both eliminates the attackers from the environment and implements new security controls to reduce the likelihood of a recompromise.