Mandiant Incident Response Services

Investigate and Remediate Computer Security Incidents

Incident response is Mandiant’s primary focus and area of expertise. Since 2004, we have responded to thousands of breaches across all industries, organization sizes, and technical environments, including many of the largest and most impactful cyber breaches that occurred in the past several years.

Computer Security Incidents


We specialize in investigating intrusions and targeted attacks performed by advanced threat groups. Our consultants use proprietary technology, creative investigative techniques, and intelligence gathered during each investigation to improve our ability to identify the actions of the attacker, the scope of the breach, the data loss, and the steps required to remove the attackers access. We also learn how to better re-secure the network.

Mandiant consultants have performed investigations of:

State-Sponsored Attacks

State-Sponsored Attacks

These attackers steal sensitive data that supports a nation-state's economic, political, or military objectives.

Insider Threats

Insider Threats

Systems used by employees, board members, and other insiders suspected of inappropriate or unlawful activity.

Financial Crime

Financial Crime

Focused on financial gain, these attackers conduct payment card fraud, illicit ACH/EFT cash transfers, and ATM cash draw-downs at merchants while targeting payment processors and financial institutions.

Gunslinger Groups

Gunslinger Groups

These attackers tend to be semi-state sponsored and play by their own rules. They are highly sophisticated and financially motivated. These attackers steal sensitive data for personal gain or profit.

What You Get

  • Years of Investigative Experience
  • Unparalleled Threat Intelligence 
  • Proprietary Tools and Technology 
  • Incident Management Experience
  • Remediation Experience

Sluggish Incident Response: Next-Generation Security Problems and Solutions

This IDC study examines current cyber security issues and provides recommendations to help organizations strengthen their incident response programs.

Download Report 

"...the central narrative stayed the same: far too many organizations were unprepared for the inevitable breach, allowing attackers to linger far too long in compromised environments."

- M-Trends 2015

Our Approach

We focus on helping organizations recover from data security breaches while minimizing the impact of the event on the organization. The major activities we perform during an investigation include:

Assessing the Situation

Each investigation begins by gaining an understanding of the current computer security incident. This also includes understanding what steps you have already taken to investigate or address the situation.

Perform Enterprise Investigation

Leveraging Mandiant and FireEye technologies, we quickly search large, complex networks for evidence of attacker activity.

Providing Management Direction

During each incident response investigation our consultants works closely with your management and internal/external legal counsel to provide detailed, structured, and frequent status reports that communicate findings and equip you to make the right business decisions.

Developing Investigative Reporting

We provide a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences, including senior management, technical staff, third party regulators, insurers, and litigators.

Verifying Client Objectives

The next step is to define objectives that are practical and achievable.

Collecting Evidence

Our consultants collect evidence with forensically sound procedures and document evidence handling with chain-of-custody procedures that are consistent with law enforcement standards.

Performing Analysis

Mandiant draws on skills that range from host and network forensic analysis across all platforms to malware reverse engineering and log analysis to determine the attack vector, establish a timeline of activity, and identify the extent of the compromise.

Developing Remediation Plans

As part of an incident response we deliver a comprehensive remediation plan that both eliminates the attackers from the environment and implements new security controls to reduce the likelihood of a recompromise.