Incident Response Services Datasheet

Handle critical security incidents, resolve immediate issues and put solutions in place to address systemic causes of the incident

Mandiant specializes in investigating large-scale intrusions performed by the most advanced threat groups. Over the course of hundreds of investigations, Mandiant has developed expertise and intelligence that enables its consultants to identify the actions of the attacker, the scope of the compromise and what data was lost—in some of the world’s largest breaches. Mandiant consultants draw on a range of unique skills, experience, and technology to resolve each incident, remove the attacker and re-secure the network.

The Mandiant Difference

  • Investigative skills
    Technical & investigative skills developed over the course of hundreds of investigations.
  • Threat intelligence
    Profiles of key attack groups including their tools, practices and objectives along with corresponding Indicators of Compromise.
  • Technology
    Proprietary tools that automate investigative tasks and enable network traffic and host-based artifacts to be rapidly evaluated—even across networks that contain hundreds of thousands of systems.


  • Law enforcement relationships
    Long-standing relationships with law enforcement allow Mandiant to collaborate on investigations and share information when appropriate and approved by our clients.
  • Management experience
    Experience providing guidance and advice on the business impact of computer security decisions.
  • Dedicated malware team
    A team focused solely on reverse engineering malicious software and researching the latest exploits.

Experience with Multiple Threat Actors

Different attacks require different approaches. Some of the most common situations Mandiant has faced include:

Insider threats:

Insider threats:

Analyzing systems used by employees, board members and other insiders suspected of inappropriate or unlawful activity.

Financial crime:

Financial crime:

Investigating payment card fraud, illicit ACH/EFT cash transfers and ATM cash draw-downs at merchants, payment processors and financial institutions.

State-sponsored attacks:

State-sponsored attacks:

Addressing the theft of intellectual property, trade secrets and other sensitive data across virtually every industry.

Industry Experience

Security incidents can occur at unexpected times. When organizations are confronted with a critical security event, Mandiant’s experienced consultants will verify the nature of the incident, investigate and scope the intrusion and remediate it. Mandiant has conducted investigations across all major industries including:


Defense Contractors

Financial Services


  • Biotech
  • Defense Contractors
  • Financial Services
  • Healthcare

Law Firms


Oil and Gas






Mandiant’s Incident Response Services handle critical security incidents, resolve immediate issues and put long-term solutions in place to address systemic causes of the incident.      

Our Approach

Mandiant is focused on helping organizations recover from computer security events while minimizing the impact of the event on the organization. The major activities Mandiant performs during an investigation are: 

Assessing the situation
Each investigation begins by gaining an understanding of the current situation. How was the issue detected? What data has been collected? What steps have been taken? What does the environment look like?

Verifying client objectives
The next step is to define objectives that are practical and achievable. The goal may be to identify data loss, recover from the event, determine the attack vector, identify the attacker—or some combination of those objectives. 

Collecting evidence
Mandiant consultants collect information with forensically sound procedures and document evidence handling with chain-of-custody procedures that are consistent with law enforcement standards.

Performing analysis
Based on the evidence that is available and the client’s objectives, Mandiant draws on skills that range from forensic imaging to malware and log analysis in order to determine the attack vector, establish a timeline of activity and identify the extent of the compromise.

Providing management direction
During each investigation, Mandiant works closely with client management to provide detailed, structured and frequent status reports that communicate findings and equip its clients to make the right business decisions. 

Developing remediation plans
Remediation plans vary depending on the extent of the compromise, the size of the organization and the tactics/objectives of the attacker. As part of an investigation, Mandiant delivers a comprehensive remediation plan and assists with the implementation. 

Developing investigative reporting
Mandiant provides a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences including senior management, technical staff, third party regulators, insurers and litigators.

Unique Experience

Mandiant’s specialized skills and technology have enabled it to resolve some of the most sophisticated attacks including the following situations:

  • Multiple attack groups
    Mandiant frequently faces multiple attack groups working concurrently and independently in the same victim network.
  • Large environments
    Mandiant routinely reviews tens of thousands of systems for evidence of compromise within the first several weeks of an engagement.
  • Extensive compromises
    Mandiant has dealt with compromises that have involved up to 25% of all systems within an environment. 
  • Complex remediation
    Mandiant has implemented remediation approaches in very large networks and in situations where all remediation activities could not occur simultaneously.
  • Targeted supply chains
    Mandiant has investigated intrusions where attackers targeted multiple companies across a supply chain.