Cybersecurity Services · Reston, Virginia, United States

Mandiant Review 2026 — Cybersecurity Services

4.6 / 5.0 from 1,310 verified buyer references
Founded: 2004
Headquarters: Reston, Virginia, United States
Employees: ~2,500 (part of Google Cloud)
Regions Served: Responders in 22+ countries, clients in 80+
Industries: Financial services, government, energy, healthcare, tech
Typical Engagement: $50K (assessment) to $5M+/year (IR retainer)

Overview

Mandiant was founded in 2004 by Kevin Mandia and built its reputation on nation-state incident response, including the widely cited 2013 APT1 report that publicly linked a cyber espionage campaign to a People's Liberation Army unit. The firm was acquired by FireEye in 2014, separated again in 2021, and acquired by Google in September 2022 in an all-cash transaction valued at approximately US$5.4 billion. Mandiant now operates as Mandiant Consulting inside Google Cloud, with the Mandiant brand retained for services and threat intelligence.

The practice comprises roughly 2,500 personnel, including more than 600 incident responders and over 300 threat intelligence analysts, with dedicated responders in more than 22 countries serving clients in more than 80. Kevin Mandia stepped down as CEO on 31 May 2024 and now serves as an advisor and Ballistic Ventures co-founder. Jurgen Kutscher, VP of Mandiant Consulting, leads the consulting practice and reports into Google Cloud CEO Thomas Kurian. Headquarters remain in Reston, Virginia.

Buyers typically engage Mandiant for incident response, advanced threat intelligence, red-team and tabletop exercises, and pre-breach validation. The firm is consistently ranked at the top of independent IR provider benchmarks alongside CrowdStrike Services, Unit 42, and Kroll. Mandiant is platform-aware but not platform-locked; engagements run across Google Security Operations, Microsoft Sentinel, Splunk, CrowdStrike Falcon, and SentinelOne. Pricing is at the upper end of the IR market, reflecting senior bench composition and threat intelligence depth.

Services Offered

Typical Engagement

Engagement Type | Model | Typical Range
Security programme assessment | Fixed-fee project | $80K–$400K (4–10 weeks)
Compromise assessment | Fixed-fee project | $150K–$750K (4–8 weeks)
Incident response (emergency) | Time & materials at premium rate | $500–$1,200/hour, $200K–$5M+ per incident
Incident response retainer | Annual subscription + hours | $250K–$5M+/year depending on hours and SLA
Mandiant Threat Intelligence | Annual subscription | $75K–$1M+/year by tier

Pricing ranges verified May 2026 from public Google Cloud Mandiant rate cards, US federal cyber services contract awards, and reference checks with 12 enterprise buyers across financial services and energy. Emergency incident response work commands a premium over retained hours; clients without a retainer typically pay 1.5–2x the retained hourly rate.

Strengths

  • Top-tier incident response reputation built on two decades of frontline nation-state and ransomware investigations
  • Threat intelligence depth — Mandiant Intelligence remains one of the few independently usable sources tracking advanced persistent threat groups by name and TTP
  • Bench composition is unusually senior, with a high proportion of staff who have led major public breach investigations
  • Integration with Google Threat Intelligence (post-acquisition) provides telemetry that competitors cannot match
  • Cross-platform delivery — Mandiant works across Google Security Operations, Microsoft Sentinel, Splunk, CrowdStrike, and SentinelOne rather than locking buyers into one stack
  • Strong reputation among insurers and regulators, which can shorten breach notification and forensic acceptance cycles

Limitations

  • Premium pricing — emergency IR rates routinely exceed $1,000 per hour, and retainers start at $250K per year for low-hour SLAs
  • Capacity constraints during major incident waves — during ransomware spikes (e.g. healthcare and manufacturing campaigns) wait times for un-retained clients can extend to days
  • Increasing alignment with Google Security Operations as the preferred SIEM platform may create a perception of bias for buyers running competing stacks
  • Not a managed services provider — Mandiant does not run a 24/7 MSSP or co-managed SOC, so most clients pair Mandiant with a separate MDR provider
  • Light footprint on regulatory and audit-driven cybersecurity programmes (SOX, PCI), which the Big Four typically deliver more cost-effectively

Regions Served

Alternatives

  • Comparable IR depth, Falcon-led telemetry, faster onboarding on CrowdStrike-protected estates (4.5)
  • Strong IR and tabletop practice, integrated with Cortex XSIAM and XSOAR (4.5)
  • Strong on insurance-led IR panels, broader investigations and disputes scope (4.3)
  • Mid-market focus, integrated MDR + IR offering at lower entry price (4.1)
  • European base, deep technical assurance and red-team practice (4.2)

Frequently Asked Questions

Is Mandiant still independent or part of Google?
Mandiant is part of Google Cloud. Google closed its US$5.4 billion all-cash acquisition in September 2022. The Mandiant brand has been retained for services and threat intelligence, and Mandiant Consulting operates as a distinct practice inside Google Cloud reporting to Thomas Kurian. Kevin Mandia stepped down as CEO on 31 May 2024 and is now an advisor.
What does a Mandiant incident response retainer cost?
Mandiant IR retainers typically start at around US$250,000 per year for low-hour SLAs and extend to US$5 million or more per year for large enterprises with rapid-response SLAs and named senior responders. Retained hours are billed at the discounted retained rate; emergency hours above the retainer are billed at the premium rate (commonly $500 to $1,200 per hour depending on seniority).
Does Mandiant only work on Google Cloud?
No. Mandiant Consulting operates across all major SIEM and EDR platforms including Microsoft Sentinel, Splunk, CrowdStrike Falcon, SentinelOne, and Elastic, alongside Google Security Operations. The firm is platform-aware rather than platform-locked. That said, Google Security Operations integration has deepened post-acquisition and buyers should expect Mandiant to position Google Security Operations on competitive SIEM evaluations.
How long does a Mandiant compromise assessment take?
A typical Mandiant compromise assessment runs 4 to 8 weeks depending on environment size and complexity. Fees range from US$150,000 to US$750,000 for most mid-size to large enterprises. Larger Fortune 100 environments, OT/ICS scopes, or post-merger assessments can run longer and into the seven-figure range.
How does Mandiant compare with CrowdStrike Services or Unit 42?
All three are top-tier IR providers with overlapping pedigrees. CrowdStrike Services tends to be the first call for clients already running Falcon, given the telemetry advantage. Unit 42 integrates tightly with Cortex XSIAM and tends to dominate where the SOC stack is Palo Alto Networks. Mandiant retains an edge on nation-state and complex multi-vector incidents and on independent threat intelligence depth. Pricing is broadly comparable across the three.
Last updated: May 2026