The Incident Response Market 

The increasing number of security breaches attributed to hacking, cyber terrorism, identity thefts, and money laundering leads to high demand for incident response and readiness (IRR) services. The frequency and sophistication of attacks and the extortion of high ransomware have become a central problem for large and mid-size companies and organizations concerned with losing their reputation and client trust. Having an up-to-date incident response and readiness plan became a strategic necessity as recent multi-million attacks on Colonial Pipeline, Brenntag, JBS Food, and software management vendor SolarWinds show. The current geopolitical tensions and unfolding rapid digitalization might lead to an even more significant number of sophisticated cyber-attacks against organizations and companies. According to various sources, the Incident Response market size is expected to register a revenue CAGR of ~17-21% over the next 5 to 7 years. 

Key Players 

There are three main groups of incident response and readiness service providers:

  • Professional services firms
  • Tech and cyber firms
  • Legal firms and cyber insurance firms

The professional services firms grow their IR capabilities through acquisitions and partnerships rather than in-house solutions. The leading professional services firms offer retainer services in contract models and propose a holistic approach to cyber security with additional solutions and products providing more excellent protection. Although the IRR offering of the Big Four is scattered across geo’s, the solutions and services bear similarities across continents.

Tech and cyber firms offer incident response develop their solutions with the latest technological innovations, including AI. Microsoft, IBM, Mandiant (acquired by Google), CrowdStrike, Kroll, and Protiviti belong to the largest and/or most innovative providers of incident response solutions. Tech and cyber firms expand their capabilities in SOC planning and SOAR capability and heavily invest in IoT IR acquisitions. Expertise in providing security for the cloud has become a critical service.

Legal firms and cyber insurance firms move into the incident response business. Major law firms offer legal services for companies impacted by cyber-attacks, including Baker Hostetler and Hogan Lovells. Preparing documentation and reporting on attacks are a rising trend attracting law firms to assist with providing incident response solutions through third parties. Although some professional services offer insurance claims in their managed services, large insurance companies increasingly offer incident response services through alliances (i.e., AXA XL, Beazley). In 2021 the cyber insurance market was $9B and registers a CAGR of c. 19 % from 2022 to 2027.

Capabilities and services in demand

Advancements in available technologies and the rise of AI and automation lead to new solutions within the incident response and readiness services. The clients’ needs include: 

  • Incident response plan
  • 24/7 emergency support
  • Threat hunting approach with AI

As Harvard Business Review (HBR) emphasizes, the perfect incident response plan must clearly define and split responsibilities during an incident. Additionally, the senior management and leadership must have a strategy that includes legal teams, incident response services, and third parties ready to jump in when an incident occurs. Moreover, 24/7 emergency support with available consultants is a pre-exquisite. Another need is related to frameworks and models that can introduce a threat hunting approach with AI. As the CEPS Task Force report emphasizes, AI becomes a desirable and necessary tool for incident readiness.

Key trends to observe

Geopolitical tensions

As Cybersecurity and Infrastructure Security Agency (CISA) informs, the recent Russian invasion of Ukraine might include a rise in malicious cyber activity against the US. According to predictions, the Russian Government investigates options for possible cyberattacks as an act of revenge for sanctions imposed on the Kremlin. 

Regulatory compliance

Rising costs and threats associated with security breaches lead to new regulations such as The Cyber Incident Reporting for Critical Infrastructure Act of 2022 which was signed into law by President Biden. After further consultations within The Cybersecurity and Infrastructure Security Agency (“CISA”), the act will require certain critical infrastructure companies to report cybersecurity incidents within 72 hours and ransomware payments within 24 hours.


In the past three years, the incident response and readiness category acquisitions have been on the rise. The leading professional services firms and tech giants acquired a set of companies, including Symantec (2020), Context IS (2020), Sentor (2021), Openminded (2021), Elevated Prompt (2019). Moreover, key tech companies acquired RiskIQ (2020), CloudKnox (2021), CyberX (2020), Reaqta (2021), Intrigue (2021), RP Digital Security (2020), and Security Compass (2021). The most remarkable acquisition took place in March 2022 when Google acquired the incident response champion Mandiant for 5.4 bln USD.


The cybersecurity market needs to attract new talent that can face the rising challenges of sophisticated security breaches. Attracting and retaining skills is a pressing challenge for private and public organizations. Organizing workshops, training, and competitions might attract younger professionals with technical backgrounds to join incident response teams.

Cyber risks in the home office 

As the Covid-19 pandemic hit the world, corporations switched to the home office—this new model of work resulted in security breaches and incidents on a larger scale. As a countermeasure, corporations advised their employers to refrain from using media content on company devices, provide secure connections such as VPN and implement the latest antivirus updates. In the new era of digital work, having a proper incident response plan has become a must.