August 9, 2023

Understanding the Costs of Incident Response: Investigation Costs

In the first post for our Understanding the Costs of Incident Response series, we shared a comparison of incident response costs between two peers: a typical ransomware victim where security controls are absent or misconfigured and a well-prepared peer. Now we'll start looking at each of the major cost buckets across the incident response process.

Investigation Costs

The first costs that any victim will incur are for the investigation, which in our example accounts for ~$150k of the estimated $2.875 million claim arising from a typical ransomware event. These costs are what a lot of people think of when they think of cyber incident response, but they are just the tip of the iceberg.

Just think about it: Your infrastructure has been crippled, your network and storage have been ravaged by the attacker. And now, with limited IT resources, you're tasked with collecting artifacts and evidence from potentially thousands of endpoints spread across multiple sites. It's an arduous undertaking that requires speed, precision, and resourcefulness.

The scope of the attack needs to be determined: Is the adversary still present within the network? If so, how can we remove them effectively? Assessing the extent of compromised data and implementing containment measures that minimize further compromise are vital objectives. It's at this point that many organizations begin engaging external specialists across multiple disciplines – forensics, recovery, data mining, legal counsel – to start answering key questions and building a plan for getting back to an operational state.

Now, it can be tempting for organizations to take a DIY approach due to the costs associated with outside help. The harsh reality is that this process can be far more intricate and time-consuming than many initially realize, and without the right support it can become the biggest bottleneck in the entire incident response process. We see it every day.

The investigation stage will set the foundation for the rest of the incident response process. Getting the actionable information you need to understand the scope of the incident is critical to building a game plan for how you can recover safely, but also as quickly as possible.


James Gimbi

James Gimbi brings over ten years of breach response, cybersecurity strategy, and public interest technology experience to MOXFIVE. He investigated state-sponsored and criminal cyber attacks across defense, finance, healthcare, and government, and advanced bipartisan privacy and technology initiatives as a policy advisor in the US Senate. James's blended expertise helps corporate and federal leaders reduce cyber risk and tackle complex threats.
