Mandiant

Incident Response Leader · Security
Scale: ~1,400-2,000 consultants and analysts
Focus: AWS/Azure/GCP · Security, Incident Response

Frontline incident response and threat intelligence firm, now part of Google Cloud. Delivers more than 450,000 IR hours per year and publishes the M-Trends report. Premium pricing, no breach warranty, and a multi-cloud independence question to weigh on transformation engagements.

Summary

Mandiant is an Incident Response Leader firm (~1,400-2,000 consultants and analysts) focused on Security and Incident Response across AWS/Azure/GCP, with delivery experience in Financial Services and Government.

Last reviewed: 2026-05-08 · Cloud Intel — independent, no paid placement

Mandiant Analysis

✓ Strengths

  • Industry-defining IR pedigree — 450K+ engagement hours per year, 20+ years of major-breach experience
  • Threat intelligence depth via Google Threat Intelligence Group (Mandiant + Google telemetry)
  • Pre-negotiated 2-hour SLA via the Mandiant Retainer reduces breach-day legal and contract friction
  • Strong OT/ICS practice for energy, manufacturing, and utilities
  • Recognized leader in IDC MarketScape Worldwide IR 2025 and Forrester Wave Cybersecurity IR Q2 2024

⚠ Considerations

  • Premium pricing — not viable for SMB or budget-constrained mid-market buyers
  • No breach warranty (competitors Unit 42 and SentinelOne now offer financial guarantees)
  • Google Cloud integration creates a multi-cloud independence question on transformation work — Cybersecurity Transformation services are increasingly anchored on Google SecOps (Chronicle); AWS- or Azure-heavy buyers may receive equally strong IR but a less platform-neutral roadmap
  • IR retainer and Managed Defense are sold separately — full-stack coverage requires multiple contracts
  • M-Trends statistics are Mandiant-client statistics, not global statistics — useful directional intel, not a census

Best Fit For

  • Enterprises that need a pre-negotiated IR retainer with a 2-hour SLA before the next breach
  • Boards demanding the strongest available threat intelligence brand for regulator and insurer scrutiny
  • Critical-infrastructure operators (energy, manufacturing, utilities) needing OT/ICS-aware IR

Mandiant Cloud Projects

Salesloft Drift OAuth Token Theft (UNC6395) — 2025

Investigated token theft affecting downstream Salesforce and connected SaaS. Mandiant traced the origin to a March 2025 GitHub compromise. Engagement spanned cross-tenant SaaS forensics, OAuth token rotation guidance, and customer-notification support across hundreds of impacted organizations.

Technologies: SaaS Forensics, OAuth Token Forensics, GitHub Audit, Identity Threat Detection
  • Root cause traced from August 2025 detection back to March 2025 origin
  • Containment guidance issued to ~700 affected organizations
  • Public threat advisory shaped industry response

Multi-Cloud Compromise Assessment — Fortune 100 Bank

Six-week compromise assessment across AWS and Azure estates spanning 200+ accounts. Hunted for known threat actor TTPs (UNC3944 Scattered Spider, UNC2452 patterns). Combined log-based detection with EDR telemetry and identity provider hunt across Entra ID and AWS IAM Identity Center.

Technologies: Compromise Assessment, MITRE ATT&CK, Entra ID Hunt, AWS CloudTrail, Mandiant Hunt
  • No active compromise identified — clean assessment supported regulator filing
  • Identified 11 medium-priority hardening recommendations
  • Established baseline detection engineering for ongoing hunt program

OT/ICS Tabletop & Red Team — Critical Infrastructure Operator

Combined tabletop exercise and red-team engagement modeling Volt Typhoon and Sandworm patterns against a North American utility's OT environment. Used Mandiant ThreatSpace cyber range for executive simulation; physical red team tested IT-OT segmentation.

Technologies: Red Team, ThreatSpace, OT/ICS, Tabletop Exercise
  • Identified two crossable IT-to-OT pivot paths
  • Board-level tabletop completed with named adversary playbooks
  • 12-month remediation roadmap validated by NERC CIP audit team

Mandiant Pricing Indication

Pricing Tier: $25K-$150K (retainer) · custom for active IR · enterprise-negotiated

Pricing varies based on project complexity, duration, and specific requirements. Contact the partner for a detailed quote.

Questions to Ask Mandiant

Before engaging with Mandiant, here are key questions to help you evaluate fit:

  • Retainer Mechanics: "What is the retainer SLA in writing — 2 hours, business hours, or follow-the-sun? Are unused hours convertible to proactive work, and at what conversion ratio?"
  • Multi-Cloud Independence: "If our environment is AWS- or Azure-heavy, will the transformation roadmap recommend Google SecOps as the SIEM destination? What is the alternative path if we keep Splunk or Sentinel?"
  • Senior Resource Access: "On an active IR, will Charles Carmakal-tier senior consultants be on the engagement, or is that media-only? Who is named in the SOW and what is their dedicated allocation?"
  • Breach Warranty Position: "Why is there no breach warranty when Unit 42 and SentinelOne now offer them? What contractual recourse do we have if a covered breach occurs during retainer coverage?"
  • Threat Intel Integration: "How does GTIG content flow into our existing SIEM and SOAR tools? What is the integration cost beyond the subscription itself?"

Red flags to watch for:

  • Reluctance to commit named senior personnel in the SOW
  • Pressure to adopt Google SecOps before the IR engagement is even scoped
  • Vague 'follow-the-sun' coverage language without specific time-zone team locations
  • Multi-product bundling that obscures the actual retainer hours and rates

Similar Partners

Caylent

AWS Premier Partner · AWS

Cloud-native services company focused exclusively on AWS. Known for high-end engineering and DevOps modernization.

Accenture Cloud

Premier Partner · AWS/Azure/GCP

Global systems integrator with deep AWS practice. Strong in enterprise migration and transformation. Brings process maturity and industry-specific solutions but can be expensive relative to boutique firms.

Coalfire

Compliance & FedRAMP Specialist · AWS/Azure/GCP

Highest-volume FedRAMP 3PAO assessor and PCI QSA in the US. Strong on multi-framework compliance programs (FedRAMP, PCI, HITRUST, ISO 27001, SOC 2). Cannot serve as both advisor and assessor on the same FedRAMP package — buyers must split the engagement.

Mandiant — frequently asked questions

Is Mandiant a good cloud consulting firm?

Mandiant is an Incident Response Leader firm specializing in Security, Incident Response, and Threat Intelligence across AWS, Azure, and GCP, with delivery experience in Financial Services and Government. Cloud Intel evaluates firms on partner tier, real case studies, and pricing transparency — not paid placement.

How much does Mandiant cost?

Mandiant's pricing range is $25K-$150K for a retainer, custom for active IR, and enterprise-negotiated. Final cost depends on project scope, duration, and complexity; contact them directly for a tailored quote.

What is Mandiant best known for?

Mandiant specializes in Security, Incident Response, and Threat Intelligence, with core delivery across AWS, Azure, and GCP. Additional competencies include Cloud Security.

Which industries does Mandiant serve?

Mandiant primarily serves clients in Financial Services, Government, Healthcare, High Tech, and Critical Infrastructure. Buyers in these verticals are typically well-matched to their delivery experience and existing case-study base.

Who should consider Mandiant?

Mandiant is a strong fit for: Enterprises that need a pre-negotiated IR retainer with a 2-hour SLA before the next breach; Boards demanding the strongest available threat intelligence brand for regulator and insurer scrutiny; Critical-infrastructure operators (energy, manufacturing, utilities) needing OT/ICS-aware IR.

Key Facts

Headquarters: Reston, VA (legacy) · Mountain View, CA (Google Cloud)
Founded: 2004
Team Size: ~1,400-2,000 consultants and analysts
Industries: Financial Services, Government, Healthcare, High Tech, Critical Infrastructure
Data Verified: May 23, 2026
Data Version: Q2-2026
