OODA loop How to retool incident response best practices for the digital age

10 leading incident response vendors

Incident response vendors offer a variety of specialized tools to help organizations plan and manage their overall cybersecurity posture. Learn about 10 of them here.

When it comes to dealing with an unplanned and potentially disruptive event that affects the security and integrity of an organization's IT infrastructure, incident response plans are the first line of defense. Without an incident response plan in place, an organization's response to an incident -- especially a cyber attack -- could be haphazard and disastrous. Incident response plans can be created and implemented manually -- for example, by using a template such as the one provided by TechTarget. Many organizations, however, are moving beyond this approach and using automated incident response services that address all aspects of an incident response.

Numerous software-based products are available for consideration. These can range in cost from under $200 to several thousands of dollars. Many software-based business continuity and disaster recovery (BCDR) systems include integrated incident response modules, which can help launch or update an incident response initiative. Third-party service companies, such as cloud service providers (CSPs), may offer incident response modules within their service packages. In short, many ways to build incident response plans are available; it becomes a matter of understanding the business and IT security requirements before selecting an incident response vendor's product or service.

Increased use of third-party incident response

Organizations are struggling to keep up with the growing number of cybersecurity threats and the inherent complexities involved with maintaining a proper security posture. In many cases, enterprise security teams offload these duties to a trusted third-party service provider that can plan and handle security incident responses. According to a recent study, 82% of enterprise professionals believe having visibility and insights based on real-time threat data is more necessary today than ever before. Further, 44% of enterprises plan to either implement or expand the implementation of a real-time threat alerting system.

Incident response vendors offer services such as post-breach investigations, ransomware removal and proactive breach response plans. With an active retainer for incident response services, service-level agreements (SLAs) include specific emergency response times. These services also give the customer's enterprise security team access to highly skilled professionals on an as-needed basis. This retainer service strategy is appealing to many organizations because it can help reduce the overall incident response budget.

Considerations when choosing an incident response vendor

If your organization is already using a third-party managed security or risk management service provider, ask the firm what incident response offerings it has. The same should be asked of CSPs. Using services from an existing provider can make the incident response service selection process much easier.

Incident response vendors offer services such as post-breach investigations, ransomware removal and proactive breach response plans.

If no incident response plan is in place or no existing vendors are suitable, complete the following steps to identify a suitable service provider:

  1. Determine the specific incident response requirements of your organization. This could include threat detection, alert notifications and detailed step-by-step procedures for handling an incident.
  2. Research the market for incident response service providers, and review their offerings.
  3. Prepare and present a business case to management for approval and funding.
  4. Prepare a request for proposal or request for quotation to secure pricing and other elements, such as installation, training, warranties, support for SLAs, maintenance costs, testing capabilities, documentation provided, and technical support and assistance provided.
  5. Select a vendor, have contracts reviewed and approved, organize funding, and schedule deployment and training schedules.
  6. Complete installation and deployment, and test the system. If possible, test along with BCDR and cybersecurity testing.
  7. Set up maintenance, performance review and testing schedules.

As with any new technology or process, be sure to prepare and/or update policies and procedures for incident response activities.

The vendors

Using research from TechTarget surveys and analyst firms, such as Gartner and Forrester, TechTarget identified the top 10 incident response vendors, taking into consideration market share and capabilities.


Still the dominant telecommunications provider in the U.S., AT&T is uniquely positioned in the incident response services market with its inline internet and WAN monitoring services. Using its globally distributed security operations centers (SOCs), AT&T offers managed threat detection and response through its unified security management platform. Services include endpoint management, cloud security monitoring and compliance support. Customers can also access the AT&T Alien Labs Threat Exchange, which provides insight into what actions a global community of cybersecurity experts are taking regarding threat identification, actionable insights and reporting.

Image displaying leading incident response vendors
Consider this list when evaluating incident response vendors.

BAE Systems

Founded in 1999, BAE Systems is one of the original cyber incident response vendors in the world. The U.K.-based company offers preemptive threat prevention services, including custom threat intelligence tools, penetration testing and attack preparation tools. If an attack or breach does occur, BAE Systems uses one of three support centers in the U.K., the U.S. or Australia to base incident responses. If required, BAE deploys its experts to the customer's location. The company provides advanced incident response technical support and can assist with the management of PR.


Another U.K.-based incident response service provider, BT operates out of 14 different globally distributed SOCs. Known primarily for its extensive telecommunications services in 180 countries, BT has accumulated a large customer base for security services, including incident response. Cybersecurity features that complement incident response include preemptive threat management, security threat intelligence, vulnerability scanning and managed SIEM. BT has partnered with FireEye to provide consulting services and to serve as the localized resource that works directly with customers with retainers for breach investigations, as well as malware and ransomware remediation. The company also assists with long-term security strategies to help prevent future threats.

DXC Technology

DXC Technology was formed in 2017 through the merger of Computer Sciences Corporation and the services portion of HPE. The U.S.-based company maintains a global network of SOCs and offers a variety of managed services to help customers protect their data, applications, infrastructure, and endpoints and provide proactive security management against cyber risks. Security and incident response services include threat monitoring, endpoint management, managed SIEM, preemptive vulnerability assessments and penetration testing, which provide risk prioritization and mitigation recommendations. DXC successfully survived a ransomware attack in 2020 by using its years of experience in cybersecurity threat management.


As a U.S.-based global IT software and services company, IBM has developed an IT security and incident response division that's managed out of five global 24/7 SOCs. The company's security practice is known as IBM X-Force. IBM uses its QRadar SIEM to monitor all customer threats. The company also provides endpoint management services and advanced security analytics that can be tuned to monitor specific customer deployments. IBM handles all on-site SLA incident response cases and offers customers various security consulting services to help with the planning and ongoing management of a business's security posture.

Nippon Telegraph and Telephone (NTT)

A Tokyo-based company, NTT is a global telecommunications and technology integrator. The company offers telecom, cloud, networking and data center services, along with several technology consulting specialties. These specialized services include security and incident response managed out of the parent company's NTT Security division. Customers with retainers use NTT security experts for incident response services, including SLA-backed incident response, digital forensics, preemptive planning and compliance assessment reviews. NTT Security also offers threat intelligence and endpoint management services. The company currently maintains 17 globally distributed SOCs, including five in the U.S.


Operating out of five globally dispersed SOCs, Secureworks offers a wide range of security incident response services. The company relies on its proprietary Counter Threat Platform to provide advanced security analytics information. Customers can view these analytics through a customizable portal. Secureworks also provides endpoint threat and malware prevention services. In terms of incident response due to an attack, breach or malware infestation, customers with retainers can take advantage of Secureworks professionals either remotely or on-site. Additionally, the company offers proactive security services, including incident preparedness, security assessments and other customizable services.


Symantec, now a division of Broadcom, has long been a staple in the world of consumer and enterprise cybersecurity. Getting its start in antivirus, the company has developed data security products that include advanced threat protection, cloud and endpoint security. Symantec also offers incident response retainers and security readiness services that include global on-site SLAs as low as 24 hours. Other benefits include emerging threat reports, a dedicated service manager and the ability for customers to use the Symantec DeepSight security analytics platform and Symantec Global Intelligence Network. Preemptive services include tabletop exercises, response plan assistance and various readiness assessments. The company's incident response services operate out of six globally dispersed SOCs that offer 24/7 support.


Trustwave is another independent IT service company that has been involved in incident response services longer than most vendors. The U.S.-based company offers on-site incident response support retainers globally with a maximum 48-hour on-site time frame. Managing nine global SOCs, Trustwave also partners with various telecommunication and service providers in strategic locations to provide more localized support and faster incident response. Customers that purchase retainer services receive remote and on-site incident support and can use the company's proprietary threat intelligence services and in-house cybersecurity experts, known as the SpiderLabs team. The company announced its Trustwave Fusion platform in 2019 to provide U.S. government agencies and suppliers threat detection and response services that meet stringent U.S. federal government security requirements.


Like AT&T, Verizon is a global telecommunications giant with a massive presence in the U.S. Operating out of nine global SOCs, rapid response retainer customers can negotiate service contracts with on-site incident mitigation SLAs as low as 24 hours. Other services include preemptive intelligence visibility, monthly intelligence briefings, customizable cybersecurity reports, and endpoint management and threat detection services. The Verizon Network Threat Advanced Analytics platform detects cybersecurity risks before they can affect the customer's business. Verizon security experts can direct a customer's NetFlow data traversing the Verizon backbone. This flow data can then be analyzed to provide more customized threat assessments.

Next Steps

Incident response tools: How, when and why to use them

Comparing EDR tools: Cybereason vs. CrowdStrike vs. Carbon Black

This was last published in March 2021

Dig Deeper on Security operations and management