
Top 10 incident response vendors for 2019

Leading incident response services include a variety of specialized tools to help organizations plan and manage their overall cybersecurity posture.

Organizations are struggling to keep up with the growing number of cybersecurity threats and the inherent complexities involved with maintaining a proper security posture. In many cases, enterprise security teams offload those duties to a trusted third-party service provider that can plan and handle security incident responses. According to a recent MarketsandMarkets report, many organizations are looking for help in mitigating financial losses from a breach, addressing a rapid uptick in the number of threats and figuring out how to better adhere to increasingly strict compliance regulations.

Incident response vendors offer services such as post-breach investigations, ransomware removal and proactive breach response plans. With an active retainer for incident response services, service-level agreements (SLAs) include specific emergency response times. These services also give the customer's enterprise security team access to highly skilled professionals on an as-needed basis. This retainer service strategy is appealing to many organizations because it can help reduce the overall incident response budget.

Using research from TechTarget surveys and analyst firms such as Gartner and Forrester, TechTarget identified 10 leading incident response vendors, taking into consideration market share and capabilities.


AT&T

As a dominant telecommunications provider in the U.S., AT&T is uniquely positioned in the incident response services market with its in-line internet and WAN monitoring services. Using its globally distributed security operations centers (SOCs), AT&T offers cyber incident response support. Customers can access AT&T's Threat Manager security event monitoring platform, which provides insight into what actions AT&T's cybersecurity experts are taking regarding threat identification, actionable insights and reporting. The platform also provides a quick way to verify compliance against various regulatory requirements. Full endpoint device management and monitoring, and AWS cloud operability and visibility are optional services that integrate with the Threat Manager platform.

Leading providers of cyber incident response services

BAE Systems

Founded in 1999, BAE Systems is one of the original cyber incident response vendors in the world. The U.K.-based company offers preemptive threat prevention services, including custom threat intelligence tools, penetration testing and attack preparation tools. If an attack or breach does occur, BAE Systems bases its incident response out of one of three support centers in the U.K., the U.S. or Australia. If required, BAE deploys its experts to the customer's location. The company provides advanced incident response technical support and can assist with the management of public relations.


BT

Another U.K.-based incident response service provider, BT operates out of 14 different globally distributed SOCs. Known primarily for its vast telecommunications services in 180 countries, BT has accumulated a large customer base for security services including incident response. Cybersecurity features that complement incident response include preemptive threat management, security threat intelligence, vulnerability scanning and managed security information and event management (SIEM). BT has partnered with FireEye to provide consulting services and to serve as the localized resource that works directly with customers with retainers for breach investigations as well as malware and ransomware remediation. The company also assists with long-term security strategies to help prevent future threats.

DXC Technology

DXC Technology was formed in 2017 through the merger of CSC and the services portion of Hewlett Packard Enterprise (HPE). The U.S.-based company maintains a global network of SOCs and offers a variety of managed services to help customers protect their data, applications, infrastructure and endpoints, and provide proactive security management against cyber risks. Security and incident response services include threat monitoring, endpoint management, managed SIEM and preemptive vulnerability assessments, and penetration testing, which provide risk prioritization and mitigation recommendations. 


IBM

As a U.S.-based global IT software and services company, IBM has developed an IT security and incident response division that's managed out of five global 24/7 SOCs. The company's security practice is known as IBM X-Force. IBM uses its QRadar SIEM to monitor all customer threats. The company also provides endpoint management services and advanced security analytics that can be tuned to monitor specific customer deployments. IBM handles all onsite SLA incident response cases and offers customers various security consulting services to help with the planning and ongoing management of a business' security posture.



NTT

A Tokyo-based company, NTT is a global telecommunications and technology integrator. The company offers telecom, cloud, networking and data center services along with several technology consulting specialties. These specialized services include security and incident response managed out of the parent company's NTT Security division. Customers with retainers use NTT security experts for incident response services, including SLA-backed incident response and digital forensics, preemptive planning and compliance assessment reviews. NTT Security also offers threat intelligence and endpoint management services. The company currently maintains 17 globally distributed SOCs, including five in the U.S.


Secureworks

Operating out of five globally dispersed SOCs, Secureworks offers a wide range of security incident response services. The company relies on its proprietary Counter Threat Platform to provide advanced security analytics information. Customers can view these analytics through a customizable portal. Secureworks also provides endpoint threat and malware prevention services. In terms of incident response due to an attack, breach or malware infestation, customers with retainers can take advantage of Secureworks professionals either remotely or onsite. Additionally, the company offers proactive security services, including incident preparedness, security assessments and other customizable services.


Symantec

Symantec has long been a staple in the world of consumer and enterprise cybersecurity. Getting its start in antivirus, the company has developed data security products that include advanced threat protection, cloud and endpoint security. Symantec also offers incident response retainers and security readiness services that include global onsite SLAs as low as 24 hours. Other benefits include emerging threat reports, a dedicated service manager and the ability for customers to use the Symantec DeepSight security analytics platform and Symantec Global Intelligence Network. Preemptive services include tabletop exercises, response plan assistance and various readiness assessments. The company's incident response services operate out of six globally dispersed SOCs that offer 24/7 support.


Trustwave

Trustwave is another independent IT service company that has been involved in incident response services longer than most vendors. The U.S.-based company offers onsite incident response support retainers globally with a maximum 48-hour onsite timeframe. Managing nine global SOCs, Trustwave also partners with various telecommunication and service providers in strategic locations to provide more localized support and faster incident response. Customers that purchase retainer services receive remote and onsite incident support, and can use the company's proprietary threat intelligence services and in-house cybersecurity experts known as the SpiderLabs team.


Verizon

Like AT&T, Verizon is a global telecommunications giant with a massive presence in the U.S. The company operates out of nine global SOCs, and rapid response retainer customers can negotiate service contracts with onsite incident mitigation SLAs as low as 24 hours. Other services include preemptive intelligence visibility, monthly intelligence briefings, customizable cybersecurity reports and endpoint management and threat detection services. The Verizon Network Threat Advanced Analytics platform detects cybersecurity risks before they can affect the customer's business. Verizon security experts can direct a customer's NetFlow data traversing the Verizon backbone. This flow data can then be analyzed to provide more customized threat assessments.

This was last published in June 2019
