Incident Response Time & Cost Calculator
Estimate the total labor cost and time required to respond to a security incident based on severity level, team composition, and response phases.
The overhead percentage covers tooling, communication, documentation, and management overhead.
Formulas Used
Total Elapsed Time (hrs) = Detection + Containment + Eradication + Recovery + Post-Incident Review
Analyst Person-Hours = Number of Analysts × Total Elapsed Time
Manager Person-Hours = Number of Managers × Total Elapsed Time
Direct Labor Cost = (Analyst Person-Hours × Analyst Rate) + (Manager Person-Hours × Manager Rate) + (External Hours × External Rate)
Overhead Cost = Direct Labor Cost × (Overhead % ÷ 100)
Total Incident Response Cost = Direct Labor Cost + Overhead Cost
Phase durations are severity-driven presets based on SANS IR lifecycle benchmarks and can be adjusted via the severity selector.
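The formulas above carried through in Python, as an added example that is not the calculator's own code. The function and field names are hypothetical, the sample phase hours are constructed rather than the calculator's severity presets, fractional headcount is an assumed way to model partial engagement, and the rate and overhead defaults are the ones listed in the assumptions on this page.

```python
from dataclasses import dataclass
# Phase names follow the Total Elapsed Time formula on this page.
PHASES = ("detection", "containment", "eradication", "recovery", "post_incident_review")

@dataclass(frozen=True)
class Staffing:
    analysts: float               # fractional values model partial engagement (assumption)
    managers: float
    analyst_rate: float = 75.0    # $/hr, page default
    manager_rate: float = 120.0   # $/hr, page default
    external_hours: float = 0.0
    external_rate: float = 200.0  # $/hr, low end of the page's $200-$350 range
    overhead_pct: float = 20.0    # page default

def ir_cost(phase_hours: dict, s: Staffing) -> dict:
    """Apply the page's formulas and add a per-phase internal labor breakdown."""
    missing = [p for p in PHASES if p not in phase_hours]
    if missing:
        raise ValueError(f"missing phase durations: {missing}")
    inputs = [phase_hours[p] for p in PHASES] + [
        s.analysts, s.managers, s.analyst_rate, s.manager_rate,
        s.external_hours, s.external_rate, s.overhead_pct]
    if any(v < 0 for v in inputs):
        raise ValueError("hours, headcount, rates and overhead must be non-negative")
    elapsed = sum(phase_hours[p] for p in PHASES)
    analyst_ph = s.analysts * elapsed
    manager_ph = s.managers * elapsed
    direct = (analyst_ph * s.analyst_rate + manager_ph * s.manager_rate
              + s.external_hours * s.external_rate)
    overhead = direct * s.overhead_pct / 100
    # Internal labor burn rate per elapsed hour; external hours are not tied to a phase.
    hourly = s.analysts * s.analyst_rate + s.managers * s.manager_rate
    return {
        "elapsed_hours": elapsed,
        "analyst_person_hours": analyst_ph,
        "manager_person_hours": manager_ph,
        "direct_labor": direct,
        "overhead": overhead,
        "total": direct + overhead,
        "internal_labor_by_phase": {p: phase_hours[p] * hourly for p in PHASES},
    }

# Constructed sample input: phase hours are illustrative, not the calculator's presets.
SAMPLE_HOURS = {"detection": 4, "containment": 8, "eradication": 12,
                "recovery": 16, "post_incident_review": 4}

if __name__ == "__main__":
    print(ir_cost(SAMPLE_HOURS, Staffing(3, 1, external_hours=10, external_rate=250)))
```

The per-phase figures sum to direct labor minus the external spend, which shows where internal hours concentrate when comparing severity levels.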
Assumptions & References
- IR lifecycle follows the SANS 6-phase model: Preparation (excluded — pre-incident), Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Activity.
- Phase durations are severity-weighted estimates derived from SANS Institute IR reports and IBM Cost of a Data Breach Report (2023), where mean time to identify and contain a breach averages 277 days for complex incidents.
- P1 (Critical) phase hours reflect a compressed, war-room response scenario with 24/7 engagement assumed.
- All team members (analysts and managers) are assumed to be engaged for the full elapsed duration of the incident — adjust headcount to reflect partial engagement.
- Analyst rate of $75/hr and manager rate of $120/hr reflect U.S. median compensation per BLS Occupational Outlook Handbook (2023) for Information Security Analysts.
- External/vendor rates of $200–$350/hr are typical for MSSP retainer or forensic firm engagement (Gartner, 2023).
- Overhead (default 20%) covers tooling activation costs, communication platforms, legal/compliance notification, and management time not directly billed to the incident.
- This calculator estimates direct response labor costs only. It excludes regulatory fines, breach notification costs, reputational damage, lost revenue, or remediation infrastructure spend.
- References: SANS Institute "Incident Handler's Handbook"; IBM "Cost of a Data Breach Report 2023"; NIST SP 800-61r2 "Computer Security Incident Handling Guide."