They perform incident response and forensics for organizations that are compromised. Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills. They are big and can combine the data their consultants collect into an intelligence platform that they sell as well.
> Incident response is the highest bill rate infosec consulting you can do. It requires travel (used to, still does some today) and decently high technical skills.
I take a tiny bit of issue with that.
Cryptography consulting is a higher labor rate, and higher end pen-testing with TS/SCI + full poly, and application security gurus are above, or equal to, IR.
There are currently poaching wars going on around talented IR folks. A Fortune 500 recently hired away an IR colleague with whom I collaborated around tap & agg with a FAANG-type offer, RSUs, the whole shebang.
By volume. Cryptography consulting is a very lucrative niche but there is an order of magnitude less of it happening based on my wild guesses. I have run a high end boutique for 9 years and been doing infosec consulting for 15 years tho, so my guess is somewhat informed, I hope.
Even high end appsec, seceng, and legit reversing pays below crypto and IR. We just can’t charge as much for it for all but the most niche and demanding environments, which is not the bulk of what’s out there.
I am thinking averages here. I know there is high paying work in each domain, but the skills used are also highly developed, etc. If you wanted to build a high end consultancy with a lot of work IR is a great choice. I know ToB has done awesome in crypto (blockchain/contracts) space, etc. but I think IR work is a little easier to get into and build a business on without having really advanced and niche skills.
This is like saying that Walmart cashiers have a higher bill rate than M&A attorneys, because there are so many more of them --- they're higher "by volume".
Difficult or "gated" specialties (like automotive) command higher bill rates --- so hardware, automotive, cryptography, maybe some kernel work (I don't know anyone that has a formal specialty practice in "kernel", it bleeds into other stuff).
IR is a huge practice area, lots and lots of people do it, and the line-level consulting work here is stuff that isn't at all difficult or specialized (log file analysis, imaging). There's specialty work in IR too, of course (there are firms that specialize in memory forensics, for instance), and that bills higher.
Mandiant is like the PwC of IR firms; Mandiant can get contracts that bill basic log file analysis out at $3k/day, because they're Mandiant. That doesn't mean the person doing that work is seeing proportionally more income themselves, or that a team of people striking out on their own from Mandiant are going to be able to bill comparably.
On the other hand, a team of cryptographers or hardware reversers at a big firm probably could expect to see comparable bill rates after starting up their own firm.
They do the IR retainer work for companies that are serious about security with real threats.
In other words, it is the company that detected a breach of its own systems via dogfooding, which turned out to be the only detection that occurred of a breach of the entire US govt, more or less: SolarWinds.
Mandiant got the jump on every US govt agency in detecting arguably the largest espionage event of the digital age.
(Security) incident response. Most companies have in-house security teams to do a portion or a lot of the IR process. If a serious breach occurs, a security team usually will call in a specialized team of consultants from an IR firm like Mandiant.