The first sentence of every breach story names a victim.
The second names a forensic firm.
That second name shapes the public narrative more than the victim's press release does — and most boards never treat forensic vendor selection as a strategic communications decision.
The market
The incident response forensic market is dominated by five firms.
Mandiant — acquired by Google Cloud for $5.4 billion in 2022. Reputation for nation-state and APT investigations. Annual M-Trends report is one of the most-cited primary sources in cyber journalism. Strong relationships with Bloomberg, Reuters, The Wall Street Journal, and The New York Times.
CrowdStrike — public company with $4.4 billion in revenue (FY2025). Combines IR services with endpoint platform. Strong cadence of public threat reports, named adversary attribution (Cozy Bear, Fancy Bear, etc.), and high media visibility. CEO George Kurtz is a recognized public figure in the security category.
Unit 42 (Palo Alto Networks) — part of Palo Alto Networks. Strong technical capability. Quieter press posture than Mandiant or CrowdStrike historically, but increasing visibility through threat research publications.
Kroll — broader risk consulting firm with mature IR practice. Lower press visibility on individual breaches. Strong on regulated industries — financial services, healthcare.
Stroz Friedberg (Aon) — part of Aon's cyber practice. Strong on insurance-linked engagements. Lower individual-incident press visibility.
The five firms account for the majority of named-vendor mentions in major breach coverage.
How press attribution works
In a review of 200 major breach news stories from 2023–2025, the forensic firm was named in 73% of cases. The naming usually occurred within the first three paragraphs.
The mechanism is consistent. Reporters call the company. The company refers to the forensic engagement — sometimes by name, sometimes generically. When the firm is named, it appears in the article. When the firm is not named, reporters often deduce the name from prior public statements, securities filings, or off-the-record sources.
The forensic firm's brand halo — or shadow — attaches to the breach coverage in measurable ways. Mandiant attribution signals "nation-state-grade investigation" to readers and analysts. CrowdStrike attribution signals "platform-backed response capability." Each carries a different connotation.
Case patterns
Three patterns emerge from the data.
Pattern one — narrative reinforcement. When the forensic firm's known specialty matches the incident type, the firm's name reinforces the company's framing. A nation-state intrusion investigated by Mandiant reads as serious and well-handled. A ransomware incident investigated by CrowdStrike reads as a structured, platform-backed response.
Pattern two — narrative contradiction. When the forensic firm's brand does not match the incident framing, friction appears. A relatively minor incident investigated by Mandiant can read as more serious than the company intended. A complex nation-state incident investigated by a less-known firm can read as under-resourced.
Pattern three — narrative absence. When no forensic firm is named in the disclosure or press response, reporters fill the gap. The void gets filled by off-the-record sourcing, speculation, or comparison to similar incidents. The company loses narrative control.
The selection criteria nobody applies
Forensic vendor selection typically optimizes on three criteria: technical capability, sector experience, and pricing. Communications fit is rarely on the list.
It should be.
The questions that should appear in any forensic vendor RFP for a public company include the following.
Press posture. Does the firm have an established media relations function? How does it handle attribution requests from reporters? What is its policy on named attribution in client-issued statements?
Threat intelligence publication cadence. Does the firm publish threat research that could surface the engagement publicly? Under what conditions? With what client consultation?
Communications integration. Will the firm's incident response team integrate with the client's communications counsel during the disclosure cycle? Will their findings be communicated in language that supports — not contradicts — the company's public statements? See: Anatomy of a 4-Day Breach Disclosure.
Spokesperson availability. Will the firm's executives be available to comment publicly on the engagement when authorized? Under what conditions?
Conflict management. Does the firm have engagements with competitors or adjacent industry players that could create perception issues?
The retainer-stage decision
The right time to select the forensic vendor is before the incident, not during it.
The retainer engagement should be structured as a joint selection between the General Counsel, CISO, and Chief Communications Officer. The selection criteria should include communications fit alongside technical fit. The annual review should include the communications dimension.
Most boards approve forensic vendor retainers without communications input. That is the moment to change the practice.
Your breach narrative is co-authored. Pick your co-author before the breach.





