Roadmap
Incident Response Consultant
The specialist who leads technical investigation and remediation of security breaches. Parachutes into compromised organizations, determines scope, identifies the root cause, contains the attacker, eradicates persistence, and restores normal operations, often on behalf of consulting firms like Mandiant, CrowdStrike Services, Unit 42, or Secureworks.
OPTIMISTIC 3–4 years · REALISTIC 4–5 years
Stage 00
Computer & IT Fundamentals
IR consultants must be immediately effective in any client environment. Broad IT literacy across OS, networking, and enterprise architecture is the foundation.
Complete IT Literacy Required
- All hardware, OS (Windows/Linux/macOS), networking fundamentals from help desk level
- Enterprise architecture — Active Directory, Exchange, cloud environments, enterprise EDR
- Common enterprise software — Microsoft 365, Azure, AWS — these are the environments you will investigate
Security Infrastructure Awareness
- SIEM platforms — Splunk, Sentinel, QRadar, Elastic — you will be querying client SIEMs on engagement
- EDR platforms — CrowdStrike Falcon, Microsoft Defender XDR, SentinelOne, Carbon Black — each has different telemetry and query syntax
- Firewall and proxy logs — Palo Alto, Fortinet, Zscaler, BlueCoat — network evidence sources
- Email security — Proofpoint, Mimecast, Microsoft Defender for Office — phishing investigation starting points
Resources
Stage 01
Security Fundamentals
IR consultants must understand attacker techniques deeply enough to recognize them from evidence left behind.
Full Security Fundamentals Required
- CIA Triad, attack types, malware categories — all from Security+
- MITRE ATT&CK Enterprise — not just awareness but deep familiarity with technique IDs, descriptions, and detection approaches
- Cyber Kill Chain — mapping attack phases to evidence
- Common attack patterns — phishing initial access, credential theft, lateral movement, data exfiltration, ransomware deployment
Active Attacker TTPs — Deep Knowledge
- Initial access — phishing (T1566), exploitation of public-facing applications (T1190), valid accounts (T1078), VPN credential compromise, supply chain
- Execution — PowerShell (T1059.001), WMI (T1047), command scripting interpreters, malicious Office macros, LOLBins
- Persistence — registry run keys (T1547.001), scheduled tasks (T1053.005), services (T1543.003), WMI event subscriptions (T1546.003), startup folder, DLL side-loading, BITS jobs
- Privilege escalation — UAC bypass, token impersonation, service misconfigurations, Kerberoasting, AS-REP Roasting
- Defense evasion — AMSI bypass, PowerShell downgrade, process hollowing, timestomping, log deletion (T1070), Indicator Removal
- Credential access — LSASS dumping (T1003.001), Mimikatz, DCSync (T1003.006), credential managers, browser credentials, SAM dump
- Discovery — network scanning, AD enumeration (BloodHound, ADFind, PowerView), file system enumeration, system information discovery
- Lateral movement — PsExec (T1021.002), WMI (T1021.003), RDP (T1021.001), SMB/admin shares, WinRM, DCOM, Pass-the-Hash, Pass-the-Ticket, Kerberoasting
- Collection — staging to a local directory, archiving (7zip, WinRAR), data compression before exfiltration
- Command and control — HTTP/S (T1071.001), DNS (T1071.004), domain fronting, living-off-the-land C2
- Exfiltration — FTP, HTTPS, cloud storage (T1567), DNS tunneling, physical
Resources
- MITRE ATT&CK (free)
- The DFIR Report (thedfirreport.com, free case studies)
- Mandiant M-Trends report (free download)
- CrowdStrike Global Threat Report (free download)
Stage 02
Digital Forensics Foundation
IR consultants perform forensic analysis during investigations. All digital forensics skills from the Digital Forensics Analyst path are prerequisites.
Required from Digital Forensics Analyst Path
- Windows artifact mastery — registry, event logs, prefetch, shimcache, amcache, browser history, LNK files, shellbags, USN journal, SRUM, Windows Timeline
- Linux artifact analysis — auth.log, bash_history, cron, /proc, journal, SSH artifacts
- Evidence acquisition — FTK Imager, write blockers, chain of custody, hash verification
- Memory forensics — Volatility 3, memory acquisition, process analysis, network connections, injected code detection
- Timeline analysis — multi-source artifact correlation; super-timelines with log2timeline
- Forensic tools — Eric Zimmermann tools, Autopsy, KAPE for rapid triage
KAPE (Kroll Artifact Parser and Extractor)
- Target definitions — which artifacts to collect (registry hives, event logs, browser data, etc.)
- Module definitions — which parsers to run against collected artifacts
- KAPE for rapid triage — collecting and parsing key artifacts in minutes during live response
- KAPE compound targets — combining multiple targets for comprehensive collection
- Remote KAPE — collecting artifacts from remote systems via network shares or PSExec
EDR Investigation Skills
- CrowdStrike Falcon investigation: Activity → Detections — reviewing EDR detections with process tree context; Falcon Insight EDR — raw telemetry queries; ProcessCreate, NetworkConnect, FileWrite events; Real Time Response (RTR) — remote shell for live investigation; Threat Graph — visualizing attack paths and lateral movement; Custom IOC management — adding hashes, IPs, domains from investigation
- Microsoft Defender XDR / MDE investigation: Alert queue — severity, category, affected devices; Device timeline — chronological events per device; Advanced Hunting — KQL queries against 30 days of raw telemetry: DeviceProcessEvents — process creation with command line; DeviceNetworkEvents — connections, DNS lookups; DeviceFileEvents — file creation, modification; DeviceRegistryEvents — registry changes; DeviceLogonEvents — authentication events; Live Response — remote file and command execution
- SentinelOne Deep Visibility — similar capabilities to Defender Advanced Hunting
Resources
- KAPE documentation (free, kape.app)
- CrowdStrike free training (free)
- TryHackMe EDR rooms (free)
Stage 03
SIEM Analysis for IR
During an active incident, IR consultants query client SIEMs to understand the attack scope. Platform flexibility is required; you work with whatever the client has.
Splunk for IR
- IR-specific SPL queries: Authentication anomalies (index=wineventlog EventCode=4624 Logon_Type=10 | stats count by src_ip, dest_host, Account_Name | sort -count); Lateral movement via PsExec (index=sysmon EventCode=1 Image="*PsExec*" OR Image="*PSEXESVC*" | table _time, ComputerName, CommandLine, ParentImage); PowerShell encoded commands (index=sysmon EventCode=4104 | search ScriptBlockText="*-enc*" OR ScriptBlockText="*EncodedCommand*" | table _time, ComputerName, ScriptBlockText); Large outbound data transfers (index=proxy | stats sum(bytes_out) as total_out by dest_ip | sort -total_out | head 20); Credential dumping detection (index=sysmon EventCode=10 TargetImage="*lsass*" | stats count by SourceImage, _time | sort -count); New services installed (index=wineventlog EventCode=7045 | table _time, ComputerName, Service_Name, Service_File_Name)
Microsoft Sentinel KQL for IR
- Authentication investigation: SigninLogs | where TimeGenerated > ago(7d) | where ResultType == "0" | summarize count(), make_set(AppDisplayName) by UserPrincipalName, IPAddress, Location | sort by count_ desc
- Process creation (MDE Advanced Hunting): DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in ("psexec.exe", "wmic.exe", "powershell.exe") | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
- Anomalous logins: SigninLogs | where TimeGenerated > ago(24h) | where UserPrincipalName contains "admin" or AppDisplayName contains "Azure" | where RiskLevelDuringSignIn != "none" | project TimeGenerated, UserPrincipalName, IPAddress, Location, RiskLevelDuringSignIn
QRadar AQL
- QRadar is dominant in financial services and healthcare — expect to encounter it at clients
- AQL (Ariel Query Language): SELECT statements with FROM log_sources, events, flows, assets
- Offense management — investigating aggregated detections
Log Source Prioritization During IR
- Tier 1 (highest priority): Windows Event Logs (Security + Sysmon), EDR telemetry, firewall/proxy logs
- Tier 2: DNS logs, email gateway logs, cloud service logs (CloudTrail, Entra ID)
- Tier 3: Application logs, web server logs, database logs
- What to look for immediately: Accounts involved in the incident — all their activity; Systems involved — all lateral movement from/to; C2 destinations — all connections to identified C2 IPs/domains; Time range expansion — initial compromise is usually before first detection
Resources
- Splunk education (free)
- Microsoft Sentinel Ninja training (free)
- TryHackMe Splunk and Sentinel rooms (free)
- HTB Academy Incident Handling with Splunk (free)
Stage 04
Incident Response Lifecycle
The NIST and SANS IR frameworks define the professional methodology. IR consultants must execute these phases flawlessly, under pressure, for clients who are experiencing their worst security day.
IR Frameworks
- NIST SP 800-61 Rev 2: Preparation — policies, playbooks, tools, communication plans; Detection and Analysis — confirming an incident, scoping, severity assessment; Containment, Eradication, and Recovery — stopping spread, removing attacker, restoring; Post-Incident Activity — lessons learned, improvements
- SANS PICERL: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
Preparation Phase
- IR Plan — documented procedures for common incident types
- Playbooks — step-by-step response for specific scenarios: Ransomware response playbook; Business email compromise (BEC) playbook; Insider threat playbook; Cloud breach playbook; Supply chain compromise playbook
- Communication templates — internal status updates, external stakeholder notifications
- War room setup — secure Slack/Teams channel, call bridge, documentation space
- Evidence preservation tooling — pre-staged acquisition tools, cloud storage for evidence
- Runbooks — specific technical procedures: "how to isolate a CrowdStrike-monitored host"
- Tabletop exercises — simulated incidents testing team and organization readiness
Identification and Scoping
- Initial triage — is this a true positive? What is the initial scope?
- Scope questions: How many systems are affected?; What data was accessible?; Has data been exfiltrated?; Is the attacker still active?; What is the initial access vector?
- Pivoting from initial indicators: From a compromised account → all systems that account authenticated to; From a C2 IP → all systems that communicated with that IP; From a malware hash → all systems where that hash was seen; From a compromised system → all accounts that logged into it + all accounts that logged out of it
Containment
- Short-term containment — immediate actions to stop spread: Host isolation via EDR (CrowdStrike network containment, MDE device isolation); Firewall block of known C2 IPs/domains; Account disable and credential rotation for compromised accounts; DNS sinkholing for known C2 domains
- Evidence preservation during containment: Acquire memory before isolation if attacker may be in memory; Preserve logs before retention expires; Take EDR evidence snapshots before remediation
- Network-level containment: VLAN isolation for compromised segment; BGP blackhole for external C2 IP ranges; Proxy blocking for known C2 domains/URLs
- Long-term containment — sustainable remediation: Patching exploited vulnerability; Revoking all sessions and rotating all credentials; Deploying additional monitoring on affected systems
Eradication
- Complete attacker removal — every persistence mechanism, every backdoor, every compromised credential
- Common persistence mechanisms to check after ransomware/APT: Registry run keys — HKLM and HKCU RunOnce, Run, RunServices; Scheduled tasks — schtasks /query and TaskScheduler event logs; Services — service installed events (7045), currently running services; WMI subscriptions — Get-WMIObject -Class __EventFilter; Get-WMIObject -Class __EventConsumer; Startup folder — C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\; DLL hijacking — applications loading DLLs from writable directories; AD persistence — Golden Ticket, DCSync rights, AdminSDHolder ACL modification, shadow credentials; COM hijacking — HKCU\Software\Classes\CLSID\ entries overriding HKLM; BITS jobs — bitsadmin /list or PowerShell Get-BitsTransfer
- Confirming eradication — deploy additional monitoring; watch for re-compromise attempts
Recovery
- Clean rebuild vs in-place remediation: Rebuild preferred for confirmed malware infection; more reliable; In-place acceptable for limited scope incidents with confirmed persistence removal
- Credential rotation — all accounts with possible exposure: All domain admin accounts — forced password reset, MFA re-enrollment; Service accounts — rotation in password manager; API keys and tokens — revoke all; reissue on need-to-know; Cloud credentials — AWS access keys, Azure service principals; KRBTGT password — rotate twice with 10-hour gap to invalidate Golden Tickets
- Monitoring uplift — enhanced alerting for 30–90 days post-incident: Alerting on any authentication with compromised accounts; Alerting on any connection to known C2 indicators; Alerting on re-infection indicators
Post-Incident
- Timeline of compromise — complete reconstruction from initial access through impact
- Root cause analysis — the actual vulnerability or failure that was exploited
- Attacker attribution — what can be determined about the threat actor
- Regulatory notification decisions — do breach notification laws apply? (GDPR 72 hours, HIPAA 60 days, SEC 4 business days)
- Remediation recommendations — prioritized by risk and feasibility
- Lessons learned — what detection or prevention would have caught this earlier?
Resources
- NIST SP 800-61 Rev 2 (free)
- SANS IR materials (free)
- The DFIR Report (thedfirreport.com, free case studies)
- Mandiant M-Trends (free annual report)
Stage 05
Ransomware Response
Ransomware is the most common engagement type at IR consulting firms. Every IR consultant must be able to lead a ransomware response.
Ransomware Incident Characteristics
- Modern ransomware is a multi-stage operation: 1. Initial access — phishing, VPN credential compromise, RDP brute force, exploitation; 2. Persistence and credential theft — days to weeks of pre-encryption activity; 3. AD compromise — domain admin access obtained; DCSync; Golden Ticket; 4. Discovery and staging — network scanning; identifying backup systems; staging exfiltration; 5. Exfiltration — data theft before encryption (double extortion leverage); 6. Deployment — ransomware pushed via Group Policy, PsExec, WMIC, or CobaltStrike; 7. Encryption and impact — files encrypted; Volume Shadow Copies deleted; ransom note dropped
- Pre-encryption dwell time — attackers typically spend 5–45 days in environment before encrypting
- This dwell time is the investigation window — what did they do before encryption?
Immediate Response Priorities
- Do NOT reboot encrypted systems — decryption keys may be in memory
- Identify patient zero — first encrypted system and first compromised account
- Determine scope — which systems are encrypted vs compromised but not encrypted
- Preserve evidence: Memory acquisition from active systems before isolation; EDR timeline screenshots before network disruption; Log collection from SIEM before retention expires
- Isolate infected systems — using EDR network containment; do not power off
- Prevent further spread — isolate network segments; block identified IOCs
Investigation Workflow
- Timeline reconstruction: When was initial access? (often weeks before encryption); What was the vector? (phishing, VPN, exploit); What was the privilege escalation path?; How did lateral movement occur?; Were backup systems destroyed?; Was data exfiltrated? What? How much?; What encryption keys exist? (ransomware family may have known vulnerabilities)
- Evidence sources: Windows Event Logs — authentication, service creation, scheduled tasks; EDR telemetry — process execution, network connections, file modifications; DNS/proxy logs — C2 communication from attacker's dwell period; Active Directory logs — account creation, permission changes, DCSync; Backup system logs — VSS deletion, backup software events; Email gateway — original phishing email delivery and click
- Ransom note analysis — identify ransomware family; check for known decryptors (nomoreransom.org)
- IOC extraction — file hashes, C2 IPs, domains, mutex names, file paths for detection
Ransomware Negotiation (Consulting Context)
- NOT a technical function — negotiation is handled by specialized negotiators or legal team
- IR consultant role — provide technical findings to inform negotiation team: What data was actually exfiltrated?; Is recovery without paying feasible?; What is the actual encryption quality?; What is the ransomware family?
- Ransomware families — identifying family from note, extension, encryption behavior
- Decryptors — nomoreransom.org; some families have known vulnerabilities
Business Continuity During Response
- Prioritizing recovery of critical systems
- Clean rebuild sequence — domain controllers first, then critical servers, then workstations
- Backup integrity — verifying backups are clean before restoring
- Communication — status updates to leadership, legal, communications team
- Regulatory notification timing — tracking notification deadlines
Resources
- The DFIR Report ransomware analysis posts (free)
- nomoreransom.org (free)
- Coveware quarterly reports (free)
- Mandiant ransomware analysis (free blog)
Stage 06
Business Email Compromise (BEC) and Cloud IR
BEC is the second most common IR engagement type. Cloud incidents are growing rapidly.
Business Email Compromise Investigation
- BEC characteristics: Financially motivated; targets wire transfers, payroll diversion, gift card fraud; Often via compromised accounts, not malware; May involve inbox rules, email forwarding, lookalike domains
- Initial access methods: Phishing for M365/Google Workspace credentials; Password spraying against OWA/EWS; Purchased credentials from dark web; OAuth app permission abuse (no MFA bypass needed)
- Investigation steps: 1. Identify compromised accounts — unusual login locations, time zones, ASNs; 2. Review mailbox activity — inbox rules (deletion, forwarding rules), sent items, delegate access; 3. Check OAuth app consents — unauthorized apps with mail read/send permissions; 4. Review mail trace — emails sent to/from target account during compromise window; 5. Identify all systems accessed — SharePoint, OneDrive, Teams, other integrated apps; 6. Financial impact — were wire instructions sent? To whom?
- Key forensic sources: Entra ID Sign-in Logs — authentication events with location, device, risk level; Exchange/M365 Audit Log — mailbox activity, inbox rule creation, OAuth grants; Message Trace — delivery and read receipts for specific emails; Azure AD Audit Log — MFA registration changes, device registration, app consents; PowerShell commands — Get-InboxRule, Get-MessageTrace, Search-MailboxAuditLog
Cloud Incident Response
- Cloud IR differences from on-premises: No disk images — evidence is in logs, not physical storage; API-centric — attackers use API calls; CloudTrail/Activity Logs are primary evidence; Ephemeral infrastructure — instances may terminate before investigation; Shared responsibility — provider manages some infrastructure; limits forensic access
- AWS IR workflow: 1. Identify affected resources — instances, S3 buckets, IAM accounts; 2. Preserve evidence — enable CloudTrail if not enabled; export logs to separate account; 3. Isolate compromised resources — security group deny-all; preserve instance for investigation; 4. Create EBS snapshot — forensic copy of volume; 5. Memory acquisition — SSM Run Command with WinPmem/LiME; 6. Query CloudTrail — identify all API calls made with compromised credentials; 7. Check for persistence — new IAM users, roles, access keys, Lambda functions, EC2 instances; 8. Rotate credentials — all access keys, instance profiles, secrets
- Key AWS forensic evidence: CloudTrail — every API call; filter by eventSource, eventName, userIdentity; VPC Flow Logs — network traffic to/from EC2 instances; S3 Access Logs — object-level reads and writes; GuardDuty findings — aggregated with severity and context; Config — resource configuration history
- Azure IR workflow similar but using Entra ID Sign-in Logs, Activity Log, Defender for Cloud
Resources
- Microsoft 365 IR documentation (free)
- AWS security incident response guide (free)
- Google Cloud incident response guide (free)
Stage 07
Client Communication & Report Writing
IR consultants are client-facing. Technical excellence alone is insufficient. You must communicate findings clearly under pressure.
Executive Briefing During an Active Incident
- What executives need to know: Are we still under attack?; What was taken?; Who is affected (employees, customers)?; What do we have to disclose?; How long until we're back to normal?
- What executives do NOT need: Technical details of assembly-level malware analysis; MITRE ATT&CK technique IDs; Detailed forensic timelines
- Communication principles: Lead with the most important information; Use business impact language — financial exposure, customer impact, regulatory risk; State what you know, what you don't know, and what you're doing to find out; Give realistic timelines with confidence intervals; Avoid creating additional panic by over-hedging everything
Legal Team Communication
- Attorney-client privilege — IR findings conducted through outside counsel may be privileged
- What legal counsel needs: Notification obligations triggered? Which laws? What timelines?; What data was actually exposed?; Chain of custody documentation; Expert witness qualification information
- Language discipline — "potential" vs "confirmed"; "evidence suggests" vs "we know"; important for liability
Stakeholder Management
- Managing multiple simultaneous stakeholders — IT team, legal, communications/PR, C-suite, insurance, regulators
- Status page / incident tracker — keeping all stakeholders informed without individual calls
- Escalation protocols — knowing when to wake up the CISO vs handle internally
- Media inquiries — always route to communications/legal; IR team does not speak to press
Incident Report Structure
- Executive Summary (1–2 pages): What happened (brief narrative); Impact (data accessed, systems affected, users affected); Root cause (in plain language); Timeline (key dates and events); Current status; Recommended actions
- Technical Findings: Initial Access — how the attacker got in; Timeline of Activity — chronological attacker actions with evidence citations; Attacker Capabilities — tools, techniques, infrastructure observed; Affected Systems and Accounts — comprehensive scope; Persistence Mechanisms — all discovered backdoors and persistence; Data Access and Exfiltration — what was accessed and what was taken
- Indicators of Compromise (appendix): File hashes; Network indicators (IPs, domains, URLs, User-Agents); Host indicators (registry keys, file paths, service names, mutex names)
- Remediation Recommendations: Immediate actions; Short-term (30 days) improvements; Long-term program improvements
- Methodology (appendix): What was examined, how, with what tools
Resources
- Sample IR reports (various consulting firms publish sanitized examples)
- SANS incident handling report templates
- Mandiant public IR reports (free)
Stage 08
Threat Hunting
IR consultants perform proactive threat hunting to find attackers that automated detection missed. This is a growing and differentiating skill.
Threat Hunting Methodology
- Hypothesis-driven hunting: 1. Hypothesis — "An attacker with KRBTGT access may have created a Golden Ticket in the past 30 days"; 2. Data source identification — Windows Event Logs (4768, 4769), Kerberos traffic; 3. Detection logic — Kerberos tickets with lifetime > 10 hours, domain account with unusual encryption type (RC4 when only AES should be valid); 4. Query and investigate — look for the pattern in available data; 5. Triage findings — explain false positives; escalate true positives
- TTP-based hunting — hunting for known attacker TTPs from threat intelligence; Tools: BloodHound historical runs, PowerSploit artifacts, Cobalt Strike IOCs
- Anomaly-based hunting — looking for deviations from baseline; Accounts authenticating at unusual hours; Systems communicating with new external IPs for the first time; Processes running from unusual directories
Hypothesis Sources
- Threat intelligence reports — what TTPs are adversaries currently using?
- The DFIR Report — real-world case studies with attacker behavior
- Mandiant M-Trends — annual incident analysis
- CrowdStrike Global Threat Report — adversary profiles and TTPs
- CISA advisories — government alerts about specific threat actors
- Internal incident history — what have past incidents revealed about attacker behavior patterns?
Common Hunting Queries
- Beaconing detection (consistent interval C2 communication): index=proxy | bucket _time span=1h | stats count by _time, dest_ip | anomalydetection field=count threshold=3
- Living-off-the-land detection (LOLBins executing from unusual parents): index=sysmon EventCode=1 Image="*mshta.exe" OR Image="*regsvr32.exe" | table _time, ComputerName, ParentImage, CommandLine
- Kerberoasting detection: index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17 | stats count by Account_Name, Client_Address | sort -count
- BloodHound collection artifacts: index=sysmon EventCode=1 | search CommandLine="*-CollectionMethod All*" OR CommandLine="*sharphound*" | table _time, ComputerName, CommandLine
Resources
- TaHiTi threat hunting methodology (free)
- Sqrrl threat hunting reference guide (free)
- OpenIOC specification (free)
- The DFIR Report (thedfirreport.com, free)
FAQ
Common questions
How long does it take to become an IR Consultant?
3–4 years optimistic, 4–5 years realistic. Consulting firms (Mandiant, CrowdStrike, Unit 42, Secureworks, Big Four) hire IR analysts who already have deep technical investigation skills and add the consulting layer — client communication, billable structure, multi-engagement context-switching. The fastest internal-to-consulting transition runs through 2–3 years of in-house IR work with documented major-incident leadership.
Which certifications matter for IR consulting?
GCIH is the canonical IR cert. GCFA for advanced forensics depth. GREM for malware reverse engineering. GCDA for cloud forensics. Many consulting firms sponsor SANS progression after hire; the cert path is partly an internal training pipeline. CISSP for senior consulting roles where governance overlap matters.
Do I need a degree?
Most IR consultants hold at least a bachelor's. Some Big Four IR practices require it. CS, computer engineering, or related technical degrees are common; criminal justice or military intelligence backgrounds also appear. Self-taught paths into consulting are harder than into corporate IR because firms hire on credibility and writing quality. Strong portfolio + military or law enforcement IR experience opens doors that civilian self-study alone doesn't.
What separates a hired IR Consultant?
Client-facing communication ability. Technical IR skills get you to the interview; consulting skills get you the offer. Can you brief a frustrated CFO during a ransomware incident? Can you explain technical findings without jargon? Can you write a final report that survives legal review? Other differentiators: ransomware engagement experience, business email compromise patterns, cloud incident response depth. IR consulting is among the highest-paid blue team work because the demand outpaces qualified supply.