SCP-7248 (Safe) ~ medium confidence
Expected annual: $1.0M
One-time setup: $1.4M
Annual recurring: $955K
Personnel: 4
One-time setup and contingency funding (~$1.39M) dominate initial costs (lab, quarantine build-out, payroll contingency escrow). Recurring baseline costs (~$955K/yr) are driven by IR staff, EDR/SIEM licensing, the external IR retainer, training, and insurance. Per-incident payroll reimbursements and investigations are excluded from the baseline and can add hundreds of thousands to millions of dollars in an outbreak year.
🏗️ One-Time Capital Costs Total: $1.4M
Contingency Fund Initial $1.0M
[#24] Initial contingency / emergency escrow to cover large-scale payroll reimbursements (suggested minimum-level funding).
Payroll System Hardening (One-Time) $100K
[#13] One-time payroll-system segmentation, MFA, JIT approvals and consulting/implementation.
Equipment $90K
[#7, #18, #19] Forensic hardware (write-blockers, disk imagers) + per-site network hardware upgrades (switches/firewalls) + honeypot/sinkhole initial setup.
Initial Research And Lab Setup $50K
[#6] Malware analysis / reverse-engineering lab buildout (air-gapped VMs, sandboxes, teardown bench).
Software Hardening (One-Time) $50K
[#27] One-time development and deployment of application whitelisting / file-handling hardening.
Facilities $30K
[#9] Quarantine facility / secure storage build-out (climate control, locks, cameras, inventory systems).
SIEM Initial Setup $30K
[#3] SIEM initial configuration, indexing and retention pipeline setup (professional services).
Offline Backup Initial $30K
[#14] Initial air-gapped/immutable backup infrastructure and initial restore testing.
Custom IOC Development $6K
[#2] One-off custom IOC/YARA rule creation and deployment for arhg.exe.
Chain Of Custody Initial Setup $5K
[#22] Initial encrypted long-term evidence storage and inventory systems.
🔄 Annual Recurring Costs Total: $955K/yr
Staff Wages $475K/yr
[#4] Incident Response team salaries & benefits (IR lead, two analysts, one malware analyst on-call; 4 FTE total).
External IR Retainer $100K/yr
[#5] External IR retainer for surge support and expedited forensic services.
EDR Licensing $90K/yr
[#1] Endpoint detection & response (per-seat licensing for ~1,000 endpoints).
SIEM Licensing $50K/yr
[#3] SIEM license, index/storage and analyst time (small-to-mid deployment baseline).
Insurance Premium $50K/yr
[#20] Increased cyber insurance premiums / policy adjustments (baseline uplift).
Employee Training $30K/yr
[#17] Annual security training and phishing simulations (~$30/employee for 1,000 employees).
Tabletop And Redteam $30K/yr
[#25] Annual tabletop exercises, red-team campaigns, and audits to validate response.
Replacement And Disposal $22K/yr
[#8] Ongoing replacement/secure disposal and transport of infected endpoints (baseline example: ~10 machines/year).
Legal Retainer $20K/yr
[#12] Annual legal/compliance retainer for advice and minor incident handling.
Enterprise AV Support $15K/yr
[#2] Enterprise antivirus / vendor rapid-response support (annual support contract).
Lab Maintenance $15K/yr
[#6] Malware analysis tool licenses, virtualization host maintenance, sandbox subscriptions.
Forensic Software Licenses $10K/yr
[#7] Forensic software license renewals (EnCase/FTK/etc.).
Payroll System Maintenance $10K/yr
[#13] Annual maintenance for payroll system segmentation and monitoring.
Network Ongoing Management $10K/yr
[#18] Ongoing management of segmentation, firewalls, and VLANs.
Software Hardening Maintenance $10K/yr
[#27] Ongoing maintenance and developer time for whitelisting / hardened file-handling.
Honeypot Maintenance $8K/yr
[#19] Monitoring and storage for sinkhole/honeypot infrastructure.
Offline Backup Ongoing $5K/yr
[#14] Ongoing backup storage costs and periodic integrity/restore testing.
Facilities Maintenance $3K/yr
[#9] Ongoing operations for quarantine/secure storage (power, climate, physical security maintenance).
Chain Of Custody Ops $2K/yr
[#22] Ongoing evidence handling, storage fees and documentation upkeep.
Supplies And Consumables $0/yr
(no line items in baseline)
Research And Monitoring $0/yr
(no line items in baseline)
Logistics And Transport $0/yr
(no line items in baseline)
Cover Story And Legal $0/yr
(no line items in baseline)
Payroll Reimbursements $0/yr
[#10] Direct reimbursements to employees for successful charges by SCP-7248 (per-incident; not included in baseline).
Bank Investigations $0/yr
[#11] External forensic accounting / bank liaison expenses (per-incident; baseline set to 0).
Sweep Labor $0/yr
[#15] Department-wide sweeping scans and reimaging labor (per-incident; baseline set to 0).
Emergency Communications $0/yr
[#16] Incident communications/helpdesk overtime (per-incident; baseline set to 0).
Public Relations $0/yr
[#21] PR / information suppression costs (per-incident; baseline set to 0).
Payroll Reconciliation $0/yr
[#23] Payroll ledger/tax corrections post-incident (per-incident; baseline set to 0).
Contingency Fund Replenish $0/yr
[#24] Contingency fund replenishment (only used after large payouts; baseline set to 0).
Productivity Loss $0/yr
[#26] Productivity loss from downtime/user lockouts (per-incident; baseline set to 0).
Cost Scenarios
📊 Baseline (baseline) $955K/yr
90.8% probability / year
Uneventful year with only ongoing prevention, staff, and tooling costs; no successful large-scale charge incidents.
Triggers: no successful large-scale infections; regular operations and maintenance only.
🚨 Minor Incident $1.4M/yr
8.0% probability / year +$475K vs baseline
Single-department outbreak (order ~50 employees affected) requiring external IR engagement, reimbursements, and modest legal/accounting work.
Triggers: single-department successful arhg.exe execution; payroll charges to dozens of employees; need for external IR surge.
🚨 Major Outbreak $2.8M/yr
1.0% probability / year +$1.8M vs baseline
Multi-department outbreak (hundreds of employees affected) with large reimbursements, extended forensics, and heavy PR/legal exposure.
Triggers: cross-department 5:1 multiplication escalates spread; large number of successful payroll charges; major external investigations and potential settlements.
🚨 Public Exposure $2.0M/yr
0.2% probability / year +$1.1M vs baseline
Information leakage or external exposure triggers regulatory action, heavy PR/legal costs, and fines.
Triggers: press/regulatory exposure; data-breach notifications or whistleblower action; major legal/regulatory fines.
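The scenario table is a probability-weighted cost model: the header's "Expected annual $1.0M" is the baseline plus each scenario's incremental cost weighted by its per-year probability. The following script is an added example, not part of the original page or of any Foundation tooling; the figures are transcribed from the table above (in $K), the function names are illustrative, and the contingency-fund comparison is a deliberate simplification noted in the code. It checks that the scenario probabilities form a distribution, reproduces the expected annual cost, and shows how sensitive that figure is to the analyst-estimated outbreak probability.

```python
"""Expected-annual-cost check for the SCP-7248 scenario table.

Added example. Figures are the page's own (in $K); the functions are
illustrative and not part of any Foundation tooling.
"""
import math

BASELINE_K = 955.0  # annual recurring baseline, $K/yr

# (name, probability per year, incremental cost over baseline in $K),
# transcribed from the Cost Scenarios table.
SCENARIOS = [
    ("Baseline",        0.908,    0.0),
    ("Minor Incident",  0.080,  475.0),
    ("Major Outbreak",  0.010, 1800.0),
    ("Public Exposure", 0.002, 1100.0),
]

CONTINGENCY_K = 1000.0  # initial contingency / emergency escrow [#24]


def probabilities_sum_to_one(scenarios, tol=1e-6):
    """The scenarios must be mutually exclusive and exhaustive for the
    weighted sum below to be an expected value."""
    return math.isclose(sum(p for _, p, _ in scenarios), 1.0, abs_tol=tol)


def expected_annual_cost_k(scenarios, baseline=BASELINE_K):
    """Baseline plus probability-weighted incremental costs, in $K/yr."""
    if not probabilities_sum_to_one(scenarios):
        raise ValueError("scenario probabilities do not sum to 1")
    return baseline + sum(p * delta for _, p, delta in scenarios)


def shift_probability(scenarios, name, new_p, from_name="Baseline"):
    """Copy of the table with one scenario's probability changed and the
    difference taken from (or returned to) `from_name`, so the result is
    still a distribution. Used for sensitivity checks."""
    current = {n: p for n, p, _ in scenarios}
    diff = new_p - current[name]
    out = []
    for n, p, d in scenarios:
        if n == name:
            p = new_p
        elif n == from_name:
            p = p - diff
        out.append((n, p, d))
    if any(p < 0 for _, p, _ in out):
        raise ValueError("probability shift would go negative")
    return out


def scenarios_exceeding_fund(scenarios, fund=CONTINGENCY_K):
    """Scenarios whose incremental cost exceeds the contingency fund.
    Simplification: the fund is earmarked for payroll reimbursements, but
    this compares it against the scenario's whole incremental cost."""
    return [n for n, _, d in scenarios if d > fund]


if __name__ == "__main__":
    base = expected_annual_cost_k(SCENARIOS)
    print(f"expected annual cost: ${base:,.1f}K (page rounds to $1.0M)")
    doubled = shift_probability(SCENARIOS, "Major Outbreak", 0.02)
    print(f"with Major Outbreak at 2%/yr: ${expected_annual_cost_k(doubled):,.1f}K")
    print("incremental cost above contingency fund:",
          scenarios_exceeding_fund(SCENARIOS))
```

With the page's inputs the weighted sum comes to about $1,013K, which is where the rounded $1.0M headline figure comes from. Doubling the Major Outbreak probability from 1% to 2% moves the expectation by only about $18K, so the headline is fairly stable against the uncertainty the confidence notes flag; the contingency comparison, by contrast, shows that the $1.0M escrow is smaller than the incremental cost of either the Major Outbreak or Public Exposure scenario.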
👥 Personnel 4 total
Role | Count | Notes
IR Lead | 1 | Senior incident response coordinator; included in staff_wages [#4].
IR Analyst | 2 | Two full-time incident response/monitoring analysts; included in staff_wages [#4].
Malware Analyst | 1 | Malware/sandbox analyst (on-call); included in staff_wages [#4].
📋 Confidence Notes
Line-item costs (licenses, staffing) are reasonably well-bounded, but incident frequency and scale (payroll reimbursements, recoverability of funds, legal exposure) are highly uncertain; scenario probabilities are analyst estimates.