The MDR buyer's guide
A practical checklist for narrowing the field, testing vendor claims, and avoiding contracts that are hard to leave.
HOW TO USE THIS
Read it once end-to-end. Then take the question checklist in section 8 into your shortlist call and refuse to leave the meeting until each has a written answer. The vendors who can’t answer in writing tell you what you need to know.
/01 Do I need MDR?
The build-vs-buy calculation
In-house 24/7 detection and response requires 4–6 analysts minimum at $120–150K each, plus tooling, training, threat intel feeds, and management overhead. Most organizations below 2,000 employees can’t justify that headcount for one security function.
Self-assessment
If you answer “no” to three or more of these questions, MDR is likely the right path:
- Do you have 24/7 SOC coverage today (not just on-call)?
- Can your team investigate and contain a threat within 1 hour at 3 AM?
- Do you have dedicated threat hunters (not just alert responders)?
- Can you staff security through inevitable analyst turnover?
- Do you have detection coverage beyond endpoints (cloud, identity, SaaS)?
- Can you keep detection rules current against evolving TTPs?
When MDR is not the answer
MDR doesn’t solve everything. If your primary need is compliance checkbox security (just need logs retained and reports generated), a SIEM-as-a-service or MSSP may be cheaper. If you need full IT outsourcing (patch management, helpdesk, infrastructure), you need an MSP, not MDR. And if you already have an established SOC team, co-managed SIEM or threat intel feeds might deliver more value per dollar than handing off detection entirely.
Even with active remediation, MDR covers the technical response: isolating hosts, killing processes, disabling accounts. Your organization still owns the business side: executive communication, legal notification, customer disclosure, system recovery, and post-incident review. If you don’t have those playbooks before an incident, MDR buys you time but doesn’t close the gap.
/02 Start here: four questions that narrow the field
These four questions map your situation to a subset of providers before you look at a single datasheet.
Q1: Keep your current tools or start fresh?
This is the first structural decision. Platform-native MDR means you use the provider’s stack. Technology-agnostic MDR means the provider works with tools you already own. The wrong choice here creates years of lock-in or integration friction.
“I’ll use the provider’s stack”
Platform-native MDR. You run their EDR/XDR, their analysts watch it. Deepest integration, fastest response, but you’re locked in.
Look at: CrowdStrike, SentinelOne, Palo Alto, Bitdefender, ESET, WithSecure, Rapid7
“I want to keep my existing tools”
Technology-agnostic MDR. They integrate with your EDR, SIEM, and cloud. More flexibility, but integration depth varies.
Look at: Arctic Wolf, Expel, eSentire, Red Canary, Binary Defense, Deepwatch
Q2: Buy direct or through an MSP?
Some MDR providers sell exclusively through MSPs. The MSP handles billing and first-level support.
“I work with an MSP”
MSP-channel providers are multi-tenant by design and sold through your existing MSP relationship.
Look at: Huntress, Barracuda, N-able
“I’ll buy direct”
Most MDR providers sell direct to your organization. You evaluate, negotiate, and manage the relationship yourself.
All non-MSP providers above sell direct
Q3: What surfaces need monitoring?
Every provider covers endpoints. Treat cloud, identity, SaaS, network and OT as explicit requirements, not assumed coverage. Ask whether each surface is included in the base quote, optional, limited, or unavailable.
Q4: What’s your team’s maturity?
This determines how much authority you need the MDR provider to have. “Active remediation” is too broad to trust on its own; the useful question is what the SOC can do without waiting for your team.
“No dedicated security team”
You need a provider that can act autonomously (isolate endpoints, kill processes, disable accounts) without waiting for your approval. Active remediation is essential.
“Small team, need backup”
Your team handles day-to-day, but you need the MDR provider to cover nights, weekends, and escalations. Configurable approval levels work well here.
“Established SOC, extending coverage”
You have analysts but can’t cover everything. MDR extends coverage to nights, specific surfaces, or threat types your team doesn’t specialize in.
Try the MDR Finder to filter providers by these four answers.
/03 How MDR providers are structured
The MDR market includes several distinct provider models that look similar but work differently. The type you’re evaluating changes what questions to ask.
Providers don’t always fit neatly into one category. Some span multiple, and acquisitions regularly shift the landscape. But understanding the general patterns helps you know what trade-offs you’re signing up for.
Platform vendors selling MDR
Companies that built the security platform (EDR, XDR, or SIEM) and now wrap a SOC around it. You run their stack, their analysts watch it.
Pure-play MDR
MDR is their entire business. They integrate with whatever tools you already have and layer detection and response on top.
Some pure-play providers specialize deeply in one ecosystem (e.g. Ontinue and Quorum Cyber focus on Microsoft Sentinel and Defender). They offer flexibility within that ecosystem, but add limited value if you leave it.
MSP-channel MDR
MDR sold through managed service providers. Multi-tenant by design, with the MSP as your primary relationship.
Consulting / IR heritage
Consulting and incident response firms (Mandiant, Kroll, Sygnia) with a deep IR bench. MDR is one offering alongside advisory, forensics, and threat intel.
Evolved MSSP / platform company
Evolved MSSPs and platform companies (LevelBlue, Secureworks, Check Point) with broader security portfolios. MDR is bundled alongside other security services like SIEM management, vulnerability scanning, and compliance.
/04 What to pressure-test
Stack and coverage are in the decision tree. These four criteria apply once you have a shortlist.
Communication and transparency
The most common complaint across review platforms is that MDR feels like a black box. You send alerts in, but you can’t see what’s happening on the other side.
Ask where urgent work happens: shared Slack or Teams channel, portal ticket, phone escalation, or email. If every update lives in a portal queue, expect slower coordination during an incident.
Data access is the real differentiator. Some providers give you full query access to raw logs. Others only provide dashboards or periodic reports. If your team wants to validate what the MDR is doing, reports-only is a dealbreaker.
Detection quality
The question that separates useful MDR from expensive alerting: did they find things your EDR missed on its own?
MTTD and MTTR are the standard metrics, but only useful if providers publish them and use consistent methodologies. A provider claiming “4-minute MTTD” under MITRE Engenuity test conditions is different from one claiming it on production environments with 10,000 endpoints.
Whether a provider publishes detection metrics at all is a signal. Those who won’t share MTTD/MTTR may have good reasons (client confidentiality) or bad ones (the numbers aren’t competitive). Ask to see them during your POV.
Analyst quality
If 200 analysts cover 5,000 customers, nobody knows your environment. The analyst-to-customer ratio matters, but it’s rarely published. More important: are the analysts direct employees or outsourced contractors?
SOC analyst turnover runs 25–50% annually. Ask about knowledge transfer processes, documentation standards, and whether you get a dedicated analyst or whoever’s on shift.
Night shift quality is where corners get cut. Ask specifically: is it the same caliber of analyst, or a different (possibly offshore) SOC?
Proactive capabilities
Exposure assessment is increasingly part of MDR. Some providers now identify misconfigurations, monitor for leaked credentials, and flag vulnerability exposure alongside threat detection. Most treat it as an add-on, not a default.
Ask your shortlisted providers: what do you do beyond waiting for an attack to start?
/05 How to run your evaluation
Building your shortlist
Start with 5–7 providers, then narrow to 3 finalists for deep evaluation. Use the decision tree above to get your initial list: your answers to Q1–Q4 should eliminate half the market before you talk to a single sales rep.
Filter on hard requirements first: stack compatibility, response type, and budget range. These are binary. If a provider doesn’t support your EDR, nothing else compensates.
Running a proof of value (POV)
A POV is a 30-day trial in your actual environment. Unlike demos or cherry-picked references, a POV tests the service against your real threats and alert volume.
A provider that refuses any proof of value deserves extra scrutiny. You need to see alert quality, analyst communication and tuning effort in your own environment before signing.
POV scorecard: what to measure
Rate each criterion 1–5 for every finalist. 1 = poor, 5 = excellent.
Detection quality
Did they find threats your EDR missed? How many net-new detections during the 30 days?
Response speed
Time from detection to containment action. Measure actual incidents, not just SLA claims.
Communication quality
Were alerts clear and actionable? How fast did analysts respond to your questions?
False positive rate
What percentage of escalations required no action? Lower is better, but zero means they're suppressing.
Onboarding experience
How long from contract to full coverage? How much tuning was needed to reduce noise?
Reference call script
References are hand-picked. Go beyond “are you happy?”
- “What surprised you after signing?” This surfaces hidden costs and limitations that don’t come up during sales.
- “Walk me through a real incident they handled.” You want specifics about detection and response, not a retelling of the sales pitch.
- “What would make you switch?” Reveals ongoing frustrations that haven’t reached the breaking point.
- “How long did onboarding take, and what went wrong?” Vendor-stated timelines and reality are often 2–3x apart.
- “What do you wish you’d asked before signing?” One of the best questions for surfacing blind spots in your own evaluation.
- “How responsive are they at 2 AM vs. 2 PM?” Tests whether night shift quality matches daytime coverage.
- “Have you ever had a billing surprise?” Surfaces data overage charges, scope creep costs, and renewal increases.
- “If you could change one thing about the service, what would it be?” Gives the reference permission to share criticism constructively.
Scoring your finalists
Use a weighted scoring framework to compare finalists objectively. Without structured scoring, the provider with the best sales team wins, not the best service.
| Category | Weight | What to Score |
|---|---|---|
| Stack compatibility | 25% | EDR, SIEM, and cloud integration depth |
| Response authority | 20% | Autonomous actions, breach warranty, IR inclusion |
| Pricing | 20% | Total cost including add-ons, growth scenarios, hidden fees |
| Communication | 15% | Channels, data access, portal quality, transparency |
| Coverage | 10% | Attack surfaces covered in base vs. add-ons |
| Lock-in risk | 10% | Data portability, contract terms, exit process |
These weights are starting points. Adjust based on your priorities. If compliance drives the purchase, weight coverage and lock-in higher.
/06 Pricing reality
Pricing models
You will encounter four pricing structures across the market. Per-endpoint is the most straightforward to benchmark against competitors. Per-user, common in Microsoft environments, often bundles identity and works well when staff carry multiple devices. Data-volume pricing ties your bill to log throughput, which means costs rise during incidents. Custom-quoted providers require a scoping call before sharing numbers.
The pricing comparison breaks down each model with trade-offs.
Budgeting by organization size
The per-endpoint rate ($8–$35/month) is the starting point, but total spend depends on how many surfaces you monitor. Endpoint-only is the baseline. Each additional surface (cloud, identity, SaaS, network) adds to the bill, and providers charge for these differently: some bundle everything into a flat per-user price, others bill each surface separately.
As a rough guide, multi-surface coverage typically doubles the endpoint-only cost. Use the cost estimator on the pricing comparison page to model scenarios for your environment size.
Hidden costs
During evaluation, ask each finalist: “What is the maximum I could pay in a single month, including during an active incident?” That question surfaces the costs that don’t appear on the quote: data overages, add-on surfaces billed separately, minimum seat counts locked into the contract, and annual escalators.
The pricing comparison lists the hidden cost categories to ask about before signing.
How to negotiate
Your strongest leverage is competing POV results. Providers know when you are testing alternatives, and pricing reflects that. Beyond competitive pressure, focus on three contractual protections: a monthly bill cap (especially for volume-based pricing), a right-sizing clause that lets you reduce seats if your organization shrinks, and escalator caps that limit annual increases.
The pricing comparison has a five-step negotiation checklist with specific questions to ask.
/07 Red flags and deal-breakers
Sales process
Deal-breaker: Contracts longer than 3 years. The MDR market is evolving fast. Locking in for 4–5 years means you’re paying for a service that may be outdated by year 3.
Deal-breaker: Pricing only available under NDA. If a provider won’t share pricing until you sign a non-disclosure, they’re making comparison shopping deliberately harder.
Warning: “AI handles everything” without specifics on human analyst involvement. AI automates triage and enrichment, but complex threat investigation and incident response still require experienced analysts. Ask how many human analysts are involved in a typical escalation.
Deal-breaker: Refusing to offer a proof-of-value. If a provider won’t let you test the service in your environment before signing a multi-year contract, ask why.
Warning: Provider was recently acquired. If your MDR provider has been bought in the past 12 months, ask about service continuity, team retention, and whether your contract terms survive the transition. The MDR market saw over a dozen acquisitions in 2024–2025 alone.
Service delivery
Deal-breaker: No autonomous response actions despite claiming “active remediation.” If the SOC can’t isolate an endpoint without your approval, that’s guided response, not active remediation, regardless of the marketing label.
Deal-breaker: Claims “active remediation” but can’t name autonomous actions beyond endpoint isolation. Isolating an endpoint is the bare minimum. If they can’t also kill processes, disable accounts, or execute playbooks, their “active” label is misleading.
Warning: “90% alert reduction” claims. This usually means they’re filtering out 90% of alerts. Ask what happens to the other 10%. Those are often the critical ones. Alert reduction without context is just suppression.
Warning: Unpublished detection metrics. If a provider won’t share their MTTD and MTTR (even under NDA), they may not be confident in the numbers.
Warning: Single SOC location. If the only SOC is in one timezone, “24/7” means overnight shifts, not follow-the-sun coverage. Ask how many SOC locations they operate and where.
Warning: Endpoint-only monitoring marketed as full MDR. If a provider only watches endpoint telemetry but doesn’t cover identity, cloud, or email, they’re selling managed EDR, not MDR.
Contract terms
Deal-breaker: Auto-renewal with a short cancellation window (30 days or less). You should never be trapped into renewal because you missed a narrow cancellation window.
Deal-breaker: Non-portable data. If you leave, your historical log data and investigation records should be exportable. “Data is deleted upon termination” is a lock-in tactic.
Warning: Detection rules stay with the provider. Custom detection content created for your environment should be yours. If they keep it, you’re starting from scratch with a new provider.
Warning: Separate IR retainer for providers who claim “active remediation.” If incident response isn’t included in the base contract, you’re paying extra for the most critical part of the service.
/08 Questions checklist: take this into vendor calls
Bookmark: mdrproviders.io/buyers-guide#questions
Response authority
The #1 differentiator: what can they do WITHOUT calling you first?
What specific actions can your SOC take without my approval? Can I configure which actions require approval and which are automatic?
What is your response SLA for critical vs. high vs. medium severity incidents?
Is incident response (breach response) included in the base contract, or is it a separate retainer?
Walk me through what happens when you detect ransomware at 3 AM. What actions do you take before calling us?
Stack compatibility
Reddit’s #1 criterion: “Does it work with my existing tools?”
Does your MDR service work with our existing EDR, or do we need to replace it?
What SIEM integrations are supported? Can you ingest from our current SIEM?
Which cloud platforms are fully supported? Is coverage equal across AWS, Azure, and GCP?
Do you require deploying your own agent, or can you work with telemetry from our existing tools?
What response actions can you take through our existing tools vs. only through your own?
Visibility and transparency
The #1 complaint about MDR: “It’s a black box.”
Can my security team access raw log data, run their own queries, and see exactly what your analysts are doing (investigation timelines, actions taken, evidence collected)?
How do we communicate during an active incident? Slack, Teams, phone, or ticket portal?
Do you publish your MTTD and MTTR? What methodology do you use to measure them?
Coverage beyond endpoints
Coverage varies. Some providers bundle cloud and identity in base pricing, others charge per surface.
What’s included in the base price vs. add-ons for each attack surface (cloud, identity, SaaS, network)?
If we add cloud monitoring in 6 months, what does that cost?
Do you monitor cloud-native services (Lambda, S3, IAM) or only cloud-hosted endpoints?
Detection and analyst quality
The people and technology behind the alerts.
Show me threats you’ve detected beyond what our EDR alerts on — what’s the actual detection delta?
Do you write custom detection rules for our environment, or only use generic content?
Are your SOC analysts direct employees or outsourced? What’s the analyst-to-customer ratio?
Is overnight coverage provided by the same team or a different SOC?
Pricing and hidden costs
The #1 post-purchase regret: unexpected costs.
What is your pricing model? What is the maximum I could pay in a single month?
What is NOT included in the base price? (threat hunting, custom rules, IR, compliance reporting)
What do I pay in year 1, year 2, and year 3 if we grow from current size to 2x?
Do you offer a proof-of-value (POV) or trial period? If not, why not?
Vendor lock-in
“What happens if we need to leave?”
If we cancel, do we retain access to our historical log data? For how long?
Are detection rules and custom content portable, or do they stay with your platform?
What is the typical offboarding/exit process and timeline?
Provider-specific questions: Each provider profile on MDR Providers.io includes 5–8 additional questions targeting known blind spots and common complaints from reviews. Browse providers.
/09 Glossary
MDR: Managed Detection and Response. Outsourced 24/7 threat monitoring, investigation, and response.
MEDR: Managed Endpoint DR. MDR focused on endpoint telemetry only (servers, workstations, laptops).
MXDR: Managed Extended DR. Spans endpoints, network, cloud, identity, and SaaS. The broadest coverage model.
EDR: Endpoint Detection and Response. The agent/platform (CrowdStrike, SentinelOne, Defender) that collects telemetry. MDR sits on top of EDR.
XDR: Extended Detection and Response. A platform correlating telemetry across endpoints, network, cloud, and identity.
SOC: Security Operations Center. The analyst team that monitors, investigates, and responds. In MDR, the provider runs it.
MTTD: Mean Time to Detect. Time from threat entry to identification. Lower is better, but methodology matters.
MTTR: Mean Time to Respond. Time from detection to containment action. Measures how fast they act, not just alert.
POV: Proof of Value. A 30-day trial in your actual environment. The most reliable way to evaluate MDR quality.
Active Remediation: Provider takes autonomous actions (isolate, kill, disable) without your approval. Highest response authority.
Guided Response: Provider detects and investigates, then gives instructions. You execute response actions yourself.
Alert Forwarding: Provider filters and sends notifications. You investigate and respond.
Breach Warranty: Financial guarantee ($500K–$3M) covering costs if breached under protection. Read the exclusions.
Brings own platform (platform-native): Requires the provider’s own EDR/XDR stack. Deepest integration but highest lock-in.
Works with your tools (technology-agnostic): Works with your existing security tools. More flexible, but integration depth varies by tool.
IR Retainer: A separate contract for incident/breach response services. Some MDR providers include IR; others charge extra.
TDIR: Threat Detection, Investigation and Response. Gartner's term for the core MDR function.
CTEM: Continuous Threat Exposure Management. A proactive approach to identifying and reducing threat exposure before attacks happen.
DFIR: Digital Forensics and Incident Response. Deep-dive investigation after a breach. Some MDR providers include DFIR retainers; others sell them separately.
Business Model: How the MDR vendor is structured: platform vendor, pure-play MDR, MSP-channel, consulting/IR heritage, or evolved MSSP. Determines trade-offs.
/10 About this guide
Research methodology
Built on 210+ practitioner comments from Reddit (r/msp, r/cybersecurity, r/sysadmin), PeerSpot, G2, and Gartner Peer Insights. We extracted recurring themes, complaints, and decision criteria from real buyers. Cross-referenced against Gartner Market Guide for MDR (2025), Forrester Wave MDR Services (Q1 2025), and MITRE ATT&CK evaluations.
Provider data
Provider profiles are sourced from vendor documentation, product pages, integration guides, and third-party evaluations. See our full methodology for details.
Editorial policy
Sponsored placements are clearly labeled and do not affect data presentation, filtering, or editorial recommendations. This guide contains no affiliate links.