What to Ask Your MDR Provider
20 critical evaluation questions sourced from practitioner research across Reddit, PeerSpot, G2, and CISO evaluation frameworks.
These questions are designed to surface what matters in practice — not what looks good on a vendor datasheet. Each question targets a common blind spot or post-purchase regret identified in our research.
Response Authority
The #1 differentiator: what can they do WITHOUT calling you first?
What specific actions can your SOC take without my approval? (isolate endpoints, kill processes, disable accounts)
Can I configure which actions require approval and which are automatic?
What is your response SLA for critical vs. high vs. medium severity incidents, and is the clock measured to acknowledgement, to a triaged verdict, or to containment?
Is incident response (breach response) included in the base contract, or is it a separate retainer?
What does "active remediation" mean specifically in your service? Walk me through what happens when you detect ransomware.
Stack Compatibility
Reddit's #1 criterion: "Does it work with my existing tools?"
Does your MDR service work with our existing EDR (CrowdStrike/SentinelOne/Defender), or do we need to replace it?
What SIEM integrations are supported? Can you ingest from Splunk/Sentinel/Chronicle?
Which cloud platforms are fully supported? Is coverage equal across AWS, Azure, and GCP?
Do you require deploying your own agent, or can you work with telemetry from our existing tools?
Visibility & Transparency
The #1 complaint about MDR: "It's a black box."
Can my security team access raw log data and run their own queries?
Can I see exactly what your analysts are doing — investigation timelines, actions taken, evidence collected?
What does your customer portal look like? Can I get a demo before signing?
Do you publish your MTTD and MTTR? What methodology do you use to measure them (mean or median, which start and end events define each interval, and which incidents are included)?
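The methodology question matters because the same incident history yields very different "MTTD" and "MTTR" figures depending on how the interval is defined and which incidents are counted. The script below is an added illustration, not code from the page or from any provider; the five incidents are constructed sample data, and the helper names (summarise, time_to_detect, time_to_respond) are this example's own.

```python
"""Recompute MTTD / MTTR from one incident set under different methodologies.

Added example with constructed data; it shows how mean vs. median, a severity
filter, and the choice of start event change the headline numbers a provider
reports, so the buyer knows which definition to ask for.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    ident: str
    severity: str          # "critical" | "high" | "medium" | "low"
    first_event: datetime  # earliest attacker activity visible in telemetry
    detected: datetime     # time the provider raised the alert
    contained: datetime    # time the containment action completed


T0 = datetime(2024, 3, 1, 0, 0)  # arbitrary epoch for the constructed data


def _inc(ident: str, severity: str, start_h: float, ttd_min: float, ttr_min: float) -> Incident:
    """Build a constructed incident from offsets (hours to first event, minutes to detect/contain)."""
    first = T0 + timedelta(hours=start_h)
    detected = first + timedelta(minutes=ttd_min)
    return Incident(ident, severity, first, detected, detected + timedelta(minutes=ttr_min))


# Constructed sample incidents (not real data). INC-4 is a long-dwell case
# found by a threat hunt; a single outlier like it dominates any mean.
INCIDENTS = [
    _inc("INC-1", "critical", 0, 12, 28),
    _inc("INC-2", "high", 1, 20, 160),
    _inc("INC-3", "medium", 5, 45, 300),
    _inc("INC-4", "critical", 30, 72 * 60, 360),
    _inc("INC-5", "low", 40, 5, 15),
]


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def time_to_detect(i: Incident) -> float:
    """Dwell time: first malicious event -> alert raised."""
    return minutes(i.first_event, i.detected)


def time_to_respond(i: Incident, from_first_event: bool = False) -> float:
    """Containment interval. Providers differ on whether the clock starts at the
    alert (flattering) or at the first malicious event (what the buyer feels)."""
    start = i.first_event if from_first_event else i.detected
    return minutes(start, i.contained)


def summarise(
    incidents: Iterable[Incident],
    stat: Callable[[Iterable[float]], float] = mean,
    severities: Optional[set] = None,
    from_first_event: bool = False,
) -> Optional[Tuple[float, float]]:
    """Return (MTTD, MTTR) in minutes under the chosen methodology, or None if
    the severity filter leaves no incidents."""
    selected = [i for i in incidents if severities is None or i.severity in severities]
    if not selected:
        return None
    mttd = stat(time_to_detect(i) for i in selected)
    mttr = stat(time_to_respond(i, from_first_event) for i in selected)
    return mttd, mttr


if __name__ == "__main__":
    variants = [
        ("mean, all incidents", {}),
        ("median, all incidents", {"stat": median}),
        ("mean, critical only", {"severities": {"critical"}}),
        ("mean, low severity excluded", {"severities": {"critical", "high", "medium"}}),
        ("mean, MTTR from first event", {"from_first_event": True}),
    ]
    for label, kwargs in variants:
        mttd, mttr = summarise(INCIDENTS, **kwargs)
        print(f"{label:<32} MTTD={mttd:8.1f} min   MTTR={mttr:8.1f} min")
```

Run as-is, the median MTTD is 20 minutes while the mean is over 14 hours, because one long-dwell incident is in the set; dropping low-severity tickets and restarting the MTTR clock at the first event each move the numbers again. A provider quoting a single figure without stating these choices has not answered the question.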
Pricing & Hidden Costs
The #1 post-purchase regret: unexpected costs.
What is your pricing model? Per-endpoint, per-user, per-GB, or flat-rate?
What is NOT included in the base price? (threat hunting, custom detection rules, IR retainer, compliance reporting)
Is there a minimum seat or endpoint requirement? What happens if we grow past our current tier?
Do you offer a proof-of-value (POV) or trial period? If not, why not?
Vendor Lock-In
"What happens if we need to leave?"
If we cancel, do we retain access to our historical log data? For how long, and in what exportable format?
Are detection rules and custom content portable, or do they stay with your platform?
What is the typical offboarding/exit process and timeline?
Provider-Specific Questions
Beyond these universal questions, each provider profile on MDRProviders.io includes 5-8 provider-specific evaluation questions. These target known blind spots, common complaints from reviews, and areas where that provider’s documentation is vague.