The decision framework
Buyers who compare every provider on a flat spreadsheet get overwhelmed. The market is simpler if you answer five questions in order. Each question eliminates providers that don't fit.
Question 1: Do you keep your tools?
This is the most important question. It splits the entire market in two:
- “Yes, keep my tools” → You need a BYOT (technology-agnostic) provider. They integrate with your CrowdStrike, Defender, Splunk, etc. About half the market.
- “Open to a new platform” → Platform-native providers are an option. You adopt their EDR/XDR agent and they operate it. Deepest integration, but vendor lock-in.
- “I don't have tools yet” → Platform-native providers are the easiest path. You get the tool and the service in one contract.
Question 2: What do you need covered?
Every MDR covers endpoints. The differentiator is what else they cover:
- Endpoints only is the cheapest, most basic option
- Endpoints + cloud if you run AWS, Azure or GCP workloads
- Endpoints + cloud + identity covers the most common initial-access path: compromised credentials used against Entra ID or Okta (credential phishing, MFA fatigue, session-token theft)
- All six surfaces (endpoint, cloud, identity, SaaS, network, OT/IoT). Few providers offer all six well.
Question 3: What response level do you need?
The word “response” in MDR ranges from “we send you an email” to “we contained the breach at 3am while you slept.”
- Alert-only is not really MDR, just alert forwarding
- Guided response means they tell you what to do, step by step
- Managed with approval means they can act but ask first. This is the most common model.
- Autonomous means pre-approved playbooks run automatically, giving the fastest response time. It also carries the largest blast radius: a mis-scoped playbook can isolate the wrong host or disable the wrong account, so pin down exactly which actions are pre-approved and on which asset classes.
Question 4: What's your organization size?
Not every provider is a good fit for every size. Some have minimum seat requirements of 200+. Others specialize in SMB and struggle with enterprise complexity.
- Under 100 employees: look for providers with low minimums and self-service onboarding
- 100–500 employees is the sweet spot for most MDR providers
- 500–5,000: look for dedicated account management and custom playbooks
- 5,000+: look for multi-region SOC, enterprise SLAs and API integration
Question 5: Any deal-breakers?
Not every buyer has these, but when they apply they eliminate providers quickly:
- Whether incident response (IR) is included or sold separately
- Whether a breach warranty is required (not common but growing)
- Compliance requirements like FedRAMP, HIPAA or PCI DSS narrow the field significantly
- SOC region, if you need EU-based analysts for data residency
What to ask during evaluation
- “What happens when you detect a threat at 3 AM on a Saturday?” You want specific actions, not marketing language.
- “What's not included?” Ask about IR retainers, custom playbooks, compliance reporting and onboarding fees.
- “What data do I keep if I leave?” Covers data portability and the exit process.
- “What are your MTTD and MTTR numbers, and how do you measure them?” Ask where the clock starts and stops (alert creation versus first malicious event; customer notification versus containment) and whether the figure is a mean or a median. The same incident data can produce very different numbers depending on those choices.
- “Can I talk to a current customer my size?” You want references from organizations with similar scale and complexity.
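The following is an added example (not from the original page or any vendor) that makes the MTTD/MTTR question concrete. It computes both metrics from a small set of constructed incident records under two different clock definitions each, and reports mean, median and p95. The incident field names (first_malicious_event, alert_created, analyst_triaged, customer_notified, contained) and the sample timestamps are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    """One incident's timeline. Field names are assumed, not a vendor schema."""
    first_malicious_event: datetime   # earliest attacker activity found in evidence
    alert_created: datetime           # when the tooling first raised an alert
    analyst_triaged: datetime         # when an analyst confirmed it as a real incident
    customer_notified: datetime       # when the customer was told
    contained: datetime               # when the threat was actually contained


# Constructed sample data: offsets in minutes from a Saturday 3 AM baseline.
# Incident 3 has a 4-hour detection gap and slow containment; the others are routine.
_BASE = datetime(2024, 1, 6, 3, 0, 0)


def _at(minutes: int) -> datetime:
    return _BASE + timedelta(minutes=minutes)


SAMPLE_INCIDENTS = [
    Incident(_at(0), _at(5), _at(12), _at(20), _at(45)),
    Incident(_at(0), _at(3), _at(10), _at(15), _at(30)),
    Incident(_at(0), _at(240), _at(250), _at(260), _at(400)),
    Incident(_at(0), _at(8), _at(15), _at(25), _at(50)),
    Incident(_at(0), _at(2), _at(9), _at(14), _at(35)),
    Incident(_at(0), _at(6), _at(14), _at(22), _at(60)),
]


def durations_minutes(incidents, start_field: str, stop_field: str) -> list[float]:
    """Elapsed minutes between two timeline fields for each incident."""
    return [
        (getattr(i, stop_field) - getattr(i, start_field)).total_seconds() / 60
        for i in incidents
    ]


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (no interpolation), so p95 is a real observed value."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(values: list[float]) -> dict[str, float]:
    """Mean hides the tail; median and p95 show what a bad night looks like."""
    return {
        "mean": mean(values),
        "median": median(values),
        "p95": percentile(values, 95),
        "max": max(values),
    }


def compare_definitions(incidents) -> dict[str, dict[str, float]]:
    """Same incidents, four clock definitions: the numbers a vendor quotes depend on these."""
    return {
        # Vendor-friendly MTTD: clock starts when their tooling alerted.
        "MTTD alert_created->analyst_triaged":
            summarize(durations_minutes(incidents, "alert_created", "analyst_triaged")),
        # Customer-experienced MTTD: clock starts at the first malicious event,
        # so detection gaps (missed telemetry, late rules) count against it.
        "MTTD first_malicious_event->analyst_triaged":
            summarize(durations_minutes(incidents, "first_malicious_event", "analyst_triaged")),
        # "Response" measured as notification only.
        "MTTR analyst_triaged->customer_notified":
            summarize(durations_minutes(incidents, "analyst_triaged", "customer_notified")),
        # "Response" measured as actual containment.
        "MTTR analyst_triaged->contained":
            summarize(durations_minutes(incidents, "analyst_triaged", "contained")),
    }


if __name__ == "__main__":
    for label, stats in compare_definitions(SAMPLE_INCIDENTS).items():
        print(f"{label:48s} " + "  ".join(f"{k}={v:6.1f}" for k, v in stats.items()))
```

Run it and the two MTTD rows differ by a factor of roughly seven on the mean (about 7.7 versus 51.7 minutes) purely because of where the clock starts, while the median barely moves; that is exactly why the evaluation question asks for the methodology and not just the number. When a vendor quotes a single figure, ask which row it corresponds to and request the median and p95 alongside the mean.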
FAQ
What is the most important question when choosing an MDR provider?
“Do you want to keep your existing security tools?” This question separates platform-native providers from providers that work with your current stack.
How many MDR providers should I evaluate?
Aim for 3–5 shortlisted providers. Run a proof of concept with your top 2–3.
What should I ask MDR vendors during evaluation?
Focus on what happens at 3 AM, what's NOT included, data portability, and real MTTD/MTTR numbers together with the methodology behind them.
Ready to narrow your options?
For the full evaluation process including POV scorecards, reference call scripts and red flags, see the buyer's guide.