The decision framework
Buyers who compare every provider on a flat spreadsheet get overwhelmed. The market is simpler if you answer five questions in order. Each question eliminates providers that don't fit.
Question 1: Do you keep your tools?
This is the most important question. It splits the entire market in two:
- “Yes, keep my tools” → You need a BYOT (technology-agnostic) provider. They integrate with your CrowdStrike, Defender, Splunk, etc. About half the market.
- “Open to a new platform” → Platform-native providers are an option. You adopt their EDR/XDR agent and they operate it. Deepest integration, but vendor lock-in.
- “I don't have tools yet” → Platform-native providers are the easiest path. You get the tool and the service in one contract.
Question 2: What do you need covered?
Every MDR covers endpoints. The differentiator is what else they cover:
- Endpoints only: the cheapest, most basic option
- Endpoints + cloud: if you run AWS, Azure, or GCP workloads
- Endpoints + cloud + identity: covers the most common attack vectors (credential phishing through Entra ID or Okta)
- Everything: endpoint, cloud, identity, SaaS, network, OT/IoT. Few providers offer all six.
Question 3: What response level do you need?
The word “response” in MDR ranges from “we send you an email” to “we contained the breach at 3am while you slept.”
- Alert-only: not really MDR, just alert forwarding
- Guided response: they tell you exactly what to do, step by step
- Managed with approval: they can act but ask first. Most common model.
- Autonomous: pre-approved playbooks run automatically. Fastest response time.
Question 4: What's your organization size?
Not every provider is a good fit for every size. Some have minimum seat requirements of 200+. Others specialize in SMB and struggle with enterprise complexity.
- Under 100 employees: look for providers with low minimums and self-service onboarding
- 100-500: the sweet spot for most MDR providers
- 500-5,000: look for dedicated account management and custom playbooks
- 5,000+: look for multi-region SOC, enterprise SLAs, and API integration
Question 5: Any deal-breakers?
These are optional but can quickly eliminate providers:
- IR must be included: some providers include incident response, others sell it separately
- Breach warranty required: financial guarantee. Not common but growing.
- Compliance requirements: FedRAMP, HIPAA, PCI DSS narrow the field significantly
- SOC region: if you need EU-based analysts for data residency
What to ask during evaluation
- “What happens when you detect a threat at 3am Saturday?” Get specific actions, not marketing.
- “What's not included?” IR retainer, custom playbooks, compliance reporting, onboarding fees.
- “What data do I keep if I leave?” Data portability and exit process.
- “What are your MTTD and MTTR numbers?” And how do you measure them?
- “Can I talk to a current customer my size?” References from similar organizations.
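The MTTD/MTTR question is only useful if you also pin down the methodology: what starts the clock (first attacker activity or first alert), what stops it (alert sent or threat contained), and whether the figure is a mean or a median. The following Python script is an added example, not something from this page or from any provider; it computes both metrics from a small set of constructed incident timelines and shows how one long-dwell incident moves the mean far more than the median. The incident names and timestamps are invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass
class Incident:
    """One incident timeline. All timestamps are constructed sample values."""
    name: str
    first_malicious_activity: datetime  # clock start for MTTD (from the forensic timeline)
    detected: datetime                  # when the provider raised the alert
    contained: datetime                 # when the threat was isolated or blocked

    def __post_init__(self):
        # A timeline that runs backwards usually means the wrong clock was used;
        # refuse to compute metrics from it rather than silently producing negatives.
        if not (self.first_malicious_activity <= self.detected <= self.contained):
            raise ValueError(f"{self.name}: timestamps are not in activity <= detected <= contained order")


def time_to_detect(inc: Incident) -> timedelta:
    """Dwell time: first attacker activity until the alert fired."""
    return inc.detected - inc.first_malicious_activity


def time_to_respond(inc: Incident) -> timedelta:
    """Response time: alert fired until containment. Note the clock starts at detection,
    not at first activity; a provider quoting MTTR should say which start they use."""
    return inc.contained - inc.detected


def summarize(incidents: list[Incident]) -> dict[str, float]:
    """Return MTTD and MTTR in minutes, both as mean and as median."""
    ttd = [time_to_detect(i).total_seconds() / 60 for i in incidents]
    ttr = [time_to_respond(i).total_seconds() / 60 for i in incidents]
    return {
        "mttd_mean_min": mean(ttd),
        "mttd_median_min": median(ttd),
        "mttr_mean_min": mean(ttr),
        "mttr_median_min": median(ttr),
    }


# Constructed sample data: a 3am Saturday reference point and four made-up incidents.
BASE = datetime(2024, 1, 6, 3, 0)


def _incident(name: str, dwell_min: int, detect_to_contain_min: int) -> Incident:
    detected = BASE + timedelta(minutes=dwell_min)
    return Incident(name, BASE, detected, detected + timedelta(minutes=detect_to_contain_min))


SAMPLE = [
    _incident("phishing-token-theft", dwell_min=10, detect_to_contain_min=30),
    _incident("malware-on-endpoint", dwell_min=25, detect_to_contain_min=50),
    _incident("suspicious-login", dwell_min=5, detect_to_contain_min=20),
    # One dormant web shell found after three days drags the mean MTTD up by hours.
    _incident("dormant-webshell", dwell_min=3 * 24 * 60, detect_to_contain_min=120),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value:.1f}")
```

Run it and compare the mean MTTD (over 18 hours, driven entirely by the web shell) with the median (under 20 minutes): a vendor who quotes only one of these numbers, without saying which and without saying whether the clock starts at first activity or at first alert, has not answered the question.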
FAQ
What is the most important question when choosing an MDR provider?
“Do you want to keep your existing security tools?” This single question eliminates roughly half the market.
How many MDR providers should I evaluate?
Aim for 3–5 shortlisted providers. Run proof-of-concept with your top 2–3.
What should I ask MDR vendors during evaluation?
Focus on what happens at 3am, what's NOT included, data portability, and real MTTD/MTTR numbers with methodology.
Ready to narrow your options?
Answer 5 questions and we'll score every provider against your answers.
Try the MDR finder