Red Canary customers woke up to a Zscaler acquisition announcement, Secureworks customers learned Sophos was taking over, and Trustwave customers watched their provider merge with Cybereason then get acquired by LevelBlue. Each deal affects customers differently depending on what the acquirer wants. See our full acquisition tracker for the complete list.
Three types of acquisition and why it matters which one
| Type | Example | Primary risk |
|---|---|---|
| Platform play | Zscaler + Red Canary | MDR becomes a feature inside a larger product. Risk of deprioritization. |
| MDR roll-up | LevelBlue + Trustwave + Alert Logic | Service continues but platform may change. Risk of forced migration. |
| Technology grab | Deepwatch + Dassana | Acquirer wants the tech or talent, not necessarily the customers. Risk of product discontinuation. |
Platform plays are the most common pattern right now. A technology vendor with an existing product suite buys an MDR provider to add managed services capability, and your standalone MDR becomes a module inside a larger platform. The service may continue, but its priority, investment and roadmap now compete with the acquirer's core business.
What changes for customers
People
Analyst attrition is the biggest risk. Retention packages typically last 12 to 18 months, and once they expire, analysts who know your environment may leave. The institutional knowledge they carry about your infrastructure, your escalation preferences and your alert patterns leaves with them.
Platform and tooling
Detection content, integrations, the customer portal and reporting dashboards may be migrated to the acquirer's technology stack or deprecated entirely. In roll-up acquisitions, the acquirer typically consolidates to a single platform over 12 to 24 months, and your existing integrations may break or require reconfiguration during the transition.
SLAs and service terms
Contractual terms are typically honored through your current renewal period, but the next renewal often comes with revised terms, new pricing and different SLA structures aligned with the acquirer's standard agreements.
Communication and escalation
Your account team, TAM and escalation paths will change. In the best cases, the acquirer maintains continuity for 6 to 12 months. In the worst, you lose your primary contacts within weeks and are reassigned to someone who does not know your environment.
Pricing
Renewals post-acquisition often come with price increases. The acquirer may bundle previously standalone features, add platform fees or restructure pricing to align with their model. This is especially common in platform play acquisitions where the acquirer has a different pricing philosophy.
Review your contract before you need to
The time to understand your assignment clause, exit terms and data portability rights is before an acquisition is announced.
- Check whether the provider can assign your contract to another entity without your consent. Many agreements allow assignment during mergers, but if the clause requires your consent you have leverage during a transition.
- Understand your data export rights: detection rules, historical investigation data, incident reports and log archives. Providers with limited export capabilities create significant switching costs.
- Know the termination notice period and penalty. Some contracts require 90 or 180 days notice with substantial fees, and you need to know this number before a transition starts.
- Confirm whether your SLAs are tied to the legal entity, the specific service or the brand. This determines whether the acquirer is legally bound to maintain your service levels.
What to do now
These steps protect your position regardless of whether your provider is in acquisition talks.
- Pull up your contract's assignment and termination clauses. If you cannot find them, ask your provider for the current master service agreement.
- Request documentation on what you can export: detection rules, historical alerts, investigation timelines and raw log data. Test the export process now while there is no urgency.
- Map out which of your tools feed into the MDR provider and which response actions are automated through their platform. This integration inventory becomes your migration checklist if you need to switch.
- Estimate how long it would take to onboard a new MDR provider. Most migrations take 30 to 90 days for full coverage, and adding your contract's notice period gives you your total transition window.
- Our provider profiles include vendor lock-in assessments covering exit process, data portability and contract flexibility for published providers.
Questions to ask when you hear the news
When your MDR provider announces an acquisition, these are the questions that get you useful information quickly.
- Will my current SLA survive the next renewal?
- Who on my current account and analyst team is staying?
- Is my detection content (rules, playbooks, response automations) portable?
- What is the timeline for platform migration, and will I have a choice?
- Will my pricing change at renewal?
- What is the acquirer's track record with previously acquired products and customer bases?
FAQ
Will my MDR service continue after an acquisition?
In most cases, yes, at least through your current contract term. The underlying platform, analyst team and integrations may change during or after the transition. Roll-ups tend to continue service with platform migration, while technology grabs carry higher risk of discontinuation.
Can my contract be transferred without my consent?
It depends on your contract's assignment clause. Many agreements allow assignment during mergers or acquisitions. Check yours now. If it requires your consent for assignment, you have meaningful leverage during a transition.
Should I switch providers after an acquisition?
Not necessarily. Some acquisitions improve the service. Evaluate the acquirer's track record, what has been communicated about continuity, and whether your analyst team is staying. Plan for a potential switch by documenting dependencies and reviewing exit terms, but do not rush a migration that could leave coverage gaps.
What is the biggest risk when my provider gets acquired?
Losing the analysts who know your environment. Post-acquisition, retention packages typically last 12 to 18 months and turnover accelerates once they expire. Ask early about team retention plans and whether your dedicated analysts are staying.