Binary Defense
Technology-agnostic MDR co-founded by David Kennedy (creator of the Social Engineer Toolkit) with a strong reputation for proactive threat hunting. Binary Defense works with your existing EDR and SIEM rather than replacing them, and consistently earns the highest possible Forrester scores for endpoint detection and threat hunting.
Buyer fit
Good fit when
- ✓ Mid-market and enterprise organizations with existing EDR/SIEM investments they want to keep
- ✓ Security teams that value proactive threat hunting and want deep technical partnership
- ✓ Organizations that prioritize data portability and want to avoid vendor lock-in
Watch out when
- × Organizations needing global SOC coverage (the SOC is US-based only; analysts work remotely)
- × SMBs looking for a turnkey, low-touch MDR with minimal setup
- × Companies requiring IR included in the base MDR package
Coverage
- EDR
- SIEM
- Cloud
Additional capabilities
- Incident response
Pricing
What costs extra
- – MDR Plus (managed deception, malware disruption, EDR bypass detection)
- – Co-Managed SIEM (separate service)
- – Digital Risk Protection (separate service)
- – Incident Response retainer (separate service)
Cost caveats
- – MDR Plus features (deception, malware disruption) are add-ons beyond base MDR
- – IR is not included in base MDR; it is available as a separate retainer
- – Requires a direct connection to the client network; delivery over VPN may be affected
- – Pricing is not publicly disclosed and requires sales engagement
Pricing compiled from public sources. Verify directly with the provider.
Reputation
Gartner Peer Insights rates 4.6/5 (30 reviews) and PeerSpot 9.2/10. Forrester Strong Performer in Q1 2025 (was Leader in 2021) with highest possible scores for endpoint detection, threat hunting, and community. Praise for technical depth, but Glassdoor employee rating is 2.5/5, and some customers report declining service quality.
What customers praise
- ✓ Forrester gave top-scale scores for endpoint detection, threat hunting, and community
- ✓ Open XDR approach avoids vendor lock-in and works with existing EDR/SIEM investments
- ✓ Transparent portal where every alert, investigation, and containment action is visible
Common complaints
- × Some customers report declining service quality and value as the company scales
- × Glassdoor employee rating of 2.5/5 (35 reviews) raises talent retention concerns
- × Triage alerts sometimes arrive missing context, and portal UX for escalated alerts needs work
Limited Reddit discussion compared to larger MDR providers. Practitioners who mention Binary Defense tend to praise the technical depth and hunting capability but note it's better suited for security-mature organizations.
Questions to ask
1. What specific capabilities are in MDR vs. MDR Plus, and what is the cost difference?
2. What is your P1 30-minute SLA compliance rate over the last 12 months?
3. How many SOC analysts cover our time zone, and what is the overnight staffing model?
4. If we leave, do we keep the custom detection rules and playbooks your team built for us?
5. What is the average time from detection to customer notification for P1 incidents?
6. How does co-management work in practice? What actions does your team take vs. ours?
7. What is your current employee retention rate, and how has SOC staffing changed in the past year?
8. Can you share triage efficiency metrics for environments similar to ours?
Evidence
Sources reviewed
- Main public source used for the provider profile
- Formal SLA documentation for monitoring and detection services
- Partnership announcement for Cortex XSIAM MDR services
- Case study demonstrating an MDR implementation for a healthcare organization
Public-data caveats
- – SLA caveat: Published SLA at binarydefense.com/slas: P1 Critical within 30 minutes, P2 High within 4 hours. 95% compliance target measured monthly over a rolling 3-month period. Service credits: 5% for 90-94%, 10% for 85-89%, 15% below 85%.
- – No public fixed price is recorded; compare only after a scoped quote.
- – No public breach warranty is recorded.
- – Response authority may depend on pre-approval and contract scope.
Information compiled from public sources. Verify details directly with the provider before making decisions.