

DirectDefense
Technology-agnostic MDR and MSSP combining 24x7 SOC operations with bundled incident response retainer hours. Built on the ThreatAdvisor 3.0 SOAR platform, which uses automated playbooks to standardize triage and investigation workflows. Founded by offensive security practitioners, so pen testing and red team experience informs detection engineering. Two-tier service model (CORE and MAX) targets mid-market organizations wanting an advisory partnership rather than pure technology reselling.
Buyer fit
Good fit when
- ✓Mid-market organizations with an existing SIEM (Rapid7, Tenable, Sentinel) wanting managed SOC operations on top
- ✓Industrial and OT/ICS environments needing Claroty, Dragos, or SCADAfence monitoring wrapped into an MDR contract
- ✓Organizations that want IR retainer hours bundled from day one rather than buying separately
- ✓Teams with existing security tool investments who want an advisor-level partner, not a platform replacement
Watch out when
- ×Organizations wanting turnkey MDR without existing SIEM or security tool investment
- ×Buyers who need published detection benchmarks, MITRE validation, or community-verified performance data
- ×Teams wanting autonomous containment and remediation (DirectDefense recommends, your team executes)
- ×Enterprise organizations needing identity or SaaS monitoring as part of the MDR service
Coverage
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –OT/ICS security monitoring (Claroty, Dragos, SCADAfence)
- –Advanced cloud workload monitoring beyond basic coverage
- –Identity threat protection (Security Essentials tier only, not part of MDR CORE/MAX)
- –SaaS application monitoring
- –Penetration testing and red team engagements
- –Strategic security planning and compliance assessments
Cost caveats
- –Requires existing SIEM or purchase of SIEM platform (Rapid7, Tenable, Microsoft Sentinel)
- –Technology-agnostic model means you need to own the underlying security tools
- –OT/ICS coverage requires separate Claroty, Dragos, or SCADAfence licensing
- –Third-party estimates (Getlatka) suggest ~$55K average deal size, which is mid-market territory, not SMB-friendly except for the Security Essentials tier
- –No published pricing on the website makes cost comparison difficult before engaging sales
- –Identity threat protection and vCISO are only in the Security Essentials tier (separate from MDR), not in CORE or MAX
Pricing compiled from public sources. Verify directly with the provider.
Team and access
Certifications
Reputation
Almost no public practitioner reviews. No presence on G2, PeerSpot, Gartner Peer Insights, or Reddit as of March 2026. Industry recognition includes MSSP Alert Top 250 (#128, 2024), CRN MSP 500 Security 100 (4th consecutive year), Inc. 5000 (#3924, 2024), and Globee Silver for Best Cybersecurity Service Provider (2025). Awards show vendor credibility but tell you nothing about day-to-day service quality from a buyer's perspective.
What customers praise
- ✓Pen testing and offensive security background (founded by security assessment practitioners)
- ✓Technology-agnostic: works with existing CrowdStrike, SentinelOne, Rapid7, Tenable investments
- ✓OT/ICS partnerships with Claroty, Dragos, and SCADAfence fill a niche many MDR providers skip
Common complaints
- ×Zero public reviews on G2, PeerSpot, Gartner Peer Insights, or Reddit. No way to validate service quality before buying.
- ×No published MTTD/MTTR metrics. The 8-minute triage claim is vendor-reported, not independently validated.
- ×Requires existing SIEM investment (Rapid7, Tenable, or Sentinel). Not turnkey.
No Reddit discussions found about DirectDefense MDR services as of March 2026. Complete absence of practitioner chatter is itself a data point.
Questions to ask
- 1.
How many IR retainer hours are included in CORE vs. MAX, and what triggers their use vs. standard SOC operations?
- 2.
Your 2024 threat report claims 8-minute average triage on critical events. What is the actual MTTD and MTTR for customers in our size and industry?
- 3.
What specific response actions can your analysts take without our approval, if any? Or is every remediation step guided?
- 4.
What happens to our ThreatAdvisor investigation data and playbook history if we leave? Can we export it?
- 5.
With ~107 employees total, how many are dedicated SOC analysts, and what is the analyst-to-customer ratio?
- 6.
We have no public reviews to reference. Can you provide 2-3 customer references in our industry who will speak candidly about detection quality?
- 7.
For OT/ICS monitoring via Claroty/Dragos/SCADAfence, what is the additional licensing cost, and does your SOC have dedicated OT analysts?
- 8.
What SIEM platform do you recommend for our environment, and what is the additional cost of that SIEM on top of the MDR contract?
Evidence
Sources reviewed
Public-data caveats
- –SLA caveat: 30-minute SLA-driven incident response time, published on their website. DirectDefense monitors 24x7 and provides triage, investigation, and response recommendations. Both CORE and MAX tiers include incident response retainer hours.
- –No public fixed price is recorded; compare only after a scoped quote.
- –No public breach warranty is recorded.
- –Response workflows are described, but exact standard containment actions are not public.
Also consider
Information compiled from public sources. Verify details directly with the provider before making decisions.