

Expel MDR
API-first, vendor-agnostic MDR that connects to your existing security stack via 160+ integrations without deploying a proprietary agent. Founded by former Mandiant/FireEye executives, Expel's Workbench platform provides full transparency into every SOC analyst action. Threat hunting and incident response are separate add-ons, not included in the base MDR service.
Buyer fit
Good fit when
- ✓ Mid-market and enterprise organizations with existing security tools wanting vendor-agnostic MDR
- ✓ Security teams that value transparency and want to see every SOC action in real time
- ✓ Multi-cloud environments needing broad integration coverage including Oracle Cloud
Watch out when
- × Organizations wanting platform-native MDR from a single vendor (Expel requires existing security tools)
- × Companies needing OT/ICS coverage
- × Budget-constrained SMBs (pricing starts at $11,640/year and scales with coverage)
Coverage
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- Threat hunting (add-on to all MDR tiers, not included in base)
- Phishing response (priced by email count)
- Additional SIEM/data lake coverage
- Oracle Cloud Infrastructure monitoring
- Advanced identity threat detection
- Incident response (separate, not included)
Cost caveats
- Threat hunting is NOT included in base MDR; it is a separate add-on
- Incident response is NOT included and must be obtained separately
- Premium tier required for direct Slack/Teams SOC communication
- Pricing scales significantly based on number of integrations and coverage areas
Pricing compiled from public sources. Verify directly with the provider.
Reputation
Forrester Wave MDR Leader Q1 2025 (5/5 in 15 of 21 criteria). Gartner Peer Insights 4.6/5 (142 reviews). G2 4.8/5. PeerSpot 9.0/10. Widely praised for transparency, integration breadth, and speed. Primary criticism: threat hunting and incident response are add-ons, not included.
What customers praise
- ✓ Full transparency into every analyst action via Workbench platform
- ✓ Rapid API-first onboarding (hours, not weeks) with 160+ integrations
- ✓ Configurable auto-remediation with full customer control over what gets automated
Common complaints
- × Threat hunting is an add-on, not included in base MDR
- × No breach warranty, unlike some competitors
- × Limited APAC/global SOC presence, North America primary
Generally very positive. Expel is frequently recommended alongside Red Canary and CrowdStrike Falcon Complete for organizations with existing security investments wanting a transparent, collaborative MDR partner.
Questions to ask
1. Threat hunting is an add-on. What is the additional cost, and what specific hunt frequency and methodology will our environment receive?
2. What are the exact auto-remediation actions available for our specific tool stack, and can we see a demo of the configurable approval workflows?
3. How does pricing scale as we add more integrations, coverage areas, or cloud resources beyond the initial contract?
4. What is the data retention period for our security data in Workbench, and how do we export all data if we leave?
5. Since incident response is not included, what IR partners do you recommend, and how does the handoff work during a major incident?
6. What SLA commitments can you provide in writing beyond published MTTR metrics?
Evidence
Public-data caveats
- No public contractual response-time SLA is recorded for this profile.
- No public fixed price is recorded; compare only after a scoped quote.
- No public breach warranty is recorded.
- Response authority may depend on pre-approval and contract scope.
Information compiled from public sources. Verify details directly with the provider before making decisions.