Kroll
Responder MDR
Kroll Responder's unique advantage is the depth of real-world incident response experience from 3,000+ annual breach investigations feeding directly into MDR detection and response. The 'Complete Response' methodology and complimentary $1M breach warranty set it apart from pure monitoring-focused MDR providers.
Best For / Not Ideal For
Ideal for
- Organizations wanting IR expertise built into MDR (not just monitoring)
- Enterprises needing full threat eradication including forensics and root cause analysis
- Companies in regulated industries needing compliance reporting and breach warranty
- Organizations already invested in or open to CrowdStrike Falcon platform
- Global enterprises needing multi-region SOC coverage and multi-language support
Not ideal for
- Organizations that strongly prefer vendor-agnostic EDR platforms (given CrowdStrike migration)
- Budget-sensitive SMBs wanting transparent, published pricing
- Companies wanting to avoid any platform consolidation or lock-in
- Teams needing a primarily self-service, portal-first experience
What They Actually Do
Approval: Configurable — You choose which actions need approval
Incident Response: Included in contract
Response SLA: Contact for specifics
Kroll's 'Complete Response' methodology goes beyond containment to active threat eradication, including removing persistence, reverse-engineering malware, and full remediation. SOAR-powered custom playbooks automate routine threats under analyst oversight. Seasoned IR experts (not just monitoring analysts) handle the response. Includes full digital forensics and incident response capabilities from 3,000+ annual breach investigations.
Stack Compatibility
EDR
SIEM
Cloud
Ticketing
Other Integrations
Attack Surface Coverage
- Endpoint: included
- Cloud Workloads: included
- SaaS Apps: included
- Identity: included
- Network: included
- OT/ICS: included
Pricing & Total Cost
Pricing Model: Custom pricing based on environment size and complexity. Contact provider for pricing details.
What costs extra
- Managed SIEM (separate service)
- MXDR for Microsoft (separate package)
- Penetration testing and red teaming
- Digital risk protection
- Cyber risk advisory services
Hidden cost warnings
- Warning: Migration to CrowdStrike Falcon may require new licensing if not already a CrowdStrike customer
- Warning: Named TAM support (vs. Shared TAM) likely incurs additional cost
- Warning: Full DFIR engagement beyond MDR scope may have separate pricing
- Warning: Office 365 / Microsoft-specific coverage is a separate Responder package
- No trial available
- No POV offered
Breach Warranty — up to $1,000,000
Caveat: Complimentary $1M Incident Protection warranty included for all Responder clients. Covers ransomware, BEC, compliance/regulatory failure, and business income loss. Not dependent on client size.
Service Details
- Contract Terms: Contact for specifics
- Data Retention: Contact for specifics
- Dedicated Analyst: Yes
- Portal Access: Yes
- Custom Reporting: Yes
- Quarterly Reviews: Yes
Communication & Visibility
Communication Channels
Escalation Method: The Redscan platform provides a centralized interface. The SOC team investigates and hunts deeper before escalating high-severity incidents to the elite IR team. A Named or Shared TAM provides ongoing strategic support.
Data Access
Dashboard Access: Visual dashboards but no raw log queries
What to Ask Kroll
Based on common blind spots and real-world evaluation patterns
1. How does the CrowdStrike Falcon migration affect customers who already use a different EDR?
2. What specific actions does 'Complete Response' cover that competitors' containment-only approach does not?
3. Is the $1M breach warranty truly no-strings-attached, and what are the exact coverage exclusions?
4. What is the difference in service level between Named TAM and Shared TAM, and what are the cost implications?
5. How is frontline intelligence from IR engagements fed back into detection content, and how quickly?
6. What data and detection logic can we retain if we terminate the Responder service?
7. How does Kroll handle response for non-CrowdStrike endpoints in hybrid environments?
Information compiled from public sources. Verify details directly with the provider before making decisions.