Buyer fit
Good fit when
- ✓US federal and state agencies that need FedRAMP/StateRAMP-authorized MDR with deep compliance credentials
- ✓Regulated industries (financial services, healthcare) needing PCI DSS QSA and MDR from one provider
- ✓Large enterprises wanting technology-agnostic MDR with OT/ICS coverage options and global SOC presence
Watch out when
- ×Organizations that prioritize vendor stability. Five ownership changes and a 15% launch-day layoff are red flags.
- ×Buyers who need clear SLAs upfront. Base MDR tier commitments are not disclosed, and the product lineup is confusing.
- ×SMBs or budget-constrained teams. Custom pricing starting around $44K/year and a fragmented product portfolio.
Coverage
3 of 6 attack surfaces in the base price — the rest are separately priced.
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –DFIR retainer (SpiderLabs: 2-hour remote triage, 24-hour on-site. Also via Stroz Friedberg.)
- –Co-Managed SOC (separate product from MDR)
- –MXDR for Microsoft Sentinel (specialized offering)
- –OT security services (Nozomi, Claroty, Dragos integrations)
- –Technical Case Manager (optional paid support tier)
- –Cybereason XDR platform (separate from Trustwave MDR)
Cost caveats
- –Non-EDR telemetry priced by MEPD (millions of events per day), which is hard to estimate upfront and can spike
- –Service-level scope varies by product and tier. Confirm whether the Trustwave service-level document applies to the quoted MDR service.
- –MDR, MXDR, Co-Managed SOC, MTDR, and Cybereason XDR are still separate products at different price points. Ask exactly which product you are being quoted.
- –Five acquisitions and a 15% launch-day layoff. Ask about contract continuity and staff retention.
Verify pricing directly with the provider.
Team and access
Reputation
G2 4.4/5 (120 reviews, primarily USM Anywhere). Gartner Peer Insights 4.3/5 (Trustwave MDR). Frost & Sullivan MDR Growth Index Leader 2025. Cybereason achieved 100% detection in MITRE ATT&CK 2024. SpiderLabs and FedRAMP authorization are genuine differentiators. Main concern is integration risk from five acquisitions in two years.
What customers praise
- ✓First pure-play MDR to earn FedRAMP authorization, a real differentiator for government buyers
- ✓SpiderLabs is a large, legitimate offensive security operation (1,000+ staff, 2,100+ pen tests/year)
- ✓Cybereason scored 100% detection in MITRE ATT&CK Enterprise 2024, adding real detection credibility
Common complaints
- ×Five acquisitions in two years with a 15% layoff at launch. Glassdoor 3.5/5 with 55% recommend and reports of high attrition
- ×Multiple unintegrated platforms (Fusion, USM Anywhere, Cybereason, Alert Logic). Promised unified platform not yet delivered.
- ×Base MDR tier SLAs and response times are not disclosed. Only Elite gets the published metrics.
Very little LevelBlue or Trustwave MDR discussion on Reddit. When mentioned, ownership churn is the recurring concern. MSP community sentiment is lukewarm.
Questions to ask
- 1.
After five acquisitions in two years, what specific contract continuity guarantees exist if the product we buy gets deprecated or merged?
- 2.
Which specific product are we being quoted: Trustwave MDR, MDR Elite, MXDR, MTDR, Co-Managed SOC, or Cybereason XDR? What do we lose by choosing one over another?
- 3.
What are the exact SLA commitments for base MDR? The published 15-min MTTA and sub-30-min MTTR only apply to Elite.
- 4.
How is MEPD calculated for our environment, and what happens to pricing if our event volume spikes?
- 5.
What is the current staff retention rate across the combined entity? Glassdoor reviews cite high attrition in some teams.
- 6.
When will the unified platform be available, and what happens to our current platform (Fusion, USM, Cybereason) if we sign today?
Evidence
Sources reviewed
Public-data caveats
- –SLA caveat: Trustwave's public service-level document lists a 15-minute Security Incident notification SLA. MTTA and MTTR objectives have narrower scope for MDR Elite and MDR U.S. Government; confirm the applicable service description and credits in the order form.
- –No public breach warranty is recorded.
- –Response authority may depend on pre-approval and contract scope.
Also consider
Independent research. Verify details directly with the provider before making decisions.
