

Red Canary Managed Detection and Response
Pure-play MDR built to work with whatever EDR you already have, covering 9 platforms including CrowdStrike, Microsoft Defender, SentinelOne, and Carbon Black. Founded 2014 in Denver, acquired by Zscaler August 2025 for $675M. Detection-as-code methodology with MITRE ATT&CK mapping across all detections, AI Investigation Agents trained on 10+ years of data, and Slack-native SOC communication.
Buyer fit
Good fit when
- ✓Organizations with existing EDR investments (CrowdStrike, Microsoft, SentinelOne, Carbon Black, Cortex XDR, Trend Micro, Jamf) wanting MDR layered on top
- ✓Linux-heavy environments needing purpose-built Linux EDR for containers and Kubernetes
- ✓Security teams wanting Slack-native SOC communication with configurable automated response playbooks
Watch out when
- ×Global organizations needing follow-the-sun SOC coverage, only Denver SOC confirmed
- ×Organizations wanting included incident response, IR is via partner network and not part of base service
- ×Buyers concerned about long-term vendor-agnostic independence under Zscaler ownership, elevated churn disclosed Feb 2026
Coverage
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –OT/ICS monitoring via Dragos Platform (optional integration)
- –Security Data Lake storage beyond included allocation
- –Advanced incident response retainer (partner network)
- –Per-cloud-resource and per-user charges beyond base endpoint pricing
- –Red Canary Linux EDR agent (may be priced separately)
- –Managed Phishing Response
Cost caveats
- –Resource-based pricing (endpoint + user + cloud) can scale unexpectedly as environments grow
- –Elevated customer churn post-Zscaler acquisition disclosed in Feb 2026 earnings, market mindshare declined 4.2% to 2.9% year-over-year
- –Single SOC location in Denver with no follow-the-sun model documented
- –Enterprise tier required for dedicated support and custom features
- –Vendor-agnostic positioning may erode over time under Zscaler ownership per Forrester
Pricing compiled from public sources. Verify directly with the provider.
Team and access
Reputation
Forrester Wave MDR Leader Q1 2025. G2 4.7/5 (127 reviews, #1 customer satisfaction). Gartner Peer Insights 4.6/5 (131+ reviews). PeerSpot 9.0/10. Product quality remains strong post-Zscaler acquisition, but Zscaler disclosed elevated customer churn in Feb 2026 earnings with market mindshare declining from 4.2% to 2.9% year-over-year.
What customers praise
- ✓Broadest EDR integration in MDR (9 platforms) with vendor-agnostic approach maintained post-acquisition
- ✓Detection-as-code methodology with all detections mapped to MITRE ATT&CK
- ✓Slack-native SOC communication with responsive Threat Response Engineers
Common complaints
- ×Elevated customer churn post-Zscaler acquisition, market mindshare declined 4.2% to 2.9% (Zscaler Q2 FY2026 earnings, Feb 2026)
- ×Single Denver SOC with no follow-the-sun model for global organizations
- ×Pricing not publicly disclosed, resource-based model can scale unexpectedly
Limited direct Reddit discussion. Generally mentioned favorably alongside Expel and CrowdStrike Falcon Complete as a top-tier MDR option in cybersecurity communities.
Questions to ask
- 1.
Given the elevated customer churn Zscaler disclosed in Feb 2026 earnings, what commitments can you provide about maintaining vendor-agnostic EDR partnerships over our contract term?
- 2.
What is the total cost for our environment including per-endpoint, per-user, and per-cloud-resource charges?
- 3.
With a single SOC in Denver, how do you provide 24/7 coverage and what is the overnight staffing model?
- 4.
What happens to our detection rules and SOAR playbooks if we leave Red Canary?
- 5.
Is the Palo Alto Managed XSIAM partnership still active under Zscaler ownership?
- 6.
What is the FedRAMP certification timeline for government sector customers?
Evidence
Sources reviewed
Public-data caveats
- –No public contractual response-time SLA is recorded for this profile.
- –No public breach warranty is recorded.
- –Response authority may depend on pre-approval and contract scope.
Also consider
Information compiled from public sources. Verify details directly with the provider before making decisions.