Buyer fit
Good fit when
- ✓Mid-market and enterprise organizations committed to existing EDR platforms who want SOC expertise without rip-and-replace
- ✓Companies with experienced IT teams who can execute remediation actions based on analyst guidance
- ✓Organizations requiring global SOC coverage across UK, Middle East, APAC and Africa
Watch out when
- ×Teams wanting transparent pricing and published SLA credits upfront
- ×Organizations needing active remediation where the MDR provider executes containment autonomously
- ×Buyers who rely on public reviews and validated customer references before evaluation
Coverage
3 of 6 attack surfaces in the base price — the rest are separately priced.
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –Identity monitoring requires separate scoping
- –SaaS monitoring is optional add-on
- –OT/ICS coverage not offered
Cost caveats
- –IBM QRadar SIEM licensing may be a separate cost depending on whether SecurityHQ hosts it or you bring your own. Clarify who pays for SIEM infrastructure.
- –No published pricing at all. AWS Marketplace lists private offers only, so you will not see a price until you engage sales.
- –Identity monitoring and SaaS coverage are scoped separately, which could increase costs significantly depending on your environment.
- –Multi-year contracts are typical in the MSSP market. Ask about early termination terms and auto-renewal clauses.
Verify pricing directly with the provider.
Team and access
Certifications
Reputation
Thin public review presence compared to larger MDR vendors. MITRE 2024 managed services evaluation showed strong detection with low alert noise. IDC MarketScape Leader for Middle East MDR in 2024 and 2025. Technology-agnostic approach appeals to customers with existing EDR investments, but no published pricing and few customer references make independent evaluation difficult.
What customers praise
- ✓MITRE 2024 managed services evaluation: 100% step detection, 77% technique coverage, low alert noise
- ✓Vendor-agnostic model works with existing EDR rather than forcing platform lock-in
- ✓Global SOC coverage across seven locations with follow-the-sun operations
Common complaints
- ×Minimal public reviews or customer references make independent verification difficult
- ×No published pricing. You are evaluating blind until you talk to sales.
- ×Guided response means your team executes remediation, slower than providers that take action directly
No significant Reddit discussion found on r/msp, r/cybersecurity or r/sysadmin. Low market visibility compared to Arctic Wolf, CrowdStrike or Expel.
Questions to ask
- 1.
The AWS Marketplace listing says 15-minute P1 notification. What are the SLA terms for P2/P3, and are there SLA credits if the 15 minutes is missed?
- 2.
What is the total cost for our environment including SIEM licensing, analyst services and platform fees? Are there data volume limits or overage charges?
- 3.
Which remediation actions will your analysts execute directly vs. which require our IT team? What is the typical time lag between recommendation and containment?
- 4.
How does the IBM QRadar deployment work? Cloud-hosted by SecurityHQ, on-premise, or hybrid? Who pays for SIEM licensing and manages tuning?
- 5.
Your MITRE evaluation showed 77% technique coverage. How do you handle the 23% of techniques you did not detect? What compensating controls exist?
- 6.
Can you provide customer references in our industry and company size who can speak to day-to-day operations?
- 7.
What happens to our detection rules, playbooks and historical data if we leave? Is there a documented exit process?
Evidence
Sources reviewed
Public-data caveats
- –SLA caveat: 15-minute SLA for P1 notification confirmed via AWS Marketplace listing and IDC MarketScape 2024. This covers detection, analysis and notification of critical events, not remediation. Standard MDR also includes 40 hours of DFIR services per client (IDC MarketScape). No published SLA credits or financial guarantees.
- –No public fixed price is recorded; compare only after a scoped quote.
- –No public breach warranty is recorded.
- –Response workflows are described, but exact standard containment actions are not public.
Also consider
Independent research. Verify details directly with the provider before making decisions.
