How to Vet Your MDR Provider: Evaluating Security Services

Written by SecureOps Team | Oct 7, 2025 3:42:02 PM

Managed Detection and Response (MDR) is a core component of enterprise cybersecurity, and its adoption is growing rapidly. The global MDR market is projected to rise from $1.89 billion in 2024 to $8.59 billion by 2032, a compound annual growth rate of 20.8%. That growth reflects the rising weight cybersecurity now carries in corporate strategy and boardroom discussions.

However, not all MDR services deliver the protection buyers expect. Some offer limited coverage, automated alerts without context, or rigid prepackaged solutions. The most important consideration is fully understanding the scope, limitations, and options within your MDR agreement. This article aims to make CISOs and cybersecurity directors aware of the gray areas that contracts often leave ill-defined, so that during the evaluation process you know which questions to ask and which issues to watch for.

MDR Market Landscape

The MDR market is rapidly evolving with a growing number of vendors and service models. Organizations increasingly rely on these services to handle threat detection, initial containment, and alert triage. Despite this growth, evaluating MDR offerings can be challenging due to the lack of transparency and the varying levels of service provided.

As Erik Montcalm, Senior VP of Security Services and Technologies, explains, “I think it's a difficult market full of confusing and contradictory terms, a lot of gray areas.” This complexity underscores why CISOs and security directors must approach MDR contracts with careful scrutiny and clear evaluation criteria.

Red Flags and Pitfalls in MDR Services

1. Alert Forwarding Instead of True Response

As Montcalm notes, “Some MDR contracts will include alert forwarding instead of actual response.” In that model the provider monitors and notifies, but investigation and containment fall to your internal team. If this division of responsibility is not understood and staffed for, the result is delayed response or incidents missed entirely. Before signing, check how the contract defines “response”: whether the provider will take containment actions such as isolating an endpoint or disabling an account on your behalf, or only deliver an alert.

2. Whitelabeling and Middleman Risks

A significant pitfall occurs when your MDR provider white-labels another vendor’s security service, reselling it without adding expertise of its own. Montcalm explains this common scenario:

“If your MSSP is basically a middleman to Sophos or another solution, it’s hard for you to talk to the real people actioning your alerts. The MSSP, in this case, is not the security expert, which is worse than if you just went to Sophos directly.”

This arrangement creates confusion over whom to contact and introduces delay between the detection of a security event and the people who actually address it. Your organization may receive alerts, but the human expertise required for decision-making is diluted and sits one step further away.

3. Lack of Flexibility and Overstandardization

Rigid, prepackaged agreements often prevent meaningful customization. Even small adjustments to alerting, playbooks, or logging may be difficult or impossible to implement. 

Montcalm notes the importance of planning for growth and flexibility. “As your maturity grows, you may need more and more customization and what doesn't seem like a big deal in year one may become a very big deal in year two or three.” 

Organizations must confirm in advance whether adjustments, custom playbooks, or alert tweaks are offered and what the associated costs are. Otherwise, you may be stuck with a standardized service that does not align with your environment as it evolves.

4. Poor Integration Across Systems

Effective MDR requires visibility across endpoints, identity systems, cloud services, and SIEM tools. Gaps in integration leave blind spots in your security posture. Montcalm describes how to probe this limitation:

“Most MDR providers will take any log you send them. That doesn't mean they'll parse them and do anything useful with them. Logging is now cheap in a cloud-first world. So the better question to ask is what are you going to do with these specific log sources for me?”

Your evaluation should establish which log sources are parsed into structured fields, which detections actually fire on them, and which are correlated with other sources during monitoring, as opposed to being merely stored for possible forensics later.
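To make the distinction concrete, the following is an added example (not code from the original article or from any vendor it mentions). It contrasts a provider that merely stores the logs it is sent with one that parses identity and endpoint telemetry and joins the two on user and time window. The log lines, field names, usernames, hostnames and the 15-minute window are all constructed for illustration.

```python
"""Added illustration: 'stored' versus 'parsed and correlated' log handling.

The sample records below are constructed, not real telemetry. Field names
(ts, user, country, mfa, image, cmdline) are assumptions chosen for the
example; a real IdP or EDR product will use its own schema.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed identity-provider (IdP) sign-in events, one JSON object per line.
IDENTITY_LOGS = """
{"ts":"2025-10-07T14:01:10Z","source":"idp","user":"j.doe","event":"signin","result":"success","country":"CA","mfa":true}
{"ts":"2025-10-07T14:22:41Z","source":"idp","user":"j.doe","event":"signin","result":"success","country":"RO","mfa":false}
{"ts":"2025-10-07T14:30:00Z","source":"idp","user":"a.roy","event":"signin","result":"failure","country":"CA","mfa":true}
""".strip()

# Constructed endpoint (EDR) process events for the same period.
ENDPOINT_LOGS = """
{"ts":"2025-10-07T14:24:05Z","source":"edr","host":"LT-0412","user":"j.doe","event":"process","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc <base64 payload>"}
{"ts":"2025-10-07T15:10:00Z","source":"edr","host":"LT-0099","user":"a.roy","event":"process","image":"notepad.exe","cmdline":"notepad.exe"}
""".strip()


def stored_only(raw: str) -> dict:
    """What 'we will take any log you send us' amounts to on its own:
    the data is retained and counted, but nothing is understood about it."""
    lines = [l for l in raw.splitlines() if l.strip()]
    return {"lines": len(lines), "bytes": len(raw.encode("utf-8"))}


def parse_logs(raw: str) -> list[dict]:
    """Parse newline-delimited JSON into records with a real datetime.
    A provider that only stores logs never reaches this step."""
    records = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def risky_signins(identity: list[dict], home_country: str = "CA") -> list[dict]:
    """Identity-side signal: successful sign-in without MFA from outside the
    home country (home country is an assumed tenant setting here)."""
    return [
        r for r in identity
        if r["event"] == "signin" and r["result"] == "success"
        and not r["mfa"] and r["country"] != home_country
    ]


def suspicious_processes(endpoint: list[dict]) -> list[dict]:
    """Endpoint-side signal: PowerShell launched with an encoded command."""
    return [
        r for r in endpoint
        if r["event"] == "process"
        and r["image"].lower() == "powershell.exe"
        and "-enc" in r["cmdline"].lower().split()
    ]


def correlate(identity: list[dict], endpoint: list[dict],
              window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Join the two signals on the same user where the endpoint event follows
    the sign-in within `window`. Each signal alone is noisy; together they
    describe one plausible intrusion chain, which is what 'correlated' means."""
    findings = []
    for s in risky_signins(identity):
        for p in suspicious_processes(endpoint):
            gap = p["ts"] - s["ts"]
            if p["user"] == s["user"] and timedelta(0) <= gap <= window:
                findings.append({
                    "user": s["user"],
                    "host": p["host"],
                    "signin_country": s["country"],
                    "signin_ts": s["ts"].isoformat(),
                    "process_ts": p["ts"].isoformat(),
                    "cmdline": p["cmdline"],
                })
    return findings


def run_demo() -> list[dict]:
    """Parse both constructed sources and return the correlated findings."""
    return correlate(parse_logs(IDENTITY_LOGS), parse_logs(ENDPOINT_LOGS))


if __name__ == "__main__":
    print("stored only:", stored_only(IDENTITY_LOGS + "\n" + ENDPOINT_LOGS))
    for finding in run_demo():
        print(json.dumps(finding, indent=2))
```

When asking a prospective provider “what are you going to do with these specific log sources for me?”, the answer you want resembles `correlate`, a named detection that joins the identity source to endpoint data, rather than `stored_only`, which is all that “we ingest any log” guarantees.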

5. Balancing Automation and Human Expertise

MDR services vary widely in cost, human involvement, and automation. Higher automation reduces price but may compromise judgment on complex threats. Conversely, human-led analysis is more expensive but provides nuanced insights. Montcalm states a key indicator:

“Hypothesis-driven proactive threat hunting is very important but it is also more expensive. If you see a vendor that's four times cheaper than the other vendors, I would start asking those pointed questions.”

Automation is valuable for repetitive tasks, but human analysts remain critical for investigation, containment, and contextual threat assessment. You must understand where one ends and the other begins. Montcalm warns, “If you don't see the people in the process, it is worth further inquiry.” The effectiveness of MDR often hinges on the skill of those human operators, not just the tools. The goal, in the end, is clarity about what you are buying.

“I think the problems start when you assume one thing but receive another. Threat hunting may not be threat hunting, monitoring may not be monitoring, and automation may not be automation as you understand it. There are several permutations of each, but as long as you know what you're getting, I don't think it's a problem.”

Key Questions for Your Prospective MDR Provider

When evaluating MDR vendors, use these questions to pierce through marketing claims and understand the real service being offered.

  • On Response: When a threat is detected, what specific actions will your analysts take to contain it (for example, isolating an endpoint or disabling an account), do you have standing authorization to take them without waiting for us, and within what timeframe?

  • On Service Delivery: Is your security operations center (SOC) staffed entirely by your direct employees? Who is our ultimate point of contact for a complex technical escalation?

  • On Flexibility: What is the process for creating a custom detection rule or response playbook for our specific environment, and what are the associated costs?

  • On Integration: You ingest our cloud and identity logs. Can you explain how you analyze and correlate those logs with endpoint data to identify an active threat?

  • On Expertise: What is the structure of your analyst team, and what level of access will we have to advanced analysts for proactive engagements?

Conclusion: Clarity is Everything

The MDR market is filled with ambiguous terms and standardized offerings that may not align with your organization's needs. In this environment, establishing clarity is the most important step a security leader can take. Knowing exactly what your MDR provider delivers, what is standardized versus customizable, and where human expertise is applied lets you avoid these pitfalls and make an informed decision.

Evaluate providers not by price alone, but by asking precise questions, verifying their capabilities, and clarifying all expectations. A clear understanding of scope, limitations, and options will help you identify a partner that truly strengthens your cybersecurity posture.

To help buyers find the best MDR service for their needs, read the SecureOps Buyer’s Guide to Co-Managed MDR Services.