SecureOps Blog on Cybersecurity

How to Vet Your MDR Provider: Evaluating Security Services

Written by Ardath Albee | Oct 7, 2025 3:42:02 PM

Why Vetting Your MDR Provider Matters

Managed Detection and Response (MDR) is a core component of enterprise cybersecurity, and its adoption is growing rapidly. The global MDR market is projected to rise from $1.89 billion in 2024 to $8.59 billion by 2032, at a compound annual growth rate of 20.8%. This growth signals the rising emphasis on cybersecurity in corporate strategy and boardroom discussions.

MDR Market Growth and What It Means for Buyers

However, not all MDR services deliver the meaningful protection sought by buyers. Some may offer limited coverage, automated alerts without context, or rigid prepackaged solutions. The most important consideration is fully understanding the scope, limitations, and options within your MDR agreement. This article aims to make CISOs and cybersecurity directors aware of the gray areas that may be ill-defined, so that during the evaluation process you know which questions to ask and which potential issues to watch for.

Navigating a Complex and Rapidly Evolving MDR Market

The MDR market is rapidly evolving with a growing number of vendors and service models. Organizations increasingly rely on these services to handle threat detection, initial containment, and alert triage. Despite this growth, evaluating MDR offerings can be challenging due to the lack of transparency and the varying levels of service provided.

Why MDR Evaluation Requires Careful Scrutiny

As Erik Montcalm, Senior VP of Cybersecurity Services, explains, "I think it's a difficult market full of confusing and contradictory terms, a lot of gray areas." This complexity underscores why CISOs and security directors must approach MDR contracts with careful scrutiny and clear evaluation criteria. The same principles that guide effective security services provider selection apply across all managed security services, making a systematic evaluation approach essential.

5 MDR Red Flags and Pitfalls Security Leaders Must Avoid

Here are five red flags Montcalm advises security leaders to watch out for when evaluating MDR contracts:

1. Alert Forwarding Instead of True Response

As Montcalm notes, “Some MDR contracts will include alert forwarding instead of actual response.” This means the provider may deliver adequate monitoring but leave investigation and containment to your internal team. If this division of responsibility is not well understood and accounted for, it can result in delayed responses or in incidents being missed entirely.

2. Whitelabeling and Middleman Risks

A significant pitfall occurs when your MDR provider whitelabels its security service, reselling another vendor's solution without adding its own expertise. Understanding the MSP vs MSSP distinctions helps clarify these service delivery models and their implications for security outcomes. Montcalm explains this common scenario:

“If your MSSP is basically a middleman to Sophos or another solution, it’s hard for you to talk to the real people actioning your alerts. The MSSP, in this case, is not the security expert, which is worse than if you just went to Sophos directly.”

This arrangement creates confusion about whom to contact and introduces delays between the detection of a security event and the people actually addressing it. Your organization may receive alerts, but the human expertise required for decision-making becomes diluted and outsourced. Understanding the MDR force multiplier benefits helps clarify why direct access to security expertise is crucial for maximizing your investment.

3. Lack of Flexibility and Overstandardization

Rigid, prepackaged agreements often prevent meaningful customization. Even small adjustments to alerting, playbooks, or logging may be difficult or impossible to implement. This rigidity becomes especially problematic when MDR must integrate with infrastructure security as your first line of defense, where the underlying environment demands tailored detection logic and coordinated response.

Montcalm notes the importance of planning for growth and flexibility. "As your maturity grows, you may need more and more customization and what doesn't seem like a big deal in year one may become a very big deal in year two or three." This maturity curve mirrors the broader security journey many organizations face—conducting a Zero Trust implementation maturity assessment can help CISOs benchmark where they stand and anticipate which MDR capabilities they'll need as their program evolves.

Organizations must confirm in advance whether adjustments, custom playbooks, or alert tweaks are offered and what the associated costs are. Otherwise, you may be stuck with a standardized service that does not align with your environment as it evolves.

4. Poor Integration Across Systems

Effective MDR requires visibility across endpoints, identity systems, cloud services, and SIEM tools. Gaps in integration can leave critical blind spots in your security posture. This is why many organizations pair their MDR with managed firewall solutions to ensure consistent visibility and control across network boundaries. Montcalm explains how to parse this limitation:

“Most MDR providers will take any log you send them. That doesn't mean they'll parse them and do anything useful with them. Logging is now cheap in a cloud-first world. So the better question to ask is what are you going to do with these specific log sources for me?”

Your evaluation should include questions about which logs are actionable, correlated across systems, and actively used in monitoring, not just stored for potential forensics.

5. MDR Automation vs. Human Analyst Expertise: Finding the Right Balance

MDR services vary widely in cost, human involvement, and automation. Higher automation reduces price but may compromise judgment on complex threats. Conversely, human-led analysis is more expensive but provides nuanced insights. This distinction becomes especially critical as threat actors increasingly weaponize AI: understanding the AI-driven ransomware detection your MDR must handle helps set the right expectations for both automation thresholds and analyst involvement. Montcalm states a key indicator:

“Hypothesis-driven proactive threat hunting is very important but it is also more expensive. If you see a vendor that's four times cheaper than the other vendors, I would start asking those pointed questions.”

Automation is valuable for repetitive tasks, but human analysts remain critical for investigation, containment, and contextual threat assessment. Organizations looking to mature their security operations should focus on process-driven automation strategies that enhance rather than replace human decision-making. Many organizations find themselves struggling with accumulated technical and operational challenges in their security operations centers, making addressing SOC debt through strategic partnerships a critical consideration when selecting an MDR provider. You must understand where one ends and the other begins.

Why Human Oversight Remains Critical in MDR

Montcalm warns, "If you don't see the people in the process, it is worth further inquiry." The effectiveness of MDR often hinges on the skill of these human operators, not just the tools. Ultimately, however, clarity is the goal. For organizations looking to go beyond vendor evaluation and strengthen their own security operations infrastructure, building a next-generation SOC provides a practical framework for developing the in-house capabilities that complement a well-chosen MDR partner.

“I think the problems start when you assume one thing but receive another. Threat hunting may not be threat hunting, monitoring may not be monitoring, and automation may not be automation as you understand it. There are several permutations of each, but as long as you know what you're getting, I don't think it's a problem.”

Key Questions to Ask When Evaluating an MDR Provider

When evaluating MDR vendors, use these questions to pierce through marketing claims and understand the real service being offered.

  • On Response: When a threat is detected, what specific actions will your analysts take to contain it and within what timeframe?

  • On Service Delivery: Is your security operations center (SOC) staffed entirely by your direct employees? Who is our ultimate point of contact for a complex technical escalation?

  • On Flexibility: What is the process for creating a custom detection rule or response playbook for our specific environment, and what are the associated costs?

  • On Integration: You ingest our cloud and identity logs. Can you explain how you analyze and correlate those logs with endpoint data to identify an active threat?

  • On Expertise: What is the structure of your analyst team, and what level of access will we have to advanced analysts for proactive engagements?

Conclusion: How Clarity Helps You Choose the Right MDR Provider

The MDR market is filled with ambiguous terms and standardized offerings that may not align with your organization's needs. In this complex environment, ensuring clarity is the most important step a security leader can take. Fully understanding what your MDR provider is delivering, what is standardized versus customizable, and where human expertise is applied ensures you can avoid pitfalls and make an informed decision. For CISOs ready to move beyond vendor evaluation and into a broader security strategy, building cyber resilience through MSSP partnerships offers a practical framework for translating MDR selection into long-term organizational security maturity.

Evaluate providers not by price alone, but by asking precise questions, verifying their capabilities, and clarifying all expectations. Similar MSSP value assessment questions can guide your evaluation process. A clear understanding of scope, limitations, and options will help you identify a partner that truly strengthens your cybersecurity posture. For organizations with regulatory requirements, selecting a compliance-focused MDR provider can deliver additional value by streamlining audit preparation and maintaining continuous compliance monitoring.

To help buyers find the best MDR service for their needs, read the SecureOps Buyer’s Guide to Co-Managed MDR Services.

Frequently Asked Questions

What are the biggest red flags to watch for in an MDR contract?

Here are five red flags Montcalm advises security leaders to watch out for when evaluating MDR contracts: alert forwarding instead of true response, whitelabeling and middleman risks, lack of flexibility and overstandardization, poor integration across systems, and an imbalance between automation and human analyst expertise.

What is the risk of an MDR provider that whitelabels another vendor's solution?

If your MSSP is basically a middleman to Sophos or another solution, it's hard for you to talk to the real people actioning your alerts. The MSSP, in this case, is not the security expert, which is worse than if you just went to Sophos directly. This arrangement creates confusion on who to contact and introduces delays between the detection of a security event and the people actually addressing it.

How should I evaluate whether an MDR provider's log ingestion is actually useful?

Most MDR providers will take any log you send them. That doesn't mean they'll parse them and do anything useful with them. Logging is now cheap in a cloud-first world. So the better question to ask is what are you going to do with these specific log sources for me? Your evaluation should include questions about which logs are actionable, correlated across systems, and actively used in monitoring, not just stored for potential forensics.

How do I know if an MDR provider relies too heavily on automation instead of human analysts?

Hypothesis-driven proactive threat hunting is very important but it is also more expensive. If you see a vendor that's four times cheaper than the other vendors, I would start asking those pointed questions. Automation is valuable for repetitive tasks, but human analysts remain critical for investigation, containment, and contextual threat assessment. If you don't see the people in the process, it is worth further inquiry.

What questions should I ask an MDR vendor to cut through their marketing claims?

When evaluating MDR vendors, use these questions to pierce through marketing claims and understand the real service being offered: On Response — When a threat is detected, what specific actions will your analysts take to contain it and within what timeframe? On Service Delivery — Is your security operations center staffed entirely by your direct employees? On Flexibility — What is the process for creating a custom detection rule or response playbook for our specific environment, and what are the associated costs? On Integration — You ingest our cloud and identity logs; can you explain how you analyze and correlate those logs with endpoint data to identify an active threat? On Expertise — What is the structure of your analyst team, and what level of access will we have to advanced analysts for proactive engagements?