How to evaluate MDR vendors: a CISO's practical guide
MDR (Managed Detection & Response) purchasing is one of the highest-stakes security buying decisions a CISO makes. You are outsourcing your eyes and hands to a third party — which means the vendor's quality of detection, response speed, and communication will directly determine your security outcomes.
What you actually need to evaluate
Most MDR RFP processes focus on the wrong things: feature lists, analyst certifications, and customer logos. Here is what actually matters:
1. Detection engineering quality: Ask to see a sample of their detection rules. Ask how many custom rules they write per month for a customer of your size. Ask who writes them — is it the same team that does IR?
2. Mean time to respond (MTTR): Not time to detect. Not time to notify. Time to *contain*. Get contractual SLAs, then ask for references from customers who have actually had incidents.
3. Analyst escalation paths: At 2am on a Sunday, who answers the phone? What is their experience level? Can you call them directly or do you always go through a portal?
4. Scope of response authority: Can they isolate an endpoint without your approval? Under what conditions? This matters enormously for ransomware scenarios.
Questions to ask every vendor
- What is your analyst:customer ratio?
- What percentage of alerts do you auto-close vs escalate?
- Show me the last three escalations from a customer of comparable size.
- What EDR/SIEM do you use, and can I use my own?
- What are your contractual MTTR SLAs, and what happens if you miss them?
The open source alternative: a reality check
Wazuh + DFIR-IRIS can replicate some MDR capabilities — but you become the SOC. That is a 1–2 FTE ongoing commitment at minimum, plus the cost of analyst tooling, threat intel feeds, and 24/7 coverage. For most organisations, commercial MDR is cheaper when fully costed.
See our [MDR category page](/categories/mdr) for current vendor scores and comparisons.
Disclaimer: This article reflects the independent views of the Comparisec editorial team. No vendors were given advance copy or approval rights.