April 16, 2024

Essential Guide for First-Time Buyers: Investing in Managed Detection and Response Services

For many small and medium-sized enterprises (SMEs), investing in Managed Detection and Response (MDR) services offers a cost-effective strategy to meet compliance standards and mitigate risks associated with cyber threats, including phishing, ransomware, data breaches, and business interruptions.

As a first-time buyer of MDR services, you face a complex market that requires careful consideration. Here are essential questions to guide your decision-making process:

Security Infrastructure Assessment

Existing Tools: Evaluate your current cybersecurity infrastructure. Do you have the following tools in place?

  • Endpoint Detection and Response (EDR)
  • Firewall
  • Single Sign-On Services
  • Phishing Protection
  • Cloud Detection and Response
  • Network Detection and Response
  • Vulnerability Management
  • Data Loss Prevention
  • SIEM (Security Information and Event Management)

Strategic Risk Management Planning:

  • Identify the top three cybersecurity risks your business faces.
  • What specific threats do you aim to mitigate through MDR?

Objectives and Metrics:

  • Define your key objectives and success criteria for an MDR solution. How will you justify the investment internally?
  • What metrics will demonstrate the value of MDR over 3, 6, and 12 months?

Operational Considerations

Onboarding Process:

  • Who will provide the MDR provider with the necessary access to your systems?
  • Are all the necessary stakeholders on board and ready to facilitate the change?

Escalation Protocols:

  • Establish clear escalation paths. Who is your primary contact for urgent issues?
  • What are the expected check-in frequencies with your MDR provider?
  • Define your standard operating hours and procedures for after-hours incidents.
  • Determine your preferred communication methods (e.g., email, Slack, phone, case management system).

Alert Triage, Investigation, and Response 

Volume and Types of Alerts:

  • Events: Your security tools are likely producing a massive volume of events daily, which may range into the billions for a company with around 1000 employees. These events are significant from a security perspective but not all require immediate action.
  • Alerts: Suspicious activities that warrant closer examination. A 1000-person company generates dozens to a few hundred alerts per day.
  • Incidents: High-confidence indications of malicious activity that demand an immediate response to prevent damage. A company of this size should encounter fewer than hundreds of such incidents weekly.

Visibility and Accountability:

  • Assess your ability to monitor all alerts to ensure no threat goes unchecked. Can you differentiate why some alerts are escalated over others? Without clear visibility, your risk assessments might rely too heavily on assumptions rather than concrete analysis.

Detection Optimization:

  • With all alerts from existing tools managed properly, evaluate your detection coverage. Expanding detection capabilities might reduce risks but also incurs costs related to development, maintenance, and infrastructure.
  • Use frameworks like MITRE ATT&CK to identify and address gaps in your detection strategy. Consider whether expanding these capabilities justifies the cost and effort, and ensure that detections align with key business risk areas.

Incident Response Strategy:

  • Determine who in your organization has the authority to approve actions that might negatively impact operations.
  • Establish clear protocols for handling recommended actions that your internal team cannot directly address. Define who these tasks are assigned to, along with expected response times and the method of communicating



In my experience, for companies with fewer than 250 employees implementing an MDR for the first time, the questions outlined above provide a solid foundation. As your business expands, however, the initial investment in detection and response may no longer suffice to mitigate increasing risks. This progression will necessitate advancing to a more robust level of detection and response capabilities, a subject I will explore in a future blog post.

Author: Kumar Saurabh

Kumar Saurabh is the CEO and co-founder of AirMDR. He's leveraged his 20+ years of experience in enterprise security to develop an AI-powered virtual assistant for security operations to help address shortages in cybersecurity talent resources. Kumar's expertise spans from his engineering leadership at ArcSight to co-founding a company that offers cloud SIEM services and his role as CEO of LogicHub, where he focuses on SOAR/MDR.
