Research Report: MDR Buying in 2025 – What Buyers Demand and Why

Research-backed guidance to update RFPs: require audit trails, minutes-fast SLAs, and seamless integration across your current stack

The MDR market has exploded – but how do you choose the right provider? AirMDR surveyed 260 security leaders to understand how buyers really evaluate MDR vendors. What emerged is a clear shift in expectations – away from black-box promises and toward audit-ready evidence, transparent AI + human workflows, and fast, measurable outcomes. This blog breaks down the most important research findings, why they matter, and what to ask vendors as you evaluate your next MDR provider.

Here’s what the research found, why it matters, and what to look for in your next evaluation.

1) Trust now means “show your work”

Finding: 85% say they’re more likely to trust an MDR provider when every decision is documented.

Why it matters: Boards, auditors, and business stakeholders don’t accept “because the tool said so.” Documented reasoning with data citations makes investigations explainable, defensible, and repeatable – especially as AI takes on more routine work. Evidence turns claims into an auditable record for post-incident reviews and compliance.

What to look for:

• A real sample case with a timestamped timeline (alert → enrichments → actions → approvals → closure).
• An audit-ready case file (case log, evidence list with hashes, approvals).
• Clear data citations showing where each conclusion came from.

2) Organization want to keep the stack

Finding: 77% want MDR that works with the tools they already own – no rip-and-replace required.

Why it matters: Re-plumbing pipelines delays value and introduces risk. Compatibility preserves existing investments and lets you measure MDR impact without confounding changes. Integrations also determine how safely actions execute in your environment.

What to look for:

• Native integrations with your security stack, including ticketing and collaboration.
• Support for data ingestion and actions through your tools, not the vendor’s proprietary replacements.
• No rip-and-replace required for visibility or orchestration.

3) Hybrid is the operating model

Finding: 85% prefer a hybrid AI + human approach: AI handles routine, high-confidence work; humans govern edge cases and sensitive actions.

Why it matters: Pure “AI-only” can miss context; pure “human-only” can’t scale. A hybrid model reduces toil while keeping explainability, control, and accountability intact.

What to look for:

• Confidence thresholds that route auto-resolve vs human-in-the-loop.
• Named approval roles and clear guardrails for high-impact steps.
• A versioned change log for policies/playbooks.

4) Results in minutes, not hours

Finding: 71% expect investigations to complete in under 10 minutes – “minutes-fast” is the new baseline.

Why it matters: The threat containment window is unforgiving. Faster triage shortens dwell time, reduces blast radius, and preserves business continuity. Minutes-level SLAs also build trust with executives who track time-to-respond as closely as outcomes.

What to look for:

• Precise definitions for timing (when the clock starts/stops).
• Recent distribution, not just a single average.
• SLA adherence over the last 30 days, with outlier handling explained.

5) Beyond Coverage: Prove Outcomes with Evidence

Finding: 24×7 coverage and compliance often start the MDR buying conversations – but buyers stay for transparent, explainable investigations with exportable evidence.

Why it matters: “We watch alerts all night” checks a box; evidence earns trust. Transparent cases show what happened, why it was done, and who approved it – so you can satisfy regulators and internal leaders without slowing the business.

What to look for:

• Post-alert artifacts: timeline + audit-ready case file for a recent investigation.
• Proof that minutes-fast investigations actually occur (recent data, not promises).
• Clear fit with your stack: how actions, logging, and handoffs work in your environment.

6) Operational gaps still dominate

Finding: Many teams still investigate fewer than 30% of alerts; 60% report 5+ unattended hours/day; and 84% track incidents in spreadsheets.

Why it matters: Throughput, coverage, and data hygiene are where risk hides. If investigations don’t keep up, blind spots grow—especially during unattended windows—and spreadsheet sprawl fragments evidence, hurting audits and learning loops. MDR should raise coverage and consistency, not just add another queue.

What to look for:

• The vendor’s coverage math (investigated alerts ÷ total alerts) before/after MDR.
• A plan to reduce unattended hours (overnights/weekends) with metrics.
• A standardized, exportable audit-ready case file generated for every case.

Today’s MDR buyers are more demanding – and more precise.
It’s no longer enough to say “we respond fast” or “we use AI.” Security leaders want proof: case logs, timestamps, approvals, audit-ready case files. They want MDR that runs in their stack, under a governed autonomy model. And they expect results in minutes, not hours.

As you evaluate vendors – or renew existing services – use these research-backed findings to sharpen your RFP, ask tougher questions, and raise the bar.

Today’s MDR buyers are more demanding – and more precise.

It’s no longer enough to say “we respond fast” or “we use AI.” Security leaders want proof: case logs, timestamps, approvals, audit-ready case files. They want MDR that runs in their stack, under a governed autonomy model. And they expect results in minutes, not hours.

As you evaluate vendors – or renew existing services – use these research-backed findings to sharpen your RFP, ask tougher questions, and raise the bar. 

Quick buyer checklist

• Can you see a sample case with timestamps, approvals, and exports?
• Does it run in your stack without rip-and-replace?
• Does it use a hybrid approach of AI + humans, with governed autonomy (thresholds, approvals, change log)?
• Are investigations measured in minutes with clear definitions and recent distribution?

About the study

AirMDR commissioned an independent firm to survey 260 cybersecurity leaders at midmarket (100–5,000 employees; 86%) and large enterprise (5,001+; 14%) organizations. Responses spanned 15 industries including: technology (computer hardware & software), business services, financial services, telecommunications, manufacturing, retail and healthcare. Topics included MDR selection criteria, operating expectations, and AI’s role in scaling investigations. 

• Read the full research summary (report landing page)

Explore how AirMDR meets these new criteria