Know the Right Answers to Your MDR Provider Questions

Eighty-three percent of organizations experienced at least one data breach between March 2021 and March 2022, according to IBM Security’s Cost of a Data Breach Report 2022. With such a high likelihood of attack, organizations are looking for answers. Many have turned to managed detection and response (MDR) services as a comprehensive solution to defend against the increasing threat of data breaches. Technological research and consulting firm Gartner projects that 50% of all organizations will use MDR services by 2025. 

Modern MDR combines advanced technology and experienced cybersecurity professionals who can leverage it. The technology should include a complete tool set, and the professionals should capture, integrate, and analyze data from networks, endpoints, logs, and cloud environments and respond to cyberattacks. 

However, not all MDR providers are the same. Choosing a modern MDR provider can seem like a daunting task, and organizations are having to sort through the confusion to find the right MDR provider for their needs. Most likely, you have a long list of questions you want to ask a provider. But do you know what the right answers to those questions would be? 

We break down the main topics that you should discuss with potential MDR providers, offer the important questions you should ask, and most importantly, reveal the answers you want to hear from a qualified MDR provider.


Organizations are at different stages of the cybersecurity maturity journey. Your organization may already have tools and teams in place or may be newly starting the trek. Either way, technology plays an important role in keeping your data and customers safe from cyber threats.

Can I keep my current technology or do I need to use yours?

You shouldn’t have to throw out your existing tools or be locked into only one approach. After all, you spent good money on the technology you currently have. A modern MDR provider should build on the technology you have and bring any additional technology you need.

The provider should integrate your existing infrastructure and controls into its monitoring and response platform.

What technology do you use to provide the MDR solution?

You want to know that the MDR provider offers more than management of alerts and firewalls using an outdated SIEM architecture and approach.

Modern MDR providers should be equipped with tools to combat today’s cybercriminals. Some of these advanced tools include a cloud-based monitoring and response platform, machine learning-supported analysis and detection solutions, and advanced endpoint detection and response tools.

Can you provide the visibility I need for my logs, endpoints, network, and cloud?

For visibility, an MDR provider with superior detection capabilities should have a broad and deep view into your systems and resources, including logs, endpoints, networks, and the cloud. The provider’s visibility should support advanced detection, not just rule-based detection. In addition, you want to know that the provider offers fine-grained visibility, meaning the ability to control who has access to specific data under specific criteria. Ideally, your provider should offer complete access to your log data to members of your organization.

Your organization may not need all of this visibility now, but you want to know that the provider can continue to support you as your cybersecurity needs evolve.

Will I have the same access to my data as you do?

When you use MDR services to protect against cyberattacks, the technology burden shifts from your cybersecurity team to the provider’s team.

Yet, your in-house team should still have access to the same technology as the provider, and you should retain access to your data at all times.

How are you planning to evolve your operation to combat new threats?

Cybercriminals constantly find novel ways to attack organizations. To combat these new threats, an MDR provider must evolve its technology and processes as the threat landscape evolves. Make sure the provider has a plan for staying ahead of cybercriminals and can talk about investments it has made to keep pace. You want to know that the provider will evolve as your organization’s cybersecurity needs mature.

  • Cybercriminals constantly find novel ways to attack organizations. To combat these new threats, an MDR provider must evolve its technology and processes as the threat landscape evolves.


Incident logs and alerts can accumulate fast, and the best MDR providers can properly handle the flow of information. You need to find the MDR provider with the processes that best fit your organization’s needs.

Is the service during business hours or 24/7?

You should expect 24/7 service, including live support, from your MDR provider. The cybersecurity professionals will be working during and after business hours — even at night while your employees soundly sleep.

How will the provider respond to an alert?

Alerts will be monitored and analyzed, identified as false positives or actual threats, and resolved in a way that fits your needs rather than just fitting the needs of the provider. With an MDR provider, the cybersecurity professionals can sort through and analyze the logs and also organize them to comply with industry or state regulations as needed. The provider should notify your organization when software vulnerabilities are discovered and help you quickly resolve any problem. A strong MDR provider should have the tools to remediate threats and have the detection capabilities to support its efforts.

Can I determine which alerts I will receive and how I will be alerted?

Communication is key when assessing an MDR provider. A provider should be open to working with you to determine which alerts you will receive and how you will be alerted. Taking your wishes into account, the provider should create a comprehensive plan for the notification of alerts. Methods such as chat, text, or phone calls are preferred ways to be conveniently and instantaneously contacted. Steer clear of providers that want to notify only by email because prompt notification of an attack is critical.

  • Communication is key when assessing an MDR provider. A provider should be open to working with you to determine which alerts you will receive and how you will be alerted.


Modern MDR providers know that human attackers must be confronted by human defenders. Without experienced cyber professionals on your team to leverage security tools, attackers will work around your defenses.

Unfortunately, there’s a global cybersecurity talent shortage, making it difficult for organizations to hire and retain employees. A recent Forrester Consulting study found that 53% of small and midsize businesses rely on external partners such as MDR providers to fill the talent gaps and keep their security operations centers (SOCs) up and running. The solution may be a good one for your business as well.

Does the provider have people on staff 24/7?

Cybercriminals work around-the-clock, and your MDR provider should too. The right MDR provider for your organization will be staffed 24/7 with seasoned cybersecurity professionals.

How is the provider recruiting, developing, and retaining talent?

The MDR provider should be able to communicate its strategy for hiring, training, and keeping talent. The provider should be comfortable discussing the current employee retention rate and specifically where it is focusing its efforts. You want to know that the provider carries the responsibility for recruiting, developing, and retaining talent.

How experienced are the people supporting your team?

People are the foundation of a good security program. If you don’t have experienced security staff in your organization to leverage security tools, attackers will not have much trouble penetrating your network. You want an MDR provider that is fully staffed and has senior-level people on your team with a long track record with the company. Look for a provider that values its employees and has a supportive mentoring program where the young professionals have access to the senior-level people. With the talent shortage, make sure the provider’s staff is not stretched thin and avoid any provider with a revolving door of employees.

What levels of expertise does the provider’s SOC team have?

The MDR provider should have talented professionals at all levels, from executives to senior level to entry level. The provider should be fully staffed with seasoned analysts, threat hunters, incident responders, forensic and malware specialists, and other security experts. In addition, if your organization needs a chief information security officer (CISO) to meet compliance requirements, the provider should be able to act as a virtual CISO for your organization.

How will the provider’s team work with my internal team?

A quality MDR provider integrates with your existing tools and fits with the people and policies of your organization. The provider’s security professionals should be readily accessible to your team to answer any questions and participate in conversations about the cybersecurity program 24/7. The provider should allow you to retain full access to your data and be transparent about the activity of the team.

Is threat hunting included with the MDR service?

You may expect threat hunting to be a basic MDR service, but many MDR providers only offer threat hunting as an add-on service. Be sure threat hunting is included in your package before moving forward with any MDR provider.

  • Cybercriminals work around-the-clock, and your MDR provider should too. The right MDR provider for your organization will be staffed 24/7 with seasoned cybersecurity professionals.

Incident Response

Modern MDR providers help organizations respond to cyber threats to minimize damage and reduce recovery time and costs. A provider should help you update your existing incident response plan — a set of instructions that can be implemented to prepare your organization to respond to a cyberattack — or create a new incident response plan so you know how to handle cyber incidents in the event of an attack.

Will the provider respond to a threat based on predetermined rules?

An MDR provider should rapidly take action against an attack using predefined parameters and a 24/7 team of incident responders, incident handlers, and forensic and malware specialists who can coordinate a full incident response from the moment the threat is identified.

Will the provider be responsible for containing or stopping a threat in the network?

The incident response life cycle must be as thorough and fast as possible, and MDR providers have the capability to significantly reduce dwell time. A provider should be capable of quickly identifying and detecting an incident, stopping the incident and reducing the impact, eliminating the threat and preventing recurrence, helping return your organization to normal operations, and conducting a post-breach investigation if necessary.

Is the provider capable of digital forensics and incident response?

Many MDR providers offer incident response plans, but the combination of incident response and forensic services is crucial to a strong security posture. Detailed forensic reports are an important part of any security infrastructure. A good MDR provider should maintain open communication about security incidents and follow-up analysis.

  • The incident response life cycle must be as thorough and fast as possible, and MDR providers have the capability to significantly reduce dwell time.


One cybersecurity package does not fit every business, so modern MDR providers need to allow for flexibility in their solutions. Most providers offer services that are customized to your organization’s specific industry and operational needs, but not all MDR providers do so. Look for an MDR provider that offers services and pricing tailored to your exact business needs.

Do I need to buy a full package of solutions?

You’ll want to know whether the provider will customize its package of services for your organization and, if so, what the package includes and at what cost. Ideally, an MDR provider should tailor a customized package of security services to meet your specific needs across multiple vectors, including endpoints, networks, logs, and the cloud. The provider should understand what cyber risks your organization faces, what existing technology systems and controls you have in place, and what your budget is. Then, the provider can customize a right-sized solution that works for your organization.

Can you tailor the services I need now and let me add more services as needed in the future?

An MDR provider should meet you where you are in your cybersecurity journey and customize solutions for your specific business needs. As your cybersecurity needs mature over time, you and the provider should work together to scale up (or down) the services you need to keep your business safe from an attack and in compliance.

How do you price your services?

Most likely, your organization has an allocated cybersecurity budget that you want to invest as wisely and cost effectively as possible. Using an MDR provider can be a more economical option than hiring a full security team and purchasing the technology tools needed to make it work. An MDR provider should never ask you to agree to or pay for more security services than you actually need. Many offer bundled services with few options for customization. This may be more than your organization needs or can afford. The provider should work closely with your organization to offer only the expertise and tools needed to protect your data from cyber threats.

  • An MDR provider should never ask you to agree to or pay for more security services than you actually need.


Cyber threats pose a challenge for businesses in every industry, and many organizations must comply with more than one security standard. Keeping up with compliance requirements calls for in-depth knowledge and competency. Modern MDR providers must understand the needs of organizations in various industries and know how to keep those organizations in good standing with cyber laws and regulations.

Do you have cybersecurity experience in my industry?

Every industry has its own unique challenges, such as privacy issues, compliance regulations, and prevalence of cyber events. A MDR provider should be knowledgeable of your industry and able to present case studies on how it successfully handled detection, response, and remediation efforts for those specific clients. When faced with a cyberattack, you want to know that the provider has the experience to safeguard your business or remediate any problem that arises.

Do you have experienced compliance experts in-house?

Compliance experience is important for any organization that works within a regulated industry. You want to know that the MDR provider has experience navigating the compliance landscape, can keep up with any changes in legislation, and is available to take immediate action 24/7 in the event of a breach. The MDR provider should offer cyber risk and regulatory compliance assessment services that include a focused review of the IT systems environment to identify areas of risk and maturity as they relate to applicable regulations and rules. At a minimum, the provider should map its services to the National Institute of Standards and Technology framework.

Can I get a specific demonstration of the reporting tool?

Incident reporting is important for compliance, and heavily regulated industries are not the only ones that can benefit from comprehensive reporting. Most organizations perform more efficiently with the proper handling of incident logs and alerts. When an MDR provider builds the reports, it lifts the reporting burden off of your organization and shifts it to the provider’s more experienced security professionals. The MDR provider should be eager to demonstrate the reporting tool.

When “one size fits all” cybersecurity really doesn’t fit for you, it’s time to try on Pondurance’s customized managed detection and response (MDR).

Isn’t it time to request your personalized demo?