How to Evaluate an MDR Provider: 7 Questions to Ask Before You Sign
MDR providers are good at the sales process. The demonstrations show clean dashboards, fast response times, and confident analysts explaining how they would handle a ransomware event. What the demonstration does not show is what happens at two in the morning when a junior analyst picks up your alert, cannot reach your on-call contact, and makes a conservative decision to log and escalate rather than contain.
The buying process is designed to build confidence. The right questions break that process down and surface the operational reality of what you are actually buying. Here are seven questions worth asking before you sign anything.
Questions About Analysts and Coverage
1. Who actually monitors my environment, and what is their experience level? Many MDR providers have tiered analyst teams. Junior analysts handle initial triage. Senior analysts handle escalations. Understanding which tier monitors your environment day-to-day, what their qualifications are, and what escalation criteria move an alert to a more experienced analyst tells you more about real service quality than any SLA document. Ask for specifics, not general descriptions of the team.
2. What are your coverage hours and what changes outside them? "24/7 monitoring" can mean different things. It can mean a fully staffed operations centre around the clock. It can mean overnight coverage handled by a reduced team in a different geography. It can mean automated monitoring with on-call analysts who are paged for confirmed incidents. None of these is necessarily unacceptable, but you should know which model you are buying and whether the reduced-staff periods align with your highest-risk windows.
Questions About Detection and Response
3. Show me examples of real detections from clients in my sector. Marketing material describes what the provider can detect in theory. Examples of actual detections show what they find in practice in environments like yours. Ask for anonymised case studies that describe the initial signal, the investigation process, and the response action. A provider who cannot produce these examples, or who produces only high-profile case studies that do not resemble your environment, is telling you something about their detection coverage.
4. What response actions can you take without asking us first, and what requires our approval? Response authority is one of the most important and least discussed aspects of MDR contracts. If the provider must get your approval before taking any containment action, response time depends on your on-call contact answering their phone. If the provider can act without approval for defined categories of threat, you need to know exactly what those categories are. Understand the pre-authorisation model before you sign, not after the first incident.
Questions About SLAs and Measurement
5. How is your mean time to respond measured, and does that include investigation time? Response time metrics in MDR are rarely standardised. Some providers measure from alert trigger to first analyst acknowledgement. Some measure from confirmed threat to notification. Some measure from notification to containment action. A 15-minute MTTR that ends at "we sent you an email" is different from a 15-minute MTTR that ends at "we isolated the affected endpoint." Get the precise definition in writing and compare it against what you need.
6. What happens to alerts that do not meet your threshold for escalation? No MDR provider escalates every alert. They triage, and lower-confidence or lower-severity signals get logged rather than acted on. Understanding what the provider does with these signals, whether they are reviewed periodically, whether they are available for your own investigation, and whether the provider has visibility over them when investigating a later incident, matters for understanding the actual detection programme you are buying.
Questions About Fit and Transition
7. How do you tune detections to my environment, and what does that process look like in the first 90 days? Default detection rules produce default false positive rates. An MDR provider who does not tune to your environment will generate noise that erodes confidence in the service and eventually leads to alert fatigue on both sides. Ask for a specific description of the onboarding and tuning process: what information they need from you, what the expected false positive rate looks like initially and at steady state, and who is responsible for the tuning work. The answer will reveal whether tuning is a genuine operational commitment or a polite mention in the proposal.
To discuss MDR evaluation and selection for your organisation, contact Cyberlinx at info@cyberlinx.com.au.
Related Articles







