Detection engineers tend to keep the detections they write in their own SIEM rather than route them to a Managed Detection and Response (MDR) provider. Those rules are built for one environment's specific threats, and the alerts they generate land back on the internal team to investigate. The reasons are structural, and so is the cost.
Custom detections are the rules a team writes for its own environment: logic that catches abuse of an internal application, an access pattern that only makes sense against the organization's identity model, a data movement that is routine elsewhere and a problem here. Most large organizations run at least some; far fewer back them with a disciplined detection-engineering program of ownership, tuning, and testing. These custom detection rules earn their place by covering ground vendor detections cannot: the crown jewels, the business logic, the unusual identity patterns, the custom applications specific to the organization. The measure that matters is which incidents a team would miss without them, not what share of the queue they fill.
Those alerts are also the hardest to judge. A vendor detection firing on a known-bad hash is quick to adjudicate; a custom rule firing on a subtle deviation is not, because judging it means knowing why the rule exists and what normal looks like around it. That context sits with the SecOps engineer who wrote it.
Managed detection and response is a standardized service. A provider runs its own detection library across hundreds of customers, and the economics depend on content that generalizes. The service covers that library and the tier-1 triage of the alerts it generates. The rules a single team wrote sit outside that scope, or move the buyer into a higher tier that typically ingests the rule as one more alert source without investigating its output in depth. These are limitations of the shared-service model, not of any one vendor: an MDR investigates the detections it ships, not the ones the customer wrote, so the alerts from custom detections stay the in-house team's responsibility.
Those alerts do not stop firing at night or on weekends, and they cannot be safely bulk-closed, because a custom rule firing is the case where a fast close is most dangerous. An MDR sells around-the-clock coverage of its own library, which is much of why teams buy it; the custom-detection cohort needs the same attention, and it is now the internal team's to provide. In a mature enterprise that cohort can run 10 to 30 percent of alert volume, a meaningful, high-context share rather than an edge case.
Around-the-clock coverage does not scale down. One hire cannot staff nights, weekends, and days; continuous human coverage of a single seat takes four to six people once shifts and turnover are counted. Headcount is only half of it: an overnight analyst, in-house or outsourced, can read a custom-rule alert but not the intent behind it, which still lives with the engineer who wrote the rule. Teams adopt an MDR partly to avoid building a 24/7 investigation function; their custom detections push them right back toward it.
An AI SOC platform covers those alerts directly, at any hour, without adding headcount. Rather than running a fixed playbook, it investigates each one against the specific environment: it queries the connected data sources, including the SIEM, EDR, identity provider, and cloud, gathers the context the alert depends on, and follows the evidence as a senior analyst would. A custom-rule alert gets the same depth as any other, with a documented trail from query to evidence to verdict that an analyst can confirm rather than rebuild.
It runs on the team's terms. The team sets which assets and detections are critical and how particular situations should be handled, including the reasoning behind a given rule, and the platform applies that guidance with human approval gates where required. It can also surface which rules are noisy and where MITRE ATT&CK coverage has gaps, so a team's engineers handle detection tuning from evidence, the kind of detection engineering we cover separately. In one side-by-side against a customer's own analysts, the platform matched their determinations on 99.8 percent of more than 12,000 investigations.
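To make concrete what "context that sits with the engineer who wrote it" looks like in a rule, and how noise and ATT&CK coverage can be measured from evidence, here is an added example in Python. It is not code from the original page or from any vendor's platform. It defines three environment-specific rules of the kind described above, each carrying its owner, rationale and MITRE ATT&CK technique, runs them over constructed SIEM-style events, and then computes two tuning signals: rules whose closed alerts were mostly benign, and required techniques no rule is mapped to. The account naming (`svc-*`), the `fin-share` resource, the privileged-group set, the change window and the organisation's technique priority list are all assumptions for illustration.

```python
"""Custom detection rules with embedded owner/rationale context, run over constructed events.

Added example, not the page's own code. Rule logic, group names, the change
window, the sample events, triage verdicts and the required-technique list are
all constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    owner: str        # engineer who wrote the rule and holds the intent behind it
    rationale: str    # why the rule exists and what normal looks like around it
    technique: str    # MITRE ATT&CK technique ID the rule is mapped to
    match: Callable[[dict], bool]


PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed for this org
CHANGE_WINDOW = range(8, 18)                                # assumed approved hours (local)

RULES = [
    Rule("svc_account_interactive_logon", "d.park",
         "svc-* accounts run scheduled jobs over the network only; an interactive "
         "logon means a person at the keyboard or a stolen credential.",
         "T1078.002",
         lambda e: e.get("event") == "logon"
         and e.get("user", "").startswith("svc-")
         and e.get("logon_type") == "interactive"),
    Rule("finance_share_bulk_read_outside_finance", "m.okafor",
         "Only Finance reads fin-share in bulk; other teams open single files. "
         "More than 200 reads by a non-Finance user looks like staging for exfil.",
         "T1039",
         lambda e: e.get("event") == "file_read"
         and e.get("resource") == "fin-share"
         and e.get("group") != "Finance"
         and e.get("files_read", 0) > 200),
    Rule("privileged_group_add_outside_change_window", "d.park",
         "Admin-group membership changes happen in the 08:00-18:00 change window; "
         "anything outside it is unapproved until proven otherwise.",
         "T1098",
         lambda e: e.get("event") == "group_add"
         and e.get("target_group") in PRIVILEGED_GROUPS
         and e.get("hour") is not None
         and e["hour"] not in CHANGE_WINDOW),
]

# Constructed, normalised SIEM records (not real telemetry).
EVENTS = [
    {"id": 1, "event": "logon", "user": "svc-backup", "group": "ServiceAccounts",
     "logon_type": "interactive", "resource": "host-01"},
    {"id": 2, "event": "logon", "user": "jsmith", "group": "Finance",
     "logon_type": "interactive", "resource": "fin-share"},
    {"id": 3, "event": "file_read", "user": "jsmith", "group": "Finance",
     "resource": "fin-share", "files_read": 500},
    {"id": 4, "event": "file_read", "user": "bnguyen", "group": "Engineering",
     "resource": "fin-share", "files_read": 320},
    {"id": 5, "event": "group_add", "user": "bnguyen", "target_group": "Domain Admins",
     "hour": 3},
    {"id": 6, "event": "group_add", "user": "aroot", "target_group": "Domain Admins",
     "hour": 10},
    {"id": 7, "event": "logon", "user": "svc-deploy", "group": "ServiceAccounts",
     "logon_type": "network", "resource": "ci-01"},
    {"id": 8, "event": "logon", "user": "svc-deploy", "group": "ServiceAccounts",
     "logon_type": "interactive", "resource": "ci-01"},
]


def run_rules(events, rules=RULES):
    """One alert per (rule, event) match; the alert carries the rule's context with it."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append({"rule": r.name, "event_id": e["id"], "owner": r.owner,
                               "technique": r.technique, "rationale": r.rationale})
    return alerts


def noisy_rules(alerts, verdicts, benign_ratio=0.75):
    """Rules whose closed alerts were mostly benign, as candidates for tuning.

    verdicts maps (rule_name, event_id) -> 'benign' | 'true_positive'; open alerts
    (no verdict yet) contribute no evidence either way.
    """
    per_rule = defaultdict(lambda: [0, 0])  # rule -> [benign_count, closed_count]
    for a in alerts:
        v = verdicts.get((a["rule"], a["event_id"]))
        if v is None:
            continue
        per_rule[a["rule"]][1] += 1
        if v == "benign":
            per_rule[a["rule"]][0] += 1
    return sorted(r for r, (b, t) in per_rule.items() if t and b / t >= benign_ratio)


def coverage_gaps(required_techniques, rules=RULES):
    """ATT&CK techniques the organisation wants covered that no rule is mapped to."""
    return sorted(set(required_techniques) - {r.technique for r in rules})


# Constructed triage outcomes recorded by the analysts who closed these alerts.
VERDICTS = {
    ("svc_account_interactive_logon", 1): "benign",         # ticketed troubleshooting session
    ("svc_account_interactive_logon", 8): "true_positive",
    ("finance_share_bulk_read_outside_finance", 4): "true_positive",
    ("privileged_group_add_outside_change_window", 5): "benign",  # emergency change, approved later
}
REQUIRED_TECHNIQUES = {"T1078.002", "T1039", "T1098", "T1110"}  # assumed org priority list

if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(f"{a['rule']} on event {a['event_id']} (owner {a['owner']}, {a['technique']})")
    print("noisy:", noisy_rules(run_rules(EVENTS), VERDICTS))
    print("ATT&CK gaps:", coverage_gaps(REQUIRED_TECHNIQUES))
```

The point of attaching owner and rationale to the alert itself is that whoever picks it up at 03:00, human or platform, gets the intent without waking the author; the two helpers show that "noisy" and "coverage gap" are things you compute from closed verdicts and rule mappings, not opinions.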
A custom detection firing is usually a real signal about something specific to your environment, and it is the kind of alert you cannot afford to leave in a queue until someone is back at a desk. These are the alerts that most deserve a full, context-rich investigation the moment they arrive. An AI SOC platform delivers exactly that, on every one of them and at any hour, so the cohort your MDR leaves behind is no longer the part of your coverage that waits. If the custom detections in your SIEM are the coverage you most want eyes on, the next step is to see what a complete investigation of their alerts looks like in your own environment.
For the bigger picture, our comparison of MDR and an AI SOC platform and our criteria for evaluating MDR providers go into more depth.
