What Your MDR Isn't Telling You

Augusto Barros
Augusto Barros
July 13, 2026

Your quarterly business review looks good. The dashboard shows alerts monitored, incidents escalated, and a healthy set of green checkmarks. Your Concierge or named analyst team walks you through the trend lines, and the story is reassuring: coverage is working, threats are being handled, the service is doing its job.

The problem is that the QBR narrative and what actually happens at the alert level are two different things. Most of the variation between MDR providers shows up at the alert level, not on the dashboard. Here are four things your MDR almost certainly isn't telling you.

1. How many of your alerts it never actually investigated

Every MDR contract implies a simple promise: alerts come in, analysts look at them, real threats get escalated. What the model quietly depends on is triage math that never survives contact with volume.

Prophet Security research puts roughly 40% of alerts as never investigated at all. On top of that, a majority of organizations (around 57% in recent surveys) suppress or tune out detection rules specifically to cut noise, which means the alerts that might have mattered were filtered before anyone made a decision about them. Your MDR's reporting shows you what it worked. It doesn't show you the queue it drained with blunt triage criteria where low- and medium-severity signals are ignored, or the custom detections it treats as second-class because they don't fit its standard playbooks.

"We investigated everything that mattered", they say. But is their definition of "what matters" the same as yours? The ugly truth is that it is a definition set by their staffing economics, not your risk tolerance.

2. How long it actually took

Time to respond is where the concierge model and the SLA language diverge most sharply. Contracts tend to promise acknowledgment or notification within some window. They rarely promise investigation, and almost never promise resolution.

In practice, an alert sits in a queue, waits for an available analyst, gets partially enriched, and if necessary (another point open for interpretation), gets handed back to your team for action or with a request for more context. Typical numbers look like an hour of queue dwell before anyone touches an alert, plus over an hour of investigation once they do. Every handoff between the provider's tiers and your team adds latency on top of that.

The gap becomes obvious side-by-side. In one evaluation, a customer's MDR took roughly ten hours to flag a case that an AI-driven investigation surfaced in about fifty seconds. A gap like this is the difference between catching something while it's contained and catching it after it's moved.

3. What it's quietly charging you extra for

MDR pricing is usually framed as a clean per-endpoint or per-seat subscription. The real cost shows up in what falls outside that envelope.

The clearest example is high-volume, low-complexity work like phishing investigations. One customer found their MDR was effectively charging around ten times more per phishing message investigated than what it costs to do it with an AI SOC platform. Multiply that pattern across email triage, added data sources, extra log retention, and incident-response retainers, and the "predictable" subscription becomes a floor, not a ceiling.

The question worth asking at renewal isn't "what's the annual price?", but "what am I paying per investigated outcome, and how much of my volume is priced à la carte?"

4. What's actually in the black box

This is the one the category is structurally built to avoid telling you. When an incident lands back on your team's plate, what shows up in the ticket? Often it's a verdict and a short summary. It does not include the evidence chain, the queries run, nor the reasoning that connects the alert to the conclusion.

There are two costs to that opacity. The first is trust: you're accepting "this is benign" or "this is malicious" without the ability to check the work. The second is knowledge. In the concierge model, the institutional understanding of your environment, such as which service account behaves strangely on Thursdays, which engineer tests tools from a VPN or which alerts you've explicitly deprioritized, lives inside the provider's walls. When you leave, or when your named team turns over, that knowledge leaves with them. The context used by your detection and response processes was never really yours.

That's also why switching feels so heavy. The lock-in goes beyond the contract and includes the accumulated context you can't easily export.

{{ebook-cta}}

What a straight answer looks like

None of this means MDR was a bad decision. For most teams it solved a real problem: 24/7 coverage without hiring a full SOC. The issue is that the delivery model puts a hard ceiling on transparency, speed, and cost. All of them are functions of human analyst hours, and human analyst hours don't scale down in price or up in speed the way the threat volume demands.

An AI-native SOC changes the underlying economics rather than repackaging them. When AI agents act as the primary investigators, a few things become possible that the managed-hours model can't offer:

  • Every alert gets investigated, because the investigation cost is no longer associated with the analyst headcount. 
  • Investigations complete in seconds to minutes, with the evidence chain attached, so verdicts are auditable instead of asserted.
  • The context stays yours. Investigation logic, tuning, and institutional knowledge live in a platform you control, not in a provider's staff you rent.
  • Costs track outcomes, not per-message surcharges for the noisy, high-volume work MDRs price as add-ons.

For teams that want the assurance of oversight during the transition, like having someone watching while they build confidence in autonomous investigation, a service layer like Watchtower provides that bridge.

The questions to bring to your next renewal

Before you re-sign, ask your MDR to show you, at the alert level:

  • What percentage of alerts received last quarter were fully investigated versus enriched-and-handed-back or auto-closed?
  • What is the median time from alert receipt to investigation completion (not just acknowledgment)?
  • Which detections are currently suppressed or deprioritized on your account, and who decided that?
  • Can they produce the full evidence chain for a closed investigation from last month?
  • What does it cost per phishing or identity alert investigated, outside the base subscription?

The answers you get, or the ones you can't get, will tell you everything about the gap between the dashboard and reality.

If you want to see what alert-level transparency looks like in practice, take a look at the Prophet AI platform and how it shows its work on every investigation.

Definitive Guide to AI SOC Agents

This guide breaks down how AI SOC agents work and how to build an agile security operation around agentic AI

Download eBook
Download Ebook
Definitive Guide to AI SOC Agents

Frequently Asked Questions

Google Preferred Source Badge
Insights