EXPEL BLOG

15 ways Expel rocked The Forrester Wave™: MDR Services, Q1 2025

· 6 MIN READ · SCOUT SCHOLES · APR 11, 2025 · TAGS: AI & automation / Integrations / Threat hunting / vulnerability prioritization

TL;DR

  • Expel achieved a perfect score (5/5) in 15 categories in the latest Forrester Wave™: Managed Detection and Response Services, Q1 2025
  • This list highlights the specifics of those 15 scores
  • It also includes a complimentary playlist for evoking the feelings associated with each!

 

Last month, The Forrester Wave™: Managed Detection and Response Services, Q1 2025 was published, and Expel was named a Leader. We achieved a score of five out of five in 15 of their service-related criteria, and those five out of five scores are 15 reasons why we know choosing Expel as your next MDR provider is the best choice you can make. 

And for the full experience while you read this, listen to Expel’s Greatest Hits on Spotify. Let’s rock n’ roll!

1. Detection Surface: Extended Detection 

Expel’s “bring your own tech” (BYOT) approach to cybersecurity provides customers with maximum flexibility for their tech stacks. Most of the telemetry we ingest comes from security providers, and we’re able to enrich that data and transform it into meaningful threat intelligence. We offer 130+ integrations across your attack surfaces with native, enriched, high-fidelity alerts (and a human touch via our SOC analysts) for our customers so they can focus on what matters, not just what’s making the most noise. 

Sounds like: 

  • “Endpoint” by Vincent Rubinetti
  • “Red Sun” by Anoushka Shankar
  • “I Can See for Miles” by The Who
  • “Limitless” by Martin Garrix & Mesto

 

2. Detection Surface: Cloud

Expel provides MDR cloud services across the control plane, Kubernetes, container agents, cloud security tools, CNAPPs, cloud apps, and more. We have 15+ cloud partners, and are experts in protecting cloud infrastructure like AWS, Azure, Google Cloud, and Oracle, and cloud security platforms like Wiz, Orca, and more. We’re always creating and updating cloud detections for new threats and activities we see in real time to keep your cloud environment secure at every level.

Sounds like: 

  • “Cloud” by Surfaces 
  • “Release” by Rich Aucoin
  • “Head in the Clouds” by Arrows in Action
  • “Just A Cloud Away” by Pharrell Williams

 

3. Detection Surface: Identity

Expel is built to protect your entire IaaS/PaaS/SaaS tech stack. We use raw telemetry from SaaS tools, IGA/PAM providers, CASBs, the cloud control plane, Kubernetes, CNAPP, and more to track authentication, user identifiers, device info, IP metadata, permissions, entitlement management, user activity, and patterns, so we can build efficient identity detections and high-fidelity alerts. These detections correlate activity across your entire environment, resulting in improved response times and detailed investigations. They’re also built to trigger auto remediations for immediate actions like deactivating access keys, disabling SaaS accounts, resetting credentials, and more.

Sounds like: 

  • “Who Are You” by The Who
  • “Identity” by Rob Riccardo

 

4. Detection Engineering

We create and update our detections based on a complex set of factors to be sure we’re providing you with the best efficacy and efficiency. From there, we test and validate each detection (including peer review and validation testing before deployment); each detection is tested by our SOC analysts against real-world data, too. We monitor the precision, recall, detection drift, mean time to respond (MTTR), pivots-to-console, and volume and success rates for each metric to provide continuous improvement.

Sounds like: 

  • “Engineering” by David Guo

 

5. Managed Investigation

We support both our security analysts and yours with automation. Data ingested by our tech is enriched with customer context and third-party open source intelligence, and then presented and triaged in Expel Workbench™, our SecOps platform. Additionally, our bot Ruxie adds context to 95–97% of alerts for analysts and handles 30–40% of investigations end-to-end, with analysts providing a review, saving you time and energy to focus on alerts that matter.

Sounds like: 

  • “Private Investigations” by Dire Straits
  • “Ain’t No Mountain High Enough” by Marvin Gaye and Tammi Terrell
  • “The Investigation” by John Powell

 

6. Managed Response: Manual & Automated

Automated responses are provided via alerts, and manual responses come from our analysts. Our bot, Ruxie, automatically responds to and adds context to alerts, prepping analysts to either review and close or remediate an incident. When intervention is needed, analysts can run a variety of auto remediations to contain threats, and every action is captured clearly and transparently in Workbench. This combination of automated and manual managed response is what sets Expel apart from others. 

 

“Expel’s strategy continues to successfully strike a balance between human delivery and software-enabled platforms that few in the cybersecurity market can replicate.” 

The Forrester Wave™: Managed Detection and Response Services, Q1 2025

 

Sounds like: 

  • “Grenade” by Bruno Mars
  • “Better Together” by Jack Johnson
  • “The Man Machine” by Kraftwerk

 

7. Threat Hunting

Expel performs two types of threat hunts: emerging and hypothesis-based. Emerging threat hunts are indicator of compromise (IOC)-based hunts initiated when we observe an external threat or internal attack patterns. Hypothesis-based threat hunts are customer-specific: customers choose them, and a dedicated threat hunter runs them monthly against your specific telemetry data. This type of threat hunting produces millions of leads surfaced for additional analysis, and often yields additional findings and insights for future detections.

Sounds like: 

  • “Somebody’s Watching Me” by Rockwell
  • “Search and Destroy” by Iggy Pop
  • “Vigilante Sh*t” by Taylor Swift

 

8. Integrations 

Expel offers 130+ integrations across 65+ vendors via API, webhook, and syslog connections. We’re constantly evaluating and adding new integrations based on customer and prospect requests, trending and emerging technologies, and strategic partnerships. Every integration we offer is mapped to a MITRE tactic/technique and comes with a custom onboarding process for quick, easy adoption. 

Sounds like: 

  • “Got You (Where I Want You)” by The Flys
  • “I Spy” by Pulp

 

9. System Criticality & Vulnerability Prioritization 

Customer context + vulnerability data = the perfect equation for prioritization. Customer context (think critical systems, key user identities, geographic and IP restrictions, expected activity, and so on) is populated via an API or UI, and then paired with third-party vulnerability data to determine the criticality of an incident. Expel shares all of this information in each alert in Workbench, and our vulnerability prioritization analysts use all of this information to give you risk-based recommendations and root cause analysis.

Sounds like: 

  • “Vulnerable” by Secondhand Serenade
  • “When Worlds Collide” by Powerman 5000
  • “Fix You” by Coldplay

 

10. Analyst Experience (AX)

Our analysts use the same SecOps platform—Expel Workbench™—we use with our customers because it’s that good. It’s built to help analysts reduce triage time and provide clear and transparent details on any incident or investigation. It’s powered by AI and automation built to assist in pattern-based decision making, and includes guidance for new analysts learning investigative and scoping skills. Customers see what we see, so we’re able to constantly seek and incorporate feedback into our platform to consistently improve our analyst experience, which is mission critical for preventing burnout and stopping cybercrime.

Sounds like: 

  • “Baddie” by IVE
  • “Particle Man” by They Might Be Giants
  • “I Am Not a Robot” by Marina and the Diamonds
  • “Under Pressure” by Queen & David Bowie
  • “Who’s Afraid of Little Old Me?” by Taylor Swift

 

11. Dashboards & Reporting

Expel provides options for both out-of-the-box (OOTB) and custom reports and dashboards. Our OOTB reports are specific to key cybersecurity roles, from operators to the C-suite, and we present additional data to our customers on a regular cadence for continuous learning and improvement. For custom requests, Expel can provide customized dashboard views, specific parameters or timeframes, and work with our Customer Success team for one-off data questions. We’re happy to help in whatever way works best for you. 

Sounds like: 

  • “Dashboard” by Modest Mouse
  • “369” by Cupid feat. B.o.B. 
  • “22” by Taylor Swift

 

12. Metrics 

Copious industry standard metrics are provided to customers by default via Workbench, and even more are accessible via the Customer Success team. This includes everything from mean time to detect and remediate, to trends and patterns for each, to alert breakdowns versus MITRE ATT&CK tactics and updated detection performance. We also publish benchmarks and targets to help customers develop a deep understanding of their security posture, and compare themselves to industry standards and competitors. And to help even more, we provide access to a resilience recommendation library, where customers can track improvements to their posture. 

Sounds like: 

  • “Metrics” by Wizdakidd
  • “The Distance” by CAKE
  • “Numbers” by Kraftwerk
  • “7 rings” by Ariana Grande

 

13. Vision

Expel’s vision is to offer best-in-class MDR across every measurable customer outcome while constantly improving and raising the bar of what MDR means. We aim to deliver high-quality, transparent, and reliable security while building trust, so we become an extension of our customers’ IT and security organizations. Our focus on seamless onboarding, limitless integration, helpful automation, and complete transparency propels our product roadmap.

Sounds like: 

  • “Vision” by Indigo Waves
  • “Only The Young” by Journey (from Vision Quest)
  • “Visions” by Charli XCX

 

14. Innovation 

Expel’s innovation for the future is focused on remaining customer- and analyst-centric, and engineering-driven. By listening to our customers, ensuring our analysts are happy, effective, and efficient, and investing in technical research and data science, we remain committed to finding innovative solutions for addressing customer needs while keeping them safe and secure, 24×7. 

Sounds like: 

  • “Innovation” by Self-Isolation Jazz Artists
  • “Calm Down” by Krewella
  • “Someone New” by Hozier

 

15. Roadmap

Our roadmap includes advancing our service delivery, the capabilities of Workbench, and the surfaces and products we protect. It’s based on the needs of our customers, prospects, and internal stakeholders, and is vetted by customers, advisory boards, and a network of CISOs and security leaders. We’re not afraid to make long-term investments to deliver what really matters.

Sounds like: 

  • “Roadmap” by Wordtraveller & Max Merseny
  • “Autobahn” by Kraftwerk
  • “Little Lies” by Fleetwood Mac
  • “The Long and Winding Road” by the Beatles 
  • “Life is a Highway” by Rascal Flatts