MDR · 5 MIN READ · KIM MAHONEY · JUN 23, 2025 · TAGS: Guidance
TL;DR
- MDR is a partnership that requires active involvement from your security operations team; it’s not a simple “easy button” or always a full replacement for your SOC.
- The future of MDR is shifting heavily towards proactive security, focusing on identifying and closing exposures before they can be exploited.
- Effective MDR prioritizes human expertise, regular engagement, and clear, actionable insights on threats and exposures, rather than relying on automation, chatbots, or vague “cyberspeak.”
After getting back from the Gartner Security & Risk Conference, we wanted to share some of our key takeaways from Pete Shoard’s session on the upcoming Gartner Market Guide for Managed Detection and Response (MDR). If you’ve ever felt like your MDR isn’t quite hitting the mark, or you’re trying to figure out what “good” actually looks like, in our opinion, this one’s for you.
Let’s dive into what’s really going on in the MDR world and what it means for all of us security practitioners in the trenches.
Expectations vs. reality: “Alerts R Us”
One of the biggest themes? A lot of organizations are pretty unhappy with their MDR purchase after about a year. Sound familiar? It often boils down to an “Alerts R Us” situation—you’re still drowning in notifications, and the promised relief hasn’t materialized.
The core message here is that buying MDR isn’t about getting an “easy button” or outsourcing all your security headaches. Depending on your organization and its maturity level, it may not be a replacement for your SOC at all. Instead, it’s about building a genuine partnership with a team you can trust. An MDR provider needs to deeply understand your specific requirements and environment to provide meaningful context, not just hand you a generic service. You’ve got to stay involved, continually thinking about what you need them to do next for you.
What MDR isn’t (and what it’s becoming)
Let’s clear up some common misconceptions.
MDR is not:
- Autonomy: It’s not a set-it-and-forget-it service.
- An end-to-end fix: It won’t magically solve all your security problems.
- A place to outsource responsibility: You still own your security posture.
- Just about fixing issues: Pointing out and remediating individual problems is table stakes; it also needs to help you improve.
- An “easy button”: Sorry, the grind is still real, just hopefully more efficient or less burdensome.
So, what should you expect? You should demand a high-quality service focused on human engagement. We’re talking regular, even daily, real-time interaction. Think of them as an extension of your team. The best MDR providers offer:
- Advisory support: Not just telling you about an issue, but guiding you on how to tackle and remediate it.
- Response to all threats: Regardless of priority, they should be addressing every confirmed threat.
- Clear, actionable deliverables: They need to tell you exactly what was found, its impact, and how to fix it, complete with business context.
- On-demand access to human experts: Real people, not just AI chatbots.
We at Expel happen to agree with Pete’s assessment. In fact, we’ve always made it easy for our customers to communicate with us through the collaboration tools they’re already using, such as Slack, Microsoft Teams, and PagerDuty, so our SOC team can reach customers quickly when it matters most.
Expel also provides detailed context on any incident, including root cause analysis and exactly what you need to do to remediate it (or, in some cases, we do it for you), along with resilience recommendations on what you can do in the future to prevent it from happening again.
The future is proactive: exposure management
This is a big one. According to Gartner, the MDR market is rapidly shifting towards proactive security. Gartner states that by 2028, 50% of MDR findings will be focused on, or include details on, threat exposure, up from only 10% today.* We feel this means:
- Closing doors before they’re exploited: Think vulnerability management, but integrated into your detection and response.
- Exposures are as crucial as threat alerts: Identifying security gaps, misconfigurations, and other potential weaknesses before an attacker finds them.
- Not just detecting everything, but detecting what has an impact: Prioritizing what truly matters to your business and what would cause the most damage in the event of a disruption.
Incident response (IR) as an add-on: Be savvy here. IR retainers are often add-ons (or in some cases thrown in to sweeten the deal), but many cyber insurance policies already include IR support. Check both contracts, including which firms the policy will pay for and how much coverage it provides; you might not need that extra retainer!
AI: An enabler, not a differentiator
Everyone talks about AI. But in MDR, it’s not a differentiator just by having it. AI and automation are already used across all MDR services. What you should demand is that AI translates into tangible outcomes: faster, broader detection and improved service quality. Beware of “cyberspeak” and the mysteries of AI—demand clear, impactful results.
At Expel, we’ve been using automation and machine learning since inception, but the focus has always been on simplifying our SOC analysts’ triage and investigation process, and speeding up response times to better serve our customers. That focus continues today, and has led to our industry-leading response times, including a 17-minute mean time to remediation on high/critical incidents.
The future of MDR
MDR will absolutely still be here in five years. Here’s what we believe Gartner is seeing:
- Alignment with co-management: The shared responsibility model is growing, making it possible to pair co-management of SIEM/XDR with MDR. It’s important to understand the nuances between pure MDR and co-managed services and ensure you’re actually getting what you want/need.
- New telemetry/surface coverage: MDR is expanding beyond traditional endpoints and networks to include:
  - Identity
  - Cloud environments
  - Brand monitoring (social media, dark web)
  - Collaboration tools
  - IoT devices
- Continued growth of exposure management: This isn’t going away. Proactive issues (exposures) should always be a part of your detection and response requirements.
Choosing your MDR partner: focus on what matters
When considering an MDR provider, focus on:
- Understanding your needs: Do they truly get your business and environment and help you understand how to improve? Can they work with what you have, or are they going to make you switch tooling or learn new technology in order to deliver the service?
- Delivering relevance: Are their findings actionable and impactful? Are they in plain English that is easily understood, and do the findings provide the whole story of what/where/why/how?
- Proactive capabilities: Are they looking for what could happen, not just what has happened? And are they telling you how you can improve your defense for next time?
- Human expertise: Are real people available for advisory support, not just automated responses? Can you communicate easily with the SOC team when additional help is needed?
Ultimately, treat MDR as a service, not just a technology purchase. Your partnership with an MDR provider should continuously improve your security posture and help you communicate its value to the business.
And keep an eye out for the latest Gartner Market Guide for Managed Detection and Response, coming soon!*
*Market Guide for Managed Detection and Response, June 24, 2024
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.