Roundtable | Inside the managed detection and response market

Videos · Ben Baker · TAGS: About Expel

A LinkedIn Live roundtable featuring Expel experts discussing their recognition as a Leader in the Q1 2025 Forrester Wave for Managed Detection and Response (MDR) Services

Date: March 12, 2025

Featuring:

  • Ben Baker, Director of Content, Expel (Host)
  • Lauren Horaist, Director of Product for MDR Services, Expel
  • Ray Pugh, Director of SOC Operations, Expel
  • Ben Brigida, Senior Director of SOC Operations, Expel

Executive summary

In this LinkedIn Live session, Expel security leaders discuss the company’s recognition as a Leader in the 2025 Forrester Wave for Managed Detection and Response Services. The panelists examine three key areas where Expel excelled—detection surface coverage, managed response, and threat hunting—while also highlighting improvements in managed investigations and dashboards/reporting. The discussion offers valuable insights into the rapidly evolving MDR market and why these capabilities matter to organizations seeking security resilience. The panel also addresses Expel’s intentional approach to GenAI adoption, emphasizing their focus on consistent, explainable results over rushing to implement emerging technologies.

Introduction

Ben Baker: Hello and welcome to the LinkedIn Live roundtable discussing the Q1 2025 Forrester Wave for Managed Detection and Response. This is our second LinkedIn Live in recent weeks, following our discussion about the Annual Threat Report, which you can find on our YouTube channel.

Today, we’ll be focusing on the recently released Forrester Wave for MDR, where Expel MDR was named a Leader. As you may know, Forrester releases these Wave reports every other year to assess leading vendors in specific categories. This is the first update since 2023.

While we’re proud of our positioning in the Wave, what will ultimately matter most is the service we continue to provide to our customers. During this session, we’ll highlight areas where we performed well, but more importantly, we’ll discuss why these areas matter in today’s cybersecurity landscape.

We’ll focus on three areas where we excelled, two areas where we’ve improved since the 2023 Wave, and one area where we scored poorly but are actually fine with that result. Our goal isn’t just to celebrate our success but to discuss what good cybersecurity looks like and why it matters in the managed detection and response market.

Detection surface coverage: Cloud, extended detection, and identity

Ben Baker: Expel scored highly in detection surface coverage, particularly across extended detection, cloud, and identity. Ben, from an operational perspective, why do these specific coverage areas matter?

Ben Brigida: We think of ourselves first and foremost as a customer service organization. We have to consider what customers need today and anticipate where the industry is headed. With the increasing reliance on cloud services, identity, SaaS applications, and cloud infrastructure, we’d be remiss not to focus on these areas.

What’s particularly significant is that these are areas where we can have the biggest impact. EDR vendors already have mature detection capabilities for endpoints, but cloud security is still somewhat the Wild West. While this will evolve over time, just as endpoint and network security did, currently we can provide substantial additional value by identifying new attack techniques and delivering insights beyond what vendors already provide.

Ray Pugh: This has been a foundational element of our approach from day one, not a mid-stream pivot. We’ve always focused on meeting customers where they are and providing what’s most valuable to them. This strategy has allowed our capabilities to grow organically over time, in line with evolving customer needs.

Industry context: Recent market research indicates that the global managed detection and response market is experiencing significant growth, projected to reach $11.8 billion by 2029 at a CAGR of 23.5% from 2024 to 2029. This growth is driven by increasing cyber threats and organizations’ need for comprehensive security coverage across multiple attack surfaces (MarketsandMarkets).

Ben Baker: Customer-centricity is indeed central to our approach. In fact, the Forrester report highlighted feedback from our customers about Expel’s “intimate knowledge of their environment, strong analyst experience, and competency of service delivery personnel.”

Lauren Horaist: From a product perspective, I’m seeing expectations around detection coverage evolve rapidly. While EDR vendors have gotten quite good at what they do, there’s a significant lag in security maturity for newer technologies. Customers increasingly struggle with hiring and retention challenges, particularly for specialized roles in detection engineering and strategy.

As organizations adopt more cloud services and tools, they’re looking to MDR providers not just for alert triage, but for strategic guidance on detection approaches. This is a key value Expel provides—detection strategy across diverse attack surfaces.

Looking ahead, I expect this trend to accelerate. Technology ecosystems are expanding, not contracting, with more capabilities and solutions emerging regularly. We’re already seeing growth in OT and IoT environments, and I anticipate MDR providers will extend coverage to these areas in the coming years. The value proposition isn’t just technological—it’s addressing the hiring and retention challenges that security teams face.

Ben Brigida: That’s a great point. We were actually one of the first teams in the cloud security space, which is why many competitors try to recruit from our talent pool. It’s definitely an industry-wide challenge.

Ben Baker: Looking to the future, are there other attack surfaces you foresee MDR providers needing to cover?

Ben Brigida: Custom applications represent a significant challenge. Many organizations exist to deliver custom applications that solve specific problems. These can be difficult to monitor from an MDR perspective but represent meaningful attack surfaces for our customers. Finding ways to protect these crown jewels will be something MDR providers need to address in the coming years.

Ray Pugh: That’s similar to the IoT paradigm, where devices are connecting to networks with specific functionality in mind but without security as a primary consideration. As these attack surfaces mature and threats emerge, defenders will need to work together to develop effective protection strategies.

Recent development: In March 2025, Expel became the first MDR provider to offer coverage for Oracle Cloud Infrastructure (OCI), expanding their multi-cloud protection capabilities. This adds to their existing support for AWS, Google Cloud Platform, and Microsoft Azure. Approximately 80% of organizations now operate in multi-cloud or hybrid environments, making comprehensive cloud coverage increasingly important for effective security (Expel Blog).

Managed response: beyond alerting to action

Ben Baker: Let’s discuss managed response, another area where Expel received top scores. Ray, from your perspective, what does good managed response look like, and how do you measure success?

Ray Pugh: Managed response starts with high-quality detections that identify genuinely concerning activities and are enriched with the right contextual data. This could include third-party information or data from the customer’s technology stack that helps our team properly diagnose threats and prioritize them appropriately.

When an active threat is identified, effective response means having the right levers to pull. Some of these are pre-configured actions we can take automatically on behalf of customers, while others involve clear, concise communication with recommendations. All of these actions need to align with the customer’s risk tolerance, which we establish upfront.

We measure success through response times: how quickly we identify threats, perform automated actions, and deliver recommendations to customers. These metrics matter because in security, minutes can make all the difference.

Ben Baker: Many MDR providers stop at simply alerting customers about threats. Ben, how does Expel truly manage the response, and where do you draw the line between guidance and hands-on action?

Ben Brigida: Ray made excellent points. We position ourselves as an extension of the customer’s team, which means understanding that customers aren’t a monolith—each has unique needs and risk tolerances. For some organizations, immediately killing a user session for any suspicious activity is appropriate. For others, particularly when it might affect executives or critical business functions, more nuanced approaches are necessary.

Lauren’s team has done tremendous work in designing systems that allow us to automatically adjust our response approach based on customer-specific parameters. Beyond the technical response, being accessible to customers during an incident is critical. Whether through chat applications or other communications channels, we need to be available when customers need us most. Managing the response means being there throughout the incident, not just providing a list of deliverables after the fact.

Lauren Horaist: I’d add that beyond the immediate firefighting, what Ben and Ray’s teams do especially well is post-incident analysis. After resolving an incident, they examine what happened, how it escalated, and what environmental improvements could prevent similar issues in the future.

This isn’t just about containing the immediate threat—it’s about helping customers improve their overall security posture. Sometimes this means reinforcing recommendations that security teams have already made internally but couldn’t get organizational buy-in for. Having a trusted third party make the same recommendation can often help security teams get the resources they need.

Ben Baker: The theme of partnership keeps emerging in this conversation. The Forrester report specifically mentioned our “unmatched transparency,” which is something we’re particularly proud of.

Ben Brigida: That transparency does make our job more challenging. When I first joined and learned that our SOC would use the same portal that customers see, with complete visibility into our work, it gave me pause. But that transparency has proven invaluable—it creates accountability and forces continuous improvement.

We can’t sweep anything under the rug, so we’re incentivized to maintain robust processes and technology. This transparency keeps us honest and ensures we deliver the service we promise.

Threat hunting: a purist approach

Ben Baker: Threat hunting was another area where we received high marks. Lauren, what makes our approach stand out from other MDR providers?

Lauren Horaist: We take a purist approach to threat hunting, though we actually have two distinct types. The first aligns with what most of the industry calls threat hunting—when we see trends of emerging attacks in the industry or across our customer base, we proactively search for indicators. Some purists might call this simply “search,” but it’s a table stakes capability that every MDR should provide.

What truly differentiates us is our customized, hypothesis-based approach. When customers express concerns about specific attack types or attack surfaces without concrete evidence of compromise, our team works with them to develop hypotheses and examine raw telemetry, typically looking back 30 days.

This process involves asking questions and investigating patterns until we identify events that merit deeper investigation. This approach is more time-intensive and tailored to individual customer environments, which is why it’s particularly valued by our clients—it goes well beyond what most MDR providers offer as threat hunting.

Ray Pugh: Lauren’s probably thinking of me when she mentions purists! I agree that IOC sweeps are table stakes, providing tremendous value for timely, high-fidelity indicators. But our layered approach—combining tactical, time-sensitive searches with more deliberate, hypothesis-based investigations—allows us to provide comprehensive coverage. By baselining activity over time and looking for novel patterns, we can identify threats that might otherwise go undetected.

Ben Baker: Forrester also gave Expel high marks for detection engineering, which relates to threat hunting. Ben, what’s the key to balancing comprehensive coverage with minimizing false positives?

Ben Brigida: In the Forrester Wave, detection engineering refers to having operational rigor and robust controls to prevent issues. Everyone is acutely aware of the potential impact of problematic detection updates after the incidents we’ve seen across the industry this year.

Our engineering team has implemented strong practices to ensure we don’t cause more harm than good when deploying detections. Operationally, we’re constantly evaluating whether we’re casting a wide enough net while avoiding decision fatigue for our analysts. If everything is a priority, nothing is a priority, so we maintain internal targets for true positive rates and regularly assess their effectiveness.

We also focus on reducing the number of unique decisions analysts need to make through automation and decision support. These three elements—proper controls to prevent issues, managing decision fatigue, and using automation to reduce decision volume—are key to effective detection engineering.

Areas of improvement: investigations and reporting

Ben Baker: Let’s discuss areas where we’ve improved since the 2023 Wave. Ray, we scored well in managed investigations this time around. What constitutes a well-executed managed investigation, and how does it benefit customers?

Ray Pugh: We’ve invested significantly in this area, building on our initial approach to deliver even better outcomes for customers. Good investigations start with high-fidelity alerts enriched with the right information, allowing analysts to prioritize effectively.

Transparency in documentation is crucial—we should be able to review any investigation, even without speaking to the analyst who conducted it, and clearly understand what additional data they gathered, how they interpreted it, and what actions or recommendations resulted. This integration with the customer’s entire technology stack allows us to leverage all available signals.

Finally, we focus on delivering clear, concise information to customers, explaining not just what we found but why it matters and what specific actions they should take. This approach ensures customers receive actionable intelligence rather than just data.

Ben Baker: Lauren, Forrester also noted improvements in our dashboards and reporting. What enhancements have we made, and how do they help customers extract more value from our service?

Lauren Horaist: In the spirit of transparency, our dashboards and reporting aim to clearly show customers what we’re doing for them, whether the metrics are good or bad. When improving these tools, we recognized that we serve different types of users—executives, SOC analysts, and administrators—each with distinct information needs.

We’ve made our dashboards more flexible to accommodate these different perspectives. Executives can access high-level views that translate security metrics like MTTR into business impacts. Security analysts can dive deeper into investigation and incident trends. Administrators can monitor integration health and performance. This tailored approach ensures everyone can access the information most relevant to their role, enhancing transparency across the organization.

Ben Baker: Do your teams also benefit from these enhanced dashboards and reporting capabilities?

Ben Brigida: Absolutely. From a customer-focused perspective, we protect many different environments and can observe trends over time. Understanding what customers commonly want to see helps us ensure we’re appropriately valuing the right metrics. We also learn from forward-thinking customers who request new metrics or visualizations—this helps us anticipate emerging needs.

Internally, these dashboards help keep us accountable. While Ray and I tend to work with more granular data that tracks platform activity down to the millisecond, having unified scoreboards helps the team monitor performance across customers and identify areas for improvement.

GenAI in MDR: why less is more

Ben Baker: Finally, let’s address an area where we scored poorly in the Wave—generative AI. Ben, I know you have strong views on this. Why are you actually proud of our low score here?

Ben Brigida: We received a one out of five for generative AI usage, indicating we’re behind the industry in implementation. This was an intentional decision that we believe aligns with what our customers would choose if they were in our position.

At the end of the day, we’re a service provider paid to deliver outcomes—finding and stopping threats quickly. Customers care about results, not the specific technologies we use internally. Currently, we’re achieving industry-leading performance without generative AI, so implementing it would introduce risks without clear benefits.

When you examine industry reports on generative AI in security, you’ll notice that most benefits accrue to providers through increased margins rather than to customers through improved outcomes. As a customer-focused organization, we prioritize consistent, high-quality results over implementing trendy technologies.

There are legitimate concerns about using AI in decision-making processes, especially in security. We’re intentional about where we might apply these technologies—perhaps for summarizing information or QA processes, but not for making critical decisions about closing alerts. Those decisions should remain with human analysts.

Many of our customers operate in highly regulated industries and have reasonable concerns about AI use in their security operations. Our position on generative AI actually puts them at ease. It’s worth noting that while we’re cautious about large language models, we use significant automation to position our analysts to make better decisions faster. This traditional automation is more explainable and reliable than current generative AI capabilities.

Ben Baker: That’s a compelling perspective. As one of our viewers commented, “It’s all about the results.”

Future of the MDR market: predictions and priorities

Ben Baker: As we wrap up, I’d like each of you to share your predictions about which Forrester scoring criteria will matter most to companies in the MDR market in 2025.

Ben Brigida: I believe explainability will become increasingly important. Our unrivaled transparency is something the market is trying to replicate because customers demand it. Black box security doesn’t make sense—customers want to understand not just why threats were identified but also why non-threats were dismissed.

Consistency will also be crucial. While mean time to respond is an important metric, outliers can cause serious business impact. The industry needs to focus on reducing standard deviations in response times, not just improving averages.

Ray Pugh: I agree with Ben’s assessment. I’d also emphasize extended detection capabilities. We’re seeing vendors across the MDR space increasingly push into this area, indicating its growing importance. This trend will drive healthy competition and ultimately make the entire defender community stronger as we develop better ways to protect diverse environments.

Lauren Horaist: I agree with most of what’s been said, but I’ll offer a slight nuance on the GenAI discussion. While customer-facing explainability is absolutely critical, I believe internal explainability—helping our own teams understand complex data faster—will become increasingly important.

As organizations adopt more technologies and our teams manage more alerts across diverse tools, finding ways to quickly summarize information could help drive faster decision-making. Any implementation would need to be extremely cautious about data privacy and accuracy, but as the technology matures, it could offer internal operational benefits.

I also anticipate that as extended detection capabilities grow, customers will increasingly expect response capabilities across those same surfaces. The scope of response will likely expand beyond what we’re seeing today.

Ben Brigida: I think Lauren and I are actually saying the same thing—explainability matters both internally and externally. We need to understand our own decisions before we can effectively explain them to customers.

Ben Baker: Thank you all for your insights. The partnership between people and technology is something Forrester specifically highlighted about Expel, noting our ability to “successfully strike a balance between human delivery and software-enabled platforms that few in the cybersecurity market can replicate.”

Additional resources

About the MDR market

The managed detection and response market continues to experience significant growth, with projections indicating it will reach between $8.34 billion and $11.8 billion by 2029, growing at a CAGR of 20-23.5%. This expansion is driven by increasing cyber threats, a shortage of cybersecurity talent, and the growing complexity of IT environments. According to the Forrester Wave report, key trends in the MDR market include a focus on detection engineering and security posture management, with customers demanding more proactive security approaches from their providers.
This transcript has been edited for clarity and readability.

For more information about Expel’s services and how we’re redefining managed detection and response, visit expel.com.