The state of the managed detection and response vendor market | Nerdy 30, Episode 4

Videos · Ben Baker · TAGS: MDR

A fast, candid look at the rapidly shifting managed detection and response vendor landscape. From the surge of AI SOC startups to platformization, consolidation, and the changing expectations of security teams, this episode breaks down what’s real, what’s hype, and what managed detection and response vendors need to deliver next.

Date: November 13, 2025
Duration: 30 minutes

Featuring:

  • Ben Baker, Director of Content, Expel (Host)
  • Justin Bajko, Chief Strategy Officer, Expel
  • Rueben Rodriguez, VP of Product Marketing, Expel

Introduction

Ben Baker: Welcome, everyone, to another Nerdy 30—thirty minutes, one topic, zero fluff. Today we’re looking at the current state of the MDR market. And let’s be honest… it’s a lot.

Between the surge of AI SOC companies, the wave of market consolidation, and the shifting expectations of security teams, the category is changing faster than ever. For customers trying to make sense of managed detection and response vendors, the landscape is crowded and often confusing.

To help us unpack it all, I’m joined by two people who’ve been shaping MDR from the beginning: Expel co-founder and Chief Strategy Officer Justin Bajko, and VP of Product Marketing Rueben Rodriguez. They’ll break down what’s real, what’s hype, what’s changing, and how organizations should think about the MDR category heading into 2026.

Let’s dive in.


How we got here: Justin’s journey through MDR

Ben Baker: Justin, you’ve been in managed security well before the MDR acronym even existed. Walk us through your career path and how that shaped your view of the market.

Justin Bajko: I’ve pretty much lived in managed security since the early 2000s. I started as a one-person security show in pharma research, moved into Symantec’s MSSP, and then joined Mandiant right as the industry was shifting toward more proactive detection and response. Over time, I helped build what eventually became Mandiant’s MDR before co-founding Expel.

Seeing the category evolve firsthand—through MSSP, through early MDR, and now through its collision with AI-driven security—gives me a pretty unfiltered perspective on how messy and exciting this moment really is.


What the MDR market looks like today

Ben Baker: So how would you describe the MDR landscape right now?

Justin Bajko: If I had to choose one word? Gross. Not because MDR is broken—far from it. But the market is in a strange transition phase.

Companies are trying to decide whether they’re MDR, an AI SOC, a co-managed SOC, a platform, or some hybrid. Categories are blending, and vendors are planting flags in overlapping spaces. The labels don’t match the realities of how customers actually use these tools and services.

To me, all of these offerings—MDR, AI SOCs, hybrid platforms—fall under one larger umbrella: security operations. We’re just in a moment where the taxonomy hasn’t settled.

Rueben Rodriguez: And cybersecurity doesn’t help itself. Marketing noise doesn’t always make things clearer. But at the end of the day, the goal is simple: keep customers safe.


The rise of AI SOC companies

Ben Baker: Let’s talk about AI SOCs. There’s been an explosion of them lately.

Rueben Rodriguez: There are more than 40 now, and that list is growing. They’re betting heavily on automation—and there’s real value in that. But customers still need decisions to be explainable and defensible.

Behind the scenes, many AI SOCs still need human analysts to review outcomes. No matter how advanced your model is, someone has to verify the decisions.

Justin Bajko: Exactly. AI SOCs remind me of self-driving cars. They’re powerful, but you still need a human in the loop so it doesn’t run over the metaphorical cat.

Automation is great for speed. Humans are still essential for judgment.


Whether AI SOCs solve a new problem—or the same one differently

Ben Baker: Are AI SOCs fundamentally solving something different from MDR vendors?

Justin Bajko: Honestly? No. Both are trying to solve for one reality: attackers only need to be right once, and defenders have to be right all the time.

AI SOCs are leaning heavily into automation. MDR vendors lean more into human expertise supported by technology. But everyone is trying to improve detection, reduce noise, and respond faster.

Eventually, I think the two approaches converge.


Market consolidation and platformization

Ben Baker: Consolidation keeps coming up in our industry. What’s happening there?

Justin Bajko: Budgets are tightening. Security teams want fewer vendors. Platform players are bundling more capabilities. That drives consolidation cycles.

But innovation in cybersecurity moves so fast that new best-of-breed tools keep emerging—and suddenly the pendulum swings back.

We’ve seen this pattern over and over:

  • Consolidation
  • Innovation and specialization
  • Back to consolidation

Security teams feel the tension the most because they’re caught between risk reduction, cost pressure, and the need to stay ahead of attackers.


How Expel is approaching the MDR market today

Ben Baker: So how is Expel navigating this evolving landscape?

Justin Bajko: We’re not trying to push customers into one model. Some want a fully outsourced MDR partner. Some want a co-managed approach. Some want to build more in-house capability while still relying on a partner for coverage.

Our approach is simple: meet customers where they are, and support them as they grow. And pair human-led analysis with AI-supported speed.

Rueben Rodriguez: And the focus is on outcomes—noise reduction, faster MTTR, better detections, improved visibility. AI helps with that, but humans still drive the quality.


Final thoughts

Ben Baker: One last thought for security leaders navigating all this?

Rueben Rodriguez: Change is constant. Stay adaptable, and stay connected to the community. You don’t have to navigate this alone.

Justin Bajko: Amen.

Ben Baker: And before we go—critical question. If you had to be haunted by a ghost… Casper or Patrick Swayze?

(Arguments were made. Opinions were strong. Swayze ultimately wins.)

And with that, the gong hits. Nerdy 30 complete.


Frequently asked questions about managed detection and response vendors

Q: What should organizations look for when evaluating managed detection and response vendors?

Focus on outcomes—detection quality, response speed, communication clarity, and visibility across your environment. Good MDR vendors offer transparency, strong metrics, and partnership, not just alerts.

Q: How are AI SOC companies different from MDR vendors?

AI SOCs prioritize automation; MDR vendors prioritize expert analysis supported by automation. Most organizations benefit from a hybrid: automation for speed, humans for context and decision-making.

Q: Will AI replace human analysts in MDR?

Not in the foreseeable future. AI accelerates triage, enrichment, and documentation, but customers still rely on analyst judgment, explanations, and accountability. The strongest model today is “human-led, AI-supported.”

Q: Why is there so much consolidation among cybersecurity vendors?

Budget constraints, tool sprawl, and platform strategies drive consolidation. But innovation moves faster than consolidation cycles, so best-of-breed tools continue to re-emerge.

Q: What should organizations ask MDR vendors about AI?

Ask how AI improves analyst efficiency, reduces noise, enriches detections, and accelerates response. Also ask how humans review AI-generated decisions and how the vendor ensures accuracy.

Q: Where is the MDR market headed next?

Expect closer convergence between MDR and AI-driven SOC platforms, more automation of routine tasks, and increasing emphasis on flexible co-managed models that support customers’ internal team growth.


This transcript has been edited for clarity and readability. For more MDR insights and resources, visit expel.com/blog or follow our LinkedIn page for updates on cybersecurity trends and best practices.
