21 Questions to Ask Before Choosing an MDR Provider
Consider a scenario that plays out more often than it should: ransomware encrypts a school district’s systems mid-afternoon. Their Managed Detection and Response (MDR) provider had been monitoring the environment for months. The breach still costs weeks of recovery time — not because detection failed, but because the contract never guaranteed containment.
That distinction, between a provider who notifies and one who acts, is what this list is built around. Most MDR providers sound identical in a sales presentation. The real differences live in service-level agreement (SLA) definitions, staffing models, pricing structures, and how much authority the provider actually holds during an active incident.
These 21 questions cut through the marketing language and surface what actually determines performance when it counts. Each one targets a specific failure point we have seen collapse MDR relationships, and includes a brief explanation of what the answer reveals about the provider you are evaluating.
MDR providers hold elevated access to critical systems and make real-time containment decisions around the clock — which means choosing the wrong one can be more damaging than having no provider at all. That elevated access is precisely what makes standard procurement evaluation insufficient. After two decades working alongside more than 25,000 MSPs and the IT teams they support, we have watched the same dynamic play out: a provider clears every demo, passes the procurement checklist, and still fails when an actual incident tests the relationship.
21 Questions and Why You Would Ask Them
The following questions span SOC staffing, response authority, technology, detection, compliance, pricing, and reporting. Each includes a brief explanation of what the answer reveals.
SOC Staffing and Operations
1. What certifications do your SOC analysts hold, and what is their average tenure?
Low turnover and strong credentials indicate a mature operation. Look for analysts holding certifications like:
- Certified Information Systems Security Professional (CISSP)
- Global Information Assurance Certification (GIAC)
- GIAC Certified Incident Handler (GCIH)
Vague references to “experienced analysts” without specifics suggest weak hiring standards.
2. What is your customer-to-analyst ratio?
A provider with 50 analysts serving 200 customers delivers a different experience than one with 10 analysts covering 500. This number directly affects how much attention your environment receives.
3. Is your SOC staffed or on-call after hours, and which analyst tier operates the night shift?
Attackers frequently target off-hours windows, which means on-call response adds real lag to detection while active monitoring catches threats in seconds. But staffing the overnight shift is only part of the answer; the tier level of who operates it matters just as much. Junior analysts triaging alerts alone at 2 AM is a different capability than senior analysts with escalation authority.
4. Can you provide current customer references and arrange a SOC tour or live incident demo?
Sales presentations show you the best case. References and SOC tours show you the operational reality. Ask specifically for customers who experienced an active incident under the provider’s watch, and ask what recovery looked like, not just what was detected.
5. Can you walk through a real incident from detection through containment?
This request goes further than a reference call. Look for tight integration between detection, response, and forensics in the walkthrough. Handoffs between separate teams during the retelling suggest the same fragmentation will appear during a real event.
SLA and Response Authority
6. What are your documented MTTD and MTTR for the past 12 months, broken out by severity level?
Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are the clearest performance indicators available. Providers who cannot share historical aggregate data broken out by severity have no credible basis for the response time claims in their marketing.
7. How do you define “response time” in your SLA: acknowledgment, investigation start, or containment completion?
Providers define “response time” differently, and the contract will reflect whichever definition they prefer. Acknowledging an alert within 15 minutes means nothing if containment takes eight hours — pin down this definition before signing.
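To make Questions 6 and 7 concrete, the following added Python example (not from the article or from any provider) computes MTTD per severity and then MTTR under each of the three "response time" definitions the article names, over a constructed set of incident records. The same four incidents yield a 15-minute MTTR under the acknowledgment definition and an eight-hour MTTR for critical incidents under the containment definition, which is exactly the gap the contract wording has to close.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Incident:
    severity: str
    occurred: datetime             # attacker activity began (from forensics)
    detected: datetime             # provider's first alert
    acknowledged: datetime         # analyst acknowledged the alert
    investigation_start: datetime  # analyst began active investigation
    contained: datetime            # containment action completed

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample records, not real provider metrics.
INCIDENTS = [
    Incident("critical", _t("2024-03-01T14:00"), _t("2024-03-01T14:04"),
             _t("2024-03-01T14:14"), _t("2024-03-01T14:34"), _t("2024-03-01T22:04")),
    Incident("critical", _t("2024-03-09T02:00"), _t("2024-03-09T02:06"),
             _t("2024-03-09T02:26"), _t("2024-03-09T03:06"), _t("2024-03-09T10:06")),
    Incident("high", _t("2024-03-12T09:00"), _t("2024-03-12T09:30"),
             _t("2024-03-12T09:45"), _t("2024-03-12T10:30"), _t("2024-03-12T11:30")),
    Incident("high", _t("2024-03-20T16:00"), _t("2024-03-20T16:50"),
             _t("2024-03-20T17:05"), _t("2024-03-20T17:50"), _t("2024-03-20T18:50")),
]

# The three SLA definitions of "response" the article asks you to pin down.
RESPONSE_END = {
    "acknowledgment": lambda i: i.acknowledged,
    "investigation_start": lambda i: i.investigation_start,
    "containment": lambda i: i.contained,
}

def _mean_minutes_by_severity(incidents, start, end):
    """Average (end - start) in minutes, grouped by severity label."""
    groups = defaultdict(list)
    for i in incidents:
        groups[i.severity].append((end(i) - start(i)).total_seconds() / 60)
    return {sev: round(mean(v), 1) for sev, v in groups.items()}

def mttd_by_severity(incidents):
    """Mean Time to Detect: attacker activity began -> first alert."""
    return _mean_minutes_by_severity(incidents, lambda i: i.occurred, lambda i: i.detected)

def mttr_by_severity(incidents, definition):
    """Mean Time to Respond from first alert, under the chosen SLA definition."""
    return _mean_minutes_by_severity(incidents, lambda i: i.detected, RESPONSE_END[definition])
```

Ask the provider to produce the same breakdown from their own ticket data, and insist that the contract names which `RESPONSE_END` column the SLA clock stops on.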
8. What containment actions can you take automatically versus requiring our approval?
Providers requiring approval for every action create dangerous delays during active incidents. The real question is whether your MDR provider delivers active remediation or guided response. Define that boundary in the contract before signing. Time-sensitive containment actions like process termination and file quarantine can be pre-authorized. More disruptive interventions like network isolation or credential revocation should require your approval.
Technology and Integration
9. Do you require proprietary agents, or can you work with our current endpoint and security tools?
Providers requiring complete technology replacement create vendor lock-in and extend deployment timelines. Vendor-agnostic architecture lets you keep what already works while adding MDR capabilities.
10. Does your platform support multi-tenant management with client-level isolation?
For organizations managing multiple client environments, this is non-negotiable. You need a centralized portal with strict data segregation between tenants. Without it, operational complexity scales linearly with every new client.
11. Do you provide native PSA and RMM integrations, or will we rely on custom API connections?
Native integrations with professional services automation (PSA) tools and remote monitoring and management (RMM) platforms eliminate manual ticket creation and auto-sync alert data into existing workflows. Custom Application Programming Interface (API) connections require ongoing maintenance and introduce more points of failure.
Detection and Threat Hunting
12. How specifically do you use AI and machine learning in detection, and what human oversight exists?
Generic claims about AI detection are a red flag. Strong providers explain specific use cases: behavioral baselining, lateral movement correlation, false positive reduction through environmental tuning. Those specifics also reveal where the human layer sits — a provider who cannot tell you what AI handles versus what analysts escalate has not thought carefully about the handoff that determines whether a real threat gets caught.
13. How does your threat hunting program align with the MITRE ATT&CK framework?
Proactive, hypothesis-driven threat hunting catches what automated detection misses. Providers who map their hunting activities to specific MITRE ATT&CK techniques demonstrate structured methodology rather than ad-hoc searching.
Compliance and Data Security
14. What compliance certifications has your organization earned through third-party assessors?
A provider claiming to “support” your compliance is different from one that has earned its own SOC 2 Type II, ISO 27001, or Health Insurance Portability and Accountability Act (HIPAA) attestation through a third-party assessor. Ask for audit reports less than 12 months old and the name of the firm that issued them. Providers who cannot produce those documents are self-attesting, and self-attestation is not verification.
15. Does your service include compliance reporting, or is that out of scope?
Many MDR providers place compliance reporting outside the standard service definition. If you operate in a regulated industry or serve clients who do, confirm that the provider can generate audit-ready reports mapped to specific frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Payment Card Industry Data Security Standard (PCI DSS), or HIPAA.
16. Where is our security telemetry processed and stored?
Data residency matters for General Data Protection Regulation (GDPR) compliance and increasingly for cyber-insurance requirements. Strong providers map data flows explicitly and can confirm geographic storage locations along with which analysts access that data.
Pricing and Contracts
17. What is the maximum we could pay in a single month?
The play here is surfacing hidden costs. This one question reveals data overage charges, burst pricing, and incident-related cost spikes that flat quotes obscure. Many providers cap incident response hours by endpoint count, and a single major incident can exhaust a significant portion of the annual allocation.
18. Are incident response and forensic investigation included in base pricing or billed separately?
Providers charging extra for incident response, the core function of MDR, demonstrate misaligned incentives. A provider quoting a lower per-endpoint rate but billing separately for forensics may cost more over time than a higher all-inclusive price.
19. What are the termination terms, and what happens to our data if we leave?
Standard contracts often create asymmetry: no refund of prepaid fees for early termination, short notice periods for provider-initiated cancellation. The data portability question carries the same asymmetry. Before signing, confirm how your data gets exported, what format it comes in, and whether their proprietary structure would block a clean migration to another provider.
Reporting and Accountability
20. Do you offer real-time dashboards, and can reporting be customized for different stakeholders?
Providers offering only monthly PDF reports create information gaps that grow with the size of your environment. Multi-tenant operations compound the problem, and a single PDF covering all clients obscures per-client performance and makes it impossible to demonstrate value to individual accounts. The upshot is that reporting needs to serve at least two audiences: executive-level summaries for board and client conversations, and technical detail for the operational teams acting on the data.
21. Do you offer a breach warranty, and what exclusions apply?
Financial guarantees covering breach costs remain uncommon among MDR providers. If a warranty exists, scrutinize the exclusions around customer negligence, failure to patch, and policy violations, and review the claims process in detail before you need to use it.
How These Questions Fit a Broader Security Strategy
No MDR provider operates in isolation. The questions above evaluate what happens during an active attack, but strong security posture also depends on what happens before and after.
Before an attack, N‑able N‑central closes the attack surface by automating patch deployment across Microsoft and 100-plus third-party applications, running continuous vulnerability management, enforcing endpoint security policies at scale, and providing endpoint protection through integrated EDR powered by SentinelOne.
During an attack, Adlumin MDR/XDR runs 24/7 monitoring with behavioral AI that autonomously mitigates 90% of threats, with human SOC analysts handling active investigations and providing full transparency throughout. Adlumin Security Operation extends into the Before phase as well, covering vulnerability management, identity protection, dark web monitoring, and ransomware prevention.
After an attack, Cove Data Protection keeps the business running through cloud-native immutable backups, automated recovery testing, and flexible recovery options that scale from individual files to full bare-metal rebuilds. Cove also operates during an attack, with anomaly detection, honeypots, and critical configuration change notifications built in to surface threats before recovery becomes necessary.
That coverage is only as strong as the provider you choose to fill that role. Bottom line: the 21 questions above reveal whether a provider can actually deliver when it matters most. Pair your MDR evaluation with an honest look at your prevention and recovery capabilities, and you close the gaps attackers rely on. Contact us to see how an end‑to‑end cybersecurity approach from N‑able brings it all together.
Frequently Asked Questions
How many MDR providers should we evaluate before deciding?
Evaluating three to five providers gives enough variety to benchmark answers against each other. Fewer than three makes it difficult to spot which responses are standard and which are differentiated.
What is a reasonable timeline for an MDR evaluation and deployment?
Most evaluations take four to eight weeks when structured around a defined question set. Deployment timelines vary by provider, but platforms like Adlumin are built to start monitoring quickly, collecting logs and surfacing insights without extended onboarding cycles.
Can an MDR provider replace our need for internal security staff?
MDR eliminates the need to build and staff a full internal SOC, but your team still needs to own the vendor relationship, review reports, and make risk decisions. The monitoring gets outsourced; the accountability does not.
What is the difference between guided response and active remediation?
Guided response means the provider sends recommendations and expects your team to act. Active remediation means the provider isolates endpoints, disables compromised accounts, and blocks threats directly, giving you a resolution instead of a notification.
How often should we re-evaluate our MDR provider after signing?
Annual reviews against the original evaluation criteria keep the provider accountable. Track SLA performance data, MTTD and MTTR trends, and incident outcomes quarterly so the annual review is data-driven rather than anecdotal.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only, and its contents should not be construed as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability for the accuracy, completeness, or usefulness of the information contained herein.
N-ABLE, N-CENTRAL, and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law trademarks, registered trademarks, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.