Reference / 2026
What is included in an MDR service: deliverables and SLAs
A full breakdown of what MDR vendors actually deliver, with SLA benchmarks across the six major providers, what's not included at the base tier, and the questions you should ask before you sign.
Technology
Platform deliverables
- EDR or XDR agent. Deployed and managed on every in-scope endpoint. Vendor-specific (Falcon for CrowdStrike, Singularity for SentinelOne, Sophos Endpoint for Sophos MDR) or sometimes layered on existing tooling (Expel).
- SIEM or log aggregation. Most MDR services include log ingestion from the EDR platform plus key cloud and identity sources. Capacity is tier-limited; overages apply above the cap.
- Threat intelligence integration. Provider's own threat feeds plus commercial intel licensed by the vendor. You don't pay for separate intel feeds when MDR is in place.
- Vulnerability monitoring. Identification of high-risk vulnerabilities on monitored endpoints. Remediation is your responsibility unless you buy a separate managed risk add-on.
- Cloud telemetry. Standard at most vendors at higher tiers: AWS, Azure, GCP. Endpoint-only base tiers usually exclude this.
- Identity and email coverage. Tier-dependent. Microsoft 365, Google Workspace, Okta integrations are common at mid-tier and above.
People and process
Service deliverables
- 24x7 SOC monitoring. Provider's analysts watching alerts around the clock. Standard across all major MDR services.
- Alert triage. False positive filtering, prioritisation, and contextualisation before alerts reach your team. The single most valuable service the provider delivers.
- Threat hunting. Proactive search for adversary behaviour beyond signature-based detection. Depth varies by vendor and tier.
- Incident notification. Defined SLA for alerting your team when a confirmed incident is identified.
- Containment actions. Tier-dependent. Some MDRs take action on your behalf (delegated authority); others recommend and wait for your sign-off.
- Incident response guidance. Runbooks, playbooks, and analyst-led investigation support during active incidents.
Reporting
Documentation deliverables
- Monthly executive reports. Threat landscape, incident summary, trend analysis, posture recommendations.
- Incident reports. Detailed write-up of each significant incident with timeline, response actions, and lessons learned.
- Quarterly business reviews (QBRs). Mid-tier and above. Strategic conversation about programme effectiveness with named analysts.
- Compliance evidence packages. Reporting templated to satisfy SOC 2, ISO 27001, PCI DSS, HIPAA audit requirements.
- Cyber insurance documentation. Reports formatted for cyber insurance renewals and underwriting reviews.
SLA comparison
Response time across major MDR vendors
| Vendor | Standard SLA | Premium SLA | Containment authority |
|---|---|---|---|
| CrowdStrike Falcon Complete | 1 hour | 15 min | Default delegated |
| Arctic Wolf | 4 hours | 1 hour | Tiered |
| SentinelOne Vigilance | 4 hours | 30 min | Tiered |
| Sophos MDR Essentials | 8 hours | N/A | Notify only |
| Sophos MDR Complete | 1 hour | N/A | Full active |
| Huntress | Same-day | N/A | Notify + recommend |
| Expel | 4 hours | 1 hour | Tiered |
SLA speed correlates strongly with price. Halving the response time typically adds 30-70% to the contract. Most mid-market deployments land at a 4-hour SLA, which balances cost against meaningful detection-to-containment timing for the threats SMBs and mid-market organisations actually face.
Tier-by-tier inclusion
What's at base tier vs what costs extra
| Capability | Base tier | Costs extra |
|---|---|---|
| 24x7 monitoring | Yes | No |
| Endpoint detection | Yes | No |
| Cloud workload monitoring | Sometimes | Often add-on |
| Email and identity coverage | Tier-dependent | Often add-on |
| Active containment | Tier-dependent | Higher tiers |
| Full forensic IR | No | Retainer required |
| Vulnerability remediation | No | Managed risk add-on |
| Penetration testing | No | Separate engagement |
| Security awareness training | Huntress includes | Add-on or separate |
What is NOT included
Common gaps to plan for separately
- Vulnerability remediation. MDR identifies vulnerabilities; you patch them. Some vendors offer Managed Risk add-ons for an additional 20-40% on the base price.
- Penetration testing. Always a separate engagement, typically $15K-$80K depending on scope.
- Full forensic incident response. Beyond initial containment, deep forensic work is a separate retainer at $250-$400/hour.
- Network security infrastructure. Firewalls, VPN, DDoS protection are separate.
- Application security testing. Static analysis, dynamic testing, code review are separate.
- GRC platform and audit support. MDR provides reporting; turning that into compliance evidence and audit response is your work.
- Identity and access management. SSO, MFA platform, privileged access management are separate.
Pre-signing checklist
Questions to ask before you sign
- What is the response SLA in writing, and what happens if you miss it?
- What level of containment authority will the analysts have on my environment?
- What's the log volume cap and what's the per-GB overage rate above it?
- What's covered as "MDR investigation" vs what triggers the IR retainer?
- What integrations are included, and which require a separate professional services engagement?
- What's the annual price escalation and can it be capped at CPI?
- What documentation will I receive that maps to my compliance frameworks?
- What's the path to renewal, and what's the right to terminate for cause?
- Who's my named point of contact, and how often do we meet?
- What's included for cloud, email, and identity coverage at this tier?
Get the answers in writing
Disclaimer
MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor. Pricing data is compiled from public sources, partner channels, Vendr transaction data, and verified buyer reports. Always request a direct quote for your environment.