Managed detection and response (MDR) — without a doubt — has successfully claimed the crown of all managed security services for making and keeping clients happy. Clients are far happier with MDR services than they ever were with legacy managed security service provider (MSSP)-style security services.

MDR vendors have higher customer retention, wallet retention, growth, and margin compared to their MSSP predecessors. Now that MDR is an established market beginning to struggle with services bloat, the next set of choices for providers and customers is on the horizon (and in the pitch deck). That’s why it’s important for buyers and users of MDR services to understand the direction of the provider they work with and which services will deliver value in the near and long term.

We recently published a new report, Choose Your Own MDR Adventure Amid Ever-Expanding Services, to guide security buyers through the available options and help them make informed investment decisions for their security services.

For this research, we surveyed and spoke with MDR providers, buyers, and users to identify which services augmented MDR, which ones made sense to “sole source,” and which services were designed to please investors and shareholders … but not customers.

We classified what service providers offer — or plan to offer — into three categories:

  1. Adjacent MDR services destined to disrupt
  2. Adjacent MDR services destined to distract
  3. Adjacent MDR services destined to self-destruct

Read on to learn about each of these.

Adjacent MDR Services Destined To Disrupt

These services naturally augment MDR. Incentives align with these services by making the service delivery experience better for users and providers. Two of the services we put in this category are automation and exposure management.

The benefits of automation are obvious: More automation equals more throughput, more bandwidth to focus on things that matter, and service delivery scale for providers. The key here is that providers are helping their clients automate, not just demanding that they automate.

Exposure management gives much-needed context about the technology estate, detection surface, and attack surface for providers and their customers. Services in this area can help improve — and demonstrate — overall security posture across the service, driving real benefit for clients.

Adjacent MDR Services Destined To Distract

These services “fit” with MDR by seemingly producing value but, in reality, deliver less value due to scope limitations inherent in the service or in the relationship with the client. In other words, the MDR provider lacks enough visibility, context, information, and permission to drive meaningful change. It’s not that these services are bad, per se; it’s that they require significantly more effort from all parties involved to produce valuable outcomes. Two of the services we list in this category are risk dashboards and legacy vulnerability risk management.

Risk dashboards (not posture dashboards) are the application of video game-style microtransactions to cybersecurity to make the “line go up” (or down). These services give you an abstracted “risk score” based on your current environment that you can improve. This is often accomplished through purchasing additional features and functions of your existing products or services. These dashboards don’t so much track how much risk you’ve reduced as give a visual representation of how much your spending has increased with this provider.

Vulnerability risk management (aka managed vulnerability scanning) is an MSSP oldie but goodie. It was often the next service purchased by MSSP clients one year into the relationship. The problem with this service is that confirmation of successfully executed scans is already available through vulnerability risk management platforms. Additionally, API integrations bring in scanning data to MDR providers without you paying more for a special service dedicated to it, especially when you don’t control patching. This is as close to the old-school “alert factory” services of MSSPs as you can get, unfortunately.

Adjacent MDR Services Destined To Self-Destruct

The final category includes services that fail to complement MDR in meaningful ways by trying to be all things to all clients. One challenge that MSSPs faced is they became a “portfolio vendor” of a bunch of services that didn’t have much to do with each other.

Security teams run identity and access management technologies and manage firewalls. But doing one doesn’t necessarily make the other better. MSSPs went to market with this approach, and some MDR providers are now making that same mistake, creating a mishmash of semi-related services that fail to improve, or even coexist with, one another. Two of the services we identified in this category are virtual CISOs and security engineering (managed firewall).

A virtual CISO offering doesn’t make sense, as CISOs are a target buyer for MDR and most CISOs aren’t terribly interested in hiring their replacement. As a result, these services are primarily aimed at small organizations or those without a dedicated security team. In those scenarios, a virtual CISO may make sense. Otherwise, virtual CISOs lack all the things a CISO needs to be effective: constant communication, relationships, and a fundamental understanding of the political environment with senior leadership in a company. This service simply doesn’t make the core functions of detection and response better, and those functions are why people buy MDR.

Security engineering — aka managed firewall — does perform tasks such as blocking command-and-control communications to stop malware beaconing or data exfiltration. But the same can be done via integrations, APIs, and automation. Security doesn’t need to perform “managed change control” on these devices to accomplish those activities.

In a world of Zero Trust, secure access service edge, and Zero Trust network access, you can work with providers that really understand networking to manage these devices. But those providers often don’t have expertise in detection and response, and if they do, their service delivery organizations aren’t integrated well enough to deliver meaningful improvements in each service. If you need a great router person, go to a telecom. If you need a great detection and response person, go to an MDR provider.

To see the other two services in each category, read the full report, Choose Your Own MDR Adventure Amid Ever-Expanding Services. Forrester clients can schedule a guidance or inquiry session to discuss the topic in more detail.