Security leaders often assume that once they’ve invested in managed detection and response (MDR) services, the hardest parts of breach detection and response are behind them. Alerts are monitored. Playbooks exist. Someone is watching the environment 24/7.

Then, they have a security incident. It escalates quickly. And the response feels less coordinated than expected.

We recently published Best Practices For MDR To IR Handoffs to address a reality many CISOs only encounter during a live incident: the most fragile moment in breach response is often the transition from MDR to incident response (IR). That handoff is where organizations can lose time, context, decision clarity, and sometimes legal protection, even when their MDR provider is doing exactly what it was hired to do.

MDR And IR Solve Different Problems By Design

MDR and IR are complementary, but they are not interchangeable.

MDR teams are optimized for continuity and speed. They triage alerts, apply playbooks, and maintain visibility across complex environments. Many MDR providers are very clear about this role and work effectively alongside IR firms when escalation is required.

IR teams, by contrast, are built for depth and consequence. They focus on forensic investigation, evidence preservation, executive decision support, and coordination with legal counsel, insurers, regulators, and communications teams.

Issues arise when organizations expect MDR providers to seamlessly become IR providers mid-incident, or when providers blur those lines themselves. Some MDR providers market “IR-like” capabilities without fully accounting for the legal, procedural, and governance shifts that occur once an incident becomes a breach. Others are explicit about where MDR ends and where IR must begin. The difference matters.

Even Well-Intentioned Transitions Still Break Down

In our research, security leaders consistently described similar friction points during escalations, often because escalation thresholds weren’t clearly defined in advance. Teams disagreed on when an incident crossed into breach territory. Roles blurred once IR firms, legal counsel, and insurers became involved. CISOs often found themselves acting as translators between MDR analysts, IR commanders, and executives instead of leading decision-making.

None of this implies MDR failure. In fact, many MDR providers handle detection, containment, and early response exactly as designed. The problem is that IR plans and playbooks don’t take into account the moment when authority, scope, and legal posture must shift.

The Legal Line That Changes Everything

Legal protection is one of the most commonly overlooked issues in MDR-to-IR transitions.

Many organizations assume that all analysis performed during an incident is protected by attorney-client privilege. In reality, attorney-client privilege often attaches only once IR services are formally engaged under the appropriate structure, typically a tri-party agreement. Activity that occurs before or outside that boundary can later become discoverable, even if it was technically sound and operationally necessary at the time.

What Effective Organizations Clarify Before An Incident

The organizations that manage breaches most effectively are not the ones with the most tools or the most aggressive MDR contracts. They are the ones that have already aligned expectations, internally and with providers, before escalation ever happens. They know who has authority to escalate and declare a breach; when MDR responsibilities shift and IR takes the lead; what evidence must be preserved and how it is transferred; and how legal counsel is engaged and when leadership involvement changes. This clarity reduces friction, protects optionality, and allows MDR providers and IR teams to operate in their respective strengths instead of stepping on each other’s toes and wasting precious time.

If you assume your MDR and IR investments automatically carry you through a full breach response, now is the time to pressure-test that assumption with your providers.

Forrester clients can download Best Practices For MDR To IR Handoffs and Forrester’s Incident Severity Matrix Template and schedule a Guidance Session to evaluate whether their current operating model will hold up under real escalation pressure.