Opsio - Cloud and AI Solutions

XDR vs MDR vs MSSP: Which Detection-and-Response Model Fits Your Threat Profile?

Reviewed by Opsio Engineering Team

Fredrik Karlsson, Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments.


Three acronyms, three procurement traps. XDR, MDR, and MSSP share enough vocabulary that vendor decks make them look interchangeable, and CISOs sign the wrong contract every quarter as a result. The differences are not subtle: one is a product, one is a 24x7 service, and one is a tier of monitoring that often does not include response. This article cuts the marketing fog and gives you a defensible procurement criterion based on threat profile, in-house SOC capacity, and the kind of incident you actually need to survive.

The Verizon DBIR 2024 reports a median dwell time of 10 days for ransomware intrusions and a median time-to-detect of 16 days across all breach types — most of that gap is between initial access and the first analyst touching the alert. Picking the right detection-and-response model is the single biggest lever you have on those numbers. Get it wrong and you are paying a premium for log retention while the adversary completes the kill chain.

What Each Model Actually Delivers

Strip away the marketing and the three models reduce to clear deliverables.

| Model | What you buy | Who hunts | Who responds | Typical SLA |
|---|---|---|---|---|
| XDR (Extended Detection and Response) | A correlation product across endpoint, identity, email, and cloud — CrowdStrike Falcon XDR, Microsoft Defender XDR, SentinelOne Singularity, Palo Alto Cortex XDR | Your SOC | Your SOC | Vendor support SLA only |
| MDR (Managed Detection and Response) | 24x7 SOC-as-a-service operating an XDR/SIEM stack on your behalf, with active threat hunting and remote response | Provider hunters | Provider responders, with your authorisation | 15-minute MTTA, 1-hour MTTD on tier-1 alerts |
| MSSP (Managed Security Services Provider) | Log monitoring, alert triage, ticketing, sometimes basic IR — historically built around SIEM operation | Mostly automation; analysts triage | Often hand-off to customer or third-party IR | Alert acknowledgement only, no active containment |

The cleanest test is the response column. If the contract requires you to authorise containment in writing for every action, you have an MSSP. If the provider is contractually empowered to isolate a host, kill a session, or revoke a token at 02:14 on a Sunday and produce the audit trail Monday morning, you have MDR. XDR alone, without a service wrapped around it, is a product — somebody on your payroll still has to sit in front of it.

The Threat Profile Match-Up

Threat profile drives the model. The question is not "what is the best model" but "what attacks land on my industry, and which model contains them inside the dwell-time window I can survive?"

  • Commodity ransomware exposure (LockBit, Akira, RansomHub, Play, BlackBasta affiliates) — initial access typically via T1133 External Remote Services or T1078 Valid Accounts, full kill chain in under 24 hours. MDR is non-negotiable. The Mandiant M-Trends 2024 figure of 5 days median ransomware dwell time is faster than any humanly-staffed business-hours SOC can react to. You need 24x7 active response.
  • Targeted financial fraud / business email compromise — token theft (T1539 Steal Web Session Cookie), AiTM phishing kits, OAuth consent abuse. Identity-centric MDR with email-and-collab telemetry covered. XDR alone misses the social-engineering signal; MSSP usually misses the live-token replay.
  • Nation-state targeting / regulated critical infrastructure — extended dwell, low signal-to-noise, T1078.004 cloud-account abuse. MDR augmented by retainer-based penetration testing and threat intelligence. Some operators run XDR plus an in-house SOC of 8+ analysts; few have that staffing.
  • Insider risk / data exfiltration — UEBA-led detection, DLP integration. MDR with explicit insider-risk runbooks, often paired with Microsoft Purview or Varonis on the data side.

If you are below the 1,500-endpoint mark with no full-time SOC analysts, MDR is almost always the correct buy. The break-even for an in-house 24x7 SOC sits around 6 FTE blue-team analysts plus a SOC manager, which prices in at roughly $1.2M-$1.6M/year fully loaded — well above the cost of MDR for organisations under 5,000 endpoints.

Why MSSP Is Increasingly the Wrong Default

The MSSP model was designed for a 2010-era SOC where the deliverable was log retention plus alert triage on a SIEM the customer also owned. That deliverable does not stop modern intrusions. By the time an MSSP has correlated the SIEM event, opened the ticket, and emailed the customer's IT operations, LockBit has finished encrypting. The Verizon DBIR 2024 finding that 32% of breaches involve ransomware or extortion underlines the problem — these are not "investigate within 4 business hours" attacks.

The honest split is that most legacy MSSPs have rebadged themselves as MDR by adding a CrowdStrike or SentinelOne EDR feed and an active-response addendum. Read the addendum carefully. Is the provider authorised to isolate a host without customer approval during a confirmed ransomware event? If the answer is "no, customer must approve in writing", you are still buying MSSP-grade response.

The XDR Stack Underneath

Whether you buy MDR or run your own SOC, the XDR engine matters. The 2026 leaders consolidate by ecosystem.

  • Microsoft Defender XDR + Sentinel — strongest pick for Microsoft 365 / Azure-heavy estates. Native identity (Entra ID Protection), email (Defender for Office 365), endpoint (Defender for Endpoint), and cloud (Defender for Cloud) feeds correlate in one schema. KQL is the query language across the stack — see our Azure Sentinel managed service for the operating model.
  • CrowdStrike Falcon Insight XDR — endpoint-led with strong identity (Falcon Identity Protection) and cloud (Falcon Cloud Security) modules. Best-in-class endpoint telemetry, the dominant choice in finance and pharma.
  • SentinelOne Singularity XDR — autonomous response on endpoint, growing identity and cloud coverage via the PingSafe and Attivo acquisitions.
  • Palo Alto Cortex XDR / XSIAM — strong network and cloud telemetry given the firewall and Prisma footprint; XSIAM ingests SIEM-grade volume natively.
  • Open-stack alternatives — Elastic Security, Wazuh, plus a SIEM (Splunk Enterprise Security or Elastic). Lower licence cost, much higher engineering investment to reach the parity that the named-vendor XDRs ship out of the box.

Detection Logic: The Same KQL Either Way

Whichever model you pick, the detection logic is your asset, not the vendor's. The same Microsoft Sentinel KQL that hunts T1078.004 (Valid Accounts: Cloud Accounts) runs identically whether your SOC or an MDR's SOC operates it.

// Impossible-travel sign-ins followed by mailbox-rule creation (BEC pattern)
let lookback = 24h;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful sign-ins only
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize Countries = make_set(Country), Cities = make_set(tostring(LocationDetails.city))
    by UserPrincipalName = tolower(UserPrincipalName), bin(TimeGenerated, 1h)
| where array_length(Countries) > 1                // more than one country inside the same hour
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(lookback)          // bound the right side too, or the join scans the whole table
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | where Parameters has_any ("DeleteMessage", "MarkAsRead", "MoveToFolder")
    | extend UserPrincipalName = tolower(UserId)   // OfficeActivity keys on UserId; KQL joins are case-sensitive
) on UserPrincipalName
| where TimeGenerated1 >= TimeGenerated            // the inbox rule must come after the anomalous sign-in hour
| project SigninHour = TimeGenerated, RuleCreated = TimeGenerated1, UserPrincipalName, Countries, Cities, Operation, Parameters

Portability of the KQL — and the equivalent Splunk SPL — is the lock-in test. If the MDR's "secret sauce" detections do not export into rules you own, you are renting your detection programme. Mature MDRs publish their detection content in CI/CD repositories and version every rule against ATT&CK technique IDs.
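As an added example (not part of the article, and not any provider's tooling), the following Python applies the portability test to a rule export: it reads Sigma-style rule metadata, flags rules that carry no exportable query or no ATT&CK technique tag, and builds the technique-to-telemetry coverage matrix the RFP checklist asks for. The rule set, the technique list and the field layout are constructed for illustration; the required techniques are the ones named in the threat-profile section above.

```python
import re
from collections import defaultdict

# Constructed sample: Sigma-style rule metadata as a provider might export it on
# contract termination. Field names follow the Sigma rule format; the values are made up.
RULES = [
    {"title": "Impossible travel then inbox rule", "tags": ["attack.t1078.004", "attack.t1564.008"],
     "logsource": {"product": "m365", "service": "signinlogs"}, "query": {"kql": "SigninLogs | ..."}},
    {"title": "Session cookie replay from new ASN", "tags": ["attack.t1539"],
     "logsource": {"product": "m365", "service": "officeactivity"}, "query": {"kql": "OfficeActivity | ..."}},
    {"title": "RDP from internet-facing host", "tags": ["attack.t1133"],
     "logsource": {"product": "windows", "service": "security"}, "query": {"spl": "index=wineventlog ..."}},
    {"title": "Vendor proprietary analytic", "tags": [],        # untagged and not exportable
     "logsource": {}, "query": {"proprietary": "opaque-id-42"}},
]

# Techniques named in the threat-profile section of the article.
REQUIRED_TECHNIQUES = {"T1133", "T1078", "T1078.004", "T1539"}
PORTABLE_FORMATS = {"kql", "spl", "sigma"}
TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

def technique_ids(rule):
    """Normalised ATT&CK technique IDs (e.g. 'T1078.004') from Sigma-style tags."""
    return {m.group(1).upper() for tag in rule.get("tags", []) if (m := TECH_RE.match(tag))}

def coverage_matrix(rules):
    """technique -> [(rule title, telemetry source)] for every rule that claims it."""
    matrix = defaultdict(list)
    for rule in rules:
        src = rule.get("logsource", {})
        telemetry = "/".join(src[k] for k in ("product", "service") if k in src) or "UNKNOWN"
        for tid in sorted(technique_ids(rule)):
            matrix[tid].append((rule["title"], telemetry))
    return dict(matrix)

def portability_findings(rules):
    """Rules that would not survive a provider change: no exportable query or no technique tag."""
    findings = []
    for rule in rules:
        if not PORTABLE_FORMATS & set(rule.get("query", {})):
            findings.append((rule["title"], "no portable query format"))
        if not technique_ids(rule):
            findings.append((rule["title"], "no ATT&CK technique tag"))
    return findings

def coverage_gaps(rules, required=REQUIRED_TECHNIQUES):
    """Required techniques with no rule claiming them. A sub-technique rule is not counted
    as covering its parent, so T1078 and T1078.004 are assessed separately."""
    return sorted(required - set(coverage_matrix(rules)))
```

On the sample set the only gap is the parent technique T1078: the provider covers cloud-account abuse but nothing for on-premises valid-account misuse, which is exactly the kind of claim a coverage matrix should surface.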

Cost Comparison That Holds Up

Pricing is opaque on purpose, but the public-floor numbers are stable enough to plan against.

  • Tier-1 MDR (CrowdStrike Falcon Complete, Arctic Wolf, Red Canary, eSentire, Sophos MDR Complete) — $5-15 per endpoint per month including XDR licences. Identity (IDR) modules add $50-100 per identity per month at the high end (Mimecast, Abnormal, Microsoft Defender for Identity).
  • MSSP — $3-8 per log source per month plus SIEM licence. Cheaper per unit, but you pay separately for IR retainer ($10K-$50K/year minimums) when the alert turns into an incident.
  • In-house SOC + XDR — XDR licence at $4-9 per endpoint per month, plus 6 FTE analysts at fully-loaded $180K-$240K each. Break-even versus MDR sits at roughly 5,000-7,000 endpoints in most Nordic and EU markets.

The cheapest contract is rarely the cheapest outcome. A LockBit affiliate that completes encryption costs an average of $4.91M in IBM's 2024 Cost of a Data Breach Report. An MDR that contains the intrusion at the staging stage saves the breach. The marginal $40K/year between MSSP and MDR is irrelevant against the seven-figure delta.

Procurement Criteria That Survive the RFP

When evaluating, hold every provider to the same checklist:

  1. Mean time to acknowledge (MTTA), mean time to detect (MTTD), mean time to respond (MTTR) — backed by attestation from the last 12 months, broken down by alert tier.
  2. Active-response authority in writing, including isolate-host, disable-account, and revoke-token without customer approval during a declared P1.
  3. Detection content portability — rules exported in Sigma, KQL, or SPL on contract termination.
  4. ATT&CK coverage matrix — which techniques the provider claims coverage for, and the telemetry source for each.
  5. Threat hunt cadence and deliverable — typically 1 hunt per fortnight with a written report, not just "we run hunts continuously."
  6. IR retainer minimum hours and on-site response window — 24-hour SLA is industry standard; 4-hour exists for premium tiers.
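As an added example (not part of the article), the following Python computes the MTTA, MTTD and MTTR figures from criterion 1 per alert tier from a provider's ticket export and checks each tier-1 ticket against the 15-minute MTTA and 1-hour MTTR figures quoted earlier. The ticket records and their field names are constructed for illustration; the point it demonstrates is that a tier mean can meet the SLA while individual incidents breach it.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample ticket export (UTC, ISO-8601; all values made up).
# first_activity = earliest attacker activity the investigation established,
# alerted = alert raised, acknowledged = analyst took the alert, contained = response action done.
TICKETS = [
    {"id": "INC-1", "tier": 1, "first_activity": "2024-05-12T02:00:00", "alerted": "2024-05-12T02:06:00",
     "acknowledged": "2024-05-12T02:14:00", "contained": "2024-05-12T02:50:00"},
    {"id": "INC-2", "tier": 1, "first_activity": "2024-05-13T11:30:00", "alerted": "2024-05-13T11:40:00",
     "acknowledged": "2024-05-13T12:02:00", "contained": "2024-05-13T13:10:00"},
    {"id": "INC-3", "tier": 2, "first_activity": "2024-05-14T08:00:00", "alerted": "2024-05-14T09:00:00",
     "acknowledged": "2024-05-14T09:45:00", "contained": None},  # still open
]

# Tier-1 figures quoted in the article (15-minute MTTA, 1-hour MTTR).
SLA_TIER1 = {"mtta": timedelta(minutes=15), "mttr": timedelta(hours=1)}

def ticket_metrics(t):
    """Durations for one ticket: detect (first activity -> alert), acknowledge (alert -> ack),
    respond (alert -> containment; None while the incident is still open)."""
    first, alerted, ack = (datetime.fromisoformat(t[k]) for k in ("first_activity", "alerted", "acknowledged"))
    contained = datetime.fromisoformat(t["contained"]) if t["contained"] else None
    return {"mttd": alerted - first, "mtta": ack - alerted, "mttr": contained - alerted if contained else None}

def _mean_td(deltas):
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))

def metrics_by_tier(tickets):
    """Mean MTTD/MTTA/MTTR per tier. Open incidents count toward MTTD and MTTA but not MTTR,
    so the open count is reported alongside to stop a provider hiding them."""
    out = {}
    for tier in sorted({t["tier"] for t in tickets}):
        rows = [ticket_metrics(t) for t in tickets if t["tier"] == tier]
        closed = [r["mttr"] for r in rows if r["mttr"] is not None]
        out[tier] = {"mttd": _mean_td(r["mttd"] for r in rows), "mtta": _mean_td(r["mtta"] for r in rows),
                     "mttr": _mean_td(closed) if closed else None, "open": len(rows) - len(closed)}
    return out

def tier1_sla_breaches(tickets, sla=SLA_TIER1):
    """Tier-1 tickets whose own MTTA or MTTR exceeded the contracted figure: a tier mean
    that meets the SLA can still hide the 02:14-on-a-Sunday outlier."""
    breaches = []
    for t in (t for t in tickets if t["tier"] == 1):
        m = ticket_metrics(t)
        breaches += [(t["id"], k, m[k]) for k in ("mtta", "mttr") if m[k] is not None and m[k] > sla[k]]
    return breaches
```

On the sample data tier-1 MTTA averages exactly 15 minutes, yet INC-2 breaches both MTTA and MTTR, which is why the checklist asks for attestation broken down by tier and, ideally, per incident.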

How Opsio Helps

Opsio's managed detection and response services deliver 24x7 SOC operations on Microsoft Defender XDR, Microsoft Sentinel, and CrowdStrike Falcon, with active response authority, detection content you own, and an attested ATT&CK coverage matrix you can audit. We integrate the MDR layer with SOC operations for customers who want a hybrid in-house plus managed model. Engagements typically reach 15-minute MTTA and 1-hour MTTR on tier-1 alerts within 60 days of onboarding, with detection coverage mapped to the ATT&CK techniques most relevant to the customer's industry.

About the Author

Fredrik Karlsson

Group COO & CISO

Fredrik is the Group Chief Operating Officer and Chief Information Security Officer at Opsio. He focuses on operational excellence, governance, and information security, working closely with delivery and leadership teams to align technology, risk, and business outcomes in complex IT environments. He leads Opsio's security practice including SOC services, penetration testing, and compliance frameworks.

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.