When evaluating a Managed Detection and Response (MDR) provider, many organisations focus on the wrong question.
They often compare services based on headline price, log ingestion limits or whether a provider includes a SIEM platform. Yet none of those measures tells you how much risk the service will actually reduce.
A better question to ask is: how many of your security blind spots does the provider help eliminate?
That may sound like an unusual way to assess MDR, but it reflects a simple reality. Every security control has weaknesses, and every organisation has visibility gaps. The challenge is not finding a perfect control. It is building enough layers of visibility and detection to prevent those gaps from aligning.
A useful way to think about this comes from an unlikely place: Swiss cheese.
The Swiss Cheese model has long been used in safety-critical industries to explain how failures happen. Each slice represents a control layer and each hole represents a weakness. No individual safeguard is perfect – risk is reduced when multiple layers work together, making it far harder for those weaknesses to align.
The same logic applies directly to cyber security.
In an MDR environment, every source of telemetry provides a different perspective on attacker activity. Endpoint telemetry may reveal malware execution on a managed device. Email logs may expose phishing campaigns or suspicious mailbox activity. Identity systems may highlight privilege abuse. Network telemetry may uncover lateral movement or command-and-control traffic.
The fact is that no single source sees everything, and every layer has blind spots.
That matters because attackers rarely operate within a single domain. They move between identities, endpoints, cloud environments and networks, looking for the gaps that security teams cannot see. The greatest risk is often not the threat an organisation detects, but the activity occurring in the visibility gaps between controls.
This is why MDR buyers should think carefully about coverage rather than simply comparing service features or headline pricing. The question is not whether a provider includes a SIEM or supports a particular log source. It should be whether the service delivers the visibility required to detect real-world attack paths across the environment.
A serious evaluation should begin with the assets that matter most. Group systems logically, identify where business risk sits and consider how an attacker would move through the environment. That threat model should shape the MDR design, not the other way around.
From there, assess providers on the things that affect outcomes: detection quality rather than detection count, signal-to-noise ratio, implementation effort, tuning overhead and the ability to identify meaningful threats without overwhelming analysts with alerts.
A service that generates more alerts does not necessarily provide more security. In many cases, the opposite is true. The best MDR providers are those that consistently convert visibility into meaningful detections and actionable outcomes.
The Swiss Cheese model is a timely reminder that good security is built in layers, and that every missing layer creates an opportunity for risk to pass through. That's why MDR buyers should focus less on individual product features and more on the strength of the overall defensive coverage being delivered across the assets, threats and operational realities that matter to the business.