How can you tell if your MDR provider is actually watching, or just logging?

Detection & Response

You can tell whether your managed detection and response service is actually watching by asking one question: if a confirmed intrusion happened at 2 a.m. on a Sunday, would a human being contact you before Monday morning? A real MDR detects, triages, and escalates around the clock. A log collector quietly stores the evidence so someone can find it later, usually after the damage is done. The five signs below separate the two.

Watching versus logging: why the distinction is expensive

Almost every security tool produces logs. Endpoint agents, firewalls, identity providers, and cloud platforms all generate telemetry. Collecting that telemetry into one place is useful, but collection is not detection. The gap between "the data was captured" and "a person saw it and acted" is where breaches live.

The numbers make the cost concrete. IBM's 2024 Cost of a Data Breach Report found that organizations took an average of 194 days to identify a breach and another 64 days to contain it, a 258-day lifecycle (IBM, Cost of a Data Breach Report 2024). Mandiant's frontline data tells the same story from a different angle: even with global median dwell time down to 10 days, roughly half of organizations still learned they were compromised from an outside party rather than detecting it themselves (Mandiant, M-Trends 2024). When an outsider tells you first, your logs were working and your watching was not.

Sign 1: A median detection-to-notification time you can actually see

A real MDR measures the interval between a confirmed detection and the moment a human notifies you, and it will tell you that number. Ask for the median minutes-to-notification for the last quarter. If the provider cannot produce it, or answers with the speed of their dashboard refresh rather than the speed of a human picking up the phone, you are paying for storage. The metric that matters is people-to-people, not machine-to-screen.

Sign 2: Detections get better, not just more

Detection content is software, and software needs maintenance. A watched service tunes rules to your environment: it suppresses the benign weekly job that fires an alert every Tuesday, writes new detections for the line-of-business application you just adopted, and retires content that no longer earns its keep. A logging service ships the vendor's default rule set and never touches it. The symptom of an untuned service is alert fatigue: hundreds of low-value notifications that train your team to ignore the one that mattered. If your provider cannot describe a specific detection they tuned for you in the last 90 days, no one is engineering your detections.

Sign 3: Humans escalate, and they are allowed to act

Watching implies a watcher. Ask who is staffing the service at 3 a.m. on a holiday weekend, because attackers deliberately choose those windows. Then ask the harder question: what is the provider contractually permitted to do on your behalf when they find something? There is a meaningful difference between a service that emails you an alert and waits, and one authorized to isolate an endpoint, disable a compromised account, or block a malicious process while you sleep. Response authority, written into the contract, is the line between detection and detection-and-response. CISA's ransomware guidance is built around the assumption that containment happens in the first hours, not the first business day (CISA, #StopRansomware Guide).

Sign 4: Detection coverage is mapped, not assumed

A serious provider can show you which adversary behaviors they can detect and which they cannot. The industry standard for this is the MITRE ATT&CK framework, a public catalog of the tactics and techniques attackers use (MITRE ATT&CK). A watched MDR maps its detection content to ATT&CK techniques and can tell you, for example, that it has strong coverage for credential dumping and lateral movement but limited visibility into a particular cloud-persistence technique. That honesty is a feature. A logging service treats coverage as a marketing claim ("we monitor everything") because no one has actually measured it. "We monitor everything" is the answer of a provider who monitors nothing in particular.

Sign 5: They prove what they did

Watching produces a record. A real MDR sends a monthly report that states how many alerts were triaged, how many were escalated to you, how many were closed as benign, and what actions were taken. That report is operational evidence, not a vanity dashboard of green checkmarks. It answers "what did you do for me last month" with specifics. A logging service produces volume metrics ("4.2 million events ingested") that prove the pipe is full and say nothing about whether anyone looked.
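To make Sign 1 and Sign 5 concrete, the following added example (not code from the original article or from any provider) computes the two pieces of evidence a watched service should be able to hand over: the median minutes from a confirmed detection to a human notification, and the monthly triage counts. The Alert record shape, the sample rows and the disposition labels are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Alert:
    # Constructed record shape; a real provider's export will differ.
    alert_id: str
    detected_at: datetime             # when the detection was confirmed
    notified_at: Optional[datetime]   # when a human told the customer; None if nobody did
    disposition: str                  # "escalated", "benign" or "open" (never triaged)
    action: Optional[str] = None      # containment action taken, if any


def minutes_to_notification(alerts):
    """Sign 1: median minutes from confirmed detection to human notification.
    Alerts nobody notified are excluded here and surfaced by monthly_evidence
    instead, because an untouched alert is the 'logging, not watching' tell."""
    deltas = [(a.notified_at - a.detected_at).total_seconds() / 60
              for a in alerts if a.notified_at is not None]
    return median(deltas) if deltas else None


def monthly_evidence(alerts):
    """Sign 5: the operational counts a monthly MDR report should state."""
    return {
        "triaged": sum(1 for a in alerts if a.disposition != "open"),
        "escalated": sum(1 for a in alerts if a.disposition == "escalated"),
        "closed_benign": sum(1 for a in alerts if a.disposition == "benign"),
        "actions_taken": sum(1 for a in alerts if a.action),
        "never_touched": sum(1 for a in alerts if a.disposition == "open"),
    }


# Constructed sample alerts for one month (not real data).
SAMPLE = [
    Alert("a1", datetime(2025, 3, 2, 2, 5), datetime(2025, 3, 2, 2, 17), "escalated", "isolate_endpoint"),
    Alert("a2", datetime(2025, 3, 4, 14, 0), datetime(2025, 3, 4, 14, 9), "benign"),
    Alert("a3", datetime(2025, 3, 9, 3, 30), datetime(2025, 3, 9, 4, 10), "escalated", "disable_account"),
    Alert("a4", datetime(2025, 3, 15, 23, 50), None, "open"),
]

if __name__ == "__main__":
    print("median minutes to human notification:", minutes_to_notification(SAMPLE))
    print("monthly evidence:", monthly_evidence(SAMPLE))
```

A non-zero never_touched count, or a provider that cannot produce the inputs for this calculation at all, is the answer to the question in the title.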

The seven questions that expose the difference

Bring these to your next provider review. Specific questions force specific answers, and vagueness is the tell:

1. What is your median time from detection to human notification?
2. Who is staffing the service overnight and on weekends?
3. What response actions are you contractually allowed to take on our behalf?
4. How is detection content tuned to our environment?
5. Which MITRE ATT&CK techniques do you have detection coverage for?
6. How many alerts did you close for us last month?
7. What would you have done in our last security event?

If you are still untangling the vocabulary behind these questions, start with the term comparison in What is the difference between MDR, SOC, EDR, and SIEM? It explains why applications and vendors use those four words as if they were interchangeable when they are not.

Why this matters for your cyber insurance renewal

The watching-versus-logging gap is not only an operational risk. It is an insurance risk. Carriers increasingly ask about managed detection and response on renewal applications, and the 2025 NAIC Cybersecurity Insurance Report documented how policies use "failure to maintain" exclusions to deny claims when a control was attested but not operating as described (NAIC, 2025 Cybersecurity Insurance Report). A logging tool that no one watched can read as "monitored detection and response" on the application and as an unenforced control during the post-breach forensic review. That mismatch is one of the most common reasons claims are denied, as covered in Why do cyber insurance claims get denied? Documented, human-watched detection with an evidence trail is part of what makes the control defensible, the standard laid out in our pillar guide, How do you make your IT cyber-insurance defensible?

Frequently asked questions

What is the difference between MDR and a log collector?

A log collector ingests and stores telemetry so it can be searched after the fact. Managed detection and response (MDR) adds detection engineering and human analysts who watch that telemetry in near real time, triage alerts, and respond to threats around the clock. The simplest test: if a confirmed intrusion happened at 2 a.m. on a Sunday, would a human contact you before Monday morning? If the answer is no, you have logging, not MDR.

What questions should I ask my MDR provider?

Ask for the median time from detection to human notification, who is staffing the service overnight and on weekends, what response actions they are contractually allowed to take on your behalf, how detection content is tuned to your environment, which MITRE ATT&CK techniques they have detection coverage for, how many alerts they closed for you last month, and what they would have done in your last security event. Vague answers to specific questions are the tell.

Does cyber insurance care whether my MDR is actually monitored?

Increasingly, yes. Carriers ask about managed detection and response on renewal applications and rely on failure-to-maintain exclusions when a control was attested but not operating as described. A logging tool that no one watched can read as monitored detection and response on an application and as an unenforced control during a post-breach forensic review. The evidence trail that proves humans were watching is part of what makes the control defensible.

Find out whether your detection is watched or just stored.

A free assessment checks how your current monitoring would perform against a real intrusion, and where the evidence gaps are before your next renewal. No obligation, no stack rip-and-replace pitch.
