Technology Cybersecurity Security Operations & Incident Response

Managed Detection & Response (MDR)

High scrutiny and high blast radius; proof and governance matter.

IBM Secureworks Arctic Wolf Palo Alto Networks
Inside this journey
  1. Pre-Discovery

    Align decision-makers, timelines, and failure tolerances before deep diagnosis.

    1. Stakeholder Alignment

      Confirm decision roles (IT director, VP Ops, CFO), timeline, budget constraints, and acceptable operational impact.

      Alignment Questions

      Quick Reality Check — Getting Started Together

      • What's the single pain that pushed you to talk with an MDR provider today?
      • Who on your team will be most involved in evaluating and onboarding an MDR service? Options: IT Director, CISO/Security Lead, VP Operations, CFO/Finance, IT Manager, Other
      • How soon do you realistically expect to make a decision about outsourcing detection and response? Options: Immediately (days), Within 30 days, 30–90 days, 3–6 months, Longer than 6 months
      • Would you prefer to start with a lightweight proof-of-value or move straight to a full onboarding? Options: 30-day PoV first, Short pilot (7–14 days), Skip PoV and go straight to onboarding, Undecided — need guidance

      Are You Comfortable Being Blind to Real Threats?

      • If critical alerts were slipping through right now, how soon would you expect someone on your team to know about it? Options: Within minutes, Within hours, Next business day, We often don’t know until much later
      • How many alerts does your primary monitoring tool generate on an average business day? Options: <100, 100–500, 500–1,500, 1,500–5,000, >5,000, Don't know
      • What percentage of daily alerts currently get a full analyst investigation rather than just a ticket creation? Options: >90%, 50–90%, 10–50%, <10%, Almost none
      • Tell me about a recent alert or incident that you later realized was more serious than initially thought—what happened and what was the impact?
      • How does it feel inside your team when you discover high-risk alerts weren’t investigated—annoying, alarming, helpless, or something else? Options: Anxious/Alarmed, Frustrated/Annoyed, Helpless/Overwhelmed, Motivated to change, Other

      Who's Steering the Ship — Really?

      • If we had to get final sign-off tomorrow, who holds the budget authority and what will they want to see to say yes? Options: CFO/Finance, CEO/Owner, IT Director, VP Operations, Board/Committee, Undecided
      • What timeline would your decision-maker find acceptable from proposal to go-live? Options: <14 days, 14–30 days, 30–60 days, 60–90 days, Flexible
      • What non-negotiable concerns does your CFO or finance owner raise when comparing outsourced MDR vs building an internal SOC?
      • How does the VP of Operations weigh in on security work that could touch production systems—what would they absolutely not accept?
      • Who on your side can approve emergency containment actions (e.g., endpoint isolation, account disable) during nights/weekends? Options: IT Director, CISO/Security Lead, Operations Manager, Designated Security Contact, No one — vendor must get approval

      Where the Night Shift Is Missing

      • Imagine an intrusion at 2 a.m.—what typically happens today, and how does that outcome make you feel about your overall risk?
      • How often do incidents occur outside business hours and how disruptive are they when they do? Options: Weekly and highly disruptive, Monthly and disruptive, Rarely but severe, Very rare and minor, Unknown
      • Would your team accept a vendor performing automated containment actions without prior approval if it reduced mean time to contain by 50%? Options: Yes — within agreed playbooks, Yes — but only with after-action review, No — must always contact us first, Depends on the severity
      • Describe any previous night/weekend incident where delay in response caused measurable harm (downtime, data loss, regulatory risk)—what was the consequence?

      What Would Success Actually Look and Feel Like?

      • If we guarantee containment within a target window, what MTTC (mean time to contain) would transform how you feel about security? Options: <1 hour, 1–4 hours, 4–24 hours, >24 hours, Unsure — need guidance
      • Beyond MTTC, what operational signals would convince you the service is working (pick all that apply)? Options: Faster onboarding time, Fewer false positives, Dedicated analyst familiarity, Clear incident playbooks, Regular tuned detections, Transparent SLA reporting
      • How quickly would you expect full monitoring coverage after contract signature to be achieved? Options: <7 days, 7–14 days, 15–30 days, 31–60 days
      • How will you measure ROI internally—what costs or risk metrics are you comparing against building a four-person SOC?
      • When this is working well, how will it change your day-to-day for the IT director, your security team, and operations?

      Surface the Technical Map We Need to Own Together

      • What primary SIEM, EDR, or logging platforms are currently in place? Options: Splunk, Microsoft Sentinel, Elastic, QRadar, Sumo Logic, Native cloud logs only, No SIEM/EDR deployed, Other
      • Which log sources are currently being forwarded (pick all that apply)? Options: Endpoints/EDR, Active Directory, Firewalls/Perimeter, Cloud (AWS/Azure/GCP), VPN/Remote Access, OT/ICS, Email/M365, HR/Payroll systems, Other
      • Estimate current endpoint coverage (% of workstations/servers where agents could be deployed): Options: <25%, 25–50%, 50–75%, 75–100%, Unknown
      • Are there operational technology (OT) systems, segmented air-gapped networks, or third-party vendor environments that require special handling? Options: Yes — OT/ICS present, Yes — highly segmented networks, Yes — third-party constraints, No special constraints, Unsure
      • What current pain points exist with log quality, retention, or missing telemetry we should know about?

      PoV & Risk: Can We Prove Value Without Putting You at Risk?

      • If a 30‑day PoV reveals missed detections, how would you like that information presented to gain trust quickly? Options: Weekly executive summary + full findings, Daily highlights + dashboards, Live demo of specific detections, Walkthrough with our analysts
      • What acceptance criteria will make a PoV a clear win for you (pick top three)? Options: Missed detection examples found, Baseline MTTC improvement, Full agent rollout on X% endpoints, Detection tuning completed, Analyst familiarity & handover, No production disruption during tests
      • What change windows, maintenance blackout periods, or seasonal constraints must we respect during a PoV or onboarding? Options: Nightly windows OK, Only scheduled change windows, No changes during production hours, Seasonal blackout dates, Flexible — need to discuss
      • What rollback or escalation plans do you require if the PoV causes unexpected issues?
      • Are you willing to deploy temporary agents/connectors alongside your existing tools for the duration of the PoV? Options: Yes — fully supportive, Yes — but limited scope, Prefer remote/log-only observation, No — cannot deploy agents

      People & Process — Who Lives This Day to Day?

      • Who will be the day‑to‑day liaison for incident handling, and what authority will they have? Options: IT Director, Security Lead/CISO, Network Admin, Designated Security Contact, Other
      • Which internal roles will we need to train or hand over runbooks to during onboarding? Options: IT Operations, Helpdesk, Network Engineering, Application Owners, VP Operations, Other
      • How mature are your existing incident response runbooks on a scale from 1 (none) to 5 (rigorous and practiced)? Options: 1, 2, 3, 4, 5
      • Describe one internal process that regularly blocks fast incident containment today (approval delays, lack of credentials, uncertainty about change windows, etc.):
      • What cadence of operational reviews and tuning would you find reasonable after go‑live (pick all that apply)? Options: Weekly for first month, Bi-weekly for first quarter, Monthly ongoing, Quarterly strategic reviews, Ad-hoc as needed

      Commercial & Commitment — The Financial and Contract Questions That Matter

      • What procurement hurdles have blocked past security engagements from moving forward? Options: Lengthy legal review, Budget timing, PO/contracting process, Need multiple vendor quotes, Other
      • Would your CFO accept a three‑year managed service with defined SLA credits over the engineering cost of building a four‑person SOC? Options: Yes — prefers managed service, Maybe — needs detailed TCO, No — prefers internal build, Undecided
      • What contractual guarantees are deal‑breakers for you (minimum MTTC SLA, response authorities, liability limits, breach notification timelines)?
      • What internal approval steps remain for budget sign‑off (committee meeting, CFO review, CEO sign, board approval, other)? Options: CFO only, CFO + CEO, Finance committee, Board approval, Other
      • What commercial structure do you prefer for a three‑year agreement? Options: Fixed annual subscription, Monthly billing with term commitment, Year 1 ramp then flat, Performance‑based pricing, Undecided

      Final Check — Readiness, Risks, and Next Steps

      • What is the single biggest internal obstacle that would prevent a smooth PoV or onboarding in the next 30 days?
      • On a scale from 1–5, how emotionally ready is your leadership to hand operational control for containment to a vendor during incidents? Options: 1, 2, 3, 4, 5
      • Which three outcomes would make you feel confident to sign a three‑year MDR contract after the PoV?
      • Who should be invited to the next technical scoping session (name, role, and preferred contact method)?
      • Realistically, what's our next step together and when can we schedule it? Options: Technical scoping call (within 7 days), Executive commercial review (within 14 days), Begin PoV (within 30 days), Need internal alignment first
    2. Current State Mapping

      Document existing SIEM noise, tool coverage, staffing, alert volumes, and any operational technology constraints.

      Current State

      Quick Snapshot: Your Security Reality

      • To get started, which best describes your primary business vertical? Options: Manufacturer (plants/OT), Distributor / Logistics, Professional services, Other — please specify
      • How many people work across your organization? Options: 500–999, 1,000–2,499, 2,500–4,999, 5,000+
      • Which team owns day-to-day security operations today? Options: IT / Infrastructure, Dedicated internal SOC, Third‑party MSSP, No single owner / shared responsibility, Other
      • Roughly how many security alerts (SIEM/EDR/console) are generated on a typical business day? Options: <50, 50–199, 200–499, 500–999, 1,000–1,499, 1,500–4,999, 5,000+
      • Who should we coordinate technical follow-up with (name & title)?

      If We’re Honest, How Much Is Noise?

      • What percentage of alerts do you believe are false positives or noise that never get investigated? Options: <10%, 10–25%, 26–50%, 51–75%, >75%, Unsure
      • Which types of alerts generate the most noise in your environment? Options: Malware/AV detections, Authentication anomalies, Firewall/IDS alerts, Proxy/web gateway alerts, Vulnerability scanner alerts, OT/PLC alarms, Other — specify
      • How long does an average alert sit in your queue before someone looks at it? Options: <15 minutes, 15–60 minutes, 1–4 hours, 4–24 hours, >24 hours, Never reviewed
      • When alerts aren’t investigated, what typically happens to them? Options: Auto‑closed, Left in queue indefinitely, Ignored then deleted, Escalated later, Other — explain
      • Tell us about one recent alert or small incident that was missed or deprioritized and later caused problems — what happened?

      Who’s On Watch When It Matters?

      • If your most senior analyst resigned tomorrow, what would happen to daily detection coverage? Options: Coverage continues with no impact, Some degradation but manageable, Significant loss of coverage, We'd be blind / unknown
      • How many full‑time staff (headcount) actively investigate security alerts today? Options: 0, 1, 2, 3–4, 5+
      • Do you have 24/7 shift coverage for monitoring and response? Options: Yes — internal team, Yes — via third‑party, No — business hours only, Partial after‑hours cover
      • How experienced is your most senior analyst (years of hands‑on SOC experience)? Options: <1 year, 1–3 years, 3–5 years, 5–10 years, 10+ years
      • Describe any recent staffing gaps, turnover, or single‑point‑of‑failure you worry about.

      Where Your Tools Actually Reach — and Where They Don’t

      • Which critical assets would you admit are effectively blind to your current monitoring? Options: OT / PLC networks, Remote or branch offices, Cloud workloads (IaaS/PaaS), Identity providers / SSO logs, IoT devices, Legacy on‑prem servers, Other — specify
      • Which of these tools are actively feeding logs to your SIEM or monitoring today? Options: Firewall, EDR, Proxy / Web gateway, Active Directory / IdP, Cloud audit logs (CloudTrail/Azure), VPN / remote access, OT sensors / historians, Email gateway, Vulnerability scanner, Other
      • Which vendors/products are in your toolchain (SIEM/EDR/Firewall)? List names and versions if known.
      • Approximately what percentage of endpoints and servers can receive an agent today? Options: <25%, 25–49%, 50–74%, 75–94%, 95–100%, Unknown
      • Are there technical or organizational constraints preventing log ingestion from specific systems? Options: Bandwidth limits, Change control windows, Legacy/unsupported devices, OT vendor restrictions, Data privacy/regulatory limits, No constraints, Other — describe
      • If you had to pick the top three systems we must instrument first, which would they be and why?

      When Detection Turns Into Disruption

      • Which investigation or response actions would you consider unacceptable during production hours? Options: Isolating endpoints, Disabling user accounts, Changing network routes/segments, Restarting services/controllers, Making changes to OT systems, No action is off‑limits, Other — specify
      • Have you experienced a situation where a defensive action caused operational impact or downtime? Options: Yes — major impact, Yes — limited impact, No, Not sure / never tracked
      • Who must be notified or authorize containment before a high‑impact action is taken? Options: IT Director, VP Operations, CFO, Plant Manager / OT Lead, Security Lead / CISO, No prior authorization required, Other — list
      • What rollback or escalation steps are in place if a containment action breaks something mission‑critical?
      • How comfortable are you with a provider that will take immediate action to contain confirmed threats outside business hours? Options: Very comfortable, Somewhat comfortable, Only with pre‑approved playbooks, Not comfortable

      Signals That Would Prove We’re Helping

      • If we could guarantee one measurable improvement in the first 90 days, which would change your mind about outsourcing detection? Options: MTTC reduction, Fewer false positives, Faster onboarding to full coverage, Dedicated analyst assigned, Detecting previously missed incidents, Other — specify
      • What is your current target (or expectation) for mean time to contain (MTTC)? Options: <1 hour, 1–4 hours, 4–24 hours, 24–72 hours, No target / unknown
      • Which metrics are tracked today that we should baseline in the PoV? Options: MTTC / MTTR, Alert volume by source, Investigations completed, Incidents by severity, Dwell time, False positive rate, Analyst utilization, Other — list
      • How often would you like status reports and what level of detail do you expect (daily high‑level, weekly dashboard, monthly executive)? Options: Daily — high level, Weekly — tactical, Biweekly — mix, Monthly — executive, On demand
      • Would you want a single dedicated analyst assigned to your environment for the PoV and ongoing service? Options: Yes — dedicated, No — pooled model OK, Prefer hybrid (dedicated lead + pool), Unsure — discuss options
      • By when would you realistically expect to be on full monitoring after contract signature? Options: Within 7 days, 7–14 days, 15–30 days, 30–60 days, Longer / depends

      The Practical Constraints — Budgets, Timelines & Approvals

      • What single outcome or event would make a three‑year managed service contract a non‑starter for your organization? Options: Budget cuts / reprioritization, Operational disruptions, Lack of executive buy‑in, Unacceptable contractual risk, Data residency / compliance issues, Other — explain
      • What is your procurement timeline for selecting an MDR provider? Options: Immediate — weeks, This quarter, Next quarter, 6–12 months, Undecided
      • Who will sign the SOW and who approves the budget for security services? Options: IT Director, CFO, VP Operations, CEO, Procurement, Other — list
      • What annual budget range are you evaluating for outsourced detection & response? Options: <$100k, $100k–$250k, $250k–$500k, $500k–$1M, >$1M, Undecided
      • Do you have contractual or regulatory SLAs that an MDR provider must meet (response times, data retention, auditability)? If yes, please list.
      • Are there any internal change‑control or maintenance windows that would limit onboarding activities or agent deployments? Options: Daily business hours only, Night/weekend windows available, Weekly maintenance windows, Change freeze periods exist, No restrictions, Other — describe
  2. Outcome Discovery

    Define measurable success signals including MTTC targets, analyst coverage expectations, onboarding speed, and acceptable disruptions.

    Discovery Questions

    Starting Here: A Quick Snapshot

    • Who are you and how do you currently own security decisions day-to-day? Options: IT Director, Security Manager/Analyst, VP Operations, CFO/Finance Sponsor, Other
    • Which vertical best describes your organization? Options: Manufacturing, Distribution / Logistics, Professional services, Other
    • How many total employees does your organization have? Options: 500–999, 1,000–2,499, 2,500–4,999, 5,000+, Prefer not to say
    • How many people are currently assigned to security or SOC responsibilities (include part-time and outsourced)? Options: None / single IT generalist, 1–2 (business hours only), 3–4 (limited extended hours), 4+ (formal 24/7), Fully outsourced partner
    • Which detection and logging tools are actively in use today (select all that apply)? Options: Splunk / SIEM, Microsoft Sentinel, Elastic / EDR, Carbon Black / CrowdStrike / EDR, IDS/IPS / Firewall logging, OT/ICS-specific tools, We don’t have visibility / unsure, Other
    • Roughly how many alerts does your monitoring stack generate on a typical business day? Options: <100, 100–499, 500–1,499, 1,500–5,000, >5,000, Unsure

    If Alerts Could Talk, Who Would They Blame?

    • Do you feel most alerts are meaningful signals or background noise that you’ve learned to ignore? Options: Mostly meaningful, Mixed — many are noise, Mostly noise, I’m not sure
    • How many of your daily alerts actually receive a full investigation and documented conclusion? Options: Nearly all, About half, A minority (~25%), Very few (<10%), None
    • Which alert categories drive the highest volume and frustration in your environment? Options: Credential/authentication failures, Endpoint behavioral detections, Firewall/IPS floods, Cloud configuration alerts, OT/ICS telemetry, Vulnerability noise, Other
    • When someone flags an alert as suspicious, how does the investigation typically unfold and who owns the work? Options: Security team owns end-to-end, IT triages then escalates, Ticket handed back to the business, No clear ownership, Other
    • Tell us about one recent alert or pattern you wish had been resolved differently — what happened and how did it feel to you?

    Are We Unknowingly Inviting a Major Outage?

    • Have you experienced a security incident in the last 24 months that caused downtime, data exposure, or regulatory impact? Options: Yes — caused downtime, Yes — caused data exposure, Yes — regulatory exposure, No, Unsure
    • If you answered yes, please briefly describe the business impact (hours of downtime, lost revenue, fines, customer impact).
    • Which parts of the business bear the brunt when security investigations touch production systems? Options: Plant / production operations, Customer-facing services, IT infrastructure / servers, Sales / commercial teams, Mixed across departments
    • What level of disruption is absolutely unacceptable during investigations (e.g., no changes during production hours, limited after-hours only)? Options: No disruption during business hours, Acceptable only in maintenance windows, Minor agent installs allowed anytime, Full access acceptable for short windows, Other
    • When you imagine a severe undetected breach, what worries you most emotionally and practically?

    If You Could Snap Your Fingers, What Would Change Tomorrow?

    • What mean time to contain (MTTC) would make you feel confident threats are under control? Options: <15 minutes, <1 hour, <4 hours, <24 hours, Unsure / need guidance
    • How many analysts and what model do you expect for your environment—exclusive dedicated analysts or a shared/pool model? Options: 1 dedicated analyst, 1–2 dedicated analysts, Shared analyst per multiple clients (low ratio), Fully pooled analysts (high ratio), Unsure
    • Would you prioritize a rapid onboarding timeline over minimal initial changes to production, or the reverse? Options: Speed (onboard quickly, more changes short-term), Minimal disruption (slower onboarding), Balanced approach, Unsure
    • What exact onboarding speed from signature to full monitoring coverage would meet your operational goals? Options: 3–7 days, 8–14 days, 15–30 days, 30+ days, Unsure
    • List the concrete, measurable success signals you want us to guarantee for PoV and the first 90 days (include MTTC targets, coverage metrics, and acceptable false-positive rates).

    Who Holds the Keys — Decision & Response Authority?

    • Who must approve containment actions (isolate endpoint, disable account) outside business hours? Options: IT Director, Security Manager, VP Operations, CFO / Finance, Provider may act per SLA, Customer approval required every time, Other
    • Which stakeholders must be included in incident communications and updates for critical cases? Options: IT Director, VP Operations, CFO, Plant Manager / Ops Lead, Legal, HR, External counsel, Other
    • What escalation method do you expect for critical incidents (e.g., immediate phone + SMS, scheduled war room, email only)? Options: 24/7 phone + SMS + email, Phone + email during business hours, Scheduled war room within SLA window, Email only, Other
    • Are there systems or networks (for example OT/ICS or specific production servers) where we should never take remote containment actions? Options: OT/ICS environments, Primary production servers, Customer-facing services, No restrictions — allow containment, Other
    • Describe any internal approval workflows or change-control gates that typically slow containment decisions (who signs off, how long it takes).

    Proof in the Pudding — The 30-Day Proof-of-Value

    • What single outcome from a 30-day PoV would make you say ‘this is working’? Options: Missed detections discovered, MTTC meets target, All required log sources ingested, Successful containment example, Clear analyst handover and documentation, Other
    • Which specific log sources and endpoint classes must be included in the PoV to consider it comprehensive? Options: Endpoint agent logs, Windows Event logs, Firewall / Perimeter logs, Cloud provider logs (AWS/Azure), Identity providers (AD/Okta), OT/ICS telemetry, Application logs (ERP/SCADA), Other
    • How many concrete missed-detection examples or validated incidents during PoV would you need to see to sign off? Options: 1–2, 3–5, 6–10, >10, Quality and relevance over count, Unsure
    • What quantitative acceptance criteria should we list at PoV close (e.g., MTTC threshold, percent of alerts investigated, log coverage percent)?
    • Who will be our day-to-day technical contact for PoV adjustments, and who must approve final acceptance? Options: IT Director, Security Manager, Managed Services Engineer, Third-party integrator, Other
    • Do you have sandbox or test environments we can use for tuning, or do we need to work directly in production? Please explain any constraints. Options: Test/sandbox available, Limited sandbox, Must use production only, Unsure

    Pricing, Contract Rhythm & Board-Level Proof

    • How will your CFO evaluate the three-year managed service vs building an internal SOC—what metrics or comparisons matter most?
    • What budget constraints or approval processes should we design the proposal around? Options: Fixed annual budget, Three-year TCO requirement, Capital vs operating budget considerations, Need executive/board approval, Procurement-led RFP, Other
    • Which contractual guarantees are non-negotiable for you (select all that apply)? Options: MTTC SLA, Escalation response times, Financial penalties for missed SLAs, Data residency & handling rules, Right to audit, Termination clauses / exit support, Other
    • After a successful PoV, what is a realistic timeline for a commercial decision and signature? Options: Immediately following PoV, Within 30 days, 30–60 days, 60–90 days, Longer / board cycle
    • Who are the signatories required for a three-year managed detection and response agreement? Options: IT Director, VP Operations, CFO/Finance, Procurement, Legal, Other

    Ready for a Small Win? Next Steps & Low-Risk Trials

    • Would you prefer to start with a 30-day PoV, a phased rollout, or a site-focused pilot to reduce perceived risk? Options: 30-day PoV (full environment), Phased rollout (by site/system), Single-site pilot, Other
    • What are the top three blockers that could delay onboarding right now? Options: Access / credentials, Budget approval, Change control / maintenance windows, Endpoint installation restrictions, OT / ICS constraints, Contracting / legal review, Other
    • How would you like progress communicated during PoV—real-time alerts, daily dashboards, weekly executive summaries, or a combination? Options: Real-time alerts + dashboards, Daily dashboards, Weekly executive summary, Incident-driven communications only, Combination of dashboard + weekly summary
    • What would give you the confidence to sign a three-year agreement immediately after a successful PoV?
    • When would you like to schedule a kickoff to map stakeholders, confirm log sources, and set MTTC and onboarding targets? Options: Within 48 hours, Within 1 week, Within 2 weeks, Later / coordinate with procurement
  3. Solution Experience & PoV Plan

    Plan a 30-day proof-of-value: deploy agents/connectors alongside existing tools, surface missed detections, and agree acceptance criteria.

    Experience Meetings

    • PoV Kickoff & Current State Confirmation
    • Technical Deployment & Integration Planning
    • Acceptance Criteria & Success Signals Workshop
    • PoV Midpoint Review & Tuning Session (Day 15)
    • PoV Findings, Decision & Next Steps (Day 30 Wrap-up)
    • Decide on any necessary adjustments to the remaining PoV plan.
    • Set the evidence, reporting cadence, and formal sign-off workflow for PoV results.
    • Provider: Draft and circulate the Acceptance Criteria document with KPI definitions and success thresholds.
    • Customer: Confirm or adjust the proposed test scenarios and provide any environment-specific variations.
    • Provider: Configure dashboard/reporting templates and grant customer read access for live verification.
    • Status vs Timeline & Baselines
    • Demonstrate real examples of previously missed threats now detected by the PoV deployment.
    • Validate that tuning reduces false positives and improves signal-to-noise for the customer's team.
    • Confirm MTTC measurement method and that early containment times meet interim expectations.
    • Validate Log Source & Asset Inventory
    • Provider: Apply additional tuning rules and document changes with justification and expected effect.
    • Customer: Provide feedback on any operational disruption observed and confirm acceptable remediation actions.
    • Provider & Customer: Update the PoV timeline and reallocate tests if scope changes were agreed.
    • Executive Summary of Outcomes
    • Deliver the formal PoV verdict against the pre-agreed acceptance criteria.
    • Secure customer decision (Go to onboarding, request extension, or No-Go) and next-step owners and dates.
    • Capture lessons learned and any final adjustments to the future-state definition before transition.
    • Provider: Produce and deliver the final PoV report with all evidence, metrics, and the formal pass/fail recommendation.
    • Customer: Provide formal sign-off decision or request list within the agreed SLA window.
    • If Go: Provider & Customer: Schedule the full onboarding/deployment milestones and contractual start date.
    • Confirm the exact set and priority of log sources to ingest during the PoV.
    • Agree on deployment sequence and pilot cohort to prove agent safety.
    • Secure required access and document rollback and escalation procedures.
    • Ensure data handling, retention, and privacy requirements are explicit.
    • Customer: Provide validated credentials, network firewall exceptions, and maintenance window approvals.
    • Provider: Produce a step-by-step deployment runbook including rollback steps and test checklist.
    • Customer & Provider: Schedule exact install windows and pilot endpoint lists.
    • Customer: Provide final approval or edits to the one-sentence current state and one-sentence future state.
    • Introductions & Objectives
    • Achieve verbatim agreement on the one-sentence current state.
    • Surface and quantify the business consequence of not resolving the current gaps.
    • Define and agree the one-sentence future state the PoV must demonstrate.
    • Align on PoV timeline, roles, and immediate required artifacts/access.
    • Customer: Deliver list of critical assets, network diagram, SIEM & log source inventory, and point-of-contact list.
    • Provider: Publish the detailed 30-day PoV timeline with milestone owners and decision gates.
    • Baseline Metrics Review
    • Establish clear, numeric acceptance criteria tied to the customer's stated consequences.
    • Agree a prioritized list of test scenarios that will surface missed detections.
    • Agent & Connector Deployment Sequence
    • Quantitative Results vs Acceptance Criteria
    • Missed Detections Identified
    • Define Measurable Acceptance Criteria
    • One-sentence Current State
    • Representative Case Studies from the PoV
    • Test Cases & Scenario List
    • Tuning Actions & Rationale
    • Explicit Consequence Walkthrough
    • Access, Credentials & Network Requirements
    • One-sentence Future State (Success)
    • Reporting, Evidence & Sign-off Process
    • Change Windows, Rollback Plan & Escalation
    • Business Impact & Cost/Risk Avoidance Estimate
    • Live Triage Walkthrough
    • High-level 30-day PoV Plan & Roles
    • Recommendation, Decision & Next Steps
    • Adjust Acceptance Criteria or Plan (if needed)
    • Data Handling & Privacy Controls
  4. Solution Scope

    Define deliverables: dedicated analyst model, detection tuning, response authorities, SLAs, log sources, and PoV/onboarding milestones.

    Scope Configuration

    • Install lightweight endpoint sensors across endpoints
    • Configure cloud and on‑prem log connectors to platform
    • Ingest and normalize network, identity, and OT telemetry
    • Author and deploy custom detection rules tuned to environment
    • 24/7 alert triage with full investigation to conclusion
    • Execute automated containment playbooks (isolate/quarantine hosts)
    • Perform malware removal and endpoint remediation
    • Disable and remediate compromised user accounts
    • Conduct scheduled proactive threat hunts across environment
    • Collect and preserve forensic artifacts for incidents
    • Enforce network quarantine via firewall and NAC integrations
    • Maintain and retune detection baselines and rule sets

    Scope Questions

    Install lightweight endpoint sensors across endpoints

    • How many total endpoints need sensor installation (approximate)? Options: Less than 250, 250-1,000, 1,001-5,000, More than 5,000
    • Which operating systems are in scope for sensor deployment? Options: Windows, macOS, Linux, Android, iOS, Other
    • Are there air-gapped, isolated, or OT endpoints that require special deployment methods? Options: Yes, No
    • Do endpoint installs require local admin approvals or ticketed change windows? Options: Local admin approval required, Scheduled change window required, Can be installed remotely anytime, Other (describe in next field)
    • List any endpoint groups that must be excluded or treated specially (e.g., medical devices, SCADA consoles).
    • What is the preferred timeline for full sensor rollout after contract signature? Options: 0-7 days, 8-30 days, 31-90 days, 90+ days
    • Do you require proof-of-installation reporting and a remediation plan for failed installs? Options: Yes, No

    Configure cloud and on‑prem log connectors to platform

    • Which log sources do you plan to connect initially? Options: Windows Event Logs, Syslog, Office 365, Azure/AWS CloudTrail, Firewall, VPN, Other
    • Do you have cloud environments (IaaS/PaaS/SaaS) that require native connectors? Options: None, Azure, AWS, GCP, Office365/G Suite, Other
    • Are there on-prem SIEM or log-retention systems that must remain in parallel during PoV/onboarding? Options: Yes - SIEM in place, Yes - other log archive, No
    • Do connectors require credentials, service accounts, or privileged IAM roles? If yes, specify constraints. Options: No, Yes - can provide service accounts, Yes - only read-only credentials allowed, Other (describe)
    • Are there data residency or compliance restrictions affecting cloud exports of logs? Options: Yes, No, Unsure - need review
    • What daily log volume do you estimate (GB/day) or number of events/day? Options: Less than 1GB, 1-10GB, 10-50GB, 50-200GB, 200+GB, Unknown - need assessment
    • Do you require encrypted transport, customer-managed keys, or specific retention windows for ingested logs? Options: Yes - customer keys, Yes - custom retention, No special requirements

    Ingest and normalize network, identity, and OT telemetry

    • Which identity sources must be normalized (select all that apply)? Options: Active Directory, Azure AD, Okta, LDAP, Other
    • What network telemetry sources are available (firewalls, proxies, IDS/IPS, switch flows)? Options: Firewalls, Proxies, IDS/IPS, NetFlow/sFlow, Switch/router logs, None
    • Does your environment include operational technology (OT) systems that produce telemetry? Options: Yes - OT present, No - IT only, Unsure - need discovery
    • Are there proprietary or unsupported log formats that will require custom parsers? Options: Yes, No, Unknown - need review
    • What retention period is required for normalized telemetry for investigations and compliance? Options: 30 days, 90 days, 6 months, 12 months, Custom (specify)
    • Are there bandwidth or storage constraints that could impact continuous telemetry ingestion? Options: Yes, No, Unknown - need assessment
    • Describe any segmentation or network zones that affect where telemetry can be collected.

    Author and deploy custom detection rules tuned to environment

    • Do you require custom detections for business applications, OT protocols, or unique network patterns? Options: Yes - business apps, Yes - OT protocols, Yes - other, No standard detections sufficient
    • How many custom rules do you anticipate needing during onboarding (estimate)? Options: 0-10, 11-25, 26-50, 50+, Unknown
    • Who will approve and sign-off on custom detection tuning and false-positive reductions? Options: Customer SOC lead, IT Director, CISO, No formal approver, Other
    • Do you require documentation and test evidence for each deployed custom rule? Options: Yes, No
    • What is the acceptable false-positive rate threshold during initial tuning (percent of alerts)? Options: Less than 1%, 1-5%, 5-10%, 10%+
    • Are there regulatory or business-critical events that must always trigger immediate escalation? Options: Yes, No
    • Provide examples of three high-priority detections you believe are critical in your environment.

    24/7 alert triage with full investigation to conclusion

    • Do you require dedicated analysts assigned to your account or a pooled analyst model? Options: Dedicated analysts, Pooled analysts, Hybrid - dedicated during incidents
    • What are your SLAs for alert investigation and time-to-containment (target)? Options: 30 minutes, 1 hour, 4 hours, 8 hours, Custom
    • Are there classes of alerts that must always be escalated to on-call customer staff? Options: Yes, No
    • Do you require daily or weekly reporting of investigated alerts and outcomes? Options: Daily, Weekly, Monthly, On-demand
    • Will analysts have authority to take response actions without separate customer approval during confirmed incidents? Options: Yes - full authority per playbook, Yes - limited actions only, No - require approval each time
    • Are there any internal teams (IT ops, legal, HR) that must be looped into investigations automatically? Options: IT ops, Legal, HR, Executive, None
    • Describe your expected reporting cadence and metrics for the triage service (e.g., MTTC, incidents per week).

    Execute automated containment playbooks (isolate/quarantine hosts)

    • Are automated containment actions permitted in production without prior human confirmation? Options: Yes - automatic for high confidence, No - require analyst confirmation, Only during business hours, Only during incidents declared by customer
    • Which containment actions are approved (select all that apply)? Options: Network isolation, Endpoint quarantine, Block user account, Block IP or domain, Other
    • Do you have systems or processes that would be disrupted by host isolation (manufacturing SCADA, call center systems)? Options: Yes - high impact systems present, No - minimal impact, Unknown - need asset review
    • What business-hours constraints exist for containment (e.g., no isolation during 6am-6pm)? Options: No constraints, Business hours only, Night/weekend only, Specific windows - describe below
    • Do you require rollback playbooks or automated rejoin for mistakenly isolated hosts? Options: Yes, No
    • Who are the authorized approvers for escalated automated containment overrides? Options: IT Director, VP Ops, CFO, Security Manager, Other
    • Provide any recent examples of containment concerns or incidents to guide safe playbook design.

    Perform malware removal and endpoint remediation

    • Do you have an endpoint remediation standard operating procedure (SOP) we must follow? Options: Yes, No, Partial - need alignment
    • Which remediation actions are acceptable to perform remotely (select all that apply)? Options: Malware removal, Package uninstall, Service restart, OS reimage, Other
    • Are there business-critical endpoints that cannot be reimaged or taken offline without approval? Options: Yes - list them, No
    • Do you require a quarantine environment or isolated lab for remediation and rebuilds? Options: Yes, No, Unsure
    • Who will own warranty and licensing implications when agent-based remediation requires product changes? Options: Customer IT, Vendor/third-party, MDR provider, Other
    • What is your acceptable timeframe to remediate infected endpoints once identified? Options: Under 1 hour, 1-4 hours, 4-24 hours, 24+ hours
    • Do you require post-remediation validation scans and a remediation report for each incident? Options: Yes, No

    Disable and remediate compromised user accounts

    • Are analysts authorized to disable user accounts immediately upon confirmed compromise? Options: Yes - immediate disable, No - require approval, Disable only during off-hours
    • Which identity stores do we need write access to for automated remediation (AD, Azure AD, Okta, other)? Options: Active Directory, Azure AD, Okta, LDAP, Other
    • Do you require staged remediation (disable, password reset, re-enable) and who performs each step? Options: MDR does all steps, MDR does initial steps then customer, Customer performs all steps
    • Are there privileged accounts or service accounts that must be handled differently? Options: Yes - privileged accounts, No
    • Do you want automated notification templates to end-users and managers when accounts are disabled? Options: Yes, No
    • What is the desired retention or logging policy for account remediation events (audit trail)? Options: 90 days, 6 months, 12 months, Custom
    • List any regulatory considerations for identity changes (e.g., SOX, HIPAA) that affect remediation.

    Conduct scheduled proactive threat hunts across environment

    • How frequently do you want proactive threat hunts (weekly, bi-weekly, monthly, quarterly)? Options: Weekly, Bi-weekly, Monthly, Quarterly, Ad-hoc
    • What hunting scopes do you prefer (network, endpoints, identity, OT)? Options: Network, Endpoints, Identity, OT, All of the above
    • Do you want hunts focused on MITRE ATT&CK techniques, malware families, or bespoke threats to your industry? Options: MITRE ATT&CK, Malware families, Industry-specific threats, Other
    • Should proactive hunts produce playbooks and IoCs for automation and detection tuning? Options: Yes - produce playbooks/IoCs, No - summary only
  5. Mutual Commit

    Finalize three-year commercial terms, contractual response guarantees, responsibilities, and signatures for go-live.

    Agreement Modules

    • Master Services Agreement (MSA)
    • Statement of Work (SOW)
    • Commercial Terms & Pricing
    • Service Level Agreement (SLA)
    • Response Authority & Guarantees
    • Proof-of-Value (PoV) Acceptance
    • Roles, Responsibilities & RACI
    • Data Processing Agreement (DPA)
    • Security & Compliance Addendum
    • Onboarding & Deployment Plan
    • Change Order & Scope Management
    • Termination, Transition & Exit Plan
    • Insurance, Liability & Indemnity Schedule
    • Execution & Go‑Live Authorization
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm access, log ingestion, endpoint coverage, change windows, and escalation/rollback plans are in place.

      Readiness Questions

      Start Here: A Quick, Honest Snapshot

      • Who are you and which team owns security day-to-day here? Options: IT Director, Security Manager, CISO/Head of Security, VP Operations, Other
      • How many employees and locations should we use when sizing a monitoring plan? Options: <500, 500–1,000, 1,001–2,500, 2,501–5,000, >5,000
      • How urgent is solving this monitoring gap on a scale from 1 (not urgent) to 5 (critical)? Options: 1, 2, 3, 4, 5
      • Who will be the primary point of contact for onboarding and day-to-day decisions?
      • When we talk about success for an initial conversation, what’s the single outcome you most want from this call? Options: Get a PoV plan, Understand commercial terms, Validate coverage needs, Quick risk assessment, Other

      Are You Comfortable With What You Don’t Know?

      • If an attacker was already in your environment today, how confident are you that you'd notice within 24 hours? Options: Very confident, Somewhat confident, Not very confident, Not confident at all
      • What blind spots worry you most right now (pick all that apply)? Options: Remote workforce endpoints, OT/ICS systems, Cloud workloads, Third-party contractors, Identity/account compromise, Other
      • Tell us about the last time you learned of an incident—how did you find out and how long did it take to triage?
      • How often do you suspect false negatives—events you later learned were real threats but weren’t detected? Options: Regularly (monthly+), Occasionally (quarterly), Rarely, Unsure
      • How does it feel when you realize something slipped past your tools—frustrated, resigned, alarmed, or motivated to change? Options: Frustrated, Resigned, Alarmed, Motivated to change, Other

      What’s Driving Everyone Crazy Right Now?

      • Would you say alert volume is a symptom you tolerate—or a problem you’re actively trying to fix? Options: Tolerating, Trying to fix, Not sure
      • Approximately how many SIEM/EDR alerts come in on an average business day? Options: <100, 100–499, 500–1,499, 1,500–5,000, >5,000
      • Which tools generate the majority of noisy alerts in your stack? (select all that apply) Options: SIEM, EDR/Endpoint agent, Cloud provider alerts, Network IDS/IPS, Email security/Gateway, VPN/Remote access, Other
      • How much of that daily alert volume actually gets investigated to conclusion today? Options: >90%, 50–90%, 10–50%, <10%, Almost none
      • Describe a recent example where alert noise caused a missed or delayed response—what happened and what was the impact?

      What’s Getting in the Way of Taking Action?

      • If you had to pick one structural reason investigations stall, what is it—staffing, tooling, processes, or leadership priorities? Options: Staffing, Tooling, Processes, Leadership priorities, Other
      • How many full-time people (or FTE-equivalents) are currently responsible for triage and incident response across all shifts? Options: 0, 0.5–1, 1–2, 3–4, 5+
      • Do your analysts cover multiple customer environments/tools or are they dedicated to your environment? Options: Dedicated to our environment, Shared across multiple environments, Don't have consistent analysts, Unsure
      • Which of these skills are hardest to recruit or retain in your team? (select up to 3) Options: Threat hunting, Forensics, Detection engineering, Cloud security, OT/ICS expertise, Level 2/3 triage
      • How does the operations team feel about after-hours investigations or containment actions that could impact production? Options: Strictly prohibited, Allowed with pre-approved runbook, Allowed if critical, No clear policy

      If We Could Snap Our Fingers, What Would Change?

      • What would a meaningful reduction in risk look like to you—faster containment, fewer false positives, broader visibility, or something else? Options: Faster containment, Fewer false positives, Broader visibility, Dedicated analyst(s), Custom detections, Other
      • What target mean time to contain (MTTC) would satisfy your leadership—hours, days, or other metric? Options: <1 hour, 1–4 hours, 4–24 hours, 1–3 days, >3 days or N/A
      • How important is having dedicated analysts (one team focused only on you) versus a pooled model that rotates across customers? Options: Very important, Somewhat important, Not important, Open to either
      • What level of autonomy should a provider have during incidents (isolation, account disablement, network quarantine)? Options: Full autonomy, Autonomy with notification, Requires approval every time, Case-by-case
      • Which KPIs will your CFO or exec team require to justify a three-year managed service? Options: Total cost of ownership, MTTC improvements, Reduction in incidents, Compliance posture, Time-to-onboard, Other

      Who's Holding the Keys — and the Approval Stamp?

      • If the project needs a yes from three people, who are they and what does each care about most?
      • Which of these best describes your procurement/contracting timeline once commercial terms are agreed? Options: Weeks, 1–2 months, 2–3 months, 3+ months, Depends on legal review
      • Who owns the budget and how will they evaluate the three-year cost versus building internally? Options: CFO/Finance, IT Director, Procurement, CEO/Exec sponsor, Other
      • What contractual guarantees are non-negotiable for you (response SLAs, uptime, confidentiality, liability caps)? Options: Response SLAs, RPO/RTO, Confidentiality, Liability caps, Regulatory clauses, Other
      • Who in your organization will sign off on live response permissions (isolate endpoints, disable accounts) and how quickly can they act? Options: IT Director, VP Ops, CFO, Legal, No single approver

      Hidden Obstacles: Tech, OT, and Change Windows

      • What operational technology (OT) or legacy systems exist that are sensitive to changes or agent installation? Options: SCADA/PLC, Manufacturing execution systems (MES), Proprietary controllers, None, Unsure
      • Are there any networks or segments where we absolutely cannot run active scans, agents, or intrusive detection? Options: Production/OT segments, Guest/contractor networks, HVAC/building controls, None, Other
      • What are your routine maintenance/change windows (days/times) when we could schedule agent rollouts or configuration updates? Options: Weekday business hours, Weekday off-hours, Weekends, Monthly maintenance window, No regular window
      • Do you have IAM/SSO restrictions or sensitive privileged accounts that require special provisioning steps? Options: Yes, strict, Yes, moderate, No, Unsure
      • Are there regulatory or compliance rules (HIPAA, PCI, NERC, ITAR) that constrain incident response or data handling? Options: HIPAA, PCI, NERC, ITAR, GDPR, None, Unsure
      • Tell us about one technical constraint you expect will slow onboarding (network segmentation, air-gapped systems, legacy auth), and how you currently work around it.

      How Would a 30-Day Proof Actually Prove Value?

      • If we run a 30-day PoV alongside your existing tools, what evidence would make you say 'this works'? Options: Missed detections found, MTTC improvements, Cleaner alert triage, Operational handoff readiness, Other
      • Which log sources are available for immediate ingestion to support a PoV (select all that apply)? Options: Windows events, Syslog/network devices, Cloud provider logs (AWS/Azure/GCP), Email/Gateway logs, EDR logs, IAM logs, Other
      • What percentage of endpoints and servers could we realistically install a lightweight agent on within the first 14 days? Options: <25%, 25–50%, 50–75%, 75–95%, 95–100%
      • What would be the non-negotiable acceptance criteria at PoV completion (e.g., X missed detections surfaced, MTTC < Y hours)?
      • Who must be engaged internally during the PoV (IT ops, SOC, OT engineers, legal), and who will own the day-to-day PoV communications? Options: IT Ops, SOC/Analysts, OT Engineers, Legal/Compliance, Executive Sponsor, Other

      If We Move Forward, What Could Kill the Project?

      • What are the top three deal-breakers that would stop you from onboarding an MDR provider?
      • Are there access or network changes we should expect resistance to (VPN access, privileged credentials, opening collector ports)? Options: Yes — significant resistance, Some resistance expected, No resistance, Unsure
      • What escalation and rollback processes must be in place before any containment or disruptive actions can be taken?
      • Who will be our escalation path during an incident outside business hours, and what is the expected response expectation? Options: IT Director on-call, VP Ops on-call, Dedicated incident response contact, Rotate through team, No defined after-hours contact
      • Which legal or procurement steps have historically delayed security projects here, and how long do those typically take? Options: Security review, Legal contract review, Insurance requirements, Third-party vendor onboarding, Other

      Putting It All Together: Next Steps and Comfort Level

      • Based on everything above, how comfortable would you be signing a three-year managed service agreement after a successful PoV? Options: Very comfortable, Somewhat comfortable, Not comfortable yet, Need more info
      • What immediate resources or information do you need from us to move to a PoV (statement of work, agent docs, security questionnaires)? Options: Security questionnaire, Statement of work, Agent deployment guide, SOC procedures, Contract template, Other
      • Who should we invite to a technical kickoff to ensure the PoV can start within your preferred timeline?
      • Realistically, what date could your team commit to starting a PoV or pilot (give a target month or week)?
      • Is there anything we haven’t asked that would make a huge difference in understanding your situation or ensuring a smooth onboarding?
    2. Deployment Enablement

      Schedule agent rollouts, tuning sprints, analyst handovers, runbooks, and execute onboarding tasks with owners.

    3. Validation Checklist

      Verify monitoring coverage, tuned detections, incident handling drills, and MTTC baselines before full handover.

      Validation Questions

      Start Here: Tell Us About Your Situation

      • In one short paragraph, how would you describe the security situation that brought us together today?
      • Which best describes your organization’s employee size? Options: Under 500, 500–999, 1,000–2,499, 2,500–4,999, 5,000+
      • Which industry best fits your organization? Options: Manufacturing, Distribution / Logistics, Professional Services, Healthcare, Financial Services, Other
      • Who is the internal owner driving the MDR evaluation? Options: IT Director, Security Manager, CIO/CTO, VP Operations, CFO, Other
      • How many full‑time people are currently dedicated to security or SOC functions? Options: None, 1, 2–3, 4–6, 7 or more
      • What immediate event or trigger prompted this exploration (select all that apply)? Options: Senior analyst resigned, Too many SIEM alerts, Recent suspicious activity, Compliance requirement, Executive request, Budget review

      Are You Comfortable Flying Blind?

      • If your SIEM is screaming with alerts, what percent of those alerts do you honestly believe are investigated to a conclusive outcome? Options: 0%, 1–5%, 6–20%, 21–50%, Over 50%
      • On a typical day, roughly how many alerts does your environment produce? Options: Under 100, 100–499, 500–1,499, 1,500–4,999, 5,000+
      • What percentage of alerts receive human triage (not just automated ticketing)? Options: None, <10%, 10–30%, 31–60%, >60%
      • Which detection and visibility tools are in place today? (select all that apply) Options: SIEM, Endpoint Detection (EDR), Network Detection/Analytics (NDR), Cloud workload logging, Vulnerability scanner, Identity provider logs, None / minimal tooling
      • Tell us about a recent alert or near‑miss that made you question whether your monitoring is sufficient—what happened and how did it feel?
      • How confident are you that current tooling and staffing would detect and contain an attack against critical OT or industrial control systems? Options: Very confident, Somewhat confident, Not confident, Not applicable—no OT

      Who Really Decides — And What Keeps Them Up at Night?

      • If your CFO ran the numbers comparing building a four‑person SOC to outsourcing detection and response, what single concern would make them immediately push back?
      • Which stakeholders must sign off on a three‑year MDR contract? (select all that apply) Options: IT Director, Security Manager, CFO, CEO, VP Operations, Legal, Procurement
      • Which budgeting model does leadership prefer for this purchase? Options: OpEx / annual, Multi‑year OpEx (3 years), CapEx, Unsure / flexible
      • What operational constraint from VP Operations is non‑negotiable (e.g., no production interruptions during business hours)? Options: No production interruptions during business hours, No agents on certain systems, Change windows limited to specific weekends, Response actions require prior approval, Other
      • What is the target timeline leadership expects between agreement and the point at which risk is meaningfully reduced? Options: Within a week, 2 weeks, 1 month, 2–3 months, Unsure
      • If procurement or legal delays the decision, what real business risk do you foresee in the next 90 days?

      What Would Success Actually Look Like — Not Just a Dashboard

      • If you could measure just one outcome to prove this engagement succeeded, what would it be?
      • Which of the following metrics will best indicate success for your team? (select up to three) Options: Mean time to contain (MTTC), Mean time to investigate, Percent of alerts closed to conclusion, Days to full monitoring after signature, Reduction in false positives, Dedicated analyst ratio
      • What MTTC target would make you feel confident incidents are being contained appropriately? Options: Under 30 minutes, 30–120 minutes, 2–8 hours, 8–24 hours, Not sure / need recommendation
      • How soon do you expect full coverage (all agreed log sources and endpoints) after contract signature? Options: Under 7 days, 8–14 days, 15–30 days, More than 30 days
      • What types of detections or threats are highest priority for you (e.g., credential theft, ransomware, insider misuse)? Options: Ransomware, Credential compromise, Data exfiltration, Insider threat, Supply chain compromise, OT/ICS attacks
      • Which outcome would make your VP Ops and CFO publicly congratulate the security team one quarter from now?

      Imagine a 30‑Day Proof That Changes the Game

      • What would you assume a PoV provider might gloss over or not show you—if they could—and why does that worry you?
      • Which acceptance criteria must the 30‑day PoV meet for you to call it successful? (select all that apply) Options: Demonstrated missed detections compared to current tools, Onboarded target log sources, Established MTTC baseline, Documented tuning reducing noise by X%, Analyst handover and knowledge transfer
      • Which log sources and systems must be included in the PoV to make it meaningful? (select all that apply) Options: Active Directory / identity logs, Endpoints / EDR telemetry, Domain controllers, Cloud workloads (AWS/Azure), Email gateway, Network devices / firewalls, OT/PLC systems
      • Are there internal approvals, vendor contracts, or remote access constraints that could delay PoV work? Options: Yes — vendor approvals required, Yes — internal change approvals required, No known constraints, Unsure
      • How many engineering or admin hours can your team commit during the PoV for connector work, tuning, and validation? Options: None, <8 hours, 8–24 hours, 25–40 hours, >40 hours
      • What single result from the PoV would most convince your leadership to proceed to a full engagement?

      Who Owns Response When Things Go Wrong?

      • If an analyst recommended isolating a production server at 2:00 a.m., who in your organization should have the final say—and why?
      • Which response actions are you comfortable delegating to an external provider without prior approval? (select all that apply) Options: Isolate endpoint, Disable user account, Block IP at edge, Quarantine files, Initiate forensic capture, None — all require approval
      • Do regulatory, customer, or contractual obligations restrict autonomous response activities? Options: Yes — specific restrictions apply (we'll detail), No, Unsure
      • Describe the escalation path you expect for a confirmed critical incident—who is notified and in what order?
      • Have past response actions ever caused unacceptable downtime? If so, tell us about one example and what you learned.
      • Which blackout periods do we need to respect to avoid production impact? (select all that apply) Options: Business hours M–F, Night shifts only, Weekend operations, Monthly maintenance windows, No blackout — any time is acceptable

      What Would Make Signing a No‑Regret Decision Easy?

      • If you could extract one contractual promise that would remove the last reservation from your leadership team, what would it be?
      • Which commercial term length would your leadership prefer to evaluate first? Options: 12 months, 24 months, 36 months, Other / flexible
      • Which SLA guarantees are non‑negotiable for you? (select all that apply) Options: Critical incident response time, MTTC contractual commitment, Platform uptime, Regular executive reviews, Financial remedies for SLA failures
      • What internal approvals must be completed before signature (select all that apply)? Options: Legal contract review, Security architecture review, Procurement approval, Budget signoff (CFO), Executive sponsorship
      • What would be a reasonable timeline to convert a successful PoV into a signed agreement? Options: Sign within 14 days, Sign within 30 days, Longer negotiation required, Unsure
      • Who will serve as the single point of contact for commercial negotiations and who will own technical onboarding? Please name roles and emails if possible.

      Small Technical Reality Check — Are We Ready to Move Fast?

      • If we committed to completing onboarding in two weeks, what single thing in your environment would most likely break that plan today?
      • Which operating systems and endpoint protection products dominate your estate? (select all that apply) Options: Windows (various versions), macOS, Linux (server/desktop), Industry / legacy OT OS, Third‑party endpoint protection (specify)
      • Which identity providers or SSO systems must we integrate with? Options: Azure AD, Okta, Google Workspace / G Suite, On‑prem Active Directory, None / other
      • Please list any systems or device classes where agent installation is prohibited or restricted.
      • Do you have an existing incident response runbook we should align with? Options: Yes — mature and published, Yes — draft, Under development, No
      • How would you prefer we communicate progress during onboarding and the PoV? (select all that apply) Options: Daily standup calls, Twice‑weekly written summaries, Weekly exec review, Dedicated Slack / Teams channel, Email only
  7. Success

    Review outcomes against agreed signals, capture lessons learned, and maintain a shared channel for issues and enhancements.

    Success Reviews

    • Success Review — Outcomes vs Agreed Signals
    • Lessons Learned & Improvement Workshop
    • Operational Handover & Shared Channel Setup
    • MTTC & Detection Fidelity Review
    • Continuous Improvement Cadence & Reporting Plan

    Issues & Enhancements

    • Create a prioritized detection tuning plan with owners and validation criteria.
    • Customer: Confirm resource availability for any on-prem tasks or change windows required.
    • Confirm Operational Roles & Responsibilities
    • Activate a shared channel with the right participants and permissions.
    • Agree documented escalation flows and SLA expectations for incidents and enhancements.
    • Ensure runbooks/playbooks are published and editable by agreed owners.
    • Provision the chosen shared channel and invite the agreed list of participants.
    • Publish the escalation flow document and circulate to stakeholders.
    • Seller: Upload final runbooks and ensure read/write access for owners.
    • Seller: Publish MTTC calculation workbook and raw incident timelines for audit.
    • MTTC Definition & Measurement Method
    • Confirm MTTC meets contractual targets or identify a documented remediation plan.
    • Introductions & Objectives
    • Agree on the cadence and method for re-measuring MTTC and fidelity improvements.
    • Create tuning tickets for the top 10 false positives and assign detection owners.
    • Schedule the first validation window (re-measure MTTC) 30 days after tuning completion.
    • Proposed Cadence & Purpose
    • Agree and calendarize a sustainable cadence for operational and executive reviews.
    • Lock down the KPI set and reporting template used for ongoing success measurement.
    • Define governance for enhancement requests and their prioritization process.
    • Create recurring calendar invites for the agreed cadence and populate attendee lists.
    • Seller: Publish the KPI dashboard template and automate monthly report distribution.
    • Customer: Confirm executive sponsor(s) and decision authorities for QBRs.
    • Produce a clear acceptance decision for the PoV/onboarding against each agreed signal.
    • Document any shortfalls with concrete remediation owners, deliverables, and timelines.
    • Ensure mutual alignment on the evidence and calculations used to measure outcomes.
    • Seller: Deliver a consolidated outcomes report (metrics, raw evidence, calculations) within 48 hours.
    • Customer: Provide acceptance decision or list of remaining concerns within 5 business days.
    • Assign owners for any remediation tasks and publish dates for closure.
    • Set Scope & Rules for the Workshop
    • Capture a prioritized list of improvements with owners and due dates.
    • Agree which operational practices will be retained, changed, or retired.
    • Ensure both parties commit to timelines for high-impact remediations.
    • Create the improvement backlog in the shared tracker and assign owners within 3 business days.
    • Seller: Schedule tuning sprints and a runbook update sprint for identified quick wins.
    • Reconfirm Agreed Success Signals
    • KPI & Report Template Review
    • Select & Provision Shared Channel
    • MTTC Trend & Dashboard Review
    • What Worked Well (Successes)
    • Case Reviews — Representative Incidents
    • Present Measured Outcomes & Evidence
    • What Broke or Slowed Us Down (Issues)
    • Define Escalation Paths & SLA Targets
    • Attendees & Decision Rights
    • Detection Fidelity Analysis
    • Publish Runbooks, Playbooks & Repo Access
    • Governance for Enhancements & Roadmap Requests
    • Root Cause & Impact Mapping
    • Gap Analysis: Where We Met/Did Not Meet Targets
    • Tuning & Validation Plan
    • Schedule First Cycle & Communication Plan
    • Customer Validation & Concerns
    • Onboarding & Access Checklist
    • Create & Prioritize Improvement Backlog
    • Agree Next Steps & Review Cadence for Backlog
    • Decision & Next Steps
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.