Most MDR vendors claim "rapid detection" and "fast response." Very few publish numbers to back it up. This analysis compiles every publicly citable performance metric from leading MDR providers—so you can compare vendors on data, not marketing.
We did not contact any vendor's sales team. Every metric cited here comes from publicly available sources: vendor websites, published reports, MITRE Engenuity evaluation results, and documented SLA commitments. Where a vendor does not publish a metric, we say so explicitly. The absence of data is itself a data point.
Why Metrics Matter More Than Marketing
When evaluating MDR providers, you'll encounter terms like "industry-leading detection," "rapid response," and "enterprise-grade protection." These phrases are meaningless without numbers attached to them.
Three quantitative measures separate MDR marketing from MDR reality:
- Mean Time to Detect (MTTD): How quickly does the service identify a threat from the moment malicious activity begins?
- Mean Time to Respond (MTTR): How quickly does the service contain and remediate a confirmed threat?
- Independent validation: Has the vendor's detection and response capability been tested by an independent third party?
Organizations that rely on marketing language alone when selecting MDR providers often discover—during an actual incident—that "rapid" meant something different than they assumed.
The Master Metrics Table
The following table includes every MDR vendor for which we could identify publicly citable detection or response time data. Vendors without published metrics are included with their status noted.
| Vendor | MTTD (Detection) | MTTR (Response) | MITRE ATT&CK Eval | Source |
|---|---|---|---|---|
| CrowdStrike (Falcon Complete) | ~4 min | ~37 min | 100% detection, 100% protection, zero FPs (2025) + Managed Services: 98% coverage, fastest detection | MITRE eval, vendor SLA |
| Expel | ~5 min | ~13 min (high severity) | Not evaluated (operates on CrowdStrike, Microsoft, SentinelOne platforms) | Vendor annual report |
| Huntress | Not published | ~8 min (from SOC alert receipt) | Not evaluated | Vendor marketing |
| Red Canary | ~2 min (MTTA, not MTTD) | ~19 min median | Detection analytics only | Community discussion |
| eSentire (Atlas MDR) | Not published | 15 min guaranteed containment | Not evaluated (open XDR; integrates with existing customer tools) | Platform-agnostic; SLA-backed containment guarantee |
| Arctic Wolf | Not published | Not published (~7 min Mean Time to Ticket) | Not evaluated | Vendor collateral |
| Microsoft (Defender Experts for XDR) | Not published | Not published | Platform: 24 missed detections (2024); MDR not tested | MITRE eval |
| SentinelOne (Vigilance MDR) | Not published | Not published | Platform: 100% detection, zero delays (2024); MDR not tested | MITRE eval |
| Sophos (MDR) | Not published | Not published | Platform: 100% detection, 86/90 technique-level (2025); MDR not tested | MITRE eval |
| Secureworks (Taegis MDR) | Not published | Not published | Platform: 100% visibility, 95% detection (2024); MDR not tested | MITRE eval |
| Bitdefender (MDR) | Not published | Not published | Platform: 91% analytical coverage, zero FPs Linux/macOS (2024); MDR not tested | MITRE eval |
Reading the Table: What Each Column Means
MTTD (Detection): Time from first malicious activity to the service generating a detection or alert. Only CrowdStrike and Expel publish this metric with clear methodology. Red Canary publishes Mean Time to Acknowledge (MTTA), which starts later—when the alert reaches an analyst, not when the threat begins.
MTTR (Response): Time from detection to containment or remediation. This is the most important metric for business impact, but vendors define "response" differently. CrowdStrike's ~37 minutes includes full remediation. Huntress's ~8 minutes measures from SOC alert receipt. eSentire guarantees 15-minute containment. These are not directly comparable without understanding what each clock measures.
MITRE ATT&CK Eval: Whether the vendor has participated in MITRE Engenuity's independent evaluations. Two tiers exist: Enterprise (testing the detection platform) and Managed Services (testing the MDR service end-to-end). Only CrowdStrike participates in both.
What MITRE ATT&CK Actually Tests (and What It Doesn't)
MITRE Engenuity ATT&CK evaluations are the closest thing to independent, standardized testing for security vendors. But they are frequently misunderstood. Here's what they actually measure:
What MITRE Tests
- Detection coverage: Can the vendor's technology detect specific ATT&CK techniques when an attack sequence is executed? 100% detection means the platform identified every step—but identification alone doesn't mean the attack was stopped.
- Detection quality: Does the vendor produce telemetry, a general alert, or a specific technique-level detection? A technique-level detection (e.g., "T1059.001 PowerShell execution") is far more useful to analysts than a generic "suspicious activity" alert.
- Protection (blocking): Did the platform actually prevent the attack from succeeding? Protection testing checks whether the vendor blocks malicious execution, quarantines files, or kills processes—not just whether it raised an alert. A vendor can score 100% detection and 0% protection if it sees everything but stops nothing. Protection testing has been part of MITRE evaluations since 2021.
- False positive testing: Starting in 2024, MITRE added benign activity tests that run legitimate business operations alongside attack sequences. Vendors that incorrectly flag or block normal activity receive false positive marks. This matters most for self-managed EDR deployments, where every false positive is an alert your team must investigate. With MDR, the provider's SOC analysts triage alerts before they reach you—filtering out false positives so you only hear about confirmed threats. A platform with a higher false positive rate in MITRE testing may still deliver a clean, low-noise experience when operated by an MDR service.
- Visibility across the attack lifecycle: Does the vendor see the full attack chain from initial access through exfiltration?
What MITRE Does NOT Test
- SOC response speed: MITRE does not measure how fast human analysts respond to detections
- Real-world noise: False positive testing uses controlled benign activity, not the full complexity of a production environment with thousands of applications
- Real-world incident handling: MITRE does not evaluate triage decisions, customer communication, or remediation quality
- Pricing or value: MITRE evaluations have no cost component
Why the Enterprise vs. Managed Services Distinction Matters
MITRE runs two evaluation types relevant to MDR:
Enterprise evaluations test the platform—the technology's ability to detect, and optionally block, attack techniques. Results are published on the MITRE ATT&CK Evaluations site. In the most recent evaluations:
2025 (Round 7 — Scattered Spider/Mustang Panda, first cloud evaluation):
- CrowdStrike scored 100% detection, 100% protection, and zero false positives—the only vendor to achieve a perfect score across all three measures. This was MITRE's most technically demanding evaluation to date, including cloud adversary emulation for the first time.
- Sophos scored 100% detection with 86/90 technique-level detections—but did not publish protection scores, and independent analysis found Sophos generated false positives by blocking benign activity during the noise test.
- Notable absences: SentinelOne, Microsoft, and Palo Alto Networks all withdrew from the 2025 evaluation. Microsoft pulled out first (June 2025), followed by SentinelOne and Palo Alto (September 2025).
2024 (Round 6 — CL0P/LockBit ransomware, first false positive testing):
- SentinelOne scored 100% detection with zero delays and generated 88% fewer alerts than the median vendor. Protection scores were not published.
- Microsoft Defender claimed 100% detection coverage but had 24 missed detections in MITRE's published results. Microsoft publicly criticized the protection test methodology and did not publish protection scores. Zero false positives in the detection phase.
- Secureworks achieved 100% visibility and 95% detection in their first Taegis platform evaluation. Protection and false positive scores were not published. (Secureworks was subsequently acquired by Sophos.)
- Bitdefender delivered 91% analytical coverage with zero false positives on Linux and macOS (6 false positives on Windows). Averaged only 3 alerts per incident versus a 209-alert median across vendors—the best alert-to-noise ratio of any evaluated platform. Protection scores were not published.
- CrowdStrike did not participate in the 2024 evaluation. The timing overlapped with the July 2024 global outage.
A note on protection transparency: Most vendors choose not to publish protection (blocking) scores. In the 2025 evaluation, only CrowdStrike published clear protection results. In 2024, most vendors either opted out of the protection test or suppressed those results. When a vendor highlights detection but omits protection, ask why.
But Enterprise evaluations test the tool, not the service wrapped around it. An MDR provider running CrowdStrike or SentinelOne as their underlying platform inherits that detection score—your Expel deployment running on CrowdStrike Falcon benefits from CrowdStrike's 100% detection rate.
Managed Services evaluations test the MDR service end-to-end—including human analysts, workflows, escalation, and response actions. CrowdStrike achieved 98% detection coverage and the fastest threat detection of any vendor in Managed Services Round 2, detecting incidents 6-11x faster than competitors. This is a much more meaningful evaluation for MDR buyers because it validates the entire service, not just the software.
CrowdStrike is the only vendor in our comparison that participates in both evaluation tiers. This means CrowdStrike's managed response capability—not just its detection technology—has been independently validated by a neutral third party.
MITRE Participation Summary
| Vendor | Enterprise Eval (Platform) | Protection Published? | Managed Services Eval (MDR) | What This Means |
|---|---|---|---|---|
| CrowdStrike | 100% detection, zero FPs (2025) | Yes — 100% protection | 98% coverage, fastest detection (Round 2) | Only vendor with top scores in both platform and managed service evaluations |
| SentinelOne | 100% detection, zero delays, 88% fewer alerts (2024) | No | No | Strong detection, but protection not published; withdrew from 2025 eval |
| Microsoft | 24 missed detections (2024) | No — criticized methodology | No | Detection gaps; protection methodology disputed; withdrew from 2025 eval |
| Sophos | 100% detection, 86/90 technique-level (2025) | No — had false positives | No | Strong detection but blocked benign activity; MDR service not tested |
| Secureworks | 100% visibility, 95% detection (2024) | No | No | Solid first showing; subsequently acquired by Sophos |
| Bitdefender | 91% analytical coverage, zero FPs Linux/macOS, best alert-to-noise ratio (2024) | No | No | Lowest alert noise of any vendor, but MDR service not tested |
| Red Canary | Detection analytics | N/A | No | Detection logic tested, not MDR response |
| Expel | No (operates on CrowdStrike, Microsoft, SentinelOne) | N/A | No | Inherits platform scores from underlying EDR |
| Huntress | No | N/A | No | No independent validation |
| Arctic Wolf | No | N/A | No | No independent validation |
| eSentire | No | N/A | No | Differentiates through SLA guarantees instead |
Vendors That Don't Publish Metrics
The majority of MDR providers do not publish aggregate MTTD or MTTR benchmarks. This includes widely recognized vendors: Microsoft Defender Experts for XDR, Arctic Wolf, SentinelOne Vigilance, Sophos MDR, Secureworks, and Bitdefender MDR.
There are legitimate reasons a vendor might not publish these numbers:
- Definition disagreements: What counts as "detected" or "responded to" varies across providers
- Cherry-picking concerns: Aggregate numbers can be misleading if they include low-severity incidents that inflate speed metrics
- Competitive sensitivity: Published numbers become targets that competitors use in sales conversations
- Inconsistent tracking: Some vendors may not systematically measure these metrics across all incidents
However, from a buyer's perspective, the result is the same: you cannot independently verify the vendor's performance claims. This is a legitimate factor to weigh in your evaluation—not as a disqualifier, but as a data point about transparency.
How to Use This Data in Your Evaluation
Step 1: Normalize the Definitions
Before comparing any two vendors, ask each one to provide:
- MTTD: What starts the clock? (Initial malicious activity? First alert? First analyst review?)
- MTTA: When does a human first acknowledge the alert?
- MTTC: When is the threat contained? (Host isolated? Process killed? Account disabled?)
- MTTR: When is remediation complete? (And what does "complete" mean—quarantine or full restoration?)
If vendors use different starting points, their numbers are not comparable.
Step 2: Ask for Severity-Specific Data
Aggregate numbers mix critical incidents with low-severity alerts. A vendor with a 10-minute MTTR that includes thousands of auto-resolved low-severity incidents may actually take 2 hours for critical ransomware events. Ask for:
- Median and 90th percentile times split by severity (Critical/High/Medium)
- Percentage of incidents with automated containment vs. manual response
- Whether the clock stops while waiting for customer approval
Step 3: Request a Proof of Concept
Published benchmarks are marketing. Your environment is reality. The gold standard for MDR evaluation is running the same test scenarios against multiple providers in your actual environment and measuring:
- Time to first alert
- Time to human acknowledgment
- Time to containment action
- Time to closure with proof of remediation
If a vendor refuses a structured PoC, that's informative.
Step 4: Build Your Comparison Matrix
Use this template to structure your evaluation:
| Criteria | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Published MTTD | |||
| Published MTTR | |||
| MITRE participation | |||
| PoC MTTD (your environment) | |||
| PoC MTTR (your environment) | |||
| Automated containment % | |||
| Customer-action dependency | |||
| Pricing (per endpoint/month) | |||
| Contract flexibility |
Why CrowdStrike Stands Out in This Analysis
This analysis was not designed to favor any vendor. But the data tells a clear story:
CrowdStrike is the only MDR vendor that checks all four boxes:
- 100% MITRE detection and protection — Perfect score with zero false positives in the 2025 Enterprise evaluation, the most demanding test MITRE has ever run
- Publishes both MTTD and MTTR — ~4 minutes detection, ~37 minutes response
- Participates in both MITRE evaluation tiers — Enterprise (platform) and Managed Services (MDR), with the fastest detection of any vendor in the Managed Services evaluation
- Operates a unified platform — The same Falcon agent feeds both detection and managed response, eliminating the handoff delays that affect platform-agnostic MDR providers
This doesn't mean CrowdStrike is the right choice for every organization. Expel beats CrowdStrike on published MTTR (13 min vs. 37 min). Huntress is more accessible for SMBs with lean IT teams. eSentire offers contractual containment guarantees that CrowdStrike does not.
But when the question is "which vendor can I most objectively verify as effective?"—CrowdStrike has the strongest evidence base of any MDR provider. That's not a vibes-based argument. It's a methodology-based one.
Detailed Vendor Comparison Articles
For in-depth analysis of specific vendor matchups, see our comparison guides:
- CrowdStrike vs Expel: MDR detection speed and platform-agnostic vs. unified approach
- CrowdStrike vs SentinelOne: MITRE ATT&CK performance and human-led vs. autonomous response
- CrowdStrike vs Huntress: Complete platform replacement vs. supplementary threat detection
- CrowdStrike vs eSentire: Unified AI platform vs. human-led SOC with containment guarantee
- CrowdStrike vs Microsoft Defender: Best-of-breed vs. integrated Microsoft ecosystem
- CrowdStrike vs Arctic Wolf: Technology platform vs. service-first partnership
- CrowdStrike vs Cylance: Comprehensive platform vs. AI-powered execution protection
- Choosing Between MDR, EDR, MSSP, XDR, and SOC: Complete decision framework
Methodology and Limitations
This analysis relies exclusively on publicly available data. We did not contact vendor sales teams, request private benchmarks, or use NDA-protected information. All metrics are sourced from vendor websites, published blog posts, annual reports, MITRE Engenuity ATT&CK Evaluation results, and documented SLA commitments. Source links are provided inline throughout the article.
Limitations:
- Published metrics are self-reported by vendors (except MITRE results, which are independently administered)
- Vendors may update their published metrics at any time
- Aggregate metrics do not capture incident-by-incident variation
- This analysis covers MDR services for endpoint/cloud environments and does not evaluate OT/ICS, email-only, or network-only MDR offerings
Last updated: February 2026
Ready to evaluate MDR for your organization? Our cybersecurity experts can help you assess your requirements and design the right security strategy. Explore our MDR services.
