The Forrester Wave™: Managed Detection And Response (MDR), Q2 2023 is live!

The MDR market continues to redefine what it means to offer a successful security service with high client satisfaction and retention rates and, as a result, extraordinary growth rates.

For now, no single vendor dominates the MDR market, but providers bringing endpoint detection and response (EDR), extended detection and response (XDR), and MDR to market continue to distance themselves from competitors in terms of market share and client count.

Thirteen vendors participated in the Wave, and we assessed them across areas including time to value, detection, response, analytics, product security, analyst experience, and more. Like the prior MDR Wave from 2021, this was an incredibly fun Wave to author. Read along for a glimpse into the process and some key takeaways!

Demonstration And Evaluation Process

We asked providers to demonstrate four scenarios during their briefing. Feel free to use these in your own proofs of concept as you evaluate vendors.

Scenario 1: Cloud token theft

A threat actor gained access to authentication tokens to bypass multifactor authentication (MFA) and gain access to a client environment.

Scenario 2: Fileless malware

A threat actor uses fileless malware to persist and exfiltrate data on servers in client environments. In some cases, this malware serves as a primary tool of the threat actor, and in others it acts as a backup.

Scenario 3: Business email compromise and fraudulent funds transfer

A threat actor successfully compromises an enterprise employee’s account and uses it to engage in fraudulent funds transfers.

Scenario 4: API used for data theft

A company has an API exposed that adversaries abuse to obtain sensitive information on customers, partners, and employees.

What Is Happening Now In MDR?

Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel. Channel.

That isn’t a typo or a ChatGPT prompt gone wrong. It represents one of the most common topics of conversation for every MDR provider.

Due to shakier macroeconomic conditions, and in an attempt to scale across regions, pursue small to midsize clients, and reduce their cost of sale, most providers continue to pivot to selling to — and through — managed services providers (MSPs), managed security services providers (MSSPs), value-added resellers (VARs), systems integrators (SIs), telecoms, cyber insurers, fast food joints, coffee shops, and, if things get bad enough, flea markets and swap meets (okay, the last four are in jest, but you get the point). Providers, however, have to choose: Will they prioritize partners or practitioners?

Providers lack time, budget, and developers to satisfy both. Keeping partners happy requires providers to make tradeoffs based on users and vice versa. What started as a way to scale go-to-market while reducing costs will become the thing that forces MDR providers to lose market share as they focus on partners at the expense of the audience that matters most: the security practitioners who depend on them.

What Will Happen Next In MDR?

One hopes they will change the channel. Get it? OK, that was terrible, moving on. Provider roadmaps and visions do crystallize around four main concepts that will drive feature and capability enhancements in the future.

The great news: Enhancing analyst experience (AX) should result in improvements for security operations center (SOC) analysts as users. Focusing on security posture should lead to better-protected and more resilient environments. Platform enhancements will lead to improvements for clients unless, as mentioned above, those enhancements satisfy partner use cases instead. Automation, especially automated response, is where things get a bit dicey. Providers already automate their internal operations. But not every client is ready to automate response, and some clients already feel like MDR providers have an “automate or you’re on your own” attitude with response.

All in all, the providers in this Wave represent the best of a market delivering exceptional value to clients. MDR providers continue to grow, clients continue to receive enormous value, and the market has plenty of room for upside. As in all things, risk exists as MDR providers find themselves choosing between satisfying investors, partners, and practitioners. The choices providers make now will dictate who comes out on top in the years ahead.

Check out the full report here: The Forrester Wave™: Managed Detection And Response, Q2 2023

Forrester clients seeking their next MDR provider can schedule an inquiry or guidance session with me to gain additional insight for your decision-making.