Activation typically takes less than one business day after the MSP tenant is connected and initial prerequisites are completed.
The process is designed to minimize operational friction and does not require complex deployment phases or long lead times.
From the MSP side, activation requires:
Tenant connection and access approval
Confirmation of supported environments
Agreement on escalation and communication paths
No dedicated SOC build-out or internal process redesign is required to start.
No additional standalone licenses are required beyond the agreed MDR scope.
Licensing is aligned with the MDR delivery model and does not introduce separate tooling overhead for the MSP.
MDR delivery combines human analysts and AI-assisted workflows.
AI is used to:
Reduce triage time
Correlate signals across environments
Support analysts during investigations
Final decisions, containment actions, and incident handling remain under human analyst control.
Incident response ownership is clearly defined and agreed upfront.
Operational response is handled by the MDR SOC according to predefined playbooks, while customer ownership and communication alignment remain with the MSP.
This separation avoids ambiguity during incidents.
Escalation follows structured paths based on:
Severity
Impact
Predefined response authority
MSPs are kept informed through agreed communication channels, without relying on ad-hoc emails or informal decision chains.
Yes. Both white-label and co-branded delivery models are supported, depending on the partnership agreement.
MSPs can deliver MDR services under their own brand, or in a co-branded model, while operational security is handled in the background by the SOC
By default, the MSP remains the primary point of contact for the end customer.
This preserves customer ownership, trust, and commercial relationships, while security operations run in the background.
Reporting is designed to provide both operational visibility and executive-level clarity.
MSPs typically receive two types of reports:
Monthly executive MDR report
A high-level summary covering detected threats, response actions taken, and key security metrics.
Designed to support management reviews and customer discussions.Incident-specific report
Delivered for each confirmed security incident.
Includes investigation details, root cause analysis, actions performed, and remediation recommendations.
This structure allows MSPs to:
communicate security outcomes clearly to customers
maintain operational traceability
support audit, compliance, and post-incident reviews
Yes. Reporting is structured to support common compliance and audit requirements.
Operational evidence, response documentation, and monitoring visibility can be used as part of audit preparation and regulatory discussions.
Pricing is aligned with managed service delivery, not tool consumption or alert volume.
It is typically structured as a monthly subscription, based on:
the number of protected assets
log sources and data scope
estimated operational coverage and response responsibility
This approach allows MSPs to build predictable service offerings without exposure to cost spikes caused by alert noise or investigation volume.
The focus is operational sustainability . not fluctuating usage metrics.
Pricing models may vary depending on scope and agreement.
However, they are intentionally structured to:
avoid unpredictable costs tied to alert volume
support consistent service delivery
scale without penalizing response activity
This makes pricing easier to package, explain, and maintain as MSP services grow.
This page is intended as a reference.
For MSPs exploring delivery models, onboarding options, or operational alignment, the next step is usually a focused discussion around:
Service scope
Response ownership
Commercial structure
Not every MSP operates the same way.
Delivery models should reflect that.
Note
This page is not a contract, offer, or technical specification.
Details may vary depending on partnership scope and agreement.