Cybersecurity, MXDR, SIEM

5 Key Questions for Cybersecurity Vendor Selection [Your Cheat Sheet]

As part of CloudGuard’s yearly review, our Customer Success leaders ran a survey across UK and Ireland based businesses to understand the challenges that IT leaders experienced when assessing the market for cybersecurity vendor selection.

The businesses had a wide variety of cyber solutions, experience and security maturity. The purpose of this report is to summarise the key guidance respondents offered to others considering a new cyber security solution and/or partnership. Many businesses shared similar objectives and goals for a cyber MXDR service. The following sections set out the learnings, and the questions to understand in detail, as a buyer progresses through the purchasing process, builds out success criteria and ultimately moves towards a decision on their chosen security partner.

*All customers surveyed had a requirement for a fully Managed Detection and Response service*

[Download your copy of the report here]

5 Key Questions for Cybersecurity Vendor Selection:

    1. Can you provide an accurate response time commitment from detection & alert through to remediation and action?
    2. Will there be access to the data logs ingested into your service?
    3. Does the responsibility for incident remediation reside with the provider or with the customer?
    4. What level of tuning is included within the service provision and how is this reported on throughout the partnership?
    5. What is the company’s approach and commitment on data export requests on the logs being collected, monitored and transferred?

1. Can you provide an accurate response time commitment from detection & alert through to remediation and action?

Follow-up questions

Does this commitment meet the following conditions:

  • Lasts for the duration of the contract
  • Based on my current security deployment and relevant integrations within the service, not general statistics

Challenges faced

A repeated concern across the survey audience was the response time of the incumbent, or proposed, vendor over time. Specifically, 62% of respondents indicated that post implementation, the service experience did not meet the sales positioning and commitment.

The respondents were a variety of customers who purchased one of two service categories:

  • A supplier of MDR services only, where the service consists of alerting the customer and nothing more
  • A supplier providing SOC/SIEM/SOAR services where the customer is providing MDR services and support

In certain cases, it was identified that there was a difference between indicated performance and customer experiences due to endpoint solution parameters or performance.

These differences indicated potential response times of up to 1 hour from detection through to genuine action and/or containment.

The concern was that, once implemented, this part of the service performance could not be modified or improved. Exfiltration, weaponisation or disruption could be inflicted by nefarious actors with access to customer environments for up to an hour at a time from the point of intrusion.

Time to Mitigate and/or Time to Respond are key metrics to define with a supplier in advance, alongside contractual commitments.

2. Will there be access to the data logs ingested into your service?

Challenge faced

Some customers highlighted that a common issue uncovered in the purchasing process was a difference in their ability, or a lack of ability, to access and/or customise the SIEM data that the supplier’s SOC captures from the customer environment.

A ‘hands-off’ approach is of course a key part of any managed service, but 54% of customers required or contracted to have the information readily available to them on demand.

The issue identified is that access was not supported or permitted, coupled with concerns around the standard vendor reporting capabilities. A key consideration for many customers evaluating a third-party SIEM solution is improving and gaining real-time reporting with user behaviour analysis capabilities.

3. Does the responsibility for incident remediation reside with the provider or with the customer?

Challenge faced

Due to varying automation capabilities and endpoint solutions across the vendor market and respondents, many providers will alert customers only and require manual intervention from the customer in order to effectively remediate incidents.

This, in turn, can significantly impact the Mean Time to Respond and Mean Time to Resolve metrics within the associated security partnership; these should be defined as absolute time, not just provider time.

Respondents encouraged exploring common scenarios for each customer environment to understand in detail the handoffs, customisations and RACI (Responsible, Accountable, Consulted, Informed) matrix that defines roles and responsibilities, as well as incident response execution and escalation.
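The distinction raised under questions 1 and 3 (a provider's own response clock versus the absolute time an attacker retains access) is easiest to see on incident data. The following is an added example, not code from the report or from CloudGuard, using constructed, hypothetical incident records: it computes the provider-accountable time (to alert when remediation is handed to the customer, to containment when the provider remediates) alongside the end-to-end time, and checks both against a contractual commitment. The `handoff_to_customer` field and the one-hour commitment are assumptions chosen for illustration.

```python
"""Added example: provider-measured vs absolute response time from incident records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_at: datetime        # detection fires in the provider's platform
    alerted_at: datetime         # provider notifies the customer (or its own responders)
    handoff_to_customer: bool    # True when remediation is the customer's responsibility
    contained_at: datetime       # containment/remediation action completed


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample incidents (hypothetical values, not survey data).
SAMPLE_INCIDENTS = [
    Incident("INC-001", _ts("2025-01-06T09:00:00"), _ts("2025-01-06T09:08:00"), False, _ts("2025-01-06T09:25:00")),
    Incident("INC-002", _ts("2025-01-06T13:30:00"), _ts("2025-01-06T13:40:00"), True, _ts("2025-01-06T15:05:00")),
    Incident("INC-003", _ts("2025-01-07T02:15:00"), _ts("2025-01-07T02:20:00"), True, _ts("2025-01-07T03:10:00")),
    Incident("INC-004", _ts("2025-01-07T11:00:00"), _ts("2025-01-07T11:12:00"), False, _ts("2025-01-07T11:50:00")),
]


def provider_time(inc: Incident) -> timedelta:
    """Time the provider is accountable for: detection to alert when the customer
    remediates, detection to containment when the provider remediates."""
    end = inc.alerted_at if inc.handoff_to_customer else inc.contained_at
    return end - inc.detected_at


def absolute_time(inc: Incident) -> timedelta:
    """Attacker dwell after detection, regardless of who performs the work."""
    return inc.contained_at - inc.detected_at


def _minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def summarise(incidents, commitment: timedelta) -> dict:
    """Compare the two clocks and list incidents that breach the commitment on each."""
    prov = [provider_time(i) for i in incidents]
    absl = [absolute_time(i) for i in incidents]
    return {
        "provider_median_min": median(_minutes(p) for p in prov),
        "absolute_median_min": median(_minutes(a) for a in absl),
        "provider_max_min": _minutes(max(prov)),
        "absolute_max_min": _minutes(max(absl)),
        "provider_breaches": [i.incident_id for i in incidents if provider_time(i) > commitment],
        "absolute_breaches": [i.incident_id for i in incidents if absolute_time(i) > commitment],
    }


if __name__ == "__main__":
    # With a one-hour commitment the provider clock shows no breaches, while the
    # absolute clock shows INC-002 (handed off, then remediated 95 minutes later).
    for key, value in summarise(SAMPLE_INCIDENTS, timedelta(hours=1)).items():
        print(f"{key}: {value}")
```

The point the numbers make is the one the respondents raised: a provider can report every incident inside its commitment while the customer's environment is still exposed well beyond it, so the contract should state which clock the commitment is measured on.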

4. What level of tuning is included within the service provision and how is this reported on throughout the partnership?

Challenge faced

The issue here is alert fatigue, reported as both provider- and customer-related. A combination of insufficient tuning to continually reduce false-positive and benign-positive incident volumes, and a lack of support from customer success, meant customers continued to experience higher than expected volumes of standardised alerts.

Consistent performance improvements via tuning and End User Behavioural Analysis are essential to effective detection, response, resolution and service evolution. It is essential to validate the level of tuning, commitment to ongoing improvement and how effectively this is communicated through reporting. Tuning can be rule, policy, controls or activity based.
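Validating the level of tuning is simpler when the customer can compute noise per rule from its own alert dispositions rather than relying on the provider's summary. The following is an added example, not code from the report or from CloudGuard, over constructed alert records: it groups alerts by rule and reporting period, derives the share that were closed as false or benign positives, and flags rules that remain noisy after a period of tuning. The rule names, disposition labels and the 80% noise threshold are assumptions chosen for illustration.

```python
"""Added example: per-rule noise rate across two reporting periods as a tuning report."""
from collections import defaultdict

NOISE_DISPOSITIONS = {"false_positive", "benign_positive"}


def _alerts(period: str, rule: str, true_pos: int, benign: int, false_pos: int):
    """Build constructed alert records as (period, rule, disposition) tuples."""
    return ([(period, rule, "true_positive")] * true_pos
            + [(period, rule, "benign_positive")] * benign
            + [(period, rule, "false_positive")] * false_pos)


# Constructed sample dispositions (hypothetical rule names and counts).
SAMPLE_ALERTS = (
    _alerts("2025-Q1", "impossible_travel", 1, 7, 2)
    + _alerts("2025-Q1", "new_admin_role", 3, 1, 0)
    + _alerts("2025-Q1", "mass_download", 0, 6, 0)
    + _alerts("2025-Q2", "impossible_travel", 3, 1, 1)   # tuned: noise drops
    + _alerts("2025-Q2", "new_admin_role", 2, 1, 0)
    + _alerts("2025-Q2", "mass_download", 0, 6, 0)       # untuned: still all noise
)


def noise_by_rule(alerts, period: str) -> dict:
    """Total alerts and noise rate per rule for one reporting period."""
    counts = defaultdict(lambda: {"total": 0, "noise": 0})
    for p, rule, disposition in alerts:
        if p != period:
            continue
        counts[rule]["total"] += 1
        if disposition in NOISE_DISPOSITIONS:
            counts[rule]["noise"] += 1
    return {
        rule: {"total": c["total"], "noise_rate": round(c["noise"] / c["total"], 3)}
        for rule, c in counts.items()
    }


def tuning_report(alerts, before: str, after: str,
                  noise_threshold: float = 0.8, min_alerts: int = 5) -> dict:
    """Compare noise per rule between two periods and flag rules still needing tuning.

    A rule is flagged when, after tuning, it has produced at least `min_alerts`
    alerts and at least `noise_threshold` of them were false or benign positives.
    """
    b, a = noise_by_rule(alerts, before), noise_by_rule(alerts, after)
    report = {}
    for rule in sorted(set(b) | set(a)):
        before_rate = b.get(rule, {}).get("noise_rate", 0.0)
        after_stats = a.get(rule, {"total": 0, "noise_rate": 0.0})
        report[rule] = {
            "before_noise_rate": before_rate,
            "after_noise_rate": after_stats["noise_rate"],
            "after_total": after_stats["total"],
            "improvement": round(before_rate - after_stats["noise_rate"], 3),
            "needs_attention": (after_stats["total"] >= min_alerts
                                and after_stats["noise_rate"] >= noise_threshold),
        }
    return report


if __name__ == "__main__":
    for rule, row in tuning_report(SAMPLE_ALERTS, "2025-Q1", "2025-Q2").items():
        print(rule, row)
```

Run against a real export of closed alerts, a report like this lets the customer ask the provider a specific question at each review ("why is mass_download still 100% benign after a quarter?") rather than a general one about tuning effort.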

5. What is the company’s approach and commitment on data export requests on the logs being collected, monitored and transferred?

Challenge faced

Providers have varying policies relating to the export of the data, and associated formats, collected from customer environments. It is essential that back-dated information is archived and can be appropriately exported from the service, as it forms a crucial part of running incident response in the event of an attack as well as of future service transition, whether migrating to another platform or to an internally managed solution.

It is important to gain access to archives and export data for compliance, preservation of priorities, investigations, service continuity and incident histories.

Respondents highlighted that certain providers did not commit to any level of data export during or at contractual completion of MXDR services.

About CloudGuard

CloudGuard is a leading Managed Security Services Provider (MSSP), offering a range of services to protect organisations against evolving cyber threats. With a focus on proactive threat detection, automated response, and responsive support, CloudGuard helps businesses to navigate the complexities of the digital landscape securely.

If you’re looking to change MXDR providers, or would like to learn more about how CloudGuard can help you with these challenges, send us a message here.

Author: Scarlett Thompson