Watchouts for Investing in the Managed Detection & Response (MDR) Market

Vendor Landscape

However, the landscape of vendors is extensive, and competition continues to intensify: 

Each vendor employs a unique approach to positioning themselves within the MDR landscape:

• Tech-focused vendors want to deepen and expand core software capabilities. 
• Service-focused vendors prioritize enhancing and managing existing software.

Further, vendors are consistently refining their offerings and expanding services and software. Software vendors are adding additional capabilities, especially adjacent ones such as ITDR whereas services-focused vendors and services vendors are adding solutions such as PenTesting. Arctic Wolf, for example, started as a service-oriented solution but has since expanded to include a SOAR software offering.

However, the difficulty for customers and investors alike is understanding how differentiated a given MDR player is from another, understanding:  

• Blurry lines between MDR, XDR, and EDR. In some cases, MDR overlaps with MSSPs as well. 
• Difficulty in understanding whether the so-called breadth of capabilities is perception vs. reality (exacerbated by the number of MDR vendors that ‘claim’ to be true MDR solutions, when in reality, their capability sets fall short of fully meeting the standards of a true MDR offering.  
• Whether they are truly a service versus a technology product: some MDRs have proprietary tech offerings (e.g., Rapid7, Arctic Wolf), vs. some are pure service providers.   
• Nature of service-oriented space: CISOs view MDRs as providing the same services/achieving the same goal, with the decision ultimately coming down to which vendors provide more “peace in mind” (which may be subjective). 

How Can Vendors Differentiate?

While there are several attributes shared with MDR providers, such as robust detection and response technology/services, 24/7/365 support, and leading SOC analysts, we see that vendors across the MDR landscape are differentiating in a variety of ways to attract investment.

Differentiators

Investment Considerations

A heavily fragmented vendor landscape, coupled with a need to differentiate from a mass of vendors beyond “table stakes” attributes, presents challenges to current MDR players. As such, investors are deeply focused on understanding how vendors differentiate across different dimensions, and how the collection of a vendor’s differentiators impacts purchase decisions and elevates (or lessens) a vendor’s positioning in the broader landscape.   

Once MDR vendors with significant differentiation have been identified and further evaluated, there are additional factors for investors to consider. Differentiating on service quality is a tall order but some MDR vendors have succeeded in doing so—usually pairing with other differentiators as well. Furthermore, MDR vendors by nature are services-oriented businesses and one key consideration is whether a given vendor can maintain quality service as it scales:

• What expansion plans exist around ensuring a dedicated team of security experts (SMEs, threat analysts, etc.) are allocated to clients? 
• To what extent has a given vendor proven the ability to scale while maintaining service level, particularly when expanding across geographies? 
• What other value-add services make sense for a given vendor to include, and would “sit well” with existing capabilities? 
• Example services: incident response (IR), automation/workflow development (i.e., automated workflows to reduce manual time required to execute common security tasks. 
• Has the given vendor built meaningful relationships with customers in a way that can be leveraged for cross-selling other security recurring services (e.g., MXDR, ITDR)?

MDR vendors with deep expertise on a specific security platform are positive from a differentiation standpoint; while, at the same time, introducing potential concentration risk. Therefore, the stability and potential of security tech platforms need to be thoroughly evaluated in diligence:   

• What does the growth in licenses/products of a given security platform (e.g., Microsoft, Splunk) look like? 
• Which platforms are expected to see fastest growth and what are key underlying growth drivers (e.g., module/product expansion, rise in volume of net-new licenses)? 
• Is there a disintermediation risk from the security platform (e.g., security platforms start offering service and/or release more tailored products such as dashboard and playbooks, diluting MDR vendors’ differentiation)?

Since attacks and threats are often industry specific, MDR vendors are increasingly specializing and tailoring MDR solutions to meet the requirements and specifications of certain verticals. However, in doing so, key diligence questions to evaluate include:  

• Which verticals are a given vendor specialized in (and to what extent are those verticals attractive)? 
• E.g., high liquidity market, high risk market correlated with higher perceived mission criticality, etc. 
• Is there enough runway/at-bat opportunity in the given verticals (e.g., from non-adopters, displacement of industry-agnostic players)?

Stax is equipped to handle the escalating cybersecurity landscape, particularly in the realm of Managed Detection and Response (MDR). Drawing on our extensive experience in advising firms and investors across various sectors, Stax has guided clients to successful investment strategies and value creation opportunities within the MDR market. To hear more about our services and expertise, visit www.stax.com or contact us here.