Beyond Alert Fatigue: Why Your MDR Provider Needs to Prove Real Outcomes

Is your security team drowning in alerts? If you're tired of watching threats slip through while your analysts chase endless false positives, you're not alone. But the problem might not be what you think. 

"Our customers are exhausted, dealing with false positives, not seeing the value of the tools they've invested in," says Tommy Scott, Field CSO at Critical Start, during a recent ISMG webinar on MDR accountability. "Five years ago when I joined Critical Start, I was really educating my customers and prospects what MDR is. That story has changed. I no longer am educating customers and prospects what MDR is. I'm kind of helping them through where are the gaps." 

The gaps are real, and they're costing you more than just analyst burnout. 

Why Is the False Positive Problem Still Killing Your SOC?

Here's the uncomfortable truth: most MDR providers have become notification services. They promise to "handle the noise" and "tell you what matters," but what they're really doing is adding another layer of alerts to your already overwhelmed team. 

"If I had to summarize what the biggest challenges are, I might actually not make that word plural and say what is the biggest singular challenge," Scott explains. "The false positive problem, the reason why MDR was created in the first place is still a big problem for many customers." 

But here's where most organizations get it wrong. The solution isn't filtering out alerts; it's properly investigating them.

"From my perspective, this is an extreme challenge because if you really dig into what that statement says, alerts aren't noise, they're data points. They're things that should be investigated," Scott notes. "The goal of an MDR provider that a customer should seek to achieve as a partnership is not can you help me handle the noise and tell me what you think I should care about? It is help me reduce false positives and tell me what's actually happening." 

Attackers Are Exploiting Your Alert Overload 

While your team struggles with alert fatigue, threat actors have adapted their tactics. They're not sneaking in after hours anymore; they're attacking during business hours, betting that your team is too overwhelmed to notice.

"What we're seeing are malicious actors are attacking during business hours. And typically you see in the US it's from about 9:00 to noon. Over in Western Europe, it's about that 3:00 to 5:00 time," Scott reveals. "Those are the most common times that we see attacks because the false positive problem, what they're assuming malicious actors is that they're going to attack when people are looking because they're not going to be looking at everything because it's kind of just a math problem. Too many alerts, not enough people, but really not enough time."

The attackers' strategy? "Let's blend in with the noise so that we can get in, potentially look like good behavior, and then go undetected." 

What Does Real MDR Response Look Like? 

Most MDR providers talk about response, but few deliver what actually matters. Real response isn't a notification; it's a decisive action. It must be: 

  • Action-Oriented: Hands-on-keyboard work using your own tools. 
  • Guaranteed: Backed by an SLA with financial penalties. 
  • Comprehensive: Applied to all threat alerts, not just a select few. 

"Response has to equal action," Scott emphasizes. "It means active hands on keyboard utilizing the customer's tools to actually take that response. The response also can't be a best effort. It can't be a promise we'll get to it when we have time because getting to it when we have time, that's the problem the customers are struggling with. So it has to be backed by a service level agreement that actually has financial penalties." 

But here's the critical part: "All threat alerts must be investigated with an SLA when you talk to an MDR provider about response." 

Not just the "high priority" ones. Not just the ones that fit their staffing model. All of them. 

Where's the Accountability in MDR? 

The biggest problem with most MDR relationships? No real accountability. Providers promise outcomes but deliver notifications. They claim transparency but operate in black boxes. 

"What's key is and what actually matters the most is here's what we're going to do for you after the partnership has started officially, after the purchase order has been signed and received," Scott points out. "Sales is flashy, the service delivery is what's important and there has to be an emphasis on that above and beyond just gaining a new customer, it's retaining them, delighting the customer, making sure you're obsessed with the customer outcome." 

Real accountability isn't a buzzword; it's a commitment. It means your provider delivers: 

  • Measurable KPIs with clear proof of performance. 
  • Financial penalties for failing to meet SLAs. 
  • Complete audit trails showing every action taken. 
  • Radical transparency into how they operate in your environment.

Getting Maximum Value from Your Security Stack 

You've invested heavily in security tools (think Defender, CrowdStrike, SentinelOne, Palo Alto, etc.). The problem isn't your technology; it's operationalization.

"The industry really doesn't have a tool problem any longer. It's how are those tools being operationalized?" Scott explains. "When we're out there looking for enterprises to maximize their existing investments, it should be finding an MDR provider who can leverage their existing technologies. This shouldn't be a rip and replace to find a new tool because a different provider said it's going to give you a better outcome." 

Your MDR provider should integrate directly with your existing tools, not just to receive alerts, but to take action through them. "Can I ask questions? Can I get more information?" Scott asks. "When we say operationalize a tool, an MDR provider should just say, yes, we integrate, it's yes, we fully use the capabilities that essentially were promised to you when you purchase that technology." 

The Questions You Need to Ask Your MDR Provider 

Don't just ask what they do; ask them to prove it. Here are the failure points Scott sees most often in the market:

  • False Positive Handling: "Show me, not tell me, show me your approach to handling false positives. And if the first thing they say is anything to do with whitelisting, it's anything to do with filtering out, you got to really dig into that language." 
  • Visibility Gaps: How do they ensure complete signal coverage? "During the sales process, you can ask a lot of questions, you can validate all the technologies, but inevitably there's always a delta between what was talked about versus what is in the environment." 
  • Response Capabilities: "When are you going to respond in what manner? And when you don't, are you allowing me to respond faster? What are you doing to help fully operationalize my technology as a customer?" 
  • Expertise and Retention: High analyst turnover kills institutional knowledge. Look for providers with proven retention rates and the ability to communicate clearly about threats and required actions. 

The AI Question Everyone Should Ask 

Everyone's talking about AI in cybersecurity, but most providers are using it wrong. 

"AI as of today, where we see the market going and where customers are comfortable is AI using or being used as an acceleration versus an outcome," Scott explains. "So we use AI to accelerate our humans and allow our humans to validate what's happening." 

AI should make your analysts faster and more accurate, not replace human judgment entirely. 

"The right MDR, the sole goal should be prevent breaches, prevent business disruption, but ultimately move your security forward. It's not just about alert resolution. It's how are we reducing our overall risk footprint as a partnership?" 

Moving Beyond Best-Effort Security 

Your organization deserves better than "we'll get to it when we can." 

You need an MDR provider that operates as a true partner. One that fits into your environment, respects your risk tolerance, and delivers measurable outcomes with contractual backing. 

Attackers are counting on your team being too overwhelmed to notice them. Don't let alert fatigue become your biggest vulnerability. It's time to demand an MDR partner that investigates every threat, takes decisive action, and proves its value with unwavering accountability. 

Ready to see what accountable MDR looks like? Watch the full on-demand webinar to dive deeper into these critical MDR selection criteria, or contact Critical Start to discuss how proper MDR partnership can transform your security operations. 

The webinar "Beyond the Alert: Demanding Accountability and Real Outcomes from Your MDR Provider" features Tommy Scott, Field CSO at Critical Start, and Tom Field, Senior Vice President of Editorial at Information Security Media Group. 

Cyber Threat Intelligence Team