The 2AM Test – How to evaluate MDR when it actually matters.

At 2:07 in the morning, nobody cares what was on the demo slide…

They care whether the compromised endpoint got isolated, the attacker’s session token was revoked, and the mailbox rule that set up the business email compromise was disabled before finance woke up. Most MDR evaluations focus on dashboards and detection capabilities, not on what a provider will actually do when something is live and moving. That gap between a good demo and a good response is where this guide lives.

With 67% of security decision-makers reporting at least one breach in the past 12 months, and 88–91% of ransomware attacks landing outside business hours, the real question isn’t whether your MDR provider can see a threat. It’s whether they’ll act on it before you ever pick up the phone.

Inside the guide:

  • The four questions that matter more than the demo — Who acts after hours, what authority they have, what they can actually contain, and how you’ll know it was done.
  • Alert-led vs. response-led MDR — A side-by-side breakdown of the two models hiding under the same acronym, and which one leaves you waiting on a ticket at 2AM.
  • Five real-world breach cases, broken down — Kaseya, ConnectWise ScreenConnect, Snowflake, MGM Resorts, and 3CX, and what each reveals about the gap between detection and containment.
  • The metrics that actually define speed — MTTA, MTTR, MTTC, and MTTD: what starts each clock, and why a provider can look fast on one while being slow where it counts.
  • A full RFP question bank and 13-point executive checklist — Ready-to-use scoring criteria for vendor conversations, RFPs, and internal stakeholder alignment.

Download the guide to see how your MDR provider holds up against the criteria that matter most: authority, speed, surface coverage, and proof, and get the questions to ask before the next incident, not after.

Get Your Copy