Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In October 2024, the eSentire Threat Response Unit (TRU) responded to an incident where a software developer downloaded a JavaScript project that contained BeaverTail malware. Upon installing the project through the Node Package Manager (NPM) command, it executed malicious JavaScript files and subsequently deployed the InvisibleFerret malware to the host. The InvisibleFerret malware was executed through a Python command, which fingerprinted the host’s information and stole the browser’s credentials.

In response, our team of 24/7 SOC Cyber Analysts responded by isolating the impacted host and alerting the customer with the relevant details.

Upon further investigation by eSentire’s TRU team, it was determined that the observed Tactics, Techniques, and Procedures (TTPs) were consistent with those reported to be used by North Korea threat actors, also tracked as Contagious Interview.

Initial Access

A ZIP file named ‘task-space-eshop-aeea6cc51a7c.zip’ was found in the user’s download directory. eSentire Threat Intelligence team assesses the chances as probable that the victim downloaded the zip from a BitBucket project named “eshop” (Figure 1).

The “server.js” file is used as an entry point to load the file located in “backend/middlewares/helpers/error.js”, which facilitates further malicious activities on the victim machine such as: steal saved login credentials in the browsers; collect system information; enumerates crypto wallet extensions in the targeted browsers; and, steal configuration data from crypto wallets like Exodus and Solana. This JavaScript file (error.js) is highly obfuscated and after analysis it was determined to be a component for the Beavertail malware (Figure 5).

Managed Detection and Response (MDR) pricing can be challenging to navigate. Many security vendors often play into fears of ransomware attacks, data breaches, and costly regulatory penalties, which can push security leaders into rushed decisions, creating a sense of urgency.  

As a result, you may find yourself committing to contracts or service levels that do not fully meet your organization’s specific needs even though they appeared on paper to provide the level of detection and response your organization needs. 

Unfortunately, the challenge doesn’t stop there. Many Managed Detection and Response (MDR) offerings sound nearly identical, with vendors touting similar capabilities: 24/7 Security Operations Center (SOC) coverage, proactive threat hunting capabilities, and advanced threat detection tools. While these claims may appear straightforward on the surface, they mask a deeper level of complexity.  

One example where we see this is when fake MDR vendors interpreting terms like “24/7 monitoring” and “threat response” in different ways. For instance, a vendor can promise round-the-clock monitoring to mean a fully staffed SOC with experienced analysts on each shift.  

Meanwhile, another vendor might have junior analysts (or worse, high turnover rates in their SOC staff) with limited incident handling experience, which can lead to missed alerts and limited response when you need it most. 

As a security leader, you’re also faced with deciphering vague or inconsistent information presented in proposals and demos. In many cases, these demos show premium-tier features that may not be included in lower, more cost-effective service tiers. This lack of transparency can lead to assumptions about service quality and capabilities that don’t align with the actual contract.  

The result? A misalignment between the expected and delivered service, with potential gaps in coverage, missed alerts, limited incident response, or a lack of proactive threat hunting. 

In this blog, we aim to help you understand the MDR capabilities you actually need, how to look out for hidden costs in the MDR contract, and help you evaluate MDR offerings based on tangible outcomes rather than vendor promises.  

Understanding MDR Capabilities: What Do You Really Need? 

Before engaging with MDR vendors, it’s essential to clearly define what problems your organization is trying to solve. MDR security solutions aren’t one-size-fits-all; the right provider for your organization will be the one that aligns best with your specific security challenges and strategic goals. 

1. Identify Your Core Problems 

Start by pinpointing the main security pain points your organization faces: 

• Are there gaps in compliance that need addressing related to sensitive customer data or proprietary data?  
• Are you exposed to supply chain and third-party vendor risk? 
• Do you have limited real-time visibility across your endpoints, or is your security team struggling to monitor alerts during off-hours, such as weekends and nights?  

Understanding these gaps will shape the list of must-have features in your MDR service. 

2. Define Your Key Cyber Risks 

Identify the critical cyber risks you’re looking to mitigate. For some organizations, this could mean protecting against ransomware and other malware threats, while others may need a solution focused on phishing, insider threats, or regulatory compliance.  

A risk-based approach ensures that the MDR service you select is equipped to handle the specific threats that are most relevant based on your unique attack surface, your industry and business operations. 

3. Establish Clear, Measurable Outcomes 

The ability to measure outcomes is crucial for evaluating the effectiveness of an MDR service. Having tangible goals will guide your discussions with potential vendors and prevent you from being swayed by extraneous features that don’t serve your core objectives. Examples of measurable outcomes include: 

• Reduced Mean Time to Detect (MTTD): A critical metric that reflects how quickly threats are identified. A practical outcome should go beyond just reducing MTTD; it should include the ability to know your organization’s current MTTD and Mean Time to Investigate (MTTI). This baseline helps you assess the improvement brought by an MDR provider. 
• Investigate Security Alerts 24/7: If your in-house team is limited to having coverage only during business hours, make sure your MDR provider can extend this with continuous monitoring and investigation capabilities. 
• Operationalizing Threat Intelligence: The MDR provider should help your in-house team move from passive monitoring to proactive, hypothesis-driven threat hunting by integrating original threat intelligence.  
• Enhanced Incident Response Capabilities: Evaluate whether the MDR provider can augment your existing incident response processes. Will they support automated response actions, containment, and isolation, or will they simply notify your team and leave the work to them? Clarifying these expectations will help ensure that the service matches your operational requirements. 

Establishing these defined outcomes ahead of time will make your evaluation process more straightforward and help you ask better questions during vendor discussions.  

Clarifying the MDR Service Tier Structure 

MDR services are typically offered in multiple tiers, ranging from basic to premium, with each tier offering varying levels of service. This tiered approach allows MDR vendors to cater to different types of customers, from smaller organizations that need essential coverage to large enterprises that require comprehensive and proactive services.  

However, it’s important for security leaders to understand that not all tiers are created equal. The service level you choose can significantly affect your security outcomes. 

Premium tier packages often include multi-signal coverage (endpoint, network, log, cloud, identity),  24/7 SOC-as-a-Service, advanced threat hunting, unlimited incident handling, and rapid incident response. While these offerings may be showcased during demos, lower-tier packages frequently lack these comprehensive features.  

Instead, they may only offer basic alerting or monitoring capabilities, which could mean that threats are detected but not actively managed or mitigated. Therefore, make sure you’re asking critical questions like: 

• SOC Coverage: Does every tier provide the same 24/7 SOC Cyber Analyst coverage? Vendors may claim continuous monitoring, but in lower-tier services, this might only mean alerts are forwarded to your team without a thorough investigation. Also, you should clarify if Level 1 to Level 3 SOC Analysts are on duty around the clock or if they are only available in certain higher-tier plans. 
• Threat Hunting and Response: What level of proactive threat hunting and response actions is included at each tier? For instance, some vendors may restrict key response actions (e.g., isolating compromised systems or network segments) to their more expensive tiers. Make sure you know if lower-tier services are limited to merely alerting your team while leaving the response to you. 
• Scope of “Managed” Services: Understand what “managed” means across different tiers. While top tiers might provide comprehensive management of incidents—from detection to resolution—basic tiers might only offer minimal monitoring or advisory support. 
• Best-of-Breed Endpoint Technology Partners: Do they partners with leading technology providers such as CrowdStrike, Microsoft, SentinelOne, Sumo Logic and Tenable? If you want to leverage your existing security investments, find out what technology integrations they offer with your existing tools and SaaS platforms. 
• Dashboards and Reporting: Does the tier you’re considering include access to a customer portal or dashboard, continuous threat intelligence updates, regular updates, asset risk or cyber risk scores? While these may be impressive, they’re often part of higher-tier packages so ask for a clear breakdown of the features and services included at each service level.
  
  • Request specifics on the frequency of reports and whether you’ll have access to dedicated analysts or customer success managers. For example, premium packages might offer monthly or quarterly review sessions, whereas lower tiers might only provide an annual review, if at all. 

Lastly, ensure that you fully understand what each tier offers and verify that the package aligns with your organization’s specific requirements. If your organization needs fast response time to contain incidents or needs advanced threat intelligence capabilities, a basic tier may not suffice.  

Be proactive in comparing your security needs to what each tier truly offers to avoid mismatched expectations and service limitations. 

By asking detailed questions and pushing for transparency, you can gain a clearer picture of how well an MDR provider’s tiered services align with your security goals. This step ensures that you’re not left under protected or overpaying for features that don’t match your needs. 

Differentiate Between MDR Vendors by Getting Specific 

Terms like ‘24/7 SOC’ or ‘fully managed service’ can sound reassuring but often lack a standardized definition across vendors. To avoid misunderstandings and ensure that the MDR provider can meet your organization’s needs, it’s crucial to ask for specifics when you compare MDR vendors.  

Here are some examples where you need to get specific with your vendor as you begin the evaluation process: 

• SOC Capabilities: When vendors promise 24/7 coverage, it’s essential to clarify exactly what that involves. Will you have a complete team of Tier 1-3 Analysts available and actively monitoring on every shift, or are there limited resources during certain hours? Are Incident Handlers staffed on every shift? Some providers may only have a skeleton crew or use on-call analysts outside of core business hours, which can significantly impact response time and quality during a critical event. 
• Service Level Agreements (SLAs): Get clear definitions of key metrics like Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and Mean Time to Investigate (MTTI). These metrics are vital for assessing the effectiveness of an MDR provider, but their calculation methods can vary. For example, one vendor may start the clock as soon as an alert is generated, while another may only count time once an analyst begins investigating. Understanding these nuances will help both parties set accurate expectations for performance and accountability. 
• Ask How Metrics Are Calculated: Clarify exactly how MTTD, MTTR, and MTTI are measured. This ensures that you can compare different MDR services accurately and know what level of response you’re paying for. Providers that report faster detection and response times may be using different methodologies that skew the data, so it’s important to dig into these details. 
• Proof of Service: Request sample reports and dashboards that align with the specific tier you are considering. Sales demos often highlight the most comprehensive features, which might not be part of your chosen package. Seeing real examples of reports and dashboards can help you understand what kind of visibility, analysis, and reporting you’ll receive. 
• Threat Hunting Availability: Verify whether threat hunting services are available 24/7 or if they are limited to standard business hours. Proactive threat hunting can be a game-changer in identifying sophisticated attacks before they escalate, but some vendors may only include it as part of higher-tier plans or limit its availability to daytime hours. 
• Response Time Nuances: Ask vendors whether their stated response times are consistent across all days, including weekends and holidays. For example, a vendor might claim a 15-minute response during business hours but have much longer response windows during weekends or late-night shifts. This variability can be a significant factor during high-stress incidents where every minute counts. 
• Threat Intelligence (TI) Updates and Novel Detections: Ask vendors how frequently they update their threat intelligence and how many novel detections they make on a monthly or quarterly basis. Vendors that regularly refresh their TI and develop novel detection methods are better positioned to catch advanced threats that generic systems might miss. This proactive capability can be a major differentiator in a crowded market. 
• Integration with Your Existing Security Stack: It’s essential to clarify how well an MDR service can integrate with your existing security stack. Ask whether the vendor supports seamless integration with your current tools and if there are additional fees or technical limitations for such integrations. The ability to integrate without significant custom development can save both time and money while ensuring more comprehensive protection across your network. 

Look Out for Hidden Costs in the Pricing Models 

While many providers may advertise straightforward pricing, the details often reveal additional charges for critical services that may not be included in the base package.  

To avoid surprises, review the fine print and confirm all aspects of the pricing model before signing a contract. This approach ensures you have a complete understanding of what you’re paying for and helps prevent unexpected costs or service gaps when it matters most. 

Pitfall #1: Multi-Year Contracts and Flexibility  

While some MDR vendors offer attractive discounts for committing to multi-year contracts, you should evaluate whether locking in for a longer period is truly beneficial for your organization. Some MDR vendors may not offer flexibility so if your needs change, you may find yourself stuck in the same agreement until it expires.  

So, if you’re signing a multi-year agreement, make sure that the MDR vendor offers flexibility and can scale with your business.  

Pitfall #2: Hidden Add-ons 

Carefully review what is included in the base package versus what incurs additional fees. While core MDR services might be covered, essential features such as unlimited log ingestion, custom rule development, or advanced threat hunting often come at an extra cost.  

These features can be crucial for organizations that need deeper insights or more tailored threat detection, so it’s vital to have clarity on what is covered upfront. 

Pitfall #3: Scope of Incident Response (IR) Retainers 

Some MDR providers include an IR retainer as part of their service, which guarantees a callback in the event of an incident but does not necessarily ensure a comprehensive response. This type of retainer may only offer initial consultation or triage, leaving full remediation and recovery to your internal team or requiring an additional fee.  

Verify the scope of these retainers to understand what level of response is included and whether it aligns with your expectations. 

Pitfall #4: Breach Response Limitations 

MDR vendors often claim to offer breach response services, but the specifics can vary widely. Some providers may assist with containment and initial guidance but stop short of full incident management and recovery. Knowing the limits of their responsibility is crucial, especially in high-stakes scenarios where quick action can make the difference between containment and widespread damage.  

Ask detailed questions about what their response includes—do they handle eradication and system restoration, or will they leave those steps to you? 

Red Flags to Watch for During the Sales Process 

When evaluating potential MDR providers, it’s important to be aware of sales tactics that can lead to unexpected costs or unmet expectations. Recognizing these red flags early can save your organization from choosing a service that doesn’t align with your security needs or budget. 

• Fear-Based Selling (FUD): Be cautious of vendors that lean heavily on fear, uncertainty, and doubt (FUD) to push you into making a quick decision. These tactics might involve emphasizing the dangers of ransomware attacks, the potential for data breaches, or the hefty penalties associated with non-compliance. Stay grounded by focusing on objective evaluations and measurable outcomes. 
• Beware of “Free” Add-ons: Some vendors may offer enticing “free” add-ons, such as breach warranties or additional threat intelligence services, to make their packages seem more comprehensive. However, these add-ons often come with limitations or fine print. For example, a breach warranty might only cover certain types of incidents or require you to purchase additional services to activate the warranty. Always ask for the full terms and conditions of any “free” offering, and make sure you understand MDR breach protection warranties, to ensure there are no hidden costs or restrictions. 
• Vague Promises on 24/7 Monitoring: Vendors often push features like 24/7 monitoring and rapid response times, but these promises can be misleading if not clearly defined. Without specifics, “24/7 monitoring” could mean basic alert forwarding rather than continuous, in-depth analysis by skilled SOC analysts. Always ask for a detailed explanation of what these terms mean in practice and ensure that they align with your organization’s expectations. 
• Tour the SOC and Meet the Team: Your buying and evaluation process should include an in-person or virtual tour of the vendor’s SOC and meeting SOC leaders. During the sales cycle you should also ask to meet with members of the teams responsible for threat hunting and threat research to get an understanding of how those teams work with customers. 
• Limitations in Multi-Year Contracts: Ensure that your contract includes flexibility to upgrade, downgrade, or adjust services as your organization grows or shifts its security strategy. Without this flexibility, you could be left paying for a service that no longer meets your requirements or that restricts your ability to pivot when new threats or technologies emerge. 

How to Make an Informed MDR Decision 

Choosing the right MDR provider requires a strategic approach that goes beyond simply comparing price tags. While cost is an important factor, the true value of an MDR service lies in its ability to deliver measurable outcomes and align with your long-term security objectives. 

Begin your evaluation by understanding your organization’s specific needs and defining clear, measurable goals. Focus on whether the provider can support essential outcomes like reducing Mean Time to Detect (MTTD) and responding effectively to threats 24/7. Don’t be swayed by marketing buzzwords or fear-based sales tactics; instead, dig deeper to understand what services and features are included in each tier and how they align with your security strategy. 

When selecting a provider, prioritize those who not only meet your current requirements but can evolve with you as your organization grows. The cybersecurity landscape is constantly changing, and the right MDR partner will adapt to these shifts and offer continuous support. Look for a provider that: 

• Meets You Where You Are: Ensure they can align with your current security maturity and provide the flexibility to grow alongside your organization as your security needs evolve. 
• Adds Tangible Value: Assess their ability to provide novel detections and proactive threat hunting that goes beyond basic alerting, adding real value that is measurable to your security efforts. 
• Delivers Meaningful Metrics and Insights: A top-tier MDR provider will provide metrics and insights that help you manage and fine-tune your security posture, allowing you to make informed decisions and continually improve your resilience. 

The best MDR providers are those that go beyond offering standard services—they become partners who add substantial value through timely intelligence, proactive measures, and customized support. Evaluate whether the provider is committed to delivering meaningful, actionable metrics and reports that empower your team to stay ahead of threats and maintain a strong defense. 

Informed decision-making means choosing an MDR service that not only provides comprehensive protection today but also positions your organization for sustained security and growth in the future.  

By taking the time to thoroughly vet potential vendors, ask the right questions, and assess long-term compatibility, you can ensure that your investment in MDR strengthens your security capabilities and supports your resilience in an ever-changing threat landscape. 

To learn how eSentire MDR can help you reduce your cyber risk and build cyber resilience, contact an eSentire Cybersecurity Specialist now.