In the crowded managed detection and response (MDR) marketplace, distinguishing between vendor capabilities is increasingly difficult. As we navigate the complex threat landscape of 2026, the cost of a blind spot is not merely a missed alert; it is often a foothold for a ransomware operation or a supply-chain compromise. A recent analysis highlights a critical framework for this procurement challenge: the "Swiss Cheese" model.
The core issue is that not all MDR solutions are created equal. Vendors present pricing models and telemetry coverage that look solid on the surface, but beneath the surface, they are riddled with holes—like slices of Swiss cheese. If the holes in your vendor's telemetry collection align with the holes in your internal logging, threats pass straight through to your environment. For security leaders, the objective is to select a provider whose "cheese slices" effectively block the attack vectors that matter most to your organization.
Technical Analysis
The analysis of current MDR offerings reveals two distinct architectural approaches that directly impact visibility and risk posture:
1. Ingestion-Based Pricing Models
Some providers charge based on the volume of telemetry ingested (e.g., per GB) rather than the number of assets protected.
- The Mechanism: This model incentivizes organizations to be selective about what logs are sent to the MDR to control costs. Defenders may choose to ingest only high-fidelity logs (e.g., EDR alerts) while excluding verbose data (e.g., full DNS logs, process creation logs for non-critical endpoints, or specific authentication logs).
- The Risk (The Hole): While cost-effective on paper, this creates "accepted risk" by design. The logs left on the cutting room floor are often the contextual data required to piece together a low-and-slow intrusion. If an attacker leverages a technique that generates only the logs you chose not to ingest, your MDR provider is blind to the compromise.
2. EDR-Centric Solutions with Limited Log Sources
Other MDR offerings are essentially managed EDR services with only a few additional log sources tacked on.
- The Mechanism: These solutions rely heavily on endpoint telemetry. They provide excellent coverage for malware and process-based behaviors but lack depth in network, identity, or application-layer telemetry.
- The Risk (The Hole): This approach assumes the endpoint is the final control point. However, modern attacks in 2026 frequently exploit identity providers (IdP), SaaS misconfigurations, or valid accounts—areas where pure EDR telemetry is often silent. If the MDR does not ingest cloud trail logs or identity provider events, lateral movement using legitimate credentials remains invisible.
The Swiss Cheese Alignment
The danger arises when the "blind spots" of your internal logging stack align perfectly with the blind spots of your MDR provider's ingestion model. Defense-in-depth requires that the layers of your security stack (your internal tools and your MDR partner) have misaligned holes. If your internal SIEM is missing cloud logs because of a configuration error, and your MDR provider excludes them because of pricing constraints, you have no visibility layer stopping that threat vector.
Executive Takeaways
- Quantify the Cost of Blind Spots: When evaluating ingestion-based pricing, do not simply calculate the cost per GB. Calculate the cost of the exclusion. Explicitly map out which attack techniques (TTPs) become undetectable if you drop specific log sources to save money.
- Formalize a "Blind Spot Registry": Do not treat logging gaps as abstract concepts. Maintain a formal registry of what is not being logged or ingested. Have your MDR provider review this list and sign off on the risk acceptance. If they cannot analyze the impact of the logs you are leaving out, find a provider who can.
- Prioritize Asset-Based Coverage for Critical Infrastructure: For your most critical assets, move away from ingestion-based models to asset-based models. This ensures that cost concerns never restrict the telemetry visibility required to protect your crown jewels.
- Demand Full-Stack Telemetry: Ensure your MDR provider ingests data beyond the endpoint. Identity (Auth logs), Network (NetFlow/DNS), and Cloud (CloudTrail/AzureActivity) telemetry are non-negotiable for detecting modern 2026 threats. A solution that is "just EDR" is no longer a comprehensive MDR.
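The alignment check above, the "cost of exclusion" calculation and the blind spot registry can all be derived from the same two inputs: a map of which log sources give visibility into each ATT&CK technique, and the set of sources each defensive layer actually ingests. The following script is an added example and not code from the original article or from any MDR vendor; the technique-to-source map, the internal SIEM set and the MDR ingestion set are constructed sample data (a real run would use your own ATT&CK coverage map and ingestion schema). It classifies each technique by which layer can see it, flags the techniques where the internal and MDR holes line up, emits registry entries for them, and shows which techniques the MDR would go blind to if a named source were dropped to save ingestion cost. It is also the computation behind the Telemetry Gap Assessment step in the Remediation section.

```python
"""Swiss-cheese alignment check for MDR telemetry coverage.

Added example (not from the original article). All data below is
constructed for illustration; replace it with your own ATT&CK coverage
map and ingestion schemas.
"""

# Constructed sample: log sources that give visibility into each technique.
# Any one of the listed sources is treated as sufficient for detection.
TECHNIQUE_SOURCES = {
    "T1078 Valid Accounts": {"idp_auth", "cloudtrail"},
    "T1059 Command and Scripting Interpreter": {"edr", "process_creation"},
    "T1071.004 Application Layer Protocol: DNS": {"dns", "netflow"},
    "T1110 Brute Force": {"idp_auth", "ad_security"},
    "T1567.002 Exfiltration to Cloud Storage": {"netflow", "proxy"},
    "T1486 Data Encrypted for Impact": {"edr"},
}

# Constructed: internal SIEM is missing cloud/identity logs (config error);
# the ingestion-priced MDR has been trimmed down to endpoint telemetry only.
INTERNAL_SIEM = {"edr", "process_creation", "ad_security"}
MDR_INGESTED = {"edr", "process_creation"}


def coverage(technique_sources, internal, mdr):
    """Classify each technique by which defensive layer can observe it."""
    result = {}
    for tech, sources in technique_sources.items():
        seen_internal = bool(sources & internal)
        seen_mdr = bool(sources & mdr)
        if seen_internal and seen_mdr:
            result[tech] = "both"
        elif seen_internal:
            result[tech] = "internal_only"
        elif seen_mdr:
            result[tech] = "mdr_only"
        else:
            result[tech] = "blind"  # the holes in both slices line up
    return result


def blind_spot_registry(technique_sources, internal, mdr):
    """Registry entries for techniques no layer sees, with the sources that would close each hole."""
    registry = []
    for tech, status in coverage(technique_sources, internal, mdr).items():
        if status != "blind":
            continue
        needed = technique_sources[tech]
        registry.append({
            "technique": tech,
            "closing_sources": sorted(needed),
            "missing_internally": sorted(needed - internal),
            "missing_at_mdr": sorted(needed - mdr),
        })
    return registry


def cost_of_exclusion(technique_sources, mdr, dropped):
    """Techniques the MDR currently sees but would lose if `dropped` sources were cut."""
    remaining = mdr - dropped
    return sorted(
        tech for tech, sources in technique_sources.items()
        if sources & mdr and not sources & remaining
    )


if __name__ == "__main__":
    for tech, status in coverage(TECHNIQUE_SOURCES, INTERNAL_SIEM, MDR_INGESTED).items():
        print(f"{status:14} {tech}")
    for entry in blind_spot_registry(TECHNIQUE_SOURCES, INTERNAL_SIEM, MDR_INGESTED):
        print("REGISTRY:", entry)
    # What does dropping DNS from a richer MDR feed cost in detection terms?
    print("Lost if DNS dropped:", cost_of_exclusion(TECHNIQUE_SOURCES, MDR_INGESTED | {"dns"}, {"dns"}))
```

With the constructed data, T1078, T1071.004 and T1567.002 end up in the registry: the internal SIEM has no identity, cloud or network sources and the MDR is endpoint-only, so the three techniques pass straight through both slices. The `cost_of_exclusion` call shows the per-source question an executive should ask before approving an ingestion cut: dropping DNS removes the MDR's only view of DNS-based command and control.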
Remediation
If your current MDR engagement relies on restrictive ingestion or limited log sources, take the following steps to harden your defense posture:
- Conduct a Telemetry Gap Assessment: Immediately cross-reference your MITRE ATT&CK coverage map with your current MDR data ingestion schema. Identify any TTPs that currently have zero coverage due to log exclusion.
- Re-negotiate Data Ingestion: Engage your MDR provider to increase ingestion limits for critical log sources (Identity, Cloud, DNS). Frame this as a risk mitigation exercise rather than a scope increase.
- Implement "High-Value" Retention: Configure your internal log infrastructure to retain the raw, verbose logs that your MDR provider filters out for cost reasons. Ensure your internal IR team can pivot to these local logs during an investigation, even if the MDR does not monitor them in real-time.
- Validate Vendor SLAs on Coverage: Update your Service Level Agreements (SLAs) to include specific requirements on log source diversity. The provider should be contractually obligated to alert you if a critical log source (e.g., Active Directory Federation Services) stops flowing.
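The last step asks the provider to alert when a critical log source stops flowing. A source going silent looks identical, from the MDR's side, to a source that was never contracted, so the check has to be run against an explicit list of critical sources with a per-source tolerance rather than against whatever happens to arrive. The script below is an added example, not code from the original article or from any vendor's platform; the critical-source tolerances and the event stream are constructed sample data. It computes the last event seen per source and raises an alert both for sources that have gone quiet longer than their tolerance and for critical sources that have never appeared at all.

```python
"""Log source liveness check (added example, not from the original article).

Both the tolerances and the event stream below are constructed for
illustration. In practice the events would come from the SIEM or MDR
ingestion pipeline's own per-source counters.
"""
from datetime import datetime, timedelta, timezone

# Constructed: critical sources and how long silence is tolerable for each.
CRITICAL_SOURCES = {
    "adfs": timedelta(minutes=15),
    "cloudtrail": timedelta(minutes=30),
    "dns": timedelta(minutes=5),
    "edr": timedelta(minutes=10),
    "netflow": timedelta(minutes=5),   # contracted but never delivered in the sample
}

# Constructed sample events as (timestamp, source). ADFS stops at 09:05.
EVENTS = [
    ("2026-03-01T09:00:00Z", "edr"),
    ("2026-03-01T09:02:00Z", "dns"),
    ("2026-03-01T09:05:00Z", "adfs"),
    ("2026-03-01T09:30:00Z", "cloudtrail"),
    ("2026-03-01T09:40:00Z", "edr"),
    ("2026-03-01T09:41:00Z", "dns"),
]


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp format used in EVENTS."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Most recent event time per source."""
    seen = {}
    for ts, src in events:
        t = parse_ts(ts)
        if src not in seen or t > seen[src]:
            seen[src] = t
    return seen


def silent_sources(events, critical, now):
    """Critical sources that exceeded their silence tolerance.

    Returns {source: silence_duration}; a value of None means the source has
    never been seen at all, which must alert too (a missing feed is the same
    blind spot as a dead one).
    """
    seen = last_seen(events)
    alerts = {}
    for src, tolerance in critical.items():
        if src not in seen:
            alerts[src] = None
            continue
        silence = now - seen[src]
        if silence > tolerance:
            alerts[src] = silence
    return alerts


if __name__ == "__main__":
    now = parse_ts("2026-03-01T09:45:00Z")
    for src, silence in silent_sources(EVENTS, CRITICAL_SOURCES, now).items():
        if silence is None:
            print(f"ALERT {src}: no events ever received")
        else:
            print(f"ALERT {src}: silent for {silence}")
```

At 09:45 in the sample, EDR, DNS and CloudTrail are within tolerance, ADFS has been silent for 40 minutes against a 15-minute tolerance, and NetFlow never arrived; both of the latter are exactly the conditions the SLA clause should require the provider to report.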