If "R" Stands for Response, Then Show Me the Response

That’s the argument Randy Watkins, CTO of Critical Start, made during a recent interview with Dark Reading at the Black Hat USA 2025 News Desk. In his view, the "R" in MDR is where everything falls apart.
"Response is a fairly ambiguous term. We see response meaning everything from actual containment of threats to escalation of alerts in different scenarios. They're both warranted, but what we really want to do is better set expectations of what customers are going to get."
If you're not getting real response, you’re just paying for another alert feed.
Define Response. Then Commit to It.
Most MDR contracts hide behind vague language. And that’s a liability when a breach happens. Critical Start draws a clear line.
"Is it an active response? Containment, eradication, prevention? Or is it something like notification and escalation, and then wrapping accountability around that with actual contractual SLAs of 60-minute time to response across all threat alerts?"
It’s not about sending more tickets. It’s about taking the action your team would take, within the window you expect.
"If something comes in within this amount of time, this action will have been taken to either stop the threat from spreading, remove the threat from the device, or prevent the threat from happening in the future."
Response Without Visibility Isn’t Response
Plenty of vendors claim they "contain threats." But if you can’t see the work, how do you know what’s actually happening?
"When we talk about transparency, it's not just transparency into what alerts we're getting, but also the investigation that we're doing, the responses that we're taking, the sorts of detections that we're pushing inside of the customer’s products."
This visibility is how customers verify value, track trends, and close security gaps.
"If you can't see the value that you're getting, why are you paying for the service? If you don't know what you should be expecting from your service, why have it in the first place?"
Full SOC Access, Even After Hours
Attackers don’t wait for business hours. Your MDR shouldn’t either. That’s why Critical Start built MobileSOC®, a mobile SOC app with full feature parity.
"Attackers love to come after you 8:00 at night on a Friday. Instead of opening up your laptop, tethering in, cracking open the console, and trying to dig through it, you pull up your mobile phone. You see the alerts we’ve escalated, exactly what our SOC has done in our investigation, and you have options to respond — using your products and APIs — right from your phone."
Even custom rules of engagement carry over. One platform. Full access. Anywhere.
"The transparency into what our analysts have already done, and then that recommendation back to the customer with the ability to act on it from anywhere with the mobile SOC, really enables them to cut down attacker dwell time inside the environment."
Real MDR Is Human at the Core
Don’t confuse automation with accountability. At Critical Start, tech supports the service, but people drive it.
"MDR is a technology-enabled service. And a lot of people confuse it with a technology with a potentially attached service. The humans are at the center of what we're offering."
That includes onboarding, customer success, and a dedicated advisory SOC analyst focused on your data.
"That's how we become an extension rather than a bolt-on."
Real MDR Means Real Outcomes
You can have best-in-class tools and still get buried in noise. The issue isn’t what you’ve deployed; it’s what you’re getting back.
"It's not a product problem. It's an outcome problem. They have all the right tools and are just not getting the outcomes."
That’s why Critical Start investigates medium and low alerts: that’s often where threats start.
"Just because it's not a critical or a high yet doesn't mean it's not going to be. So why not stop the threats a little bit earlier on?"
While Critical Start handles the volume, your team focuses on strategy.
"Instead of chasing down product configurations or looking at an endless number of alerts, they can really look at procedure and policy and make bigger impacts to security where it matters for the organization."
AI That Accelerates, Not Autopilots
There’s no shortage of AI promises. But security operations teams know the risk of letting software make blind containment decisions.
"Overwhelmingly there's trepidation on letting AI be fully autonomous when it comes to security operations, specifically containment."
Critical Start’s model keeps the human in the loop.
"Our approach is AI-accelerated, human-validated. The humans are still at the center of everything we do, but we call it SOC AI. Internally with SOC AI, it's gathering all the necessary data and presenting it in a dossier format where analysts can quickly read it, verdict on it, and then take the actions."
The result: human judgment, at machine speed.
"We still want humans to give the quality customers expect from our service, but we want AI to help speed up the investigation process."
Don’t Settle for MDR Without the "R"
You’re not buying a dashboard when you bring on an MDR vendor; you’re hiring a partner to respond when it counts. If that response is vague or invisible, you’re still on your own.
"Transparency is just part of doing business the right way. But there are so many downstream positive impacts of being transparent with your customers. Everybody feels like it is a true partnership rather than just a bolt-on service, where maybe you’re getting value, maybe you’re not."
Ask your MDR provider:
- What does "response" actually mean?
- Can I see what’s happening in real time?
- Do I get a technology vendor—or a true security partner?
Because the "R" in MDR only matters if it shows up when you need it most.
