Why Traditional MDR Is Failing — and What Best-in-Class Looks Like

The $10,000-Per-Hour Question
Security teams today face a frustrating paradox: despite millions invested in tools, analysts still drown in noise.
Randy Watkins, CTO at Critical Start, and Tim Bandos, VP of Presales Engineering at Critical Start, tackled this head-on in our latest webinar. Bandos shared how downtime at DuPont (where he was VP of Cybersecurity) could cost $10,000 per hour, making missteps in detection and response not just risky, but potentially catastrophic.
“The tools aren’t the problem,” Watkins said. “It’s the alert fatigue generated by them.”
The real question isn’t whether you need MDR; it’s whether your MDR provider can distinguish noise from real threats, and act on them accordingly.
From Tools to Tactics: High-Fidelity Detection in Practice
Most threat detection strategies miss the mark because they treat every alert equally.
Bandos recounted how his team caught multiple APT groups by tracking use of PSExec.exe, a tool often abused for lateral movement:
“You don’t want to whitelist PSExec in general. As soon as we saw it executing, it was an immediate, high-fidelity alert. And sure enough, we caught APTs using that vector alone.”
It worked because the team understood both the business context and adversary behavior — something technology alone can’t deliver.
At Critical Start, we scale that approach through our Trusted Behavior Registry® (TBR®), learning each customer’s environment and eliminating noise before it ever hits an analyst’s queue.
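The PSExec alerting Bandos describes above can be expressed as a detection over process-creation events. This is an added example, not code from Critical Start or the webinar. It assumes Sysmon-style fields (EventID 1, Image, OriginalFileName), and the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# File names PsExec ships under, plus the service binary it drops on the target.
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# OriginalFileName comes from the PE version resource, so it survives a rename on disk.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexesvc.exe"}

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-014", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}
{"EventID": 1, "Computer": "WS-014", "User": "CORP\\admin1", "Image": "C:\\Tools\\PsExec64.exe", "OriginalFileName": "psexec.c"}
{"EventID": 1, "Computer": "SRV-DB02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"}
{"EventID": 1, "Computer": "WS-101", "User": "CORP\\svc_backup", "Image": "C:\\Users\\Public\\update.exe", "OriginalFileName": "psexec.c"}
{"EventID": 3, "Computer": "WS-101", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\svchost.exe"}
not-json line left in to show that malformed input is skipped
"""

def match_reason(event):
    """Return why a process-creation event looks like PsExec, or None."""
    if event.get("EventID") != 1:
        return None
    image = PureWindowsPath(event.get("Image") or "").name.lower()
    original = (event.get("OriginalFileName") or "").lower()
    if image in PSEXEC_IMAGES:
        return "image name"
    if original in PSEXEC_ORIGINAL_NAMES:
        return "renamed binary (OriginalFileName)"
    return None

def detect(lines):
    """Scan newline-delimited JSON events and return one alert per PsExec execution."""
    alerts = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        reason = match_reason(event) if isinstance(event, dict) else None
        if reason:
            # No allowlist: every execution is raised at high severity.
            alerts.append({"host": event.get("Computer"), "user": event.get("User"),
                           "image": event.get("Image"), "reason": reason,
                           "severity": "high"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample event shows why matching on file name alone is not enough: a copy renamed to `update.exe` still raises an alert through its OriginalFileName.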
Real Response Means More Than Escalation
Here’s the dirty secret of most MDR providers: their version of “response” stops at sending you an alert.
Watkins challenged this shallow definition:
“When we say response, we mean escalation, containment, eradication, and prevention. Not just a ticket in your inbox.”
But real response also requires nuance. Critical Start lets you define custom rules of engagement:
- “Escalate everything from servers, but isolate end-user endpoints.”
- “Disable all accounts except the CEO’s.”
This flexibility ensures you get true response without compromising your operations.
SLAs That Bite
MDR vendors love to advertise SLAs. But most are marketing metrics with zero accountability.
Watkins was blunt:
“If we don’t meet our SLA, we feel financial pain.”
Our SLA includes:
- 60-minute MTTR — with no exceptions for alert severity
- No games — MTTR includes time to detect, investigate, and act
For CISOs, it’s not just an SLA; it’s peace of mind, with accountability built in.
AI in the SOC: Accelerated, Not Autonomous
AI is everywhere, but that doesn’t mean it should be in charge.
Watkins laid out Critical Start’s philosophy:
“Our motto is ‘AI-accelerated, human-validated.’ AI helps analysts work faster but never makes decisions on its own.”
That guardrail matters. Bandos shared a real-world failure where autonomous AI disabled a service account used for scheduled tasks, crippling operations.
“AI flagged it as malicious and killed it, but it was business-critical. The whole company’s automation broke.”
Automation must support humans, not replace them.
Breaking the Black Box: Transparency by Design
For many organizations, trust remains the biggest barrier to MDR.
“It felt like a black box,” Bandos said of his early MDR experiences. “We didn’t know what they were doing.”
At Critical Start, transparency is a foundation, not an afterthought:
- Customers work side-by-side with our analysts
- All alert types (threat, auto, compliance) are clearly classified
- You get full visibility into how decisions are made
It’s no surprise our analyst retention exceeds 90%. That continuity strengthens trust and eliminates turnover risk.
The Bottom Line: What Best-in-Class MDR Actually Looks Like
✅ High-Fidelity Detection – Built on behavioral analysis, not just tool output
✅ True Response – Not just escalation, but action
✅ Enforceable SLAs – Financial accountability, not fluff metrics
✅ Human-Centered AI – Faster investigations, not reckless automation
✅ Radical Transparency – No black boxes, ever
Watch the full webinar to see why more CISOs are walking away from legacy MDR and what makes Critical Start the standard for what comes next.
