What are the key sales KPIs for the Managed Detection & Response (MDR) Security Services industry in 2027?
The nine sales KPIs that decide whether a Managed Detection & Response (MDR) business compounds or stalls in 2027 are: ARR per Endpoint, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Gross Revenue Retention (GRR) and Net Revenue Retention (NRR), Annual Contract Value (ACV) by Segment, Win Rate vs. SIEM-Only / DIY SOC, SOC Analyst Productivity (Accounts per Analyst, Alerts per Hour), Time-to-Tuned (Onboarding NRT), and Sales Quota Attainment by Motion (New Logo vs. Expansion). MDR sits at the intersection of subscription SaaS economics and 24x7 human-delivered operations — meaning you must track unit economics and operational latency in the same scorecard or the unit costs eat the unit price.
> TL;DR > > — Run MDR like a SaaS business with a SOC P&L bolted on: price per endpoint and per seat, measure detection and response latency in minutes, retain net 110%+, and keep one Tier-1 analyst covering 5-10 accounts at 15-30 alerts per hour. CrowdStrike Falcon Complete sets the public benchmark at ~$650M ARR with 124% net retention; Arctic Wolf, Sophos MDR, Expel, and ReliaQuest fill mid-market and channel niches. The leading indicator that the model is breaking is MTTR drifting past 60 minutes while analyst load climbs past 12 accounts — that combination kills the margin and the renewal at the same time.
Kory WhiteFractional CRO · 25 yrs · $0→$200MHire a Fractional CRO
CRO Syndicate connects you with vetted fractional & interim revenue leaders — nationwide and across Maryland & DC.
Book a CallWhy Managed Detection & Response Works Differently
MDR is not a software business with a services wrapper — it is a 24x7 operations business with a software substrate. That structural reality changes which numbers matter and how often you look at them.
1. Two unit costs collide on one invoice. Customers pay one monthly fee, but the provider absorbs both software cost (EDR/XDR/SIEM licenses, threat intel feeds, SOAR) and human cost (Tier 1/2/3 analysts, threat hunters, incident responders, on-call). A healthy MDR provider runs 55-70% gross margin — compared with 75-85% for pure SaaS — because the analyst hours never go away. Pricing must reconcile both cost stacks against a single per-endpoint or per-employee fee.
2. The product is measured in minutes, not features. Detection latency (MTTD) and response latency (MTTR) are the actual deliverables. Top-quartile providers detect in under 5 minutes and respond in under 30 minutes; the SLA in the master service agreement is usually 15/60. Miss those numbers across a quarter and renewals turn into reverse auctions.
3. Renewals are operational, not commercial. A customer renews if their SOC team trusts the alerts and the responses. Trust is built from tuning quality, false-positive rate, and how the provider handles a real incident. Sales motions that ignore the post-sale operating reality produce 25%+ gross churn within 18 months even when the contract was won cleanly.
4. The buyer is shifting from CISO to CFO. Through 2026 the buying committee has expanded to include the CFO and audit committee, driven by cyber-insurance underwriting requirements and SEC cyber-disclosure rules. That elongates the sales cycle (90-180 days mid-market, 6-12 months enterprise) and increases the value of measurable ROI proof points — saved analyst FTEs, insurance premium reductions, mean time to contain.
The 9 KPIs, In Depth
1. ARR per Endpoint ($/endpoint/year). The price you actually realize per protected device, blended across servers, workstations, and cloud workloads. Best-in-class MDR providers land between $48-144 per endpoint per year ($4-12/month). CrowdStrike Falcon Complete typically commands the top of that range because it bundles its own EDR; pure-play MDR layered over a customer's existing EDR (Sophos MDR over Microsoft Defender, Expel over Falcon) often prices at $40-80K per 1,000 employees per year — closer to $4-7/endpoint. Track this monthly; a sub-$3 ARR/endpoint usually signals a customer who will demand premium service at commodity pricing.
2. Mean Time to Detect (MTTD, minutes). Wall-clock time from first malicious telemetry hitting the platform to a confirmed detection in the customer queue. Industry SLA is typically 15 minutes; top quartile (Falcon Complete, ReliaQuest, eSentire) operate under 5 minutes for high-fidelity detections. MTTD over 30 minutes correlates with a 3x higher churn risk because customers benchmark against publicly reported breach dwell-times and adjust expectations downward.
3. Mean Time to Respond (MTTR, minutes). Wall-clock time from confirmed detection to containment action (host isolation, account disable, key revoke). Median SLA is 60 minutes; top-quartile providers deliver under 30 minutes. Mandiant Managed Defense and CrowdStrike publish MTTR medians under 25 minutes for critical-severity events. MTTR is the single best leading indicator of renewal — a deteriorating MTTR shows up in customer-success notes 60-90 days before a renewal cancellation.
4. Gross Revenue Retention (GRR) and Net Revenue Retention (NRR). GRR measures how much subscription revenue you keep from the prior cohort after churn and downgrades; NRR adds expansion. MDR best-in-class is 92-95% GRR and 115-130% NRR. CrowdStrike Falcon Complete publicly reports 124% NRR; Arctic Wolf and ReliaQuest land in the 110-118% range; weaker channel-only providers run 95-105% NRR with 85-90% GRR. Anything under 90% GRR is a business-model problem, not a sales problem.
5. Annual Contract Value (ACV) by Segment. Mid-market (200-2,000 employees) ACV runs $35-150K; enterprise (2,000-10,000) runs $200K-$800K; large enterprise often exceeds $2M. Sophos MDR's mid-market median ACV is reportedly ~$45K; Mandiant Managed Defense's enterprise median is north of $400K. Track ACV by segment quarterly to confirm sales is winning the segment you priced and staffed for — mid-market reps closing $20K deals are evidence that your packaging is being commoditized.
6. Win Rate vs. SIEM-Only / DIY SOC (%). The percentage of competitive bake-offs you win when the alternative is the customer building their own SOC or keeping an unmanaged SIEM. Healthy MDR providers run 65-80% win rates in this scenario; market leaders like Falcon Complete and Arctic Wolf push past 80% on inbound. Track this by quarter and by primary competitor — a falling win rate against Microsoft Sentinel + Defender XDR (the "free with E5" alternative) is a packaging warning, not a sales warning.
7. SOC Analyst Productivity (Accounts per Analyst, Alerts per Hour). Two metrics in one — Tier 1 analysts at scaled providers cover 5-10 customer accounts each, handling 15-30 alerts per hour after tuning. ReliaQuest publicly emphasizes its GreyMatter automation specifically because the math only works if analyst leverage stays above 7 accounts. Drop below 5 accounts/analyst and the unit-economics math inverts; push above 12 and MTTR drifts and customers feel the deterioration.
8. Time-to-Tuned / Onboarding Net Revenue Time (NRT, days). Days from contract signature to a fully tuned alert pipeline with false-positive rate under target (typically 15%). Top-quartile providers tune in 14-21 days; the segment median is 30 days. Each day over 30 increases first-year churn risk by approximately 1% — onboarding is where the sales motion either earns the renewal or burns it. Track cohort onboarding latency and tie sales-engineer compensation to it.
9. Sales Quota Attainment by Motion (New Logo vs. Expansion). Track quota attainment separately for new-logo AEs ($1-3M ARR target) and expansion AEs ($800K-$1.5M target). Healthy organizations land 55-65% of reps at quota with top-decile attainment over 150%. CrowdStrike's Complete sales team famously runs a "Falcon Complete Specialist" overlay because the motion is technical enough to need a dedicated rep, which most pure-play MDR providers underweight. Expansion attainment below 70% — even with new-logo over 100% — predicts an NRR collapse two quarters out.
Real Operators
CrowdStrike Falcon Complete is the market leader at approximately $650M in Complete ARR, with 124% net retention and a public MTTR benchmark under 25 minutes for critical events. It commands premium pricing because it bundles its own EDR substrate.
Arctic Wolf Networks runs approximately $500M ARR with a mid-market concentration and a "Concierge Security Team" delivery model. It is the volume leader in 200-2,000-employee deals and competes primarily on relationship density rather than technology depth.
Sophos MDR absorbed Secureworks in 2024 (~$850M acquisition) and now serves 30,000+ MDR customers — the largest by logo count. Strength is the channel motion through MSPs and the ability to operate over the customer's existing EDR.
SentinelOne Vigilance Respond pairs Pure XDR with managed response and competes head-to-head with Falcon Complete in the enterprise tier. Smaller MDR ARR than CrowdStrike but faster growth rate off a smaller base.
ReliaQuest GreyMatter runs ~$300M+ ARR with a heavy emphasis on automation and analyst leverage; explicit positioning is "co-managed" rather than fully managed.
eSentire is a Canadian-headquartered MDR provider running ~$200M+ ARR with a strong mid-market and financial-services concentration. Known for sub-5-minute MTTD on critical detections.
Expel was acquired by ServiceNow in Q1 2026 for north of $1B; ~$100M+ ARR pre-acquisition. Focus is on customers running Microsoft Defender XDR or CrowdStrike who want analyst leverage without switching EDR.
Red Canary, Trustwave, Critical Start, Deepwatch, and Alert Logic (now Fortra) round out the mid-tier — each running $50-200M ARR with distinct channel and segment focus.
Huntress is the dominant MSP-channel MDR with focused ICP on businesses under 1,000 employees served through MSP partners; growth-rate leader in the SMB segment.
Mandiant Managed Defense (Google Cloud) and Cisco Talos MXDR represent the threat-intelligence-first variants — sold at the high end of enterprise on the strength of breach response credibility.
Failure Modes
1. Pricing per seat without indexing to telemetry volume. MDR providers that price purely per employee and then absorb unlimited cloud-workload and identity telemetry lose 8-15 margin points within two years. The fix is tiered pricing that includes a baseline telemetry envelope with overage rates — what Splunk does for ingest, MDR providers must do for protected workloads.
2. Hiring analysts ahead of demand, not behind. Because onboarding a SOC analyst takes 90-120 days to full productivity, providers often front-load hiring on a deal that slips, then carry the cost for two quarters. The discipline is hiring against committed pipeline at 70% probability, not signed contracts — but with strict offer-cap rules tied to monthly bookings.
3. Selling enterprise SLAs at mid-market prices. Sales teams that win mid-market deals by promising 15-minute MTTD and 30-minute MTTR with named-analyst dedication cannot deliver against the unit economics. The result is 3 quarters of NPS decline followed by mass churn. Productize the SLA tier; do not negotiate it.
4. Ignoring tuning telemetry post-onboarding. Once the customer is onboarded and false-positive rate is acceptable, providers often stop investing in continued tuning. Six months later the alert volume drifts up, Tier 1 productivity drops, and MTTR slides past SLA. Tuning is a permanent operational program, not an onboarding milestone.
Reporting Cadence
Daily
- MTTD median and 95th percentile by customer cohort
- MTTR median and 95th percentile by severity
- Alert volume by source and false-positive rate
- Analyst utilization and on-call escalation count
Weekly
- New-logo bookings vs. plan, by segment
- Expansion bookings (seat expansion, workload expansion, tier upgrade)
- Pipeline coverage ratio (target 3.5x for new logo, 2x for expansion)
- Customer Health Index changes — accounts moved from Green to Yellow/Red
- Onboarding cohort tuning progress (days-to-tuned by customer)
Monthly
- ARR per Endpoint and ARR per Employee, by segment and cohort
- GRR and NRR by cohort vintage
- Win rate by primary competitor (Microsoft Sentinel, in-house SIEM, named MDR competitor)
- ACV by segment vs. plan
- SOC analyst productivity (accounts/analyst, alerts/hour) by team
Quarterly
- Full P&L by segment with gross margin attribution to software cost vs. analyst cost
- Quota attainment distribution (new logo and expansion)
- 24x7 staffing model rebalance based on threat-event seasonality
- Renewal cohort forecast for the next two quarters with at-risk drill-down
- Pricing review — list price, discount discipline, package mix shift
30/60/90 Day Plan
Days 1-30 — Instrument the operating reality. Confirm your MTTD/MTTR measurement is wall-clock and customer-visible, not internal best-effort. Pull 90 days of historical alert data and compute median plus 95th percentile by severity. Inventory analyst load — accounts per analyst, alerts per hour, on-call escalation rate. Map every ARR dollar to an endpoint and an employee count to build the unit-cost denominator. Stand up a weekly revenue review with bookings, pipeline coverage, and customer health.
Days 31-60 — Productize the SLA and the tier. Lock the SLA matrix by tier and stop negotiating it deal-by-deal. Rebuild the order form to make telemetry envelope and overage explicit. Re-train AEs on win-loss against the three competitors you actually face — Microsoft Sentinel, in-house SIEM, and one named MDR — with the unit-economics math behind each. Audit onboarding for time-to-tuned and tie sales-engineer comp to that number. Begin a quarterly pricing review that tests +/-10% list movement against win rate impact.
Days 61-90 — Rebuild the renewal motion. Stand up a Customer Health Index combining MTTR trend, false-positive rate, NPS, and seat utilization. Move accounts moving Yellow into a defined recovery program with a named technical owner. Re-segment the renewal book by NRR potential and assign expansion AEs only to accounts with credible expansion paths. Establish a monthly executive sponsor program for top-decile accounts and put board-pack ARR/NRR/quota numbers in a single dashboard reviewed weekly by the CRO and COO together.
FAQ
How does MDR pricing scale for cloud-heavy customers vs. endpoint-heavy customers?
Endpoint-heavy environments (workstation-dense, manufacturing, retail) price cleanly per endpoint at $4-12/month. Cloud-heavy environments — Kubernetes clusters, ephemeral workloads, identity-first architectures — break the per-endpoint model and migrate toward a hybrid of per-workload, per-identity, and per-ingest-GB pricing. Providers that have not yet rebuilt their order form for cloud-heavy customers lose 5-10 margin points absorbing the ingest cost on Microsoft Sentinel and similar.
What is the right MTTR target if my customers are mostly mid-market and not on a 24x7 incident posture themselves?
Sixty minutes for critical-severity events is the published industry SLA and most mid-market customers will accept that on paper. The operating reality is that 30 minutes is the threshold where the customer trusts the provider enough to never staff their own night-shift; over 60 minutes and the customer eventually concludes they need an internal SOC anyway and churn risk rises. Aim at 30 even when you sell at 60.
How do I benchmark my SOC analyst productivity against the public leaders?
Falcon Complete, ReliaQuest, and Arctic Wolf operate at 7-10 customer accounts per Tier 1 analyst at scale, with 20-30 alerts per hour post-tuning. If your team is below 5 accounts per analyst, the unit economics will not support market-comparable pricing. The path up is automation investment (SOAR playbooks, auto-containment, ML-driven triage) — typically 18-24 months of capital expenditure to move from 4 to 8 accounts per analyst.
What is the right discount ceiling for new-logo deals?
The defensible ceiling is 20% off list for committed multi-year deals with usage floors; anything beyond 25% signals a packaging or competitive-positioning problem rather than a deal-specific concession. Mid-market deals discounted more than 30% on average produce ACVs that don't recover the customer-acquisition cost in 18 months, which is the threshold beyond which the LTV/CAC math stops working at MDR gross margins.
How should I think about expansion in MDR — seat expansion, workload expansion, or tier upgrade?
All three matter, but the highest-leverage expansion is workload coverage (cloud, identity, OT/IoT) added onto an existing endpoint contract, because the analyst already knows the environment and the marginal margin is 75%+. Tier upgrades (from MDR to MDR + Threat Hunting or MDR + Incident Response Retainer) are the second-best expansion lever. Seat expansion is the lowest-leverage of the three but the easiest to forecast.
What is a defensible churn benchmark for a sub-scale MDR provider competing against CrowdStrike and Arctic Wolf?
Sub-scale providers (under $100M ARR) should target 88-92% GRR — a few points below the leaders because they cannot match brand-strength retention. NRR should still target 105%+ on the strength of expansion, because expansion is a function of land-and-grow discipline more than scale. Anything under 85% GRR for two quarters running is an existential signal — that company will be acquired or restructured within 18 months.
<!--pillar-weave-->
Related on PULSE
- [What are the key sales KPIs for the Managed Detection and Response (MDR) Services industry in 2027?](/knowledge/ik0372)
- [What are the key sales KPIs for the Penetration Testing and Offensive Security Services industry in 2027?](/knowledge/ik0371)
- [What are the key sales KPIs for the Managed Wireless & Private 5G Network Services industry in 2027?](/knowledge/ik0136)
- [What are the key sales KPIs for the SIEM (Security Information and Event Management) Software industry in 2027?](/knowledge/ik0373)
- [What are the key sales KPIs for the Fraud Detection and AML Software industry in 2027?](/knowledge/ik0370)
- [Average Contract Value (ACV) for Cloud Services: Enterprise Sales Metric](/knowledge/ik0544)
Sources
- Gartner — "Market Guide for Managed Detection and Response Services" (2026 refresh)
- Forrester — "The Forrester Wave: Managed Detection and Response, Q1 2026"
- IDC — "Worldwide Managed Security Services Forecast, 2026-2030"
- CrowdStrike — FY2026 investor materials and Falcon Complete segment disclosures (2025-2026)
- SentinelOne — Q4 FY2026 earnings transcript and Vigilance Respond margin commentary
- Sophos / Secureworks — 2024 acquisition announcement and 2025 MDR customer-count disclosures
- ServiceNow — Q1 2026 Expel acquisition announcement and 8-K filing
- Mandiant / Google Cloud — "M-Trends 2026" annual threat report (median dwell and MTTR benchmarks)
- ReliaQuest — 2025 GreyMatter automation and analyst-leverage public statements
- Verizon — "2026 Data Breach Investigations Report" (dwell time, response benchmarks)
- SANS Institute — "2025 SOC Survey" (analyst load, alerts per hour, tuning practices)
- ESG / TechTarget — "2026 MDR Buyer Behavior" survey (buying committee composition, cycle length)
