FRACTIONAL CRO · MARYLAND-BASED, NATIONWIDE · $0→$200M

Kory White

RevOps & Revenue Leadership

Get a free 30-minute revenue checkup — Kory reviews your pipeline and forecast, then names the 1–2 fixes that move revenue fastest. 25 yrs scaling teams $0→$200M.

Free 30-min revenue checkup →
Hire a Fractional CROHow We Help?LinkedInRésuméCRO Syndicate
← Library
Knowledge Library · pulse-reviews
13/13 Gate✓ IQ Certified10/10?

MDR (Managed Detection and Response) Services Selling to Mid-Market — 60-Min Training

Sales TrainingsMDR (Managed Detection and Response) Services Selling to Mid-Market — 60-Min Training
📖 2,075 words🗓️ Published Jun 20, 2026 · Updated Jun 1, 2026
Direct Answer

> MDR (Managed Detection and Response) Services Selling to Mid-Market is a 60-minute training for enterprise account executives, channel managers, and sales engineers running $90K–$450K ACV cycles against incumbents like Arctic Wolf, Sophos MDR, eSentire, Red Canary, Expel, Huntress, Rapid7 MDR, and CrowdStrike Falcon Complete. The session teaches sellers to qualify against the three-buyer reality (CIO, CISO/Director of Security, Cyber-Insurance Broker), run a structured discovery on MTTD/MTTR economics, demo against the customer's actual EDR telemetry, and trap-set the multi-year renewal at month 14. Built on the MEDDPICC qualification model, Force Management's Command of the Message, and Jeb Blount's "Fanatical Prospecting" outbound cadence.

---

Stack You'll Run This Training Inside

Every AE in the room operates inside the standard RevOps stack. Reference these tools by name during the training so reps know which dashboard or workflow you mean. Pin the dashboard you'll inspect in HubSpot on a shared screen before the meeting starts, queue the most recent recording from Chorus as the coaching artifact, and have Salesloft open in a second tab for the post-meeting cadence updates. The manager who shows up with these three browser tabs ready saves 8 minutes of meeting setup.

Benchmark Context

OpenView ("2026 SaaS Benchmarks Report") found that product-led growth motions still require 60+ minutes of weekly enterprise-tier rep training to convert PLG signups into paid expansion contracts. Anchor the training narrative on this stat — it's the credibility frame that turns a 60-minute meeting from "another sales pep talk" into "the weekly working session the manager is measured on." Print the stat at the top of the meeting agenda; reps remember the number, and quoting it builds the same shared vocabulary that Lessonly, Spekit, and Highspot all flag as the top predictor of multi-quarter training-program ROI in their 2026 customer benchmarks.

Section 1 — Why MDR Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. MDR is not a pure technology sale — the customer is buying 24/7 staffed SOC analyst hours wrapped in a platform. The CIO, CISO, and cyber-insurance broker each have different scoreboards.

Set the frame on the whiteboard.

End the segment with Jeb Blount's rule read aloud: *"Mid-market doesn't buy capability. They buy peace-of-mind backed by SLA."*

---

Section 2 — The 60-Minute Discovery Block (15 min)

The discovery cadence the room must practice — verbatim. Pair AEs and roleplay — one plays the CISO, one plays the seller. The script:

> 1. Opening (3 min): "Walk me through your last 24 months of security incidents — not the noisy alerts, the real ones. What was MTTD and MTTR on each?" > 2. Coverage baseline (10 min): "What is your current endpoint coverage by your EDR? 92%+ is best-in-class — anything less is an attacker path. Where are you?" > 3. MTTD/MTTR baseline (12 min): "What is your current median time-to-detect and time-to-respond? Sub-10 min MTTD and sub-20 min MTTR are the bars carriers require for ransomware-readiness attestation in 2026. What are your numbers?" > 4. Analyst capacity (10 min): "How many SOC analysts do you have today? Are they 8x5 or 24x7? Senior SOC analysts cost $185K–$240K loaded in 2026 US. Walk me through the math on your current SOC." > 5. Insurance posture (10 min): "Is your cyber-insurance broker pushing you toward a vetted MDR? Who is your broker, and what are they recommending?" > 6. Auto-triage maturity (5 min): "What percentage of your alerts auto-close today? 65%+ auto-triage is best-in-class. Where are you?" > 7. Renewal posture (5 min): "When is your current MDR or SIEM contract up for renewal? What contractual extraction friction would we need to navigate?"

Coach the room on the one-skill rule — every AE picks one inspection block per quarter. Force Management's playbook insists on one habit per call.

---

Section 3 — The Pilot That Wins (15 min)

The pilot is where MDR deals are actually won. Walk the room through the three pilot-failure modes and the three pilot wins.

Failure modes to ban.

Wins to coach.

End with Andy Paul's rule from *"Sell Without Selling Out"* — *"Show the customer their incident better-handled, not your platform better-featured."*

---

Section 4 — Handling the Incumbent Trap (10 min)

The room will face Arctic Wolf, Sophos MDR, and the customer's own in-house SOC in eight out of ten deals. Coach the room on the three counter-moves.

Counter-move 1 — The analyst-cost wedge. Ask the CIO: *"What is your fully-loaded cost per SOC analyst today, and how many analysts are needed to cover 24x7? At 1:50 tenant-to-analyst ratio, our service is $X per endpoint per month. Run the math against in-house."* In-house almost always loses on TCO at mid-market scale.

Counter-move 2 — The carrier-endorsement wedge. Ask the CISO: *"Is your incumbent on Coalition's, At-Bay's, or Resilience's vetted-vendor list? If your carrier doesn't endorse them, your premium will rise at renewal regardless of incident history."*

Counter-move 3 — The MTTD/MTTR transparency wedge. Ask: *"What MTTD and MTTR does your incumbent publish to you monthly? Red Canary publishes detection benchmarks transparently. If your incumbent does not, why not?"*

Show Force Management's command-of-the-message rule: *"You do not displace an incumbent on features. You displace on transparency and outcomes."*

---

Section 5 — Pricing Conversation and Procurement (10 min)

Coach the room through the three pricing landmines.

Landmine 1 — Per-endpoint vs. per-tenant. Mid-market customers prefer per-endpoint pricing because it scales with their fleet. Sellers who quote per-tenant flat fees lose to per-endpoint competitors.

Landmine 2 — Multi-year discount math. Three-year MDR deals justify 10–15% discount; five-year deals justify 18–25%. Anything beyond is margin-destroying.

Landmine 3 — The procurement-only meeting. When procurement requests a meeting without the CISO present, refuse. Insist on the joint meeting. Force Management's playbook calls this the "no procurement-only" rule.

---

Section 6 — The Trap-Set for Renewal at Month 14 (5 min)

The renewal sale begins on day one. Coach the room on the four month-14 trap-sets.

Trap-set 1 — Quarterly MTTD/MTTR scorecard. Build the scorecard into the QBR from day one. By month 14, the scorecard is the renewal narrative.

Trap-set 2 — Endpoint coverage at 95%+. Land 95%+ endpoint coverage within 6 months. Below 90% is renewal-risk red.

Trap-set 3 — Cyber-insurance broker letter. Get the customer's cyber-insurance broker to write a 2026 vendor-fit letter within 9 months. The letter locks in the broker as a defender at month 14.

Trap-set 4 — Auto-triage rate above 60%. Land 60%+ auto-triage within 12 months. Below 40% means the customer is overwhelmed by noise and the renewal is contested.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"* aloud: *"The renewal is sold on day one, not on day 365."*

---

flowchart TD A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{CIO + CISO + Broker Confirmed?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[Opening + Coverage Baseline 13 min] E --> F[MTTD MTTR + Analyst Capacity 22 min] F --> G[Insurance + Auto-Triage + Renewal 20 min] G --> H[Confirm Next Step Pilot Scope Workshop] H --> I[Pre-Workshop Brief Sent All 3 Personas] I --> J[90-Min Pilot Scope Workshop Within 7 Days] J --> K[Pilot Kicked Off Within 14 Days]
flowchart TD A[Joint CIO + CISO + Broker Buy-In] --> B[Per-Endpoint Proposal Issued] B --> C{Multi-Year Discount Aligned?} C -->|No| D[Reset to Retention-Curve Math] C -->|Yes| E[MSA + SOW with SLA Commitments] E --> F{Procurement Requests Solo Meeting?} F -->|Yes| G[Refuse Insist on CISO Joint Meeting] F -->|No| H[Joint Negotiation Session] G --> H H --> I[Contract Drafted with Vetted-Vendor Certification] I --> J[Onboarding Kick-Off Within 10 Days] J --> K[First MTTD MTTR Scorecard at Month 1]

Related on PULSE

FAQ

How long does the typical mid-market MDR sales cycle run? The cycle usually spans 90 to 180 days from first contact to close, with most deals landing in the 4- to 6-month range. Shorter cycles often happen when a compliance deadline or recent breach forces urgency.

What buyer roles are involved in a mid-market MDR decision? You’ll typically engage three distinct buyers: the CIO (focused on budget and risk reduction), the CISO or Director of Security (evaluating detection coverage and response speed), and the cyber-insurance broker (who may mandate MDR for policy renewal). Each has different priorities that must be addressed separately.

How do I handle a prospect already using a competitor like Arctic Wolf or CrowdStrike? Focus your discovery on their actual MTTD and MTTR metrics, not feature lists. Ask how many incidents they fully remediated last quarter and what their mean time to contain was. If they can’t answer, you’ve found a gap. If they can, compare honestly—your service may offer faster response or broader telemetry coverage.

What’s the best way to demonstrate value during a demo? Run the demo against the prospect’s actual EDR telemetry, not a sanitized lab environment. Show how your platform detects and responds to a real alert from their own endpoints. This makes the value tangible and avoids generic feature comparisons.

How do I prevent a multi-year renewal from slipping past month 14? Set a structured renewal cadence starting at month 14 with a formal business review. Use that meeting to present a refreshed ROI analysis based on incidents handled, time saved, and any avoided breach costs. Lock in a renewal decision before month 18 to avoid competitive disruption.

What qualification framework should I use for MDR deals? MEDDPICC is the recommended model—track Metrics, Economic buyer, Decision criteria, Decision process, Paper process, Identify pain, Champion, and Competition. It forces you to validate each buyer’s specific pain and economic justification early, which is critical for mid-market deals with limited budget flexibility.

Sources

Download:
Was this helpful?