MDR (Managed Detection and Response) Services Selling to Mid-Market — 60-Min Training
Direct Answer
MDR (Managed Detection and Response) Services Selling to Mid-Market is a 60-minute training for enterprise account executives, channel managers, and sales engineers running $90K–$450K ACV cycles against incumbents like Arctic Wolf, Sophos MDR, eSentire, Red Canary, Expel, Huntress, Rapid7 MDR, and CrowdStrike Falcon Complete.
The session teaches sellers to qualify against the three-buyer reality (CIO, CISO/Director of Security, Cyber-Insurance Broker), run a structured discovery on MTTD/MTTR economics, demo against the customer's actual EDR telemetry, and trap-set the multi-year renewal at month 14.
The training is built on the MEDDPICC qualification model, Force Management's Command of the Message, and Jeb Blount's "Fanatical Prospecting" outbound cadence.
Section 1 — Why MDR Selling Is Different (5 min)
Open the room by killing the SaaS-seller default. MDR is not a pure technology sale — the customer is buying 24/7 staffed SOC analyst hours wrapped in a platform. The CIO, CISO, and cyber-insurance broker each have different scoreboards.
Set the frame on the whiteboard.
- Three buyers, three scoreboards. The CIO funds the line item; the CISO measures detection efficacy; the cyber-insurance broker uses the vendor's vetted-vendor status to lower the customer's premium. Coalition's 2026 broker survey shows 47% of mid-market MDR purchases are initiated by the cyber-insurance broker, not the CISO.
- Insurance carriers are the silent fourth buyer. Marsh, Aon, Beazley, Coalition, At-Bay, and Resilience all maintain vetted-vendor lists. Placement on those lists is worth ~30% lift on inbound pipeline for any MDR vendor.
- Mid-market is bandwidth-constrained, not capability-constrained. Most mid-market customers have a 2–6 person security team. MDR is hired to be the SOC, not to augment one. The selling motion is therefore outcomes-first, not feature-first.
End the segment with Jeb Blount's rule read aloud: *"Mid-market doesn't buy capability. They buy peace-of-mind backed by SLA."*
Section 2 — The 60-Minute Discovery Block (15 min)
This is the discovery cadence the room must practice verbatim. Pair AEs for roleplay: one plays the CISO, one plays the seller. The script:
- Opening (3 min): "Walk me through your last 24 months of security incidents — not the noisy alerts, the real ones. What was MTTD and MTTR on each?"
- Coverage baseline (10 min): "What is your current endpoint coverage by your EDR? 92%+ is best-in-class — anything less is an attacker path. Where are you?"
- MTTD/MTTR baseline (12 min): "What is your current median time-to-detect and time-to-respond? Sub-10 min MTTD and sub-20 min MTTR are the bars carriers require for ransomware-readiness attestation in 2026. What are your numbers?"
- Analyst capacity (10 min): "How many SOC analysts do you have today? Are they 8x5 or 24x7? Senior SOC analysts cost $185K–$240K loaded in 2026 US. Walk me through the math on your current SOC."
- Insurance posture (10 min): "Is your cyber-insurance broker pushing you toward a vetted MDR? Who is your broker, and what are they recommending?"
- Auto-triage maturity (5 min): "What percentage of your alerts auto-close today? 65%+ auto-triage is best-in-class. Where are you?"
- Renewal posture (5 min): "When is your current MDR or SIEM contract up for renewal? What contractual extraction friction would we need to navigate?"
Coach the room on the one-skill rule — every AE picks one inspection block per quarter. Force Management's playbook insists on one habit per call.
Section 3 — The Pilot That Wins (15 min)
The pilot is where MDR deals are actually won. Walk the room through the three pilot-failure modes and the three pilot wins.
Failure modes to ban.
- Sandbox-only pilots. Pilots that run against the vendor's test environment do not convince the CISO of real-world MTTD/MTTR.
- 30-day pilots. Too short to capture a meaningful range of incidents. Push for 60–90 days minimum.
- One-channel pilots. Pilots that cover only endpoints, not identity logs and cloud workloads, fail to convince the buyer of full-estate coverage.
Wins to coach.
- Real production telemetry. Walk the room through Expel's and Red Canary's published pilot agendas — both require the customer to send 30+ days of production EDR telemetry before the pilot begins. The vendor then runs detection against that data for the pilot period.
- Measured MTTD/MTTR delivered in writing. Deliver a 30-day MTTD/MTTR scorecard mid-pilot. The number becomes the closing artifact.
- Joint review with the cyber-insurance broker. Invite the customer's broker to the pilot review. The broker's endorsement closes the deal faster than any seller's slide deck.
End with Andy Paul's rule from *"Sell Without Selling Out"* — *"Show the customer their incident better-handled, not your platform better-featured."*
Section 4 — Handling the Incumbent Trap (10 min)
The room will face Arctic Wolf, Sophos MDR, and the customer's own in-house SOC in eight out of ten deals. Coach the room on the three counter-moves.
Counter-move 1 — The analyst-cost wedge. Ask the CIO: *"What is your fully-loaded cost per SOC analyst today, and how many analysts are needed to cover 24x7? At a 1:50 tenant-to-analyst ratio, our service is $X per endpoint per month. Run the math against in-house."* In-house almost always loses on TCO at mid-market scale.
Counter-move 2 — The carrier-endorsement wedge. Ask the CISO: *"Is your incumbent on Coalition's, At-Bay's, or Resilience's vetted-vendor list? If your carrier doesn't endorse them, your premium will rise at renewal regardless of incident history."*
Counter-move 3 — The MTTD/MTTR transparency wedge. Ask: *"What MTTD and MTTR does your incumbent publish to you monthly? Red Canary publishes detection benchmarks transparently. If your incumbent does not, why not?"*
Show Force Management's command-of-the-message rule: *"You do not displace an incumbent on features. You displace on transparency and outcomes."*
Section 5 — Pricing Conversation and Procurement (10 min)
Coach the room through the three pricing landmines.
Landmine 1 — Per-endpoint vs. per-tenant. Mid-market customers prefer per-endpoint pricing because it scales with their fleet. Sellers who quote per-tenant flat fees lose to per-endpoint competitors.
Landmine 2 — Multi-year discount math. Three-year MDR deals justify a 10–15% discount; five-year deals justify 18–25%. Anything beyond is margin-destroying.
Landmine 3 — The procurement-only meeting. When procurement requests a meeting without the CISO present, refuse. Insist on the joint meeting. Force Management's playbook calls this the "no procurement-only" rule.
Section 6 — The Trap-Set for Renewal at Month 14 (5 min)
The renewal sale begins on day one. Coach the room on the four month-14 trap-sets.
Trap-set 1 — Quarterly MTTD/MTTR scorecard. Build the scorecard into the QBR from day one. By month 14, the scorecard is the renewal narrative.
Trap-set 2 — Endpoint coverage at 95%+. Land 95%+ endpoint coverage within 6 months. Below 90% is renewal-risk red.
Trap-set 3 — Cyber-insurance broker letter. Get the customer's cyber-insurance broker to write a 2026 vendor-fit letter within 9 months. The letter locks in the broker as a defender at month 14.
Trap-set 4 — Auto-triage rate above 60%. Land 60%+ auto-triage within 12 months. Below 40% means the customer is overwhelmed by noise and the renewal is contested.
Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"* aloud: *"The renewal is sold on day one, not on day 365."*
FAQ
Should we sell to the CIO or the CISO? Both, plus the cyber-insurance broker. CIO funds the line item; CISO picks the platform; broker influences both through the carrier-endorsement program.
How do we handle a customer running an in-house SOC who insists they don't need MDR? Run the analyst-cost math. Most in-house SOCs at mid-market scale cost 1.5–2.5x what MDR costs at equivalent coverage. The math closes the conversation, not the pitch.
What is the right pilot size for a mid-market customer? 60–90 days, full endpoint and identity-log coverage. Pilots that are too short or too narrow fail to convince the CISO of full-estate visibility.
How do we price against Huntress's lower-cost positioning? Huntress wins on SMB simplicity. We win on 24x7 SOC analyst pods, named coverage, and carrier-endorsement breadth. Position Huntress as a complement for the lowest-tier endpoints, not a substitute.
What if the customer asks us to integrate with their existing SIEM (Splunk, Sentinel)? Yes — bring the SIEM-integration playbook to the scoping call. Expel and Red Canary both have public integrations for the major SIEMs. Lead with the integration as a strength, not a constraint.
Sources
- Gartner — Market Guide for Managed Detection and Response (2026)
- Forrester — The Forrester Wave: Managed Detection and Response (2026)
- Coalition Inc. — Active Insurance MDR Vendor Endorsement Survey (2026)
- Marsh McLennan — Cyber Insurance Vendor Vetting Criteria (2026)
- Arctic Wolf Networks — Annual Customer Outcomes Report (2026)
- Red Canary — Threat Detection Report (2026)
- Force Management — Command of the Message and MEDDPICC Reference (2026)
- Andy Paul — "Sell Without Selling Out" Discovery Cadence
- Jeb Blount — "Fanatical Prospecting" Renewal-First Doctrine
- SANS Institute — SOC Survey and Analyst Compensation (2026)