

Tim MalcomVetter
Co-Founder / CEO
[08/14/2025 updated to show our new case closure form to manage what we learn.]
This is part of a blog series tackling common problems in traditional MDR and outsourced/Managed SOC Service Providers (MSSPs).
My MDR Doesn’t… Remember Expected Behaviors
Once upon a time, I took this criticism on the chin from a customer. It stung:
Before we signed, you told us you would learn our organization, but here we are, a year later, and you really haven’t.
I started Wirespeed to solve that problem (and a few others). We had previously tried training analysts, making notes, forcing extra workflows in our cases, but we kept failing to learn their organization. We failed to remember on the next case. If we asked the analysts in person, they’d likely remember, but they had dozens of customers to learn and that became difficult on the fly while working the queues. We tried documentation, more training, random QA spot-checks, but it was always so rickety. I understood all of that, but I hated it.
Turns out, it’s a common problem that many MDR/MSSP customers experience.
#The Case of the Offshore Engineers
Before one of Wirespeed’s first customers signed with us, I spent time asking what they liked and didn’t like about their current provider, who was a really huge MDR/MSSP that you may have heard of. There were good things, of course (as there better have been for the price they were paying!), but they also told me about problems their MDR provider repeated with their offshore engineers.
Customer:
They sent us an alert that one of our offshore engineers had a suspicious login event in India. We told them the IP was at our office there. They replied back with thanks, made a note in the ticket, and closed the case.
Wirespeed:
Then what happened?
Customer:
That same alert fired every week or two after that. Every time we’d tell them it was our offshore engineering office. Every time they’d thank us and close the case.
Wirespeed:
But every time that didn’t become “knowledge” about your organization?
Customer:
Exactly! It was just a comment in a ticket. Nothing else.
The really huge MSSP may as well have been Dory from Finding Nemo, asking “Hi, have we met?” for the 49th time. That is how frustrating this was for our client, and why it was easy for us, a brand new startup, to lure them away from the bigger, established provider. There’s a big difference between making a note in their ticketing system and actually learning the customer’s patterns of life.
#How an MDR can “Remember” or “Learn”
Wirespeed learns safe behaviors a handful of ways. One of the obvious ways is when you close a case as “benign.” We prompt you to let us learn aspects of the detection based on details we infer from the case. For example, in this case, we prompted the user to remember logins for the user from the IP address in the detection for 30 days. For endpoint detections, it might be prompting to remember a file hash associated with a detection you mark as benign.
At any point, you can go deep into the advanced exclusion builder and build very surgically accurate exclusions, but we think for 99.99% of the cases, it’s absolutely overkill.
We also “learn” from ChatOps scenarios, in which we reach out to your users to confirm an action. If they confirm they were part of the action, and they pass our out-of-band MFA challenge to confirm their identity, in many cases we’ll make an inference and learn from those cases as well.
#Capability Maturity Model
For explaining situations like this, I like to turn to the old, but great, Capability Maturity Model (CMM).
In the story above, the “really huge MDR provider” surprisingly is only operating at Level 1 of the CMM: they could take the knowledge and apply it to the single case. They did it once, and that’s where they stopped. They couldn’t repeat the recollection that a given IP address was part of a known good offshore office location. That’s why, to our customer, it felt like talking to a goldfish. They couldn’t repeat the knowledge they acquired.
Some MDR providers will take knowledge like this and store it in some form of unstructured (or semi-structured) documentation site (a wiki, like Confluence), and that’s it. Technically, at that point it’s documented (Level 3 of the CMM), but if reading the documentation causes friction for the SOC analysts who have a queue of a thousand cases to review during their shift, it’s very unlikely that analyst is going to pivot away from the single pane of glass (their primary SOC workbench tool) and check the documentation.
A SOC would be operating at the Managed level (CMM Level 4) if every analyst has a way to see/review the prior knowledge, and there is a metric that shows this knowledge is being used. This is a big challenge for a human-led SOC, especially if they’re operating on enterprise-grade tooling that is not designed for an MSSP (hint: most SOC tools aren’t; they’re built for enterprise customers with last-minute features added to widen into the MSSP market).
#How Wirespeed is Different
To use that same example of the offshore login, here’s how we handle the situation:
- CMM Level 1: In the case of a suspicious login, we leverage our enrichments, verdict steps, hunting rules, ChatOps (if enabled) or an escalation to the security team to determine if the login event, specifically the combination of that user and the IP location (among other metadata), was safe.
- CMM Level 2: As we build up a solid baseline in our datalake, many future cases get dismissed simply by having overwhelming evidence that the combination of features represents an acceptable risk.
- CMM Level 3: If needed, the security team can leverage our case closure form to close cases and document exactly what is worth remembering, such as a file hash on a specific endpoint, an IP address for the entire organization’s logins, or a specific user’s use of a privacy VPN. These get documented as known exclusions for as short or long of a time as you need, including the ability to leverage rolling TTLs (think of that as a snooze button that will reset the clock if the criteria repeat within the time-to-live span).
- CMM Level 4: Because of the linkages via detection case timelines, we have strong metrics around the usability and repeatability of the learning. We can know how many times this happens. It’s an interesting data point by itself. This even helps us “discover” smaller offices at larger clients.
- CMM Level 5: We are constantly monitoring our results and improving our platform with our AQL quality assurance process.
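To make the benign-closure learning described above and the rolling-TTL exclusions and reuse metrics in the Level 3 and Level 4 bullets concrete, here is an added illustration (my own sketch, not Wirespeed’s code or data model): a tiny exclusion memory that replays the weekly offshore login, first with a rolling 30-day TTL and then with a fixed one. The user, IP and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Exclusion:
    """A 'known good' pattern learned when a case is closed as benign."""
    criteria: dict            # alert fields that must all match, e.g. user + src_ip
    expires_at: datetime
    ttl: timedelta
    rolling: bool = False     # snooze-button semantics: a match inside the TTL resets the clock
    hits: int = 0             # how often the learning was reused (the Level 4 metric)


class Memory:
    """Structured recollection the triage path consults, not a note in a ticket."""

    def __init__(self):
        self.exclusions = []

    def learn(self, criteria, ttl, now, rolling=False):
        self.exclusions.append(Exclusion(dict(criteria), now + ttl, ttl, rolling))

    def triage(self, alert, now):
        """'benign' if a live exclusion matches every criterion, else 'escalate'."""
        for ex in self.exclusions:
            if now >= ex.expires_at:
                continue                       # TTL lapsed: the exclusion must be re-earned
            if all(alert.get(k) == v for k, v in ex.criteria.items()):
                ex.hits += 1
                if ex.rolling:
                    ex.expires_at = now + ex.ttl
                return "benign"
        return "escalate"


def replay_offshore_logins(rolling, weeks=6):
    """Constructed replay of the offshore-office login firing every week."""
    mem = Memory()
    alert = {"user": "eng01@example.com", "src_ip": "203.0.113.10", "country": "IN"}
    t0 = datetime(2025, 1, 6)
    verdicts = []
    for week in range(weeks):
        now = t0 + timedelta(weeks=week)
        verdict = mem.triage(alert, now)
        verdicts.append(verdict)
        if verdict == "escalate":
            # Customer confirms the IP is their office: close as benign and remember
            # this user + IP combination for 30 days, as the post describes.
            mem.learn({"user": alert["user"], "src_ip": alert["src_ip"]},
                      timedelta(days=30), now, rolling=rolling)
    return verdicts, [ex.hits for ex in mem.exclusions]
```

With the rolling TTL the first escalation is the only one and the hit counter climbs each week; with a fixed TTL the same alert comes back as a fresh escalation once the 30 days lapse, which is the goldfish behavior the post complains about.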
So, as you can see, Wirespeed operates at the highest level of the Capability Maturity Model: Optimized.
#Run us Head to Head
We’re ready to run head-to-head against your current MDR provider, because you deserve to have an MDR that doesn’t have the memory of a goldfish.
It takes just a couple minutes to start a FREE Trial, where we will ingest your prior 90 days of alerts and show you cases where we would have reached out to your victim users. Did your MDR provider even tell you about any of them? How about all of them? After that, you’re welcome to integrate with Slack, Teams, or just email, and we’ll watch you for the next 14 days for FREE, reaching out to your users on your behalf. We’ll even help you with a rollout communication plan to inform your workforce that they may be asked about their activity to protect your organization. Quick, Easy, Painless … and Secure.

Want to know more about Wirespeed? Follow us on LinkedIn / X or start a FREE TRIAL today.