<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2815180&amp;fmt=gif">
Alienvault USM Anywhere Logo
Skip to content

Mystery Box vs. Glass Box Managed Detection and Response

Working with a transparent MDR leads to trustworthy threat detection and response.

In the Information Security industry, there are technically two teams in constant, dynamic, and perpetual war -- Team Good vs. Team Evil. An oversimplification? Maybe; however, we see this time and time again.

When a public breach happens (like Kaseya, or SolarWinds, take your pick), people on “Team Good” band together, share information, and do everything within their power to help eliminate “Team Evil.”

It’s truly an inspiring industry knowing that all your competitors at some point will be an ally. It’s like being part of an extensive team.

If you’ve been part of any team, you know that the best teams challenge each other. There are several different teams within “Team Good.” SIEM, IDS, DLP, and MDR are all a part of “Team Good.” MDR’s are arguably at the top of that list since today’s main problem is not technology; it’s resources.


There are not enough human experts to leverage all the awesome technology out there, so many companies rely on MDR’s.

However, not all MDR’s are equal. Ultimately, there are two kinds of MDR’s…

What’s the difference between “Mystery Box MDRs” and “Glass Box MDRs?”

For years, the leading MDR’s have all provided their own proprietary homegrown SIEM, and the market is now maturing to expect more transparency from the providers.

The last 10 MDR customers who have migrated to Castra’s Transparent, Glass Box model have all complained about having zero insight into their existing MDRs detection methodology. 

When Pen Testers get by without the MDR making a peep - customers will have many questions about why this occurred.

If they can’t log into their SIEM platform to see what their MDR has been detecting, how have they been detecting it, what was missed, and how did they miss it?

If they don’t have insight into those questions, how can their security posture improve? How can they have peace of mind? They can’t -- which is why customers are looking elsewhere. 

From a business standpoint, it makes sense why MDR’s take the bait of building their own homegrown SIEM.

Ultimately it gives their business a better chance of a higher valuation upon exiting. It also helps blur the line between SIEM vendors and MDR providers.

If we think about this objectively, these would be some good questions to ask ourselves when working with any MDR…

  • What happens to your tech and data if you don’t like their service? Or vice versa.
  • What happens to the data and the logs? 
  • How do you migrate to a different platform in the future? (CSV file transfer is not a true SIEM migration)
  • How can you check their work?

MDR’s who have their own homegrown SIEM have an identity crisis. Building an Information Security service is incredibly difficult. Building an Information Security product is also incredibly difficult. Trying to do both at the same time is a waste of resources.

Not only are you trying to boil the ocean, but you lose the ability to obsess about a specific problem. Building a product-based company versus building a service-based company requires vastly different infrastructure, budgets, personnel, culture, and strategy. 

Furthermore, an MDR who provides their own homegrown SIEM wants to pigeonhole customers into not leaving. What happens if you don’t like their service?

If you cancel services, your data and technology go along with it, which is a big problem for any company, regardless of the size of the organization.

Transparency and a separation of powers are the key factors in this equation. It not only displays strength and confidence from an MDR who is transparent, but transparent processes also speak to Security Operations best practices.

Castra teaches our customers how to disconnect from any third party, including Castra, on day one.

In addition, if an MDR provides their SIEM, how do you audit what they are doing? How do you audit a "Mystery Box?"

Isn’t dropping off a mystery box on your environment a security threat on its own? The lack of transparency isn’t comforting, and the lack of options if you decide to change providers is not a good fit as a long-term solution.

Always ask, “How are your MDR services different?”

This answer has to stand out. An MDR’s differentiators should be short and sweet, yet well thought out and with heavy merit. It should tell you that they understand the competitive landscape and the pain customers are going through.

Most importantly, their differentiators should tell you how well they can execute on the gaps they see in the industry.

Do you already work with a SIEM? Learn how Castra works with:

And if you don’t have a SIEM, we can help find the right fit for your organization.

Qualifying an MDR to determine who is the best partner for your organization is not an easy task.

Take it slow, and try to consider all angles. Use the questions in this blog post to better understand your MDR’s ability to provide robust services in a complex environment. 

Quantify the quality of their service by their customer and employee renewal rates. Dig deep to understand their threat intelligence and detection methodology, and align yourself with an MDR who isn’t trying to boil the ocean.

Ready to learn more about Castra's Glass Box Managed Detection and Response? Let's talk.