
How to pick a UK MSSP: 12 procurement questions

Servnet Editorial · Cyber Security Practice · 10 min read

Most UK mid-market organisations evaluating Managed Security Services Providers (MSSPs) for SOC + MDR + incident response struggle to compare apples-to-apples. Vendor decks all promise "24/7 monitoring + expert analysts + advanced threat hunting". This is the 12-question procurement checklist that surfaces the actual differences.

MSSP scoring — what to weigh
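| Criterion | Weight | Tier-1 MSSP | Boutique |
|---|---|---|---|
| UK SOC location | 25 % | UK + offshore | UK only |
| IR response SLA | 20 % | <15 min | <30 min |
| Use-case library | 15 % | 500+ | 100+ |
| Industry knowledge | 20 % | Generic | Specialist |
| Contract flexibility | 20 % | 3-yr | 1-yr OK |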

The 12 questions every UK MSSP RFP should ask

These are the questions we run with every Servnet customer evaluating MDR providers. The answers separate genuine 24/7 operations from US-night-shift-only marketing fluff.

  • 1. Where are your SOC analysts physically located? UK-based + cleared, US night-shift, India / Philippines offshore — all valid, but you need to know.
  • 2. What's your average time-to-investigate for a P1 alert? 5 minutes? 30? 2 hours?
  • 3. Do you actively respond (isolate endpoints, kill processes) or just notify? Critical distinction.
  • 4. Which EDR / SIEM / XDR platforms do you support natively? CrowdStrike, SentinelOne, Defender XDR, Sentinel, Splunk?
  • 5. What's the staff:customer ratio per analyst? Industry benchmark is 1:8 to 1:15 for active MDR.
  • 6. How many P1 incidents have you handled in the past 12 months? Ask for the number.
  • 7. Show me a real post-incident report (anonymised). The format + depth tells you a lot.
  • 8. Do you provide threat hunting (proactive) or just monitoring (reactive)?
  • 9. What's your alert-to-customer signal-to-noise ratio? If 80% of alerts are false positives, you have a tuning problem.
  • 10. Are you SOC 2 Type II certified? ISO 27001? Cyber Essentials Plus? CREST-certified for incident response?
  • 11. Can I see your standard contract? Look for: data residency, exit assistance, audit rights, SLA credits.
  • 12. What does a typical month's reporting look like? Ask for a real (anonymised) monthly report.

Red flags

Marketing-heavy decks with no specific named analysts or sample reports.

"24/7" without specifying which hours are in-house vs subcontracted.

No CREST / Cyber Essentials Plus / SOC 2 certifications.

Unwilling to share standard contract terms before commercial conversation.

Pricing model that doesn't map to specific deliverables.

Internal SOC, MSSP or co-managed?
How many security FTEs can you fund?

  • < 3 FTE: MSSP (full-service)
  • 3-8 FTE: Co-managed SIEM + MDR
  • > 8 FTE: Internal SOC + MSSP burst

What Servnet does

Servnet doesn't run its own 24/7 SOC. We partner with credible UK MSSPs (CREST-certified, UK-cleared analysts) + vendor-managed services (CrowdStrike Falcon Complete, SentinelOne Vigilance Respond, Sophos MDR).

We help customers run MSSP procurement vendor-neutrally — shortlist + commercial bid + reference customer calls + contract review. Engagement is typically 6-10 weeks from kick-off to signed MSA.

Key takeaways
  • MSSP decks are mostly indistinguishable; the 12-question procurement checklist surfaces actual differences.
  • UK-based + cleared analyst posture matters for many regulated industries.
  • Vendor-managed services (Falcon Complete, Vigilance Respond, Sophos MDR) compete credibly with independent MSSPs.
  • CREST + SOC 2 Type II + Cyber Essentials Plus are minimum bars for trusted MSSPs.
  • Standard contract review surfaces SLA + exit + data residency issues before signing.

FAQs — How to pick a UK MSSP

Selection

Is vendor MDR (Falcon Complete) better than independent MSSP?

For the underlying EDR platform: vendor MDR is tighter (same engineers built the platform). For cross-vendor visibility (you run mixed EDR + Defender + Sentinel): independent MSSP wins. Most UK mid-market ends up with vendor MDR for primary EDR + adds independent MSSP for SIEM + cloud monitoring.

How much should an MSSP cost?

500-2,000 user UK orgs: typically £30-100k/year for managed EDR; £80-250k/year for full SOC including SIEM + cloud monitoring. Vendor MDR (e.g. Falcon Complete) often included in EDR per-endpoint pricing — typically £8-15/endpoint/month.

Contracting

What contract length is reasonable?

12-36 months. 36 months with annual exit clause (with reasonable transition assistance) is most common. Avoid 5-year lock-ins without genuine pricing benefit.
