STRATEGY & MSSP · 7 MIN
What 'Unlimited MDR' Actually Means: Reading the Fine Print
Unlimited MDR sounds great on a slide. Behind the marketing, scope, response actions, and incident response are where vendors hide the real limits. Here's how to decode the offer.
What does unlimited MDR actually include?
Unlimited MDR typically refers to one or more of: unlimited log ingestion volume (no per-EPS metering), unlimited use cases or detection rules, unlimited investigation hours, or unlimited included incident response. The marketing claim is rarely all of these at once. The real limits live in the contract scope: which assets and users are covered, which response actions the provider is authorized to perform, whether incident response is alert-only or containment-included, what the per-incident hour cap is, and what triggers an out-of-scope billable engagement. Read those four areas line by line — that's where unlimited becomes limited.

What "Unlimited MDR" Actually Means: Reading the Fine Print
Every MDR vendor in 2026 says "unlimited" somewhere on the slide. Unlimited ingestion, unlimited use cases, unlimited investigation hours, unlimited response.
The word does real work — sometimes. Sometimes it's a marketing trick. The way to tell which is to read the SOW with the same intensity you'd read a financial covenant.
This post is the decoder. Use it on any MDR proposal, including ours.
The four axes where "unlimited" actually matters
Axis 1 — Log ingestion volume
The honest version: in a flat-rate MDR pricing model, log ingestion is genuinely unlimited within the agreed scope. You can turn on DNS query logs, full CloudTrail, Defender raw telemetry — the per-event meter is gone.
The marketing version: "unlimited ingestion up to a fair-use threshold." The contract specifies a soft cap, beyond which overage applies. Read the cap. If it's set at 1.5× current volume and your environment is growing 30% YoY, you'll hit overage in year two.
What to ask: "What's the sustained-EPS threshold above which you charge me, and what's the overage rate?"
Axis 2 — Use cases and detection rules
The honest version: unlimited detection rules and use cases — the SOC engineering team builds whatever the customer needs, on a continuous tuning cadence.
The marketing version: "unlimited included rules" — usually meaning the vendor's catalog of pre-built content. Custom content, environment-specific tuning, and ATT&CK gap closure are billed as professional services projects.
What to ask: "If I bring you a new threat scenario or a new log source, what's the cost to build detection content for it?"
Axis 3 — Investigation and response actions
This is the most common "unlimited" trap. Investigation and response are different products.
- Alert investigation = an analyst looks at the alert, decides whether it's real, writes notes
- Response action = an analyst (or automation) actively contains the threat — kills a process, isolates a host, disables an account, blocks an IP, quarantines an email
Many "unlimited MDR" offers are unlimited alert investigation. Response actions require additional authorization, separate scope, or only happen on the customer's confirmation — at which point the SOC's value-add is marginal.
What to ask: "What response actions are you authorized to perform without my approval, in what scenarios? Show me the runbook."
Axis 4 — Incident response
The most expensive carve-out, hidden in plain sight.
- Tier-1 / Tier-2 alert investigation is usually included
- Incident response — sustained, multi-day, deep-forensic engagement on a confirmed breach — is often a separate retainer or hourly billable
Read the SOW for the words "major incident," "breach response," "forensic investigation," "incident response retainer," or anything mentioning a per-incident hour cap. That's where the unlimited stops.
What to ask: "Is incident response included in the MDR fee? If yes, up to what scope? If no, what's the retainer cost and the hourly overage rate?"
What QMasters StrongHold MCSS actually includes
We're going to answer the questions we just told you to ask, transparently.
Log ingestion: Unlimited within the contracted asset and user scope, no per-EPS meter. Log everything that matters; the SOC engineering team optimizes ingestion cost on the back end.
Use cases and detection rules: Continuous custom content development included — your environment, your threats, our SOC engineering team builds and tunes against your ATT&CK coverage map. Major new integrations or new platform onboarding are scoped projects.
Investigation: Unlimited Tier-1 and Tier-2 investigation. Every alert that fires in your environment gets a human analyst, no per-hour meter.
Response actions: Containment-included on confirmation. We are pre-authorized to kill malicious processes, isolate compromised hosts, disable accounts, block IPs, and quarantine emails — on your documented runbook. You don't get a "we found something, please confirm" call at 3 AM.
Incident response: Initial IR included for incidents that escalate from regular operations. Major-incident response (sustained multi-day forensic engagement) is a defined retainer. Both have written scope.
SLAs: 15-minute critical alert acknowledgment. 1-hour fluent SLA. Documented escalation paths, with named escalation contacts on our side.
→ See full StrongHold MCSS scope
The five-axis comparison matrix
When evaluating two MDR offers, build the matrix:
| Axis | Vendor A | Vendor B |
|---|---|---|
| Log ingestion (cap?) | | |
| Custom content (scope?) | | |
| Investigation (per-hour cap?) | | |
| Response actions (which?) | | |
| IR included (which scenarios?) | | |
The vendor with the cleanest, broadest, most-specific answers across all five axes is the one whose "unlimited" is closest to real.
Common contract gotchas
Things we've seen in MDR contracts that customers brought to us during procurement reviews:
- "Reasonable use" clauses that give the vendor unilateral authority to declare overage
- Response action authorization restricted to "where technically possible without customer impact" — so vague it covers anything
- Major incident exclusion that triggers at the customer's first significant incident
- Custom content treated as professional services — every rule, every tuning request, every integration billed
- Renewal price escalators of 7–12% YoY locked into the contract
- Termination clauses that lock customer data inside the vendor's tenancy with no clean migration path
Almost all of these are negotiable. Almost none of them are negotiable after signing.
For more context, start at QMasters, review our managed detection and response, or check out webinars.
Frequently asked questions
Is "unlimited MDR" a real thing or marketing fluff?
Both. Real in some axes (log volume in flat-rate models). Marketing in others (investigation hours that exclude IR). The contract decides.
What's the most common gotcha?
Incident response scope. Many vendors include alert investigation but exclude or cap incident response — exactly when the customer needs them most.
How do I compare two unlimited MDR offers?
Map both to the same five-axis matrix: log ingestion, custom content, investigation, response actions, IR. The shape is the comparison.
Will QMasters share our SOW for review?
Yes. We'll send a redacted reference SOW so you can compare ours, line by line, against any other MDR offer on your shortlist.
---
Currently evaluating MDR providers?
Send us your shortlist. We'll do a free side-by-side scope-and-SLA breakdown — including ours — so you can negotiate from data, not slide decks. Request a comparison →
FAQ
Frequently asked questions.
Both. Some unlimited claims are real (e.g. unlimited log volume in a flat-rate model). Others are marketing — 'unlimited investigation hours' often means alert investigation only, not deep forensic incident response. Read the SOW, not the slide.
Incident response scope. Many vendors include unlimited alert investigation but exclude or cap incident response — the moment you actually need them most. The SOW will reference 'major incidents' or 'breach response' as a separate retainer.
Map both to the same five-axis matrix: log ingestion (unlimited or capped), assets/users covered, response actions authorized (alert / contain / remediate), IR hours per incident, and out-of-scope triggers. The shape of the matrix is the comparison.
ABOUT THE AUTHOR
Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.