STRATEGY & MSSP · 7 MIN

What 'Unlimited MDR' Actually Means: Reading the Fine Print

Unlimited MDR sounds great on a slide. Behind the marketing, scope, response actions, and incident response are where vendors hide the real limits. Here's how to decode the offer.

QMasters SOC Team· Strategy & Operations· 2026-01-22
TL;DR

What does unlimited MDR actually include?

Unlimited MDR typically refers to one or more of: unlimited log ingestion volume (no per-EPS metering), unlimited use cases or detection rules, unlimited investigation hours, or unlimited included incident response. The marketing claim is rarely all of these at once. The real limits live in the contract scope: which assets and users are covered, which response actions the provider is authorized to perform, whether incident response is alert-only or containment-included, what the per-incident hour cap is, and what triggers an out-of-scope billable engagement. Read those four areas line by line — that's where unlimited becomes limited.

Contract magnification on MDR scope and response actions clauses against a security operations center backdrop
Contract magnification on MDR scope and response actions clauses against a security operations center backdrop

What "Unlimited MDR" Actually Means: Reading the Fine Print

Every MDR vendor in 2026 says "unlimited" somewhere on the slide. Unlimited ingestion, unlimited use cases, unlimited investigation hours, unlimited response.

The word does real work — sometimes. Sometimes it's a marketing trick. The way to tell which is to read the SOW with the same intensity you'd read a financial covenant.

This post is the decoder. Use it on any MDR proposal, including ours.

The four axes where "unlimited" actually matters

Axis 1 — Log ingestion volume

The honest version: in a flat-rate MDR pricing model, log ingestion is genuinely unlimited within the agreed scope. You can turn on DNS query logs, full CloudTrail, Defender raw telemetry — the per-event meter is gone.

The marketing version: "unlimited ingestion up to a fair-use threshold." The contract specifies a soft cap, beyond which overage applies. Read the cap. If it's set at 1.5× current volume and your environment is growing 30% YoY, you'll hit overage in year two.

What to ask: "What's the sustained-EPS threshold above which you charge me, and what's the overage rate?"

Axis 2 — Use cases and detection rules

The honest version: unlimited detection rules and use cases — the SOC engineering team builds whatever the customer needs, on a continuous tuning cadence.

The marketing version: "unlimited included rules" — usually meaning the vendor's catalog of pre-built content. Custom content, environment-specific tuning, and ATT&CK gap closure are billed as professional services projects.

What to ask: "If I bring you a new threat scenario or a new log source, what's the cost to build detection content for it?"

Axis 3 — Investigation and response actions

This is the most common "unlimited" trap. Investigation and response are different products.

  • Alert investigation = an analyst looks at the alert, decides whether it's real, writes notes
  • Response action = an analyst (or automation) actively contains the threat — kills a process, isolates a host, disables an account, blocks an IP, quarantines an email

Many "unlimited MDR" offers are unlimited alert investigation. Response actions require additional authorization, separate scope, or only happen on the customer's confirmation — at which point the SOC's value-add is marginal.

What to ask: "What response actions are you authorized to perform without my approval, in what scenarios? Show me the runbook."

Axis 4 — Incident response

The most expensive carve-out, hidden in plain sight.

  • Tier-1 / Tier-2 alert investigation is usually included
  • Incident response — sustained, multi-day, deep-forensic engagement on a confirmed breach — is often a separate retainer or hourly billable

Read the SOW for the words "major incident," "breach response," "forensic investigation," "incident response retainer," or anything mentioning a per-incident hour cap. That's where the unlimited stops.

What to ask: "Is incident response included in the MDR fee? If yes, up to what scope? If no, what's the retainer cost and the hourly overage rate?"

What QMasters StrongHold MCSS actually includes

We're going to answer the questions we just told you to ask, transparently.

Log ingestion: Unlimited within the contracted asset and user scope, no per-EPS meter. Log everything that matters; the SOC engineering team optimizes ingestion cost on the back end.

Use cases and detection rules: Continuous custom content development included — your environment, your threats, our SOC engineering team builds and tunes against your ATT&CK coverage map. Major new integrations or new platform onboarding are scoped projects.

Investigation: Unlimited Tier-1 and Tier-2 investigation. Every alert that fires in your environment gets a human analyst, no per-hour meter.

Response actions: Containment-included on confirmation. We are pre-authorized to kill malicious processes, isolate compromised hosts, disable accounts, block IPs, and quarantine emails — on your documented runbook. You don't get a "we found something, please confirm" call at 3 AM.

Incident response: Initial IR included for incidents that escalate from regular operations. Major-incident response (sustained multi-day forensic engagement) is a defined retainer. Both have written scope.

SLAs: 15-minute critical alert acknowledgment. 1-hour fluent SLA. Documented escalation paths, with named escalation contacts on our side.

See full StrongHold MCSS scope

The five-axis comparison matrix

When evaluating two MDR offers, build the matrix:

| Axis | Vendor A | Vendor B |

|---|---|---|

| Log ingestion (cap?) | | |

| Custom content (scope?) | | |

| Investigation (per-hour cap?) | | |

| Response actions (which?) | | |

| IR included (which scenarios?) | | |

The vendor with the cleanest, broadest, most-specific answers across all five axes is the one whose "unlimited" is closest to real.

Common contract gotchas

Things we've seen in MDR contracts that customers brought to us during procurement reviews:

  • "Reasonable use" clauses that give the vendor unilateral authority to declare overage
  • Response action authorization restricted to "where technically possible without customer impact" — so vague it covers anything
  • Major incident exclusion that triggers at the customer's first significant incident
  • Custom content treated as professional services — every rule, every tuning request, every integration billed
  • Renewal price escalators of 7–12% YoY locked into the contract
  • Termination clauses that lock customer data inside the vendor's tenancy with no clean migration path

Almost all of these are negotiable. Almost none of them are negotiable after signing.

For more context, start at QMasters, review our managed detection and response, or check out webinars.

Frequently asked questions

Is "unlimited MDR" a real thing or marketing fluff?

Both. Real in some axes (log volume in flat-rate models). Marketing in others (investigation hours that exclude IR). The contract decides.

What's the most common gotcha?

Incident response scope. Many vendors include alert investigation but exclude or cap incident response — exactly when the customer needs them most.

How do I compare two unlimited MDR offers?

Map both to the same five-axis matrix: log ingestion, custom content, investigation, response actions, IR. The shape is the comparison.

Will QMasters share our SOW for review?

Yes. We'll send a redacted reference SOW so you can compare ours, line by line, against any other MDR offer on your shortlist.

---

Currently evaluating MDR providers?

Send us your shortlist. We'll do a free side-by-side scope-and-SLA breakdown — including ours — so you can negotiate from data, not slide decks. Request a comparison →

FAQ

Frequently asked questions.

  • Both. Some unlimited claims are real (e.g. unlimited log volume in a flat-rate model). Others are marketing — 'unlimited investigation hours' often means alert investigation only, not deep forensic incident response. Read the SOW, not the slide.

ABOUT THE AUTHOR

QMasters SOC Team
Strategy & Operations

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

BUILDING OR REBUILDING A SOC?

Skip the 18-month build. Get an MDR partner.

Talk to a SOC strategy lead about flat-rate MDR, SIEM operations, and what to keep in-house versus outsource.

Explore Managed Cyber Security Services

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.