Most UK mid-market organisations evaluating Managed Security Services Providers (MSSPs) for SOC + MDR + incident response struggle to compare apples-to-apples. Vendor decks all promise "24/7 monitoring + expert analysts + advanced threat hunting". This is the 12-question procurement checklist that surfaces the actual differences.
View the data behind this chart
| Weight | Tier-1 MSSP | Boutique | |
|---|---|---|---|
| UK SOC location | 25 % | UK + offshore | UK only |
| IR response SLA | 20 % | <15 min | <30 min |
| Use-case library | 15 % | 500+ | 100+ |
| Industry knowledge | 20 % | Generic | Specialist |
| Contract flexibility | 20 % | 3-yr | 1-yr OK |
The 12 questions every UK MSSP RFP should ask
These are the questions we run with every Servnet customer evaluating MDR providers. The answers separate genuine 24/7 operations from US-night-shift-only marketing fluff.
- •1. Where are your SOC analysts physically located? UK-based + cleared, US night-shift, India / Philippines offshore — all valid, but you need to know.
- •2. What's your average time-to-investigate for a P1 alert? 5 minutes? 30? 2 hours?
- •3. Do you actively respond (isolate endpoints, kill processes) or just notify? Critical distinction.
- •4. Which EDR / SIEM / XDR platforms do you support natively? CrowdStrike, SentinelOne, Defender XDR, Sentinel, Splunk?
- •5. What's the staff:customer ratio per analyst? Industry benchmark is 1:8 to 1:15 for active MDR.
- •6. How many P1 incidents have you handled in the past 12 months? Ask for the number.
- •7. Show me a real post-incident report (anonymised). The format + depth tells you a lot.
- •8. Do you provide threat hunting (proactive) or just monitoring (reactive)?
- •9. What's your alert-to-customer signal-to-noise ratio? If 80% of alerts are false positives, you have a tuning problem.
- •10. Are you SOC 2 Type II certified? ISO 27001? Cyber Essentials Plus? CREST-certified for incident response?
- •11. Can I see your standard contract? Look for: data residency, exit assistance, audit rights, SLA credits.
- •12. What does a typical month's reporting look like? Ask for a real (anonymised) monthly report.
Red flags
Marketing-heavy decks with no specific named analysts or sample reports.
"24/7" without specifying which hours are in-house vs subcontracted.
No CREST / Cyber Essentials Plus / SOC 2 certifications.
Unwilling to share standard contract terms before commercial conversation.
Pricing model that doesn't map to specific deliverables.
What Servnet does
Servnet doesn't run our own 24/7 SOC. We partner with credible UK MSSPs (CREST-certified, UK-cleared analysts) + vendor-managed services (CrowdStrike Falcon Complete, SentinelOne Vigilance Respond, Sophos MDR).
We help customers run MSSP procurement vendor-neutrally — shortlist + commercial bid + reference customer calls + contract review. Engagement is typically 6-10 weeks from kick-off to signed MSA.
