MSSP and MDR Evaluation: 30-60-90 Day Plan for Security Teams
Practical 30-60-90 day evaluation plan to pick and validate MSSP or MDR partners, with checklists, SLAs, and nursing-home examples.
By CyberReplay Security Team
TL;DR: Use this MSSP and MDR evaluation 30-60-90 day plan to validate detection coverage, onboarding speed, and incident response SLAs. Onboard assets and logs in days 1-30, prove detections and playbooks in days 31-60, and measure containment, reporting, and handoff readiness in days 61-90. Expect measurable improvements: mean time to detect can drop from months to under 7 days and containment time to under 24 hours when the plan is executed well.
Table of contents
- Quick answer
- Why you need a 30-60-90 evaluation
- Who this plan is for and constraints to know
- 30-Day objectives - Onboard and baseline
- 60-Day objectives - Validate detection and playbooks
- 90-Day objectives - Prove response, reporting, and handoff
- Checklist - Fast acceptance criteria for each phase
- Sample SIEM detection and threat-hunt snippets
- Proof scenarios and nursing home examples
- Common objections and short answers
- What to measure - KPIs and target numbers
- What success looks like at day 90
- Get your free security assessment
- What should we do next?
- References
- When this matters
- Definitions
- Common mistakes
- FAQ
- Next step
Quick answer
This MSSP and MDR evaluation 30-60-90 day plan gives security teams a concrete, auditable approach to answer three buyer questions: 1) Can the vendor onboard our critical telemetry in under 30 days? 2) Can the vendor detect and triage realistic threats within 60 days? 3) Can the vendor contain incidents, produce compliant artifacts, and hand operations back to our team by day 90? Use the checklists and SLA language below to convert these questions into pass/fail gates and measurable outcomes.
Why you need a 30-60-90 evaluation
Security outsourcing decisions carry real cost and risk. Typical consequences when you pick the wrong MSSP or MDR partner:
- Longer dwell time: public breach reports put the mean time to identify a breach well above 100 days for organizations without effective monitoring. Longer dwell time increases breach cost and compliance exposure; the IBM Cost of a Data Breach Report finds that faster identification and containment lowers total cost.
- Missed compliance artifacts: for healthcare and nursing homes, HIPAA audits and breach notifications require timely logs and forensics-ready reports.
- Operational friction: slow onboarding and noisy alerts drain internal resources and delay value realization.
A focused 30-60-90 evaluation reduces these risks by turning vendor promises into measurable gates: onboarding time, detection coverage, SLA adherence, false positive rate, and reporting quality.
Who this plan is for and constraints to know
This plan is for IT leaders, security managers, and executive sponsors at organizations evaluating MSSP or MDR services - especially nursing homes and small healthcare providers with limited security staff and strict compliance needs.
Not a fit if you already operate a mature 24-7 SOC with in-house threat hunting and IR playbooks. If that is your environment, shift the plan to vendor augmentation tests rather than full onboarding.
Constraints to plan for:
- Limited staff time for vendor coordination - budget vendor hours for onboarding calls.
- Legacy medical devices with limited telemetry - plan a fall-back manual monitoring control and compensating safeguards.
- Compliance windows - ensure vendor can provide HIPAA-friendly reporting and chain-of-custody statements.
For nursing home teams, keep the test scope narrow: focus on critical EHR servers, payroll and scheduling systems, remote access, staff workstation fleet, and email security.
30-Day objectives - Onboard and baseline
Goal: Prove the vendor can onboard your log sources and produce a meaningful baseline within 30 days.
Primary deliverables by day 30:
- Asset inventory for critical systems completed and validated.
- Log source mapping, with at least 80% of critical telemetry flowing into the vendor platform (EHR, domain controllers and Active Directory audit logs, perimeter firewall, email gateway, VPN).
- Baseline detection coverage and a heat map of covered asset classes.
- Initial threat and alert tuning session including 1-2 agreed test alerts.
- Signed list of SLAs, escalation paths, and contact roster.
Actionable tasks (week-by-week):
- Week 1: Kickoff - vendor orientation, access provisioning, and asset list. Assign a single vendor liaison in your team.
- Week 2: Log onboarding - connect sources, validate syslog/CEF/SIEM ingestion, confirm time sync and retention policy.
- Week 3: Baseline review - vendor provides coverage dashboard and first-pass detection mapping.
- Week 4: Run two controlled detection tests (e.g., benign port scan and simulated phishing click) to validate end-to-end telemetry and alerting.
Example acceptance criteria for day 30:
- Time to onboard Windows domain controller logs < 48 hours.
- At least 5 prioritized assets streaming logs with timestamp accuracy within 5 seconds of the collector's clock (confirm NTP on both sides and that the source reports its UTC offset).
- Vendor provides a written detection coverage statement and a 1-page onboarding report.
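A way to turn the day-30 gate into a repeatable check, as an added example rather than code from CyberReplay or any vendor: the script below reads a per-source ingestion export (one record per source with its most recent event's device timestamp and collector receipt timestamp, a layout that is an assumption here), normalises timestamps to UTC, and applies the 80% / 5 second gate plus the checklist's 50% stop rule. The field names and sample records are constructed so it runs offline.

```python
"""Added example (not CyberReplay's or any vendor's code): a day-30 onboarding
check run against a per-source ingestion export. The export layout, the field
names and the sample records below are assumptions constructed so it runs offline."""
from datetime import datetime, timedelta, timezone

# Day-30 gates from the plan: >= 80% of critical sources streaming with clock skew <= 5 s;
# the checklist's decision rule stops the pilot below 50%.
STREAMING_TARGET = 0.80
STOP_THRESHOLD = 0.50
MAX_SKEW_SECONDS = 5.0
FRESHNESS = timedelta(minutes=15)   # no event in the last 15 minutes = not streaming

# Evaluation instant, fixed so the sample is reproducible (a real run would use datetime.now(timezone.utc)).
NOW = datetime(2024, 5, 15, 10, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Timestamps must carry a UTC offset; naive local times are the usual cause of bogus skew."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without zone: {value}")
    return ts


def assess_source(rec: dict, now: datetime) -> dict:
    """Freshness and device-vs-collector clock skew for one source record."""
    if rec.get("last_event_source_time") is None:
        return {"source": rec["source"], "critical": rec["critical"],
                "streaming": False, "skew_ok": False, "skew_s": None}
    sent = parse_ts(rec["last_event_source_time"])        # timestamp the device put on the event
    received = parse_ts(rec["last_event_received_time"])  # collector receipt time
    skew = abs((received - sent).total_seconds())         # both offset-aware, so compared in UTC
    return {"source": rec["source"], "critical": rec["critical"],
            "streaming": (now - received) <= FRESHNESS,
            "skew_ok": skew <= MAX_SKEW_SECONDS, "skew_s": skew}


def evaluate_day30(records: list, now: datetime) -> dict:
    """Apply the day-30 gate to the critical sources and return a verdict plus the sources to chase."""
    results = [assess_source(r, now) for r in records]
    critical = [r for r in results if r["critical"]]
    passing = [r for r in critical if r["streaming"] and r["skew_ok"]]
    ratio = len(passing) / len(critical) if critical else 0.0
    if ratio >= STREAMING_TARGET:
        verdict = "PASS"
    elif ratio < STOP_THRESHOLD:
        verdict = "STOP_PILOT"
    else:
        verdict = "REMEDIATE"
    return {"critical_ratio": ratio, "verdict": verdict,
            "failed_sources": [r["source"] for r in critical if not (r["streaming"] and r["skew_ok"])],
            "details": results}


# Constructed sample export: one record per source with its most recent event.
SAMPLE_RECORDS = [
    # EHR server reports local time with an offset; the parser normalises it, so skew is 2 s, not 5 h.
    {"source": "EHR-APP01", "critical": True,
     "last_event_source_time": "2024-05-15T04:58:00-05:00", "last_event_received_time": "2024-05-15T09:58:02+00:00"},
    {"source": "DC01", "critical": True,
     "last_event_source_time": "2024-05-15T09:59:30+00:00", "last_event_received_time": "2024-05-15T09:59:31+00:00"},
    # Perimeter firewall is streaming but its clock is 90 s behind: fails the 5 s accuracy gate.
    {"source": "PERIM-FW", "critical": True,
     "last_event_source_time": "2024-05-15T09:57:00+00:00", "last_event_received_time": "2024-05-15T09:58:30+00:00"},
    {"source": "MAILGW", "critical": True,
     "last_event_source_time": "2024-05-15T09:55:10+00:00", "last_event_received_time": "2024-05-15T09:55:11+00:00"},
    # VPN gateway was "onboarded" but has never delivered an event.
    {"source": "VPN-GW", "critical": True,
     "last_event_source_time": None, "last_event_received_time": None},
    {"source": "SCHED-APP", "critical": False,
     "last_event_source_time": "2024-05-15T09:50:00+00:00", "last_event_received_time": "2024-05-15T09:50:01+00:00"},
]

if __name__ == "__main__":
    result = evaluate_day30(SAMPLE_RECORDS, NOW)
    print(f"critical sources passing: {result['critical_ratio']:.0%} -> {result['verdict']}")
    for name in result["failed_sources"]:
        print("chase:", name)
```

Two design points matter in practice: a source that is streaming but 90 seconds off is counted as failed, because timeline reconstruction during an incident depends on the 5 second accuracy you are buying, and a source with no events at all is a failure rather than a blank, which is how the VPN gateway above lands on the chase list. Run it on the vendor's own export in the week 3 baseline review.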
60-Day objectives - Validate detection and playbooks
Goal: Verify the vendor can detect realistic threats, triage at scale, and execute playbooks that produce forensics-ready artifacts.
Primary deliverables by day 60:
- A minimum of three realistic attack simulations executed (hands-on tests that generate real telemetry, not just tabletop discussion), each with a post-test report.
- A playbook for each test mapped to a concrete remediation path and roles.
- Measured false positive rate and triage time.
- Evidence of proactive threat hunting or tailored detections for your environment.
Recommended tests:
- Phishing compromise simulation - vendor must detect post-click lateral activity or abnormal mailbox access.
- Ransomware kill-chain simulation - vendor must detect suspicious file activity, privilege escalation, and command-and-control indicators.
- Suspicious account activity - vendor must detect anomalous authentication patterns and initiate containment steps.
Sample playbook components to validate:
- Triage checklist with data sources to collect (process list, network connections, logs, registry keys).
- Containment steps (isolate host, revoke account, block C2 IPs) with estimated time to containment.
- Forensics artifacts produced (disk images in E01 or raw format, raw memory captures, exported event logs, a timeline CSV) with checksums and chain-of-custody notes.
Acceptance criteria for day 60:
- Median triage time for priority alerts < 4 hours.
- False positive rate for high-priority alerts < 25% after tuning.
- Vendor provides at least one tailored detection or hunt that would have caught a likely threat in your environment.
90-Day objectives - Prove response, reporting, and handoff
Goal: Demonstrate incident response completeness, SLA adherence, and readiness to hand operations back to you or continue managed operations with confidence.
Primary deliverables by day 90:
- Full incident response exercise with containment, eradication, recovery, and a post-incident report.
- Compliance-ready reporting package that supports HIPAA breach notification timelines and includes timelines, root cause, indicators of compromise, and remediation actions.
- Measured SLA performance: triage SLA, containment SLA, and time-to-final-report SLA.
- Knowledge transfer session and operational runbook for your team.
Sample SLA targets to demand and measure:
- Acknowledgement of critical incident within 15 minutes.
- Triage initiation within 1 hour.
- Containment action started within 4 hours.
- Final incident report delivered within 72 hours of containment.
Handoff items to expect:
- Runbook covering who owns which steps after containment.
- Playbooks codified into your ticketing system and assigned to named roles.
- Monthly operational review schedule and agreed KPIs.
Acceptance gates at day 90:
- Vendor met SLA targets in at least 3 of 4 test incidents.
- Post-incident report includes forensics artifacts and a remediation timeline you can present to regulators.
- Your internal staff can run at least two containment steps independently after knowledge transfer.
Checklist - Fast acceptance criteria for each phase
Use this checklist to make pass/fail decisions quickly.
Phase 1 - day 0-30 onboarding
- Kickoff completed and vendor liaison assigned
- Asset inventory for critical systems validated
- 80% of critical log sources streaming
- Timestamp sync confirmed
- Initial detection mapping delivered
Phase 2 - day 31-60 detection validation
- Three attack simulations executed with post-test reports
- Median triage time < 4 hours
- False positive rate for critical alerts < 25%
- At least one tailored detection or threat hunt executed
Phase 3 - day 61-90 response and handoff
- Full incident response exercise completed
- SLA targets met in at least 3 of 4 test incidents
- Compliance-ready final report produced
- Knowledge transfer and runbooks delivered
Decision rule: Fail early if vendor cannot onboard 50% of critical telemetry in 30 days or if median triage times exceed 24 hours after 60 days during tests.
Sample SIEM detection and threat-hunt snippets
Below are minimal examples you can ask a prospective MSSP or MDR to run. Share these as test scenarios during the 30-60-90 days.
Simple Windows process creation suspicious command hunt (Elastic/ELK style; rundll32 alone is noisy, so pair it with a parent-process or argument filter before turning it into an alert):
  # Kibana Dev Tools console request; assumes ECS field names (Elastic Agent / Winlogbeat data)
  # A wildcard query is needed here: a match query does not treat * as a glob.
  GET logs-*/_search
  {
    "query": {
      "bool": {
        "filter": [
          { "term": { "event.category": "process" } },
          { "term": { "event.type": "start" } },
          { "wildcard": { "process.command_line": { "value": "*rundll32*", "case_insensitive": true } } }
        ]
      }
    }
  }
PowerShell encoded command detection (Sigma-like):
  title: Detect Base64 Encoded PowerShell
  logsource:
    category: process_creation   # Security 4688 with command-line auditing enabled, or Sysmon Event ID 1
    product: windows
  detection:
    selection_img:
      Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
    selection_cmd:
      CommandLine|contains:      # powershell.exe accepts abbreviations of -EncodedCommand; contains is case-insensitive
        - ' -enc '
        - ' -encodedcommand '
        - ' -ec '
    condition: selection_img and selection_cmd
  level: medium
Email gateway suspicious attachment search (Splunk SPL-like):
  index=email_logs sourcetype=maildirmonitor
      (attachment_name="*.zip" OR attachment_name="*.exe" OR attachment_name="*.iso" OR attachment_name="*.lnk")
  | stats count values(attachment_name) AS attachments BY sender, subject
  | sort - count
Ask the vendor to show results and link each detection to a playbook and sample artifacts that would be produced in a real incident.
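The same two Windows detections run locally, as an added example that is not CyberReplay's or any vendor's code, so you can check what a correct alert should contain before the day-60 tests. It builds the test command the way -EncodedCommand expects (base64 over UTF-16LE, not UTF-8), decodes the payload the way a triage analyst must, and narrows rundll32 to Office or script-host parents to cut noise. The event field names follow Security Event ID 4688 and the sample events are constructed.

```python
"""Added example (not CyberReplay's or any vendor's code): the encoded-PowerShell
and rundll32 detections from the snippets above, run over constructed Security
4688-style events. Field names and sample events are assumptions."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec, -en and -enc are the
# common ones. -ep / -ex (ExecutionPolicy) must not match, which the alternation below enforces.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
SUSPICIOUS_RUNDLL32_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe", "\\wscript.exe", "\\cscript.exe")


def encode_powershell(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(payload: str):
    """Decode an -EncodedCommand payload; None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def detect_encoded_powershell(event: dict):
    image = event.get("NewProcessName", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None
    match = ENCODED_FLAG.search(event.get("CommandLine", ""))
    if not match:
        return None
    return {
        "rule": "encoded_powershell",
        "host": event.get("Computer"),
        "user": event.get("SubjectUserName"),
        "parent": event.get("ParentProcessName"),
        # The decoded script is what triage needs; a payload that will not decode is still suspicious.
        "decoded_command": decode_powershell(match.group(1)),
    }


def detect_rundll32(event: dict):
    """rundll32 on its own is noisy; flag it only when launched by an Office app or a script host."""
    image = event.get("NewProcessName", "").lower()
    parent = event.get("ParentProcessName", "").lower()
    if image.endswith("\\rundll32.exe") and parent.endswith(SUSPICIOUS_RUNDLL32_PARENTS):
        return {"rule": "rundll32_suspicious_parent", "host": event.get("Computer"),
                "parent": event.get("ParentProcessName"), "command_line": event.get("CommandLine")}
    return None


def run_detections(events: list) -> list:
    findings = []
    for event in events:
        for detector in (detect_encoded_powershell, detect_rundll32):
            finding = detector(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample events in the shape of Security Event ID 4688 with command-line auditing on.
TEST_SCRIPT = "Write-Host 'MDR day-60 detection test'"
SAMPLE_EVENTS = [
    {"Computer": "EHR-APP01", "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_powershell(TEST_SCRIPT)},
    {"Computer": "WS-NURSE07", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,Start"},
    {"Computer": "WS-NURSE07", "SubjectUserName": "jdoe",            # benign control-panel launch, must not fire
     "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Computer": "DC01", "SubjectUserName": "admin",                  # -ExecutionPolicy is not an encoded flag
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Use encode_powershell to build the benign week-4 test command you hand to the vendor, and compare their alert against the decoded_command field: a vendor whose alert shows only the raw base64 has left the decoding, and the judgement about what it does, to you.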
Proof scenarios and nursing home examples
Scenario 1 - Small nursing home with legacy EHR and remote vendor access
- Problem: Remote vendor uses RDP for maintenance. Logs are inconsistent and EHR vendor devices are not regularly patched.
- 30-day test: Onboard remote access logs and confirm time-synced authentication events.
- 60-day test: Simulated compromised vendor credential - vendor must detect abnormal remote logins and initiate a host quarantine within SLA.
- Quantified outcome: If successful, average time to detect drops from a historical 45-90 days to under 7 days and containment time to under 24 hours.
Scenario 2 - Email phishing -> payroll fraud attempt
- Problem: Staff receive phishing emails that target payroll systems and HR.
- 30-day test: Ensure email gateway and mailbox logs stream to vendor and mailbox audit logging is enabled.
- 60-day test: Simulate a phishing click followed by mailbox activity (a new inbox forwarding rule, logins from an unusual location). Vendor must detect the forwarding rule and anomalous mailbox access, disable the account or session, and escalate so finance can hold any pending payment.
- Target business impact: a fraudulent payroll transfer worth tens of thousands of dollars is stopped before funds move, with containment and remediation completed within 48 hours.
These scenarios demonstrate how a short, focused evaluation exposes gaps in both technology and operational readiness.
Common objections and short answers
Objection: “We do not have budget for another vendor.” Answer: Budget the evaluation like a short pilot. Use the 30-60-90 gates to limit spend - stop after 30 days if onboarding fails. Faster detection reduces expected breach costs materially; a single prevented ransomware event often pays for months of managed services. See IBM cost-of-breach data: https://www.ibm.com/security/data-breach
Objection: “We will get too many false positives and waste staff time.” Answer: Insist on measurable tuning cycles. Expect initial noise - require the vendor to meet a false positive threshold for priority alerts by day 60. Add a clause to the contract for tuning hours and a rollback if tuning fails.
Objection: “We are worried about vendor lock-in and data access.” Answer: Require log forwarding and data export rights in the contract. Ensure playbooks, runbooks, and raw forensic artifacts are provided after incidents and at termination.
Objection: “We are concerned about HIPAA and compliance.” Answer: Demand HIPAA business associate agreement and sample compliance reports during the 90-day test. Validate that vendor reports include required fields for breach notification.
What to measure - KPIs and target numbers
Track these KPIs during the 30-60-90 plan and use them as go/no-go metrics.
Operational KPIs
- Onboarding time per source: target < 48 hours for major sources
- Percent of critical assets streaming telemetry: target >= 80% by day 30
- Median triage time for critical alerts: target < 4 hours by day 60
- Median time to containment: target < 24 hours by day 90
- False positive rate for critical alerts: target < 25% after tuning
Business KPIs
- Mean time to detect (MTTD): reduce from enterprise baseline (often > 30 days) to < 7 days
- Mean time to respond (MTTR) for critical incidents: < 24 hours
- SLA adherence: vendor meets defined SLAs in >= 75% of incidents during tests
Reporting KPIs
- Final report delivery: within 72 hours of containment
- Forensics completeness score: includes timestamps, NIST-style timeline, IOCs, and remediation steps
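Scoring the 90-day SLA targets and the KPIs above from the timestamps a vendor records for each test incident, as an added example that is not CyberReplay's or any vendor's code. Each SLA is measured from a named anchor (the alert for acknowledgement, triage and containment start; the containment time for the final report), containment time follows the glossary definition (triage to executed containment action), and MTTD runs from the moment you executed the test action to the vendor's alert. The incident field names and the four sample incidents are constructed assumptions.

```python
"""Added example (not CyberReplay's or any vendor's code): scoring the SLA
targets from the 90-day section and the KPIs above from the timestamps recorded
for each test incident. Field names and sample incidents are constructed."""
from datetime import datetime, timedelta
from statistics import median

# SLA targets, each measured from a named anchor timestamp to a named milestone.
SLA = {
    "ack":         ("alert_created", "acknowledged",        timedelta(minutes=15)),
    "triage":      ("alert_created", "triage_started",      timedelta(hours=1)),
    "containment": ("alert_created", "containment_started", timedelta(hours=4)),
    "report":      ("contained",     "report_delivered",    timedelta(hours=72)),
}
ADHERENCE_TARGET = 0.75                          # all SLAs met in >= 75% of test incidents (3 of 4)
TRIAGE_MEDIAN_TARGET = timedelta(hours=4)        # alert -> triage started
CONTAINMENT_MEDIAN_TARGET = timedelta(hours=24)  # triage -> containment executed (glossary definition)
MTTD_TARGET = timedelta(days=7)                  # test action executed -> alert raised


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def score_incident(inc: dict) -> dict:
    """Durations and misses for one incident. A missing milestone is a miss, never a skip:
    an incident the vendor forgot to timestamp does not count as meeting the SLA."""
    out = {"id": inc["id"], "misses": [], "durations": {}}
    for name, (start, end, limit) in SLA.items():
        if inc.get(end) is None:
            out["misses"].append(name)
            continue
        elapsed = ts(inc[end]) - ts(inc[start])
        out["durations"][name] = elapsed
        if elapsed > limit:
            out["misses"].append(name)
    return out


def kpis(incidents: list) -> dict:
    """Go/no-go view across all test incidents."""
    scored = [score_incident(i) for i in incidents]
    adherence = sum(1 for s in scored if not s["misses"]) / len(incidents)
    triage = [ts(i["triage_started"]) - ts(i["alert_created"]) for i in incidents]
    containment = [ts(i["contained"]) - ts(i["triage_started"]) for i in incidents]
    detect = [ts(i["alert_created"]) - ts(i["activity_start"]) for i in incidents]
    mttd = sum(detect, timedelta()) / len(detect)
    return {
        "adherence": adherence, "adherence_ok": adherence >= ADHERENCE_TARGET,
        "median_triage": median(triage), "median_triage_ok": median(triage) < TRIAGE_MEDIAN_TARGET,
        "median_containment": median(containment),
        "median_containment_ok": median(containment) < CONTAINMENT_MEDIAN_TARGET,
        "mttd": mttd, "mttd_ok": mttd < MTTD_TARGET,
        "misses": {s["id"]: s["misses"] for s in scored if s["misses"]},
    }


# Constructed sample: the four test incidents of the 90-day exercise (ISO 8601, all in one zone).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "scenario": "phishing click", "activity_start": "2024-06-03T09:00",
     "alert_created": "2024-06-03T09:20", "acknowledged": "2024-06-03T09:28",
     "triage_started": "2024-06-03T09:45", "containment_started": "2024-06-03T11:00",
     "contained": "2024-06-03T12:30", "report_delivered": "2024-06-05T12:00"},
    {"id": "INC-2", "scenario": "ransomware kill chain", "activity_start": "2024-06-10T14:00",
     "alert_created": "2024-06-10T14:05", "acknowledged": "2024-06-10T14:12",
     "triage_started": "2024-06-10T14:40", "containment_started": "2024-06-10T16:30",
     "contained": "2024-06-10T18:00", "report_delivered": "2024-06-12T10:00"},
    {"id": "INC-3", "scenario": "compromised vendor RDP credential", "activity_start": "2024-06-17T22:00",
     "alert_created": "2024-06-18T01:30", "acknowledged": "2024-06-18T01:35",
     "triage_started": "2024-06-18T02:10", "containment_started": "2024-06-18T03:00",
     "contained": "2024-06-18T04:00", "report_delivered": "2024-06-20T09:00"},
    # Alert raised at shift change and left in the queue: ack, triage and containment SLAs all missed.
    {"id": "INC-4", "scenario": "anomalous account activity", "activity_start": "2024-06-24T08:00",
     "alert_created": "2024-06-24T08:30", "acknowledged": "2024-06-24T09:15",
     "triage_started": "2024-06-24T10:00", "containment_started": "2024-06-24T13:30",
     "contained": "2024-06-24T15:00", "report_delivered": "2024-06-26T15:00"},
]

if __name__ == "__main__":
    for key, value in kpis(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

Note the difference between the two views: the sample vendor passes the 3-of-4 adherence gate and every median target, yet the misses dictionary shows the one incident that slipped was the one with the shortest test-action-to-alert time, which is exactly the queue-handling problem a monthly operational review should chase. Insist that the vendor's ticketing export carries every milestone timestamp, because a missing one is scored as a miss.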
What success looks like at day 90
You will know the vendor is a viable MSSP or MDR partner if:
- They onboarded your critical telemetry within 30 days and provided a baseline detection coverage report.
- They successfully detected and triaged realistic threats in 60 days with acceptable false positive rates.
- They executed a full incident response exercise with containment, produced compliance-ready reporting, met SLAs, and handed over runbooks and knowledge.
If any of these are missing, treat the engagement as incomplete and require remediation steps or terminate the vendor pilot.
Get your free security assessment
If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan.
What should we do next?
If you are evaluating providers now, use this plan as your acceptance test. Start with a focused pilot: pick 5 critical assets, require 30-day onboarding, and schedule tabletop tests for day 45 and a full IR exercise by day 85. If you want help scoped to nursing homes or healthcare providers, review managed options and service descriptions and request a pilot run from a vendor that understands HIPAA workflows. See recommended pages for service details: Managed Security Service Provider details and Cybersecurity services overview.
Two immediate, practical next steps you can take now:
- Book a short discovery call and free assessment to map your top risks and a 30-day pilot plan: Schedule a 15 minute assessment.
- Run a quick acceptance self-check using a short vendor scorecard to compare candidates: Download or run the CyberReplay vendor scorecard.
If you have been breached or need a rapid reality check, get emergency help now: https://cyberreplay.com/help-ive-been-hacked/.
These two assessment links (scheduled assessment and scorecard) provide the two distinct next-step actions referenced in the plan: an external, hands-on assessment and a repeatable internal scorecard you can use to grade providers during the 30-60-90 pilot.
References
- NIST Cybersecurity Framework (CSF) 2.0 - core functions and outcomes to map vendor onboarding, detection, and response gates against.
- CISA: Supplier Evaluation Criteria for MSSPs - criteria to evaluate MSSP capabilities and supplier security practices.
- MITRE ATT&CK Evaluations: Managed Services - comparative detection evaluations and methodology for MDR/MSS providers.
- IBM: Cost of a Data Breach Report 2023 - benchmarks for time to identify and contain a breach, and financial impact.
- Verizon 2023 Data Breach Investigations Report (DBIR) - dwell-time and incident pattern benchmarks.
- NIST SP 800-171 Revision 2 - requirements for protecting controlled unclassified information, including in systems operated by third-party providers.
- CIS Controls v8 - Control 15 (Service Provider Management) - guidance for inventorying, assessing, and monitoring service providers; Control 17 (Incident Response Management) covers the playbook and reporting expectations in this plan.
- Microsoft: Incident response playbooks - practical playbook templates and artifacts to request from vendors.
- CISA Assessments Toolbox - self-assessments and tools for validating program readiness.
These references are all source pages and guidance documents you can cite in contracts and acceptance tests.
When this matters
Use this evaluation when you are evaluating a new MSSP or MDR provider, when your current managed service shows long dwell times or poor reporting, or when you must demonstrate compliance evidence quickly. Typical triggers:
- Recent near-miss, suspicious activity, or a confirmed incident that exposed gaps in detection or reporting.
- Upcoming regulatory audit or breach-notification requirement where you must show vendor-provided artifacts.
- Mergers, acquisitions, or rapid growth that expand the telemetry surface and require third-party operational support.
This plan is time-boxed so you can fail fast and avoid long blind buys: if core onboarding or detection gates fail by day 30 or day 60, stop the pilot and remediate or change providers.
Definitions
Keep a short shared glossary for vendor evaluations to avoid ambiguity during acceptance tests:
- MSSP: Managed Security Service Provider. Primarily delivers monitoring and basic incident triage at scale.
- MDR: Managed Detection and Response. Includes active threat hunting, detection engineering, and incident response actions.
- Onboarding time: elapsed time from kickoff to verified telemetry ingestion with timestamps and retention confirmed.
- Triage time: time from alert creation to a documented triage action and analyst assignment.
- Containment time: time from triage to an executed containment action such as host isolation or credential revocation.
- Forensics-ready artifacts: disk or memory images, event log exports, network captures, and a signed chain-of-custody record suitable for regulators.
Use these definitions in SLAs and acceptance criteria so both parties test against the same expectations.
Common mistakes
Short list of recurrent pitfalls when running MSSP/MDR pilots and how to avoid them:
- Too broad a scope early on. Limit initial pilot assets to avoid long onboarding tail and noisy alerts.
- No single vendor liaison. Assign one internal coordinator to prevent delays and missed tests.
- Vague SLAs. Put concrete time-based gates in writing for onboarding, triage, containment, and final reporting.
- Ignoring export rights. Require log forwarding and forensic exports during contract negotiation so you are not locked out.
- Skipping playbook validation. Insist on end-to-end tests that produce real artifacts and runbook steps rather than just alerts.
Avoid these mistakes by codifying scope, roles, and pass/fail gates in the pilot statement of work.
FAQ
Q: How much should the vendor pilot cost? A: Budget a short pilot priced as a one-to-three-month engagement. Expect a modest onboarding fee plus hourly tuning and test execution. Use the 30-day stop rule if onboarding fails.
Q: What if a vendor needs more than 30 days to onboard legacy devices? A: Require a fall-back telemetry plan for legacy systems such as periodic log exports, agentless collectors, or compensating controls. If the vendor cannot provide a fallback, treat onboarding as failed for that asset class.
Q: How do we prove chain-of-custody for forensic artifacts? A: Ask the vendor to provide a signed delivery manifest, SHA-256 checksums for every artifact (MD5 alone is not acceptable as integrity evidence), and a documented transfer process. Recompute the checksums on receipt and verify the whole process during the 90-day incident exercise.
Q: Can we run the plan if we lack internal IR capacity? A: Yes. The plan is designed for little internal staff bandwidth. Require the vendor to do core containment actions and provide clear runbooks and knowledge transfer so your team can take over post-pilot.
Next step
If you are ready to act, pick one of these two paths based on urgency:
- Fast assessment path: Schedule a short vendor-assessment call that results in a 30-day onboarding plan and prioritized asset list. Book here: Schedule a 15 minute assessment.
- DIY scorecard path: Use a repeatable vendor scorecard to rate candidates on onboarding, detection, playbook completeness, and export rights. Get the CyberReplay scorecard here: CyberReplay vendor scorecard.
Both options produce artifacts you can use immediately to run the 30-60-90 acceptance tests described in this guide.