The Problem with “24/7 Monitoring”
Every MSSP claims 24/7 monitoring. The question is: monitoring what, by whom, and what happens when something fires at 3 AM on a Sunday?
This post is an honest account of how our Security Operations Centre works, what our analysts actually do, and where the line is between automated detection and human judgment.
Tiers of Coverage
Tier 1: Automated Detection and Triage
Aegis Sovereign runs continuously, evaluating every telemetry event against our Sigma rule library (currently 847 detection rules, updated weekly). The platform auto-triages alerts into priority buckets and suppresses known-good activity patterns.
Automated handling: approximately 94% of all alerts. These are either confirmed false positives or low-confidence noise that gets queued for analyst review during business hours.
Tier 2: Analyst Triage
The remaining 6% of alerts — those that are high-confidence or match multi-stage attack patterns — route to an on-call analyst. Our current SLA:
- Critical (active breach indicators): 15-minute analyst response
- High (suspicious multi-stage activity): 30-minute response
- Medium (elevated risk, single indicator): 2-hour response
- Low (informational, compliance): next business day
Tier 3: Active Incident Response
When an analyst confirms a live incident, our IR playbook activates. Depending on severity and client authorization level, we can:
- Isolate affected systems via Aegis network control (no client action required)
- Block malicious IPs at the perimeter
- Suspend compromised user accounts
- Initiate forensic evidence preservation
- Call the client emergency contact
What We Monitor
Covered in our standard MDR service:
- Endpoint: process execution, file system, registry, network connections
- Network: DNS queries, firewall logs, proxy logs, NetFlow
- Identity: authentication events, privilege changes, account modifications
- Cloud: CloudTrail, Azure Activity Log, GCP Audit Logs
- Email (add-on): O365/Google Workspace mail security events
- Application (add-on): WAF logs, application error rates
Threat Hunting
Reactive detection is not enough. Modern threat actors — especially APT groups targeting Canadian critical infrastructure — operate quietly for weeks or months before triggering noisy alerts. Our threat hunting practice proactively searches for indicators of compromise that automated rules do not catch.
Monthly threat hunts focus on:
- Living-off-the-land (LOLBins) abuse — attackers using legitimate Windows tools
- Beaconing patterns — regular outbound connections at suspicious intervals
- Credential abuse — legitimate accounts doing things they never normally do
- Data staging — unusual large file operations before potential exfiltration
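As an added illustration of the beaconing hunt listed above (example code, not Aegis Sovereign or the SOC's own tooling), the script below scores each source/destination pair by how evenly spaced its connections are. It assumes a constructed connection log of `<epoch_seconds> <src_ip> <dst_host>` lines; the thresholds (8 connections minimum, coefficient of variation at most 0.2) are illustrative assumptions.

```python
import statistics
from collections import defaultdict

def build_sample_log():
    """Constructed connection records: '<epoch> <src_ip> <dst_host>' per line."""
    lines = []
    # Host A: one connection every ~300 s with +/-5 s jitter (beacon-like).
    for i in range(12):
        lines.append(f"{1700000000 + i * 300 + (i % 3 - 1) * 5} 10.0.0.5 updates.example-cdn.net")
    # Host B: same destination, human-like irregular gaps between connections.
    t = 1700000000
    for gap in (0, 40, 900, 15, 1200, 300, 60, 2400, 10):
        t += gap
        lines.append(f"{t} 10.0.0.7 updates.example-cdn.net")
    # Host C: perfectly regular but only three connections (too few to judge).
    for i in range(3):
        lines.append(f"{1700000000 + i * 600} 10.0.0.9 mail.example.org")
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()

def parse_log(text):
    """Group timestamps by (src, dst); input lines need not be in time order."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(int(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def beacon_score(timestamps, min_connections=8):
    """Return (mean_interval, cv) for one pair, or None if too few connections.
    cv = population stdev / mean of the inter-connection gaps; a cv near zero
    means the connections are evenly spaced, which is what a beacon looks like."""
    if len(timestamps) < min_connections:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:  # all connections share one timestamp; nothing to measure
        return None
    return mean, statistics.pstdev(gaps) / mean

def find_beacons(text, min_connections=8, max_cv=0.2):
    """Flag (src, dst) pairs whose gap regularity is at or below max_cv."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        score = beacon_score(ts, min_connections)
        if score and score[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "mean_interval": score[0], "cv": score[1]})
    return sorted(hits, key=lambda h: h["cv"])
```

On the constructed log only host A is flagged: host B shares the destination but has irregular gaps, and host C is too short a series to score.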
Mean Time to Detect: The Real Number
Our advertised MTTD of under 5 minutes is an average across all confirmed incidents in 2025. The full breakdown:
- Ransomware pre-encryption: 2.3 min average
- Lateral movement: 4.1 min average
- Data exfiltration: 6.8 min average
- Privilege escalation: 3.7 min average
- C2 beaconing: 11.2 min average (intentionally noisy to avoid false positives)
The industry average MTTD is 197 days. Our advantage comes entirely from Aegis — stateful, real-time detection versus asynchronous log analysis.
What MDR Does Not Replace
We are honest with clients about the scope of MDR:
- MDR does not replace vulnerability management — we detect exploitation, not prevent it
- MDR does not replace security awareness training — we catch phishing consequences, not the click
- MDR does not replace penetration testing — we test detection, not attack paths
- MDR is most effective when layered with these controls
Learn more about our full MDR service offering or speak with our team about coverage for your environment.