Total Economic Impact

The Total Economic Impact™ Of Deepwatch MDR

Cost Savings And Business Benefits Enabled By Deepwatch MDR

A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Deepwatch, February 2026


Executive Summary

Organizations facing rising threat activity, expanding attack surfaces, and increasing operational complexity often struggle with fragmented security tooling, manual processes, and limited visibility across their environments. These conditions place pressure on resource-constrained security teams and increase the likelihood of delayed detection, inconsistent response, and employee-facing disruptions.[1] As a result, many enterprises are exploring partners that can provide continuous monitoring, deeper analytic support, and more consistent incident handling to help stabilize operations and strengthen security outcomes.[2]

Deepwatch MDR offers around-the-clock visibility, expert-led event analysis, validated detections, and structured escalation workflows. The solution works within an organization’s existing security stack and can support or manage security information and event management (SIEM)-related workflows as part of its service, including helping organize log data, tuning detections, and refining dashboards and visibility. Together, these capabilities can help organizations reduce alert noise, identify suspicious activity earlier, and improve coordination between security and IT teams. This approach can be particularly valuable in environments where security staffing, tooling integration, or process maturity may be limited, potentially helping organizations improve resilience and operational consistency without significant internal expansion.

Deepwatch commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying MDR.[3] The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of MDR on their organizations.

Return on investment (ROI): 187%

Net present value (NPV): $1.3M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five decision-makers from four organizations with experience using MDR. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a North America-based enterprise with $2 billion in annual revenue, 5,000 employees, and a lean security operations (SecOps) team operating across a fragmented security and IT tooling environment.

Interviewees said that, prior to adopting Deepwatch MDR, their organizations relied on largely manual investigation processes; inconsistent visibility across endpoint, identity, and cloud environments; and reactive incident handling. Efforts to improve detection and response — whether through internal staffing or legacy tools — yielded limited progress due to alert overload, coverage gaps, and resource constraints. These limitations contributed to delayed identification of issues, repetitive manual effort, and difficulty maintaining a consistent security posture.

After adopting Deepwatch MDR, interviewees described a more proactive and predictable SecOps model supported by continuous monitoring, expert-validated detections, and integrated escalation workflows. Reported outcomes included earlier identification of suspicious activity, reduced alert noise and false positives, improved coordination between security and IT teams, and fewer security-related disruptions affecting employee productivity and day-to-day operations. Interviewees also noted that Deepwatch MDR enhanced the clarity and usefulness of activity flowing through their SIEM environments by improving dashboards, refining detections, and helping reduce alert noise.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Strengthened security outcomes through earlier detection and faster response. Deepwatch MDR’s continuous monitoring, expert-led event analysis, and structured escalation workflows help the composite organization identify suspicious activity sooner, reduce noise, and respond more consistently across its hybrid environment. These improvements lower exposure to security incidents and reduce the likelihood that issues escalate into employee- or business-impacting disruptions.

  • Improved SecOps team operational efficiency due to reduced alert noise and more consistent investigation workflows. By reducing alert noise, improving detection fidelity, and providing analyst-validated triage and structured escalation workflows, Deepwatch MDR enables the composite organization’s SecOps personnel to work more efficiently. Analysts spend less time on manual investigation and repetitive alert handling and more time on higher-value activities such as proactive threat hunting, security engineering, and process improvement. These efficiency gains allow the organization to scale operational coverage and consistency without proportionally increasing internal headcount.

  • Employee productivity gains from fewer security-related interruptions. With compromised accounts, phishing attempts, and user-impacting security issues detected and escalated earlier, the composite organization’s employees experience fewer interruptions and shorter delays while waiting for remediation. Integrated ticketing and automated workflows further accelerate resolution and help employees remain focused on their core responsibilities.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Improved analyst morale. By reducing alert noise and manual investigation effort, Deepwatch MDR enables the composite organization’s analysts to focus on higher-value security work, supporting improved morale and day-to-day effectiveness.

  • Improved cyber insurance qualification and reduced premiums. Deepwatch MDR helps the composite organization meet cyber insurance requirements for monitoring and incident response, contributing to improved insurability and lower premiums.

  • Improved communications with key stakeholders. Dashboards, reporting, and structured escalation processes make it easier for the composite to communicate security posture and security operations center (SOC) activity to its executives and board, supporting greater transparency and more informed decision-making.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Deepwatch MDR fees. These costs reflect ongoing access to expert analysis, continuous monitoring, response workflows, and platform capabilities.

  • Implementation and optimization of Deepwatch MDR. Some internal labor and platform configuration costs are incurred to connect data sources, establish workflows, and tune detections across the environment. Internal teams devote time to operational coordination, refinement of detection logic, and periodic reviews to align workflows, integrate new telemetry sources, and adopt emerging AI-driven insights.

The financial analysis that is based on the interviews found that a composite organization experiences benefits of $2.0 million over three years versus costs of $691,000, adding up to a net present value (NPV) of $1.3 million and an ROI of 187%.

Increased operational efficiency of SecOps team: $775K

“[Deepwatch] has improved our posture and our ability to detect and respond to threats. I can’t stress enough that one of the primary value propositions is helping us get to what needs action before it causes a bad day. Without their capability, we may not have been so fortunate against the backdrop of the current threat landscape.”  

Deputy CISO, manufacturing

Key Statistics

Return on investment (ROI): 187%

Benefits PV: $2.0M

Net present value (NPV): $1.3M

[Chart: Benefits (Three-Year), covering strengthened security; increased operational efficiency of SecOps team; and employee productivity gains from reduced security-related incidents and remediation activities]

The Deepwatch MDR Customer Journey

Drivers leading to the Deepwatch MDR investment
Interviews

| Role | Industry | Region | Revenue | Employees | SecOps Personnel |
| --- | --- | --- | --- | --- | --- |
| VP & CISO; Deputy CISO | Manufacturing | Global; North America headquarters | $43 billion | 75,000 | 15 |
| CISO | Government | North America | $5 billion | 8,500 | 5 |
| Manager of technical services | Manufacturing | North America | $760 million | 2,300 | 6 |
| CISO | Life sciences | North America | $620 million | 1,900 | 3 |

Key Challenges

Security teams faced common operational and risk-related challenges before implementing Deepwatch MDR. These pain points reflected the limitations of existing approaches — from manual alert handling and fragmented workflows, to under-resourced internal SOCs, to legacy solutions that failed to provide clarity or meaningful threat reduction.

Interviewees described challenges, including:

  • Overwhelming alert volume, signal-to-noise challenges, and analyst fatigue. Interviewees said their cybersecurity teams struggled with high alert volumes, false positives, lack of tuning, and difficulty interpreting what warranted action. Understaffed SOCs and scarce detection and response expertise amplified these burdens. The CISO in government said, “We did not have people who really knew incident response … [or] understand threat monitoring.”
    For others, the problem stemmed from opaque or underperforming legacy solutions. The deputy CISO in manufacturing explained: “[The legacy solution] was a black box. It was difficult for us to get our arms around what it was doing and detecting … and it was super challenging to understand the value prop and get things to improve.”

  • Critical gaps in continuous monitoring and incident coverage. Many interviewees said their organizations lacked reliable 24/7 coverage and tolerated elevated risk. Some attempted follow-the-sun rotations or on-call models but struggled to maintain effective procedures. The life sciences CISO noted, “[Our organization] had a couple of near misses … and an actual incident [that was] scary enough for the organization to take notice.” The government CISO shared a similar experience: “We lacked proactive protection. … I was shocked at what was going on. … We were not meeting the risk.”

“Every time I come off a Deepwatch call, I feel a little smarter.”

CISO, life sciences

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

  • Description of composite. Headquartered in North America, the composite organization has annual revenue of $2 billion and 5,000 employees. It has eight FTEs on the SecOps team responsible for core security monitoring and response activities, including alert triage and investigation, incident coordination, tooling configuration, and collaboration with IT and business stakeholders on remediation and risk reduction efforts.

Prior to adopting Deepwatch MDR, the composite organization operated in a fragmented security environment with multiple security and IT tools generating large volumes of alerts and limited contextual integration. This contributed to reactive workflows, inconsistent prioritization, and frequent handoffs between security and IT teams, increasing operational friction and exposure to user-impacting issues.

  • Deployment characteristics. The composite begins using the Deepwatch MDR solution in Year 1 after a six-month implementation period. The initial rollout covers 50% of the workforce and scales to 100% by Year 3. The implementation includes all geographies and channels.

KEY ASSUMPTIONS

  • $2 billion in annual revenue

  • 5,000 employees

  • Eight SecOps FTEs involved with threat detection and response

Analysis Of Benefits

Quantified benefit data as applied to the composite
Total Benefits

| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- |
| Atr | Strengthened security | $352,765 | $470,353 | $587,941 | $1,411,059 | $1,151,145 |
| Btr | Increased operational efficiency of SecOps team | $237,120 | $331,968 | $379,392 | $948,480 | $774,960 |
| Ctr | Employee productivity gains from reduced security-related incidents and remediation activities | $22,500 | $22,500 | $22,500 | $67,500 | $55,954 |
| | Total benefits (risk-adjusted) | $612,385 | $824,821 | $989,833 | $2,427,039 | $1,982,059 |

Strengthened Security

Evidence and data. After implementing Deepwatch MDR, interviewees reported stronger detection accuracy, faster incident escalation, and improved visibility across hybrid environments. Deepwatch’s 24/7 monitoring and analyst-driven triage helped their organizations reduce noise and surface high-fidelity alerts, enabling teams to shift from reactive incident response to more proactive threat management. Interviewees also highlighted clearer guidance, more consistent prioritization, and improved readiness to support vulnerability management workflows. They said Deepwatch’s ongoing enhancements, including AI-driven context and insight capabilities, further reinforced its focus on accelerating analysis and strengthening security outcomes over time.

  • Interviewees described the impact of Deepwatch MDR as a contributor to a stronger security posture, maturity, and risk reduction. They also noted that Deepwatch MDR helped vulnerability management efforts by adding threat context and prioritization on top of existing tools and IT service management (ITSM) systems. By surfacing exploitable exposures aligned to active threats and tracking them through remediation queues, Deepwatch helped reduce windows of exposure. Several interviewees emphasized that having expert eyes on their environments around the clock increased confidence that emerging risks were addressed quickly.

  • Deepwatch provided the interviewees’ organizations with enhanced visibility into logging and telemetry, facilitating a shift to proactive security operations. The manager of technical services in manufacturing reported: “Once we onboarded with Deepwatch, our visibility into logging and telemetry was off the charts. … The alerting has become a lot clearer. They’re listing what we found, how we found it, how we can respond to it, and why we should respond to it. … It’s been very, very helpful on the [endpoint activity] side.”

  • The CISO in life sciences said: “[Deepwatch] is a key component in our security staff now. … We certainly have heightened visibility into behaviors in our environment that we did not previously have.” The interviewee added, “We have been able to thwart a couple of bad actors through that process.”

  • The deputy CISO in manufacturing reported: “They’ve remained below thresholds of significant materiality, [but] we have had true positives. … I credit that to the speed and detection capabilities that have been built up [with Deepwatch].”

Modeling and assumptions. Based on the interviews and Forrester Research, Forrester assumes the following about the composite organization:

  • The total annual risk exposure to security breaches for the composite organization is $2,424,000.[4]

  • The percentage of breaches originating from external attacks targeting organizations, external attacks targeting remote environments, and internal incidents is 77%.[5]

  • The percentage of those attacks that are addressable with Deepwatch MDR is 70%. This reflects the portion of threats aligned to monitored controls and telemetry sources (e.g., endpoint, identity, cloud) with the remaining 30% attributable to factors outside direct coverage such as user error, misconfigurations, disconnected or unmanaged devices, or externally driven ecosystem failures.

  • The reduced risk of exposure to breach costs from an addressable attack adjusted for the implementation maturity attributable to Deepwatch MDR is 30% in Year 1. This increases to 40% in Year 2 and 50% in Year 3. These improvement levels represent gradually increasing effectiveness as processes, integrations, and operational alignment mature over time.

Risks. The amount of this benefit can vary across organizations due to differences in:

  • The organization’s threat profile and industry exposure.

  • Baseline security maturity and tooling sophistication prior to adopting Deepwatch.

  • The complexity, scale, and level of integration across the technology environment.

  • The degree of adoption and consistent utilization of Deepwatch MDR processes, workflows, and recommendations.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.2 million.

“Deepwatch is elevating things that need action in a way that enables us to respond before it becomes a problem.”

Deputy CISO, manufacturing

Strengthened Security

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| A1 | Total annual risk exposure to security breaches for the composite organization | Forrester research | $2,424,000 | $2,424,000 | $2,424,000 |
| A2 | Percentage of breaches originating from external attacks targeting organizations, external attacks targeting remote environments, and internal incidents | Forrester research | 77% | 77% | 77% |
| A3 | Percentage of those attacks addressable with Deepwatch MDR | Interviews | 70% | 70% | 70% |
| A4 | Annual risk exposure addressable with Deepwatch MDR | A1*A2*A3 | $1,306,536 | $1,306,536 | $1,306,536 |
| A5 | Reduced risk of exposure to breach costs from addressable attack adjusted for implementation maturity attributable to Deepwatch MDR | Interviews | 30% | 40% | 50% |
| At | Strengthened security | A4*A5 | $391,961 | $522,614 | $653,268 |
| | Risk adjustment | ↓10% | | | |
| Atr | Strengthened security (risk-adjusted) | | $352,765 | $470,353 | $587,941 |

Three-year total: $1,411,059
Three-year present value: $1,151,145

Increased Operational Efficiency Of SecOps Team

Evidence and data. By automating alert triage, reducing false positives, and accelerating detection and response, Deepwatch MDR improved the operational efficiency of the interviewees’ organizations’ SecOps teams. Interviewees reported that analysts spent less time chasing alert noise and more time on higher-value activities, such as proactive threat hunting, security engineering, and strategic initiatives.

Deepwatch’s continuous monitoring, analyst-validated detections, and structured escalation workflows operated on top of the interviewees’ organizations’ existing security tooling, reducing manual workload and improving alert quality and day-to-day investigation efficiency. These capabilities eliminated time previously spent sorting through low-confidence alerts and enabled the interviewees’ teams to operate with greater consistency and focus. Several interviewees also described increased operational maturity and upskilling through recurring collaboration with Deepwatch, who provided context, guidance, and tailored insights during regular touchpoints. In addition, continued platform enhancements — including AI-driven context enrichment, agent-assisted detection, and ticket analysis within its NEXA ecosystem — further strengthened visibility and decision-making while easing operational burden over time.

  • Several interviewees noted that Deepwatch’s integration with ITSM platforms improved end-to-end visibility, streamlined workflows, and reduced operational friction, resulting in accelerated ticketing and reduced errors in incident management.

  • Interviewees also described SIEM-related workflow support from Deepwatch, such as improving how log data was organized and interpreted, tuning detections and alerts, and helping refine dashboards, which contributed to clearer visibility and fewer nonactionable alerts reaching internal teams.

  • Interviewees reported a significant decrease in false positives — estimated at 60% to 75% — and faster escalation of true threats. This improvement allowed their analysts to focus on meaningful investigations rather than chasing noise. The VP and CISO in manufacturing said: “We do see a good, solid SLA. After three years of running the solution, our rate of true positives — the things that get escalated to us and increasingly require our attention — has improved dramatically. I would credit that to the speed and detection capabilities that have been built up [in Deepwatch MDR].”

  • Deepwatch’s automation and expert triage reduced the manual workload for internal teams at the interviewees’ organizations. The CISO in life sciences summarized the impact: “Deepwatch’s expertise saves us significant time. They filter through massive volumes of SOC alerts we couldn’t handle with our current resources. Their platform intelligence and team insights make this possible.”

  • The same CISO noted that intelligent automation removed the need to hire two extra FTEs to manage alert noise and incident response, stating, “[Our organization] could never get two qualified FTEs for what we pay for Deepwatch.”

  • The manager of technical services in manufacturing added they would need to add eight to 10 additional people to replicate the efficiencies gained with Deepwatch.

  • The deputy CISO in manufacturing reported, “If we didn’t have Deepwatch, I would estimate that we would need another 20 FTEs to do [what] Deepwatch is doing.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Eight SecOps personnel experience a net operational efficiency gain of 25% in Year 1 driven by reductions in manual investigation time, fewer false positives, improved alert prioritization, and the introduction of more structured workflows with Deepwatch’s solution. These gains reflect an initial productivity lift as the team transitions away from manual triage and begins leveraging continuous monitoring and analyst-supported escalation.

  • The net efficiency gain increases to 35% in Year 2 and 40% in Year 3 as the composite organization benefits from a full year of operational familiarity, deeper integration with internal systems, more consistent adoption of recommended workflows, and the use of additional automation and AI-supported capabilities introduced over time. These gains represent natural maturation effects rather than step-function changes.

  • The average fully burdened annual salary for a SecOps team member is $156,000.

  • The SecOps team redirects 80% of the efficiency gains toward other value-added activities, such as process improvement, engineering work, threat hunting, and enhancements to governance and automation.

Risks. The amount of this benefit can vary across organizations due to differences in:

  • Baseline security maturity and tooling sophistication prior to adopting Deepwatch.

  • Team size, skill level, and allocation of responsibilities.

  • Level of integration with existing security tools and systems.

  • Extent of adoption of processes and procedures provided by Deepwatch.

Results. To account for these risks, Forrester adjusted this benefit downward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $775,000.

“The greatest benefit [is that Deepwatch] really became — and continues to be — an extension of our team … [and they are] actively engaged in [our] success.”

Manager of technical services, manufacturing

Increased Operational Efficiency Of SecOps Team

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| B1 | SecOps personnel engaged with Deepwatch MDR | Composite | 8 | 8 | 8 |
| B2 | Net operational efficiency gains from MDR capabilities | Interviews | 25% | 35% | 40% |
| B3 | Fully burdened average annual salary for a SecOps team member | Composite | $156,000 | $156,000 | $156,000 |
| B4 | Productivity recapture | Composite | 80% | 80% | 80% |
| Bt | Increased operational efficiency of SecOps team | B1*B2*B3*B4 | $249,600 | $349,440 | $399,360 |
| | Risk adjustment | ↓5% | | | |
| Btr | Increased operational efficiency of SecOps team (risk-adjusted) | | $237,120 | $331,968 | $379,392 |

Three-year total: $948,480
Three-year present value: $774,960

Employee Productivity Gains From Reduced Security-Related Incidents And Remediation Activities

Evidence and data. Interviewees described how Deepwatch MDR reduced the frequency and severity of employee-facing security disruptions, including compromised accounts, phishing attempts, malware-related slowdowns, and other issues that previously interrupted daily work. By identifying threats earlier and escalating them through automated workflows, Deepwatch helped prevent user-impacting issues and reduced time employees spent noticing problems, troubleshooting, submitting tickets, or waiting for IT to remediate them. Integrations with IT service management tools further minimized manual handoffs at the interviewees’ organizations, accelerating ticket resolution and reducing the back-and-forth that often delayed employees from returning to full productivity. The interviewees’ organizations benefited from more consistent detection of user-impacting issues, helping staff stay focused on their work with fewer interruptions.

  • Interviewees explained that by reducing security-related disruptions and unplanned investigations, Deepwatch MDR helped improve day-to-day operational stability for IT teams. With fewer urgent security escalations pulling staff away from planned work, interviewees’ organizations were able to execute projects more consistently and advance initiatives more quickly. The CISO in life sciences summarized the impact this way: “We are definitely not facing as many disruptions as we had previously. … IT has been able to advance different projects faster than they would have had we not had this implemented because the environment was a lot less stable prior to implementation.”

  • Several interviewees articulated that Deepwatch’s automated alerting and ticketing processes ensured issues could be escalated and addressed before they became user-facing problems and enabled IT teams to proactively address vulnerabilities or suspicious activity before employees were impacted. This proactive approach helped prevent lockouts, outages, and performance slowdowns, reducing the time employees spent waiting for IT to resolve issues.

  • Interviewees reported a reduction in compromised accounts and phishing-related disruptions. This improvement not only reduced the time their IT teams spent on remediation but also prevented employees from being locked out of applications and accounts. The manager of technical services in manufacturing said: “We used to have a couple of those [phishing compromises] a month. … We rarely see that now — maybe a couple of times a year.”

  • The deputy CISO in manufacturing explained how integrations with other tools reduced time to identify and remediate issues, stating, “[Deepwatch is] directly connected and integrated with [our ITSM solution] and that saves a ton of time. There aren’t any handoffs. … It increases speed and also improves overall quality and end-to-end visibility of what’s going on in the environment.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Prior to the deployment of Deepwatch MDR, 20% of the composite organization’s 5,000 employees experience some form of disruption due to inconsistent coverage and manual security processes that expose them to issues such as account lockouts, phishing attempts, access delays, system slowdowns, or delays caused by extra safeguard steps meant to compensate for limited visibility.

  • The disrupted employees save 1 hour per year from the reduction of security-related incidents and remediation activities enabled by Deepwatch MDR.

  • The fully burdened average hourly rate for a disrupted employee is $50.

  • Employees recapture 50% of the time saved for other value-added activities.

Risks. The amount of this benefit can vary across organizations due to differences in:

  • Baseline security maturity and tooling sophistication prior to adopting Deepwatch.

  • Volume and type of end-user security incidents experienced by the organization.

  • Variability in employee roles, workflows, and reliance on technology.

  • Internal IT support processes and response models.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $56,000.

Employee Productivity Gains From Reduced Security-Related Incidents And Remediation Activities

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| C1 | Employees | Composite | 5,000 | 5,000 | 5,000 |
| C2 | Portion of employees impacted by security-related incidents and remediation activities | Composite | 20% | 20% | 20% |
| C3 | Average time saved per impacted employee (hours) | Interviews | 1 | 1 | 1 |
| C4 | Fully burdened hourly rate for an employee | Composite | $50 | $50 | $50 |
| C5 | Productivity recapture | Composite | 50% | 50% | 50% |
| Ct | Employee productivity gains from reduced security-related incidents and remediation activities | C1*C2*C3*C4*C5 | $25,000 | $25,000 | $25,000 |
| | Risk adjustment | ↓10% | | | |
| Ctr | Employee productivity gains from reduced security-related incidents and remediation activities (risk-adjusted) | | $22,500 | $22,500 | $22,500 |

Three-year total: $67,500
Three-year present value: $55,954

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

  • Improved analyst morale. Interviewees described morale improvements tied to reduced noise, clearer escalations, and fewer manual investigations. Analysts were able to focus more on meaningful work, such as tuning detections, strengthening engineering practices, and improving internal processes, rather than chasing false positives or managing alert fatigue.

  • Improved cyber insurance qualification and reduced premiums. Some interviewees reported that Deepwatch MDR helped their organizations satisfy cyber insurance requirements for SOC monitoring, incident response, and logging visibility. The manager of technical services in manufacturing noted that Deepwatch “checked a bunch of those boxes,” and that their cyber insurance rates “have gone down as a result,” estimating roughly an 8% reduction.

  • Improved communications with key stakeholders. Interviewees mentioned that Deepwatch’s dashboards, reporting tools, and structured escalation processes made it easier to communicate security posture and SOC activity to executives, CIOs, and boards. For the global manufacturing enterprise, leadership expressed confidence after Deepwatch benchmarked the organization’s security maturity. These improvements enhanced transparency and supported more informed decision-making.

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement MDR and later realize additional uses and business opportunities, including:

  • Scaling detection coverage and alert tuning over time. Interviewees described how Deepwatch’s rule sets and tuning capabilities evolved with their environments, supporting new log sources, detections, and architectural changes over time. Interviewees noted that Deepwatch continuously refined escalations, reducing noise and improving true-positive accuracy as their organizations’ environments grew more complex. This adaptability enabled their organizations to maintain effective detection coverage even as they expanded cloud workloads, device footprints, and security tooling.

  • Integrating with existing security and IT operations tools. Deepwatch’s ability to work within existing SIEM, ITSM, and endpoint detection and response (EDR) ecosystems provided deployment flexibility and avoided disruptions to established workflows. Interviewees highlighted that Deepwatch MDR overlays — rather than replaces — existing investments, allowing the interviewees’ organizations to continue expanding or modernizing their security stack without operational or architectural constraints. Several interviewees valued that Deepwatch worked natively with their organizations’ SIEM and ITSM systems, avoiding costly reinstrumentation.

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).

Analysis Of Costs

Quantified cost data as applied to the composite
Total Costs

| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Dtr | Deepwatch MDR fees | $0 | $210,000 | $210,000 | $210,000 | $630,000 | $522,239 |
| Etr | Implementation and optimization of Deepwatch MDR | $98,280 | $49,140 | $16,380 | $16,380 | $180,180 | $168,796 |
| | Total costs (risk-adjusted) | $98,280 | $259,140 | $226,380 | $226,380 | $810,180 | $691,035 |

Deepwatch MDR Fees

Evidence and data. Interviewees provided cost information regarding fees paid for Deepwatch MDR, which Forrester corroborated with Deepwatch. Actual costs will vary based on the service scope, coverage, and customer-specific requirements. Contact Deepwatch for additional details.

Modeling and assumptions. Based on the interviews, Forrester assumes that Deepwatch MDR annual fees for the composite organization are $200,000.

Risks. This cost can vary across organizations due to differences in the negotiated pricing and licensing structure.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $522,000.

Deepwatch MDR Fees

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| D1 | Deepwatch MDR fees | Composite | | $200,000 | $200,000 | $200,000 |
| Dt | Deepwatch MDR fees | D1 | $0 | $200,000 | $200,000 | $200,000 |
| | Risk adjustment | ↑5% | | | | |
| Dtr | Deepwatch MDR fees (risk-adjusted) | | $0 | $210,000 | $210,000 | $210,000 |

Three-year total: $630,000. Three-year present value: $522,239.

Implementation And Optimization Of Deepwatch MDR

Evidence and data. Interviewees described completing a limited amount of internal effort to support the implementation and ongoing optimization of Deepwatch MDR, which SecOps personnel largely absorbed.

  • Initial activities primarily focused on onboarding, integrating existing security and IT tools, enabling telemetry sources, and aligning escalation procedures between internal teams and Deepwatch analysts.

  • Several interviewees explained that modest, periodic effort continued after initial deployment to refine workflows, expand coverage to additional systems or environments, and incorporate recommendations provided through regular operational touchpoints.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Three SecOps personnel spend 20% of their time during the initial deployment period performing implementation-related tasks, reflecting hands-on configuration, integration, and coordination efforts.

  • Over the course of Year 1, three SecOps personnel spend 10% of their time supporting stabilization, knowledge transfer, and early optimization activities.

  • In Years 2 and 3, two SecOps personnel dedicate 5% of their time to incremental integration and optimization activities.

  • The average fully burdened annual salary for personnel involved in implementation and optimization activities is $156,000.

Risks. This cost can vary across organizations due to differences in:

  • Variability in customer environment complexity and configuration requirements.

  • Internal resource availability and skill sets.

  • Scope and pace of deployment decisions.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $169,000.

“Deepwatch brought a level of expertise and technical prowess that helped make the onboarding process easier.”

CISO, life sciences

Implementation And Optimization Of Deepwatch MDR

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| E1 | FTEs involved with implementation and optimization of deployment | Composite | 3 | 3 | 2 | 2 |
| E2 | Effort level | Interviews | 20% | 10% | 5% | 5% |
| E3 | Fully burdened annual salary for implementation and optimization employee | Composite | $156,000 | $156,000 | $156,000 | $156,000 |
| Et | Implementation and optimization of Deepwatch MDR | E1*E2*E3 | $93,600 | $46,800 | $15,600 | $15,600 |
| | Risk adjustment | ↑5% | | | | |
| Etr | Implementation and optimization of Deepwatch MDR (risk-adjusted) | | $98,280 | $49,140 | $16,380 | $16,380 |

Three-year total: $180,180. Three-year present value: $168,796.

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

[Figure: Cash Flow Chart (Risk-Adjusted), showing total costs, total benefits, and cumulative net benefits for Initial, Year 1, Year 2, and Year 3]

Cash Flow Analysis (Risk-Adjusted)

| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($98,280) | ($259,140) | ($226,380) | ($226,380) | ($810,180) | ($691,035) |
| Total benefits | $0 | $612,385 | $824,821 | $989,833 | $2,427,039 | $1,982,059 |
| Net benefits | ($98,280) | $353,245 | $598,441 | $763,453 | $1,616,859 | $1,291,024 |
| ROI | | | | | | 187% |

Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in MDR.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that MDR can have on an organization.

Due Diligence

Interviewed Deepwatch stakeholders and Forrester analysts to gather data relative to MDR.

Interviews

Interviewed five decision-makers at organizations using MDR to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach
Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology
Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Appendix B

Endnotes

1 Source: The Managed Detection And Response Services Landscape, Q3 2024, Forrester Research, Inc., September 20, 2024.

2 Source: Global Cybersecurity Market Forecast, 2024 To 2029, Forrester Research, Inc., September 9, 2025.

3 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

4 Cumulative breach costs are computed using the composite organization’s size (revenue or number of employees) as an input to a regression analysis of reported total cumulative costs for all breaches for organizations that experienced at least one breach in the past 12 months. Source: Forrester’s Security Survey, 2025, “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” Base: 1,740 global security decision-makers who have experienced a breach in the past 12 months. The cumulative breach cost is then multiplied by a 67% likelihood for organizations to experience one or more breaches in a given year. Source: Forrester’s Security Survey, 2025, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 2,643 global security decision-makers

5 Percentage of breaches by primary attack vector for breaches, as reported by security decision-makers whose organizations experienced at least one breach in the last 12 months. Source: Forrester’s Security Survey, 2025, “Of the times that your organization’s sensitive data was potentially compromised or breached in the past 12 months, please indicate how many of each fall into the categories below.” Base: 1,766 global security decision-makers who have experienced a breach in the past 12 months.

Disclosures

Readers should be aware of the following:

This study is commissioned by Deepwatch and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in MDR.

Deepwatch reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Deepwatch provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Kris Peterson

Published

February 2026
