BUYER BRIEF  ·  VENDOR-NEUTRAL  ·  UPDATED 2026-04-27
Question bank · Last verified April 2026

Questions to ask XDR vendors (that force hidden-cost disclosure).

Vendor demos answer the questions you ask. These are the questions vendors hope you don't. Use them in the quote call, the demo, the reference check, and the contract review.

Every question below is designed to surface information a vendor is unlikely to volunteer but is likely to answer directly if you ask. Many of them have a standard answer the sales team has already rehearsed; your value in the call is to ask, and then to ask the follow-up question that pushes past the rehearsed answer. The follow-up is usually the question that starts “show me” or “write that in the contract”.

Use-pattern. Send the pricing and commercial sections as a written questionnaire before the quote call; run the architecture, detection, and operations sections in the demo itself with the technical lead in the room. Written answers bind the vendor more tightly than verbal commitments; verbal answers expose how well the vendor understands their own product.

01 · Pricing

Most vendor quotes cover the base licence and leave the add-ons implicit. These questions force a complete all-in picture.

  1. Q01 What is the all-in year-one cost, including onboarding fees, ingestion, retention, and any telemetry module add-ons?
  2. Q02 What is the steady-state year-two cost, after year-one discounts expire and assuming a typical renewal escalation?
  3. Q03 What is the overage rate on ingestion above the bundled daily allowance, and is it billed monthly or trued up annually?
  4. Q04 What is the cost to retain queryable telemetry for twelve months versus thirty days? Show the per-GB-per-month hot and cold storage rates.
  5. Q05 What is the onboarding fee, and precisely what is included (deployment, integration, detection content migration, analyst training)?
  6. Q06 What is the cost of adding each additional telemetry module (identity, cloud workload, email, third-party log ingestion)?
  7. Q07 Is there a minimum commitment, and what happens if we reduce endpoints mid-term?

02 · Architecture

Architecture questions surface the vendor's genuine coverage and reveal the integration costs that the headline quote usually hides.

  1. Q01 Which of the six telemetry sources are first-party (your sensors) and which are integrated via third parties?
  2. Q02 How are third-party telemetry logs priced: per source, per GB, or bundled into a base rate?
  3. Q03 Where is our telemetry physically stored, under which jurisdiction, and what are the GDPR or regional-compliance implications?
  4. Q04 What is the cost to replicate data to an alternative region for disaster recovery or regulatory reasons?
  5. Q05 What is the data-residency commitment, and can we require it contractually?
  6. Q06 What API is available for our team to automate workflows, and is there a rate limit or API-call fee?
  7. Q07 What integration path supports our existing SIEM, SOAR, and ticketing tools? Are connectors pre-built or custom?

03 · Detection

Detection capability is the reason to buy XDR. These questions separate platforms that detect well from platforms that market well.

  1. Q01 How many MITRE ATT&CK techniques are covered by out-of-the-box detections, where is the coverage matrix published, and does the count include techniques whose only detections depend on an add-on telemetry module we have not yet priced? Follow up: show the matrix filtered to the modules in our quote.
  2. Q02 Can we write custom detections, and what query language does the platform use?
  3. Q03 What is the tuning process for reducing false positives, and what customer-facing tooling supports it?
  4. Q04 How often does the platform release new detection content, and is there a changelog with customer-facing transparency?
  5. Q05 What threat intelligence feeds are included, and can we integrate our own?
  6. Q06 What false-positive rate do you claim, how is it measured (independent evaluation, customer case studies, alerts per thousand endpoints per day), and can we verify it in a proof of concept on our own telemetry rather than on your sample data?
  7. Q07 Show an incident investigation in the console using an anonymised real incident, not a scripted demo.
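The coverage question above is the one most often answered with a single headline number. The following script is an added example for this question bank, not a vendor's tool and not any real vendor's matrix: `VENDOR_MATRIX` is a constructed stand-in for the coverage export you ask for in Q01, and the detection names and module names are placeholders. The technique IDs are real MITRE ATT&CK identifiers. It recomputes the claim against our own priority list and against the modules actually in the quote, and separately flags techniques that rest on a single analytic or on a parent-level mapping.

```python
"""Check a vendor's ATT&CK coverage claim against what the quote actually buys us.

Added example for the Detection questions, not a vendor's tool. VENDOR_MATRIX,
PRIORITY_TECHNIQUES and PURCHASED_MODULES are constructed placeholders.
"""
from collections import Counter

# Constructed vendor export: technique -> [(detection name, telemetry module it needs)]
VENDOR_MATRIX = {
    "T1059.001": [("PowerShell encoded command line", "endpoint")],
    "T1078":     [("Impossible-travel sign-in", "identity"),
                  ("New privileged role assignment", "identity")],
    "T1566.001": [("Malicious attachment detonated", "email")],
    "T1021.001": [("RDP lateral-movement burst", "endpoint"),
                  ("RDP from previously unseen source", "network")],
    "T1486":     [("Mass file rename with new extension", "endpoint")],
    "T1136.003": [("Cloud account created outside IaC pipeline", "cloud")],
    "T1003":     [("Suspicious LSASS handle open", "endpoint")],  # parent-level claim only
}

# Constructed buyer priority list, e.g. the output of a threat model of our estate.
PRIORITY_TECHNIQUES = [
    "T1059.001", "T1078", "T1566.001", "T1021.001",
    "T1486", "T1136.003", "T1003.001", "T1053.005",
]

# Modules in the quote we are actually evaluating (see Pricing Q06).
PURCHASED_MODULES = {"endpoint"}


def parent_technique(tid: str) -> str:
    """'T1003.001' -> 'T1003'; a parent ID is returned unchanged."""
    return tid.split(".", 1)[0]


def assess(matrix: dict, priorities: list, purchased: set) -> dict:
    """Classify each priority technique by what the quote really buys.

    covered          : two or more detections runnable with purchased modules
    single_analytic  : exactly one usable detection (one evasion away from blind)
    parent_only      : vendor maps at the parent technique, not this sub-technique
    needs_module:<m> : detections exist but all depend on modules not in the quote
    uncovered        : nothing mapped at all
    """
    report = {}
    for tid in priorities:
        detections = matrix.get(tid)
        via_parent = False
        if detections is None:
            detections = matrix.get(parent_technique(tid), [])
            via_parent = tid != parent_technique(tid)
        usable = [d for d in detections if d[1] in purchased]
        if not detections:
            status = "uncovered"
        elif not usable:
            missing = sorted({module for _, module in detections})
            status = "needs_module:" + ",".join(missing)
        elif via_parent:
            status = "parent_only"
        elif len(usable) == 1:
            status = "single_analytic"
        else:
            status = "covered"
        report[tid] = status
    return report


def summarise(report: dict) -> dict:
    """The number the vendor will quote versus the number that is true for our quote."""
    counts = Counter(status.split(":")[0] for status in report.values())
    total = len(report)
    claimed = total - counts["uncovered"]
    usable = counts["covered"] + counts["single_analytic"] + counts["parent_only"]
    return {
        "total": total,
        "claimed": claimed,
        "usable": usable,
        "claimed_pct": round(100 * claimed / total, 1),
        "usable_pct": round(100 * usable / total, 1),
        "needs_module": counts["needs_module"],
        "single_analytic": counts["single_analytic"],
        "parent_only": counts["parent_only"],
    }


if __name__ == "__main__":
    result = assess(VENDOR_MATRIX, PRIORITY_TECHNIQUES, PURCHASED_MODULES)
    for technique, status in result.items():
        print(f"{technique:<10} {status}")
    print(summarise(result))
```

On the constructed data the vendor can truthfully say it maps 7 of our 8 priority techniques; with only the endpoint module in the quote, 4 of 8 are usable, three of those by a single analytic, and three more appear only after buying the identity, email and cloud modules. Those three modules are the hidden cost that Pricing Q06 is meant to surface, and the single-analytic techniques are where to point the Q07 live investigation.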

04 · Commercial terms

The contract is where the year-two surprises live. Each item below has burned at least one buyer in a published case study.

  1. Q01 What is the renewal escalation cap, and is it applied per year to the original price or compounded on the previous year's price over the term?
  2. Q02 What is the minimum term commitment, and what are the early-termination penalties?
  3. Q03 Can we reduce our endpoint count mid-term if our environment shrinks, and at what rate?
  4. Q04 What happens to our telemetry data if we choose not to renew? Is there an egress window or a pay-for-export clause?
  5. Q05 Is there an assignment or change-of-control clause that would affect us during an acquisition?
  6. Q06 What remedies apply if the platform fails to meet the uptime SLA, and how are credits calculated?
  7. Q07 Are there any commercial restrictions on how we use the platform (e.g. can we resell to subsidiaries, MSPs, or regulated customers)?
  8. Q08 What is the contractually committed response time for support, and at what tier (sev-1, sev-2, etc.)?
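The Pricing questions (all-in year one, steady-state year two, overage, hot versus cold retention) and the escalation-cap question above feed one calculation, and the vendor's quote rarely does it for you. The following cost model is an added example for this question bank, not any vendor's pricing sheet: every rate in `EXAMPLE_QUOTE` is a constructed placeholder to be replaced with the written questionnaire answers, and the model assumes (as a labelled assumption, itself worth confirming in writing) that the escalation cap applies to the recurring subscription but not to overage or storage rates.

```python
"""All-in XDR cost model: year one versus steady-state year two and beyond.

Added example for this question bank, not a vendor's pricing sheet. Every rate
in EXAMPLE_QUOTE is a constructed placeholder; replace it with the written
answers to the Pricing and Commercial questionnaires.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Quote:
    endpoints: int
    per_endpoint_year: float   # base licence per endpoint per year (Pricing Q01)
    year_one_discount: float   # fraction off the base licence, year one only (Q02)
    onboarding_fee: float      # one-off, year one only (Q05)
    module_fees_year: float    # identity / cloud / email add-ons per year (Q06)
    ingest_gb_day: float       # expected daily ingestion across all sources
    bundled_gb_day: float      # allowance included in the base licence (Q03)
    overage_per_gb: float      # charge per GB per day above the allowance (Q03)
    hot_days: int              # days kept in the hot, queryable tier (Q04)
    cold_days: int             # further days kept in cold storage (Q04)
    hot_gb_month: float        # hot storage, per GB per month (Q04)
    cold_gb_month: float       # cold storage, per GB per month (Q04)
    escalation_cap: float      # renewal uplift per year (Commercial Q01)


def overage_cost_year(q: Quote) -> float:
    """Usage charge: every GB above the daily allowance, every day of the year."""
    excess = max(0.0, q.ingest_gb_day - q.bundled_gb_day)
    return excess * q.overage_per_gb * 365


def retention_cost_year(q: Quote) -> float:
    """Storage charge at steady state: each tier holds ingest * its retention days."""
    hot_resident = q.ingest_gb_day * q.hot_days
    cold_resident = q.ingest_gb_day * q.cold_days
    return 12 * (hot_resident * q.hot_gb_month + cold_resident * q.cold_gb_month)


def escalated(amount: float, cap: float, year: int, compounded: bool) -> float:
    """Apply the renewal cap (year - 1) times.

    compounded=True : amount * (1 + cap) ** (year - 1)  (uplift on last year's price)
    compounded=False: amount * (1 + cap * (year - 1))   (uplift on the original price)
    The two agree in year two and diverge from year three onwards.
    """
    n = max(0, year - 1)
    return amount * ((1 + cap) ** n if compounded else (1 + cap * n))


def annual_cost(q: Quote, year: int, compounded: bool = True) -> float:
    """All-in cost for one contract year.

    Assumption (confirm it in writing): the cap applies to licence + modules but
    not to usage rates. Whether overage and storage rates also escalate is a
    separate question for the Pricing questionnaire.
    """
    base = q.endpoints * q.per_endpoint_year
    if year == 1:
        subscription = base * (1 - q.year_one_discount) + q.module_fees_year
        one_off = q.onboarding_fee
    else:
        subscription = escalated(base + q.module_fees_year, q.escalation_cap, year, compounded)
        one_off = 0.0
    return subscription + one_off + overage_cost_year(q) + retention_cost_year(q)


def term_cost(q: Quote, years: int, compounded: bool = True) -> float:
    """Total over the whole term, year one included."""
    return sum(annual_cost(q, y, compounded) for y in range(1, years + 1))


def escalation_gap(q: Quote, years: int) -> float:
    """How much more a compounded cap costs than a per-year cap over the term."""
    return term_cost(q, years, True) - term_cost(q, years, False)


# Constructed placeholder quote: 5,000 endpoints, 400 GB/day against a 250 GB/day
# allowance, 30 days hot plus 335 days cold, 20% year-one discount, 7% renewal cap.
EXAMPLE_QUOTE = Quote(
    endpoints=5000, per_endpoint_year=60.0, year_one_discount=0.20,
    onboarding_fee=25_000.0, module_fees_year=40_000.0,
    ingest_gb_day=400.0, bundled_gb_day=250.0, overage_per_gb=0.50,
    hot_days=30, cold_days=335, hot_gb_month=0.10, cold_gb_month=0.01,
    escalation_cap=0.07,
)

if __name__ == "__main__":
    q = EXAMPLE_QUOTE
    for y in (1, 2, 3, 5):
        print(f"year {y}: compounded {annual_cost(q, y, True):>12,.0f}"
              f"   per-year {annual_cost(q, y, False):>12,.0f}")
    print(f"overage {overage_cost_year(q):,.0f}/yr, retention {retention_cost_year(q):,.0f}/yr")
    print(f"extra cost of a compounded cap over 5 years: {escalation_gap(q, 5):,.0f}")
```

On the placeholder numbers the year-two cost is about 16% above year one even though nothing in the environment changed: the discount expires, the uplift applies, and overage plus twelve-month retention add roughly 58,000 a year that the per-endpoint headline never mentions. The per-year versus compounded wording is invisible in year two and only starts to cost from year three, which is why it belongs in the contract and not in the demo.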

05 · Operations

Operational fit decides whether the platform becomes a useful tool or shelfware. Ask about the analyst-hour reality, not just the feature list.

  1. Q01 What is the typical onboarding duration from contract signature to live detection content, and what is the customer time commitment?
  2. Q02 What does training cost for analysts, administrators, and detection engineers? Is it included or billable?
  3. Q03 What SLA applies to platform availability, and what is the historical uptime over the last twelve months?
  4. Q04 What SLA applies to support response, and what is the historical median time-to-first-response?
  5. Q05 Can we speak with two or three reference customers of similar size and industry, with their technical leads (not only their executive champions)?
  6. Q06 What is the typical FTE allocation for customers of our size, split between platform administration, detection engineering, and incident response?
  7. Q07 What is the cost to engage professional services for detection content development or an incident response retainer?

How to use the question bank in a real evaluation

  1. Before the first vendor call, send the Pricing and Commercial sections as a written questionnaire. Ask for written answers with specific numbers, not ranges.
  2. In the technical demo, run the Architecture and Detection sections with the customer technical lead in the room. Insist on a real incident investigation, not a scripted walkthrough.
  3. At reference check, run the Operations section with the reference customer's technical team, not their executive sponsor. Ask the FTE allocation and typical-onboarding questions to verify the vendor's claims.
  4. At contract review, pull the Commercial questions back into the contract language. Any question answered verbally but not in the contract is a risk.