Five Questions Your MSSP Can't Answer (And Why That Should Worry You)
Your Managed Security Service Provider (MSSP) answers questions about what they have detected. Ask them what they didn't detect, and watch the tap dancing begin.
We built the case for why your SOC isn't hunting, why their Target Operating Model is outdated, and how recurring hunts complement continuous monitoring. Now you must test your own security program.
Here are five questions for your next MSSP review. See whether their answers, or their silence, reveal gaps in your security coverage.
Q1: What percentage of analyst time is spent on hypothesis-driven investigation versus alert response?
Real threat hunting starts with a hypothesis and involves thorough investigation. Alert response means triaging the event queue.
What you'll hear: "Our analysts balance proactive and reactive activities."
What that means: In practice, analysts dedicate less than 10% of their time to investigation. The rest goes to alert triage.
Why it matters: You can't hunt while drowning in alerts.
Q2: How do you hunt for threats that don't generate alerts?
Modern adversaries avoid triggering detection rules. If your security depends on alerts, you only see threats that announce themselves.
What you'll hear: "We use behavioral analytics and machine learning."
What that means: The tools generate more alerts based on behavior instead of signatures. The process remains reactive.
Why it matters: Hunting means you actively investigate, regardless of whether an event generates an alert.
Q3: When did you last update your Target Operating Model to account for modern attack techniques?
What you'll hear: "We continuously update detection rules and threat intelligence."
What that means: They update what they detect, not how they operate.
Why it matters: The latest intelligence doesn't help if your operational model wasn't designed to detect modern threats.
Q4: Can you show me evidence we're NOT compromised right now?
Your MSSP can show investigated alerts and blocked threats, but can they prove the absence of threats?
What you'll hear: "We haven't seen any indicators of compromise."
What that means: No alert has fired, which is very different from proving you're not compromised.
Why it matters: You must proactively investigate threats that haven't generated alerts to prove you're not compromised.
Q5: What's your process for discovering living-off-the-land attacks?
Living-off-the-land attacks use tools already present in your environment, such as PowerShell, Scheduled Tasks, and various legitimate utilities, files, scripts, and libraries. Because these tools are legitimate, their misuse generates few or no alerts.
What you'll hear: "We monitor for suspicious PowerShell execution."
What that means: The system generates alerts for usage that looks suspicious. If attackers use those tools the way administrators do, nothing looks suspicious and no alert fires.
Why it matters: You must investigate deviations that don't trigger alerts to detect these attacks.
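As an added illustration of the deviation hunt Q5 calls for (example code written for this post, not the author's or any product's), here is a hypothesis-driven pass over constructed process telemetry: every event is a legitimate built-in tool, so no rule fires, yet baselining which accounts normally run each tool surfaces the rare pairs worth investigating. The event layout, the tool list and the threshold are assumptions.

```python
"""Hypothesis-driven hunt over process-execution telemetry.

Hypothesis: an adversary living off the land runs built-in tools
(schtasks.exe, powershell.exe, certutil.exe ...) that each look
legitimate on their own, so no alert fires. Instead of waiting for
an alert, we baseline which accounts normally run each tool and
surface (user, tool) pairs that are new or rare for this estate.
"""
from collections import Counter

# Constructed sample telemetry, assumed layout: (host, user, process).
EVENTS = [
    ("ws01", "alice", "powershell.exe"),
    ("ws01", "alice", "powershell.exe"),
    ("ws01", "alice", "powershell.exe"),
    ("srv01", "alice", "schtasks.exe"),
    ("srv01", "alice", "schtasks.exe"),
    ("ws02", "bob", "winword.exe"),
    ("ws02", "bob", "outlook.exe"),
    ("ws02", "bob", "powershell.exe"),
    ("ws02", "bob", "powershell.exe"),
    ("srv02", "svc_backup", "schtasks.exe"),   # one-off task creation
    ("ws03", "carol", "certutil.exe"),          # first certutil use
    ("ws03", "carol", "chrome.exe"),
]

# Assumed watch-list of built-in tools commonly abused but rarely alerted on.
LOLBINS = {"powershell.exe", "schtasks.exe", "certutil.exe",
           "wmic.exe", "rundll32.exe", "mshta.exe"}


def hunt_rare_lolbin_use(events, max_count=1):
    """Return [(user, process, [hosts])] for watch-listed tools that a
    given account ran at most max_count times in the telemetry window.

    Nothing here is an alert: each execution is individually legitimate.
    The output is a list of leads for an analyst to investigate, sorted
    so the result is stable for reporting.
    """
    counts = Counter()
    hosts = {}
    for host, user, proc in events:
        proc = proc.lower()
        if proc not in LOLBINS:
            continue
        key = (user, proc)
        counts[key] += 1
        hosts.setdefault(key, set()).add(host)
    return sorted((user, proc, sorted(hosts[(user, proc)]))
                  for (user, proc), n in counts.items() if n <= max_count)
```

Raising max_count widens the net to include accounts that use a tool occasionally; alice's routine PowerShell use never appears because it is the baseline, not a deviation.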
What These Questions Reveal
Have you noticed the pattern? All five questions probe the same gap: the difference between reactive monitoring and proactive investigation. Your MSSP is likely excellent at continuous alert-based monitoring, rapid incident response, and detecting known threats. These questions are not meant to criticize that work.
But if they can't answer with specifics, such as actual time allocation, a hunting hypothesis, or reports from a Target Operating Model (TOM) assessment, then you've identified the gap in your coverage.
The Follow-Up Question That Matters Most
After asking those five questions, ask the following question:
"If they're not doing hypothesis-driven threat hunting, who is?"
Because someone needs to be—the threats that matter most are the ones your monitoring wasn't designed to catch. If your MSSP says, "We can add that as an additional service," ask yourself: Do you want hunting from a team still building their process, or from specialists who do nothing but hunt?
What to Do with These Answers
Use these questions in your next security review or MSSP contract renewal. Don't ask them to confront your MSSP or SOC; ask them to understand your coverage.
If your provider gives clear answers backed by data and processes, you may have the coverage you need. If they can't, or if their answers reveal that hunting isn't happening, then you've identified a gap worth addressing.
The goal isn't to replace your MSSP. You must complement their monitoring with proactive investigation, which they weren't designed to do.
What Comes Next
You've now seen why SOCs don't hunt, why TOMs are outdated, why continuous hunting is unnecessary, how the hybrid model works, and which questions expose gaps in your monitoring.
The final question: What do you do about it?
The answer requires shifting how you think about security operations from trying to make one team do everything to building a model where different teams do what they do best. It's about focusing on "who" is best equipped to address each challenge, not just "how" the work gets done.
Next, we'll bring this full circle: why it's time to stop asking your reactive SOC to be proactive.
About the Series: This is Part 5 of a six-part series that examines the gap between how security operations are delivered and how modern threats operate. We're building a practical framework to complement your existing security investments.
Specialized services exist because these questions shouldn't have silence as answers. We perform independent threat hunting that your MSSP may not have been designed to handle, using hypothesis-driven investigation, historical analysis, and blind-spot discovery. We share all our methods openly because our value lies in identifying threats, not in hoarding techniques. Learn more at focusedhunts.com
