Kaseya SIEM vs enhanced.io: correlated detection compared


TL;DR

  • Kaseya SIEM went GA in April 2026 claiming to correlate signals from more than 60 data sources to detect threats across the full attack surface. 

  • That is enhanced.io's language and positioning. MSPs evaluating both should understand what "correlated detection" means in practice before choosing. 

  • The comparison below covers eight variables: data sources, log retention, pricing model, named analyst access, response action capability, integrations, compliance reporting and channel terms. 

  • Correlated detection is only as useful as the breadth of data sources feeding it and the quality of the response layer acting on it. 

  • The five questions at the end of this post apply to any SIEM or MDR vendor using similar language. 

What correlated detection actually means 

Kaseya SIEM launched at Kaseya Connect 2026 in late April with a specific claim: it correlates "signals from more than 60 data sources to detect and respond to threats across the full attack surface." That description is accurate for a modern SIEM. It is also, word for word, the value proposition that enhanced.io has built its detection platform around. 

When two vendors use the same language, the useful question is what they mean by it in practice. Correlation can describe anything from alert deduplication at the basic end to true multi-vector attack path reconstruction at the advanced end. The number of data sources matters. The depth of the correlation logic matters more. 

The comparison below is specific. It covers what each platform does, not what it claims. 

Eight-point comparison: Kaseya SIEM vs enhanced.io 

Data sources 

Kaseya SIEM: correlates from 60+ sources as of the April 2026 GA launch. Sources span endpoint, network and cloud telemetry within the Kaseya ecosystem and via third-party integrations. 

enhanced.io: built on Stellar Cyber Open XDR with 400+ native integrations. Sources cover endpoint, identity, email, network, cloud, OT and SaaS telemetry. The integrations page lists current supported sources. 

Log retention 

Kaseya SIEM: 400-day log retention included in the MDR bundle as of the April 2026 launch. 

enhanced.io: retention periods are defined in the MSP partner agreement. Contact enhanced.io for current retention terms. 

Pricing model 

Kaseya SIEM: per-user pricing, bundled with Kaseya MDR. Bundle discounts apply for Kaseya stack customers. 

enhanced.io: per-user and per-endpoint pricing with no stack dependency. Pricing is the same regardless of which RMM or PSA the MSP uses. 

Named analyst access 

Kaseya SIEM: analyst access is provided through the Kaseya MDR SOC layer. Named analyst assignment varies by tier. 

enhanced.io: named analysts are part of the standard service. MSPs have a consistent contact for escalations rather than routing to a general queue. 

Response action capability 

Kaseya SIEM: response actions are coordinated through Kaseya MDR. Automated response capabilities are available for defined threat scenarios within the Kaseya ecosystem. 

enhanced.io: containment actions are coordinated by named analysts with the MSP rather than taken unilaterally. The model is co-managed by design.

Integrations 

Kaseya SIEM: integrates natively with Kaseya RMM, Kaseya BMS and other Kaseya stack products. Third-party integrations are available but the product is optimized for the Kaseya ecosystem. 

enhanced.io: vendor-agnostic. Integrates with ConnectWise, N-able, Datto and other major RMM and PSA platforms alongside Kaseya. 

Compliance reporting 

Kaseya SIEM: SIEM-level compliance reporting is available. NIST CSF-aligned onboarding and vCISO-style reporting are not part of the standard product. 

enhanced.io: NIST CSF-aligned onboarding is part of the standard service. Compliance-ready reports are produced for client QBRs and audit purposes. Fractional Security Director guidance is available as part of the partner program. 

Channel terms 

Kaseya SIEM: available through Kaseya's partner program. Bundle pricing is structured to reward Kaseya stack consolidation. 

enhanced.io: channel-only delivery. enhanced.io does not sell direct to end clients. MSP margins and white-label options are standard rather than tier-dependent. 

Five questions to ask any SIEM vendor 

1. How does the correlation engine handle multi-stage attacks? 

Single-vector detection is table stakes. The question that distinguishes SIEM platforms is whether correlation logic can reconstruct an attack path across lateral movement, privilege escalation and data exfiltration over multiple days and multiple data sources. Ask for an example from a real client environment, not a lab scenario. 

2. What is the false positive rate, and how is it measured? 

A SIEM that ingests 60 data sources and correlates them at low fidelity generates more false positives than one that ingests fewer sources at higher fidelity. Ask for the false positive rate per 1,000 alerts in a production MSP environment. Vendors with this data will share it. Vendors without it are not measuring the metric that matters most to MSP operations teams. 

3. Does the SIEM work across all your clients' environments or only within the vendor's ecosystem? 

The answer to this question determines whether the SIEM covers the full attack surface or only the portion of it that the vendor's tooling can see. If a client runs a third-party firewall or an endpoint tool outside the vendor's ecosystem, the question is whether that telemetry is ingested and correlated or excluded from the detection coverage. 

4. Who acts on the correlated detection, and what is their escalation path? 

Correlated detection that produces an alert and then waits for MSP staff to action it is a detection product, not an MDR product. The question is whether the vendor provides a human SOC layer that acts on the correlation output, and whether that layer is a general queue or a named analyst with context on your clients' environments. 

5. What happens to your log data if you change vendor? 

400-day retention is a useful feature. Portability is a separate question. Ask specifically whether log data can be exported in a usable format and whether investigation history and incident records travel with the MSP if the commercial relationship ends. The answer to this question has practical implications for regulatory compliance in some industries. 
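To make question 1 and the earlier distinction between alert deduplication and attack path reconstruction concrete, here is an added sketch (not code from either vendor or from the original post) that runs both over the same alerts. The alert tuple layout, stage labels, entity names, 7-day window and two-source minimum are assumptions chosen for illustration, and the sample alerts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (timestamp, source, stage, entity).
# Entity names are hypothetical.
ALERTS = [
    ("2026-05-01T09:00", "network",  "lateral_movement",     "acct-finance01"),
    ("2026-05-01T09:00", "network",  "lateral_movement",     "acct-finance01"),  # duplicate
    ("2026-05-02T14:30", "identity", "privilege_escalation", "acct-finance01"),
    ("2026-05-04T02:10", "cloud",    "exfiltration",         "acct-finance01"),
    ("2026-05-01T10:00", "endpoint", "lateral_movement",     "acct-helpdesk02"),
    ("2026-05-02T11:00", "endpoint", "privilege_escalation", "acct-helpdesk02"),
    ("2026-05-20T08:00", "network",  "exfiltration",         "acct-helpdesk02"),
]

# Stage order taken from the attack path named in question 1.
STAGES = ["lateral_movement", "privilege_escalation", "exfiltration"]

def dedupe(alerts):
    """Basic end: collapse identical alerts. Says nothing about how alerts relate."""
    parsed = {(datetime.fromisoformat(ts), src, stage, ent)
              for ts, src, stage, ent in alerts}
    return sorted(parsed)  # time-ordered

def correlate_chains(alerts, window=timedelta(days=7), min_sources=2):
    """Advanced end: per entity, find all stages in order within one window,
    drawn from at least `min_sources` distinct data sources."""
    by_entity = defaultdict(list)
    for alert in dedupe(alerts):
        by_entity[alert[3]].append(alert)
    chains = {}
    for entity, items in by_entity.items():
        for i, start in enumerate(items):
            if start[2] != STAGES[0]:
                continue
            chain = [start]
            for nxt in items[i + 1:]:
                if nxt[0] - start[0] > window:
                    break  # later alerts fall outside the correlation window
                if len(chain) < len(STAGES) and nxt[2] == STAGES[len(chain)]:
                    chain.append(nxt)
            sources = {a[1] for a in chain}
            if len(chain) == len(STAGES) and len(sources) >= min_sources:
                chains[entity] = chain
                break
    return chains
```

Deduplication reduces the seven alerts to six but still presents them as unrelated; the chain correlation reports only the entity whose three stages fall inside the window, which is why the window length and source coverage are worth asking a vendor about.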

The bigger picture 

Kaseya SIEM entering GA with 60+ data source correlation is a meaningful development for the MSP market. It raises the baseline expectation for what a bundled SIEM product should do and puts pressure on vendors that have been offering narrower correlation coverage at similar price points. 

For MSPs evaluating the options, the useful comparison is not the headline data source count. It is the depth of the correlation logic, the quality of the human layer acting on it and whether the vendor's model preserves the MSP's flexibility or deepens their lock-in to a single stack. 

Those three variables are where the real differences in MDR outcomes show up. The comparison between SIEM, XDR and EDR approaches is worth reading as a reference point before committing to any new SIEM implementation. 

FAQ

What is Kaseya SIEM?

Kaseya SIEM is a security information and event management product that went generally available at Kaseya Connect 2026 in late April. It is bundled with Kaseya MDR and positioned around correlated detection from more than 60 data sources. It is optimized for environments running Kaseya RMM and other Kaseya stack products.

How is enhanced.io different from a traditional SIEM?

Does enhanced.io integrate with Kaseya RMM?

What does "correlated detection" mean in practice?

How does log retention work in enhanced.io?

Is Kaseya SIEM suitable for non-Kaseya environments?

About Author

Mark Duke

Mark Duke is CTO and co-founder of enhanced.io. He designed the SOC architecture on Stellar Cyber Open XDR and oversees all technical delivery across the platform.