What a response time SLA actually covers

ConnectWise launched Modern Threat Protection in April 2026 with delivery guarantees it described as "setting a new standard for MSP cybersecurity." The headline figure was 15 minutes. That number will come up in procurement conversations for months, possibly years.

The question worth asking before you quote it back to a client or use it to evaluate a competitor is: 15 minutes to do what, exactly? Detection and containment are not the same thing. Notification and remediation are not the same thing. A response time SLA that covers one of those four actions tells you very little about the others.

What this means in practice is that two vendors can both quote 15 minutes and be describing completely different things. One measures time from alert ingestion to analyst triage. Another measures time from confirmed threat to containment action. A third measures time to notify the MSP that something has been detected. All three are defensible uses of the phrase "response time." None of them are interchangeable.

Seven vendor SLA commitments compared

The table below draws on publicly available vendor documentation and press releases as of May 2026. Where a vendor does not publish a specific figure, that is noted.

ConnectWise Modern Threat Protection: 15-minute detection SLA, published April 2026. Scope is described as detection-to-alert. Containment timeline not separately specified in the launch release.

Huntress: publishes time-to-detect metrics and mean time to respond (MTTR) data via its threat ops reporting. No single headline SLA figure published as a marketing commitment.

Arctic Wolf: publishes response workflow commitments as part of its Concierge Security team model. Escalation timelines are covered in MSP contracts rather than marketing materials.

Blackpoint Cyber: anchors its 2026 Threat Report on credential intrusion response. Detection-to-containment figures are cited in case studies rather than guaranteed SLAs.

Kaseya MDR: launched with AI-enhanced SOC positioning in April 2026. Response commitments tied to ticket escalation workflows rather than published detection SLAs.

Heimdal: AI Wingman launched April 2026. Response time positioning focuses on triage automation rather than a specific SLA figure.

enhanced.io: response commitments are scoped to detection, triage and escalation, with named analysts handling escalation rather than automated-only triage. Containment actions are coordinated with the MSP rather than taken unilaterally.

Five things an MDR SLA must specify to be meaningful

1. What the clock starts on

An SLAH3:  that measures from alert ingestion treats log noise the same as a confirmed threat. An SLA that measures from analyst confirmation is a better proxy for actual risk reduction. The question to ask is: does your SLA timer start when data arrives or when a human analyst has reviewed and confirmed the threat?

2. What action the SLA covers

DeteH3: ction, triage, containment and remediation are four different actions with four different timelines. A vendor that guarantees 15 minutes to detect and hours to contain has a 15-minute detection SLA, not a 15-minute response SLA. Get confirmation of which actions are covered before treating a headline figure as a complete commitment.

3. How breaches are measured and reported

If a vendor misses its SLA, how do you know? Some vendors provide per-incident SLA reporting. Others report aggregate metrics monthly. The question to ask is whether the MSP receives documented confirmation when an SLA commitment is met or missed for a specific incident.

4. What the remedy is when an SLA is missed

Service credits, contract review rights and escalation paths are all different remedies, and most MSP contracts include at least one. The question to ask is what the vendor's obligation is when the SLA is not met, not just what the target figure is.

5. How the SLA interacts with your clients' existing tools

An MDR SLA measured against a single EDR platform tells you nothing about detection across identity, email and network layers. If your clients have hybrid environments with multiple data sources, the relevant question is whether the SLA applies to correlated detection across the full environment or only to the EDR layer.

The bigger picture

The 15-minute figure from ConnectWise will drive more MSP conversations about SLA commitments in 2026 than any comparable claim in recent years. That is not a bad thing. Clarity on response time commitments is useful for MSPs and their clients.

What matters is whether MSPs evaluate those commitments with the right questions. A headline SLA figure is a starting point, not a complete answer. The five questions above give you the framework to compare MDR providers on terms that actually reflect how a threat response plays out in practice.

The difference between a 15-minute SLA that covers detection-to-alert and one that covers detection-to-containment is not a footnote. For an MSP whose client is mid-breach, it is the difference that determines the outcome.