Shortlist fit
Mid-market and enterprise teams that want outside SOC capacity without replacing their SIEM
Provider handles
Service shares SOC workflow with your team or MSP while you keep control.Check before buying
Keeping SIEM, EDR, cloud, identity and SaaS telemetry connected and usefulAlso fits
- Splunk, Microsoft Sentinel, Google Security Operations or Securonix buyers that need alerts operated
- Lean security teams that want named analysts, engineers and threat hunters working with their internal team
- Buyers willing to define response authority, escalation paths and tool ownership before go-live
Can replace
- Some Tier 1 and Tier 2 alert triage, validation and investigation work
- Some detection engineering, threat hunting and SIEM monitoring workload
- Some after-hours SOC coverage for connected data sources and approved workflows
Coverage
Provider covers
- 24/7 monitoring, alert validation, investigation and threat hunting across supported data sources
- SIEM-specific MDR for Splunk, Microsoft Sentinel, Google Security Operations and Securonix
- Named analysts, engineers and threat hunters who collaborate through the Deepwatch Security Center
Your team still owns
- Granting the access Deepwatch needs to investigate and run approved workflows
- Deciding which active response actions are guided, approved or delegated
- Handling internal IT remediation, recovery, user communication and business-owner decisions
Tradeoffs
Works well
- Fits buyers that want to keep an existing SIEM while adding operating capacity
- Public material supports monitoring, investigation, hunting, detection engineering and active response workflow
- Named expert teams can be a better fit than pooled analyst queues for high-context environments
Watch out for
- Buyers need a detailed quote because public list pricing is not available
- The service depends on supported tools, connected telemetry and agreed access rights
- Active response needs rules of engagement before buyers can rely on delegated actions
Reviews
Review synthesis
Gartner and G2 reviewers commonly describe Deepwatch as useful for 24/7 monitoring, named analysts, detection tuning, Splunk-heavy environments and lean security teams. Repeated caveats include price for smaller buyers, customer-success continuity, communication channel expectations and limits caused by partner tools or slow searches.Customers like
- Gartner reviewers mention named squads, Slack collaboration, custom detection work and reduced internal SOC load
- G2 reviewers repeatedly cite 24/7 monitoring, analyst responsiveness and false-positive reduction
- Public reviews describe Deepwatch as useful for buyers that need outside Tier 1 and Tier 2 capacity
Watch out for
- Gartner includes a visible critique about value compared with similar providers
- G2 reviewers mention price, communication preferences and integration or Splunk-search limits
- Reddit discussion is sparse and should be treated as onboarding context, not broad market consensus
Pricing
- Billing
- Custom
Quote-based. AWS Marketplace and public review text point to subscription scoping around logs, data volume, assets, endpoint monitoring and selected MDR services, but no current public list price was found.
Questions to ask
- Which response actions can Deepwatch run in our tools without waiting for approval?
- Which SIEM, EDR, cloud and identity data sources are included in the quoted MDR scope?
- Who owns detection changes, ServiceNow routing, tuning requests and after-hours escalation after onboarding?
Integrations
- SIEM
- Splunk Enterprise
- Splunk Cloud
- Microsoft Sentinel
- Google Security Operations
- Securonix
- EDR / Endpoint
- CrowdStrike
- Supported EDR partners
- Cloud
- Other
- Deepwatch Security Center
- NEXA Agentic AI Ecosystem
- ServiceNow
- AWS GuardDuty
- AWS CloudTrail
- AWS Security Hub
Editorial notes
Why co-managed SOC
Deepwatch operates across the buyer's existing security stack with 24/7 monitoring, named experts, detection engineering, threat hunting and response workflow support. That is more than advice-only MDR, but the buyer still keeps the tools, access model, telemetry quality and approval boundaries.
Response boundary
Official pages support active response, endpoint isolation, quarantine and guided remediation language. The public profile keeps response framed as approved workflow support because buyers need to confirm which actions Deepwatch can run in their connected tools.
Stack boundary
Deepwatch is best matched to buyers with a supported SIEM such as Splunk, Microsoft Sentinel, Google Security Operations or Securonix. Buyers should verify coverage depth before assuming every EDR, identity, email or SaaS source is equally operated.
Pricing boundary
Deepwatch does not publish current list pricing. AWS Marketplace supports marketplace procurement context, and review text says pricing depends on logs, data volume, assets, endpoint monitoring and MDR service level, so the public profile stays quote-based.
Customer evidence
Gartner and G2 provide enough customer review depth to mention repeated themes. Buyers praise monitoring, named experts, tuning and SOC capacity, while concerns center on pricing, customer-success continuity, communication channels and integration or query performance.