Red Canary

MDR

Red Canary is an MDR service, now a Zscaler company, that layers analyst investigation, detection engineering and response playbooks over the endpoint, cloud, identity, email, network and SaaS tools a buyer already runs.

Service
MDR
Handles
Contain threats
Price
Quote-based. Public reviews mention roughly $100/device/year*
  • Contain threats
  • Denver, Colorado
  • Founded 2013
Visit website

Shortlist fit

Teams that already run a major EDR and need 24/7 MDR coverage

Provider handles

Service can take or orchestrate containment actions within the approved scope.

Check before buying

Approving which response playbooks can run automatically

Also fits

  • Mid-market and enterprise buyers that want to keep their current endpoint stack
  • Security teams adding identity, cloud or email detection without replacing every tool

Can replace

  • Internal alert triage for supported EDR and security-tool alerts
  • After-hours investigation coverage for lean security teams
  • Manual endpoint isolation workflows when playbooks are approved

Coverage

Provider covers

  • MDR investigations across supported endpoint, cloud, identity, email, network and SaaS sources
  • Agentless MDR model that ingests telemetry and alerts from the buyer's existing tools
  • Endpoint isolation playbooks for all Red Canary-supported EDRs, with optional approval before execution

Your team still owns

  • Remediation work outside supported EDR remote actions or Active Remediation scope
  • Maintaining the endpoint, identity, cloud and email controls that feed Red Canary
  • Confirming whether each data source is investigated, used for context or stored only

Tradeoffs

Works well

  • Lets buyers keep supported EDR tools while adding analyst investigation and response playbooks
  • Reviewers often mention reduced alert noise and clearer investigation detail
  • Public threat reports show detection research across real customer telemetry

Watch out for

  • Active Remediation is an add-on, not included in every MDR quote
  • Integration depth depends on the selected plan and the connected source
  • Custom detection control and SIEM-style visibility may be less flexible than an internal SOC

Reviews

Review synthesis

In reviews and practitioner threads, buyers describe Red Canary as useful for taking security-tool alert triage off lean teams. They repeatedly mention clear investigations, 24/7 coverage and support. The cautions are price, integration scope, limited custom detection control and occasional alert or support delays.

Customers like

  • Less time spent sorting noisy EDR alerts before a human investigates
  • Investigations include context that teams can act on without jumping across every console
  • Smaller teams value after-hours coverage and configured response playbooks

Watch out for

  • Reviewers mention price as high for smaller companies
  • Some buyers report gaps when a needed integration or data source is not fully covered by the selected plan
  • Several reviews ask for more custom detection control or faster alert handling

Pricing

Price
Quote-based. Public reviews mention roughly $100/device/year
Billing
Per-endpoint, Per-user, Per-asset, Tiered, Custom

Questions to ask

  1. Which data sources are included in the quoted plan, and which are storage-only or context-only?
  2. Which response actions can run without approval, and which require customer confirmation?
  3. Is Active Remediation, Managed Phishing Response or Security Data Lake included, or priced as a separate add-on?

Integrations

SIEM
  • Microsoft Sentinel
  • Red Canary Security Data Lake
EDR / Endpoint
  • CrowdStrike Falcon Insight XDR
  • Microsoft Defender for Endpoint
  • SentinelOne Singularity
  • VMware Carbon Black
  • Palo Alto Cortex XDR
Cloud
  • AWS
  • Azure
  • GCP
Other
  • Microsoft Entra ID
  • Okta Workforce Identity
  • Google Workspace
  • Microsoft Defender for Office 365
  • Cisco Duo
  • Cisco Umbrella
  • Zscaler OneAPI

Editorial notes

Market position

Red Canary functions as tool-flexible MDR, not a replacement for the buyer's whole security operations program. It fits buyers that already run security tools and want Red Canary to investigate alerts, tune detection logic and orchestrate response without forcing a new endpoint platform.

Scope boundary

Red Canary's pricing page separates Core, Complete and Enterprise plans. Core is single-domain MDR, Complete adds multi-domain MDR, API access and data export, while Enterprise adds strategic support and unlimited integrations. Add-ons include Active Remediation, Managed Phishing Response and Security Data Lake.

Response boundary

Red Canary supports automated and manual endpoint isolation through supported EDRs. Hands-on remediation is documented as Active Remediation, an annual add-on for MDR for Endpoint subscriptions, so it should be verified in the quote.

Ownership change

Zscaler completed its acquisition of Red Canary on August 1, 2025, and Red Canary is now branded as a Zscaler company. Buyers should confirm roadmap, commercial ownership and renewal terms, especially if they already use or are evaluating Zscaler security operations products.

Channel buying

Red Canary is available direct, through MSP and solution-provider partners, through AWS Marketplace and through Carahsoft for public-sector buyers. Buyers should confirm whether the seller of record changes support escalation, procurement terms or included services.

Questions

Does Red Canary replace a whole SOC team?
No. Red Canary provides MDR and SOC augmentation around supported security tools. Buyers still own the underlying controls, response approvals, security program decisions and any work outside the quoted MDR or Active Remediation scope.
Does Red Canary require its own agent?
Red Canary says its MDR service is agentless and relies on telemetry or alert data from existing security investments. Endpoints still need the buyer's EDR or EPP sensors to collect and send telemetry.
What does Red Canary pricing depend on?
Official pricing is quote-based and resource-based. Red Canary says pricing varies by endpoints, identities and cloud resources. Public review sources mention device-based pricing, but buyers should treat that as a rough signal only.