Shortlist fit
Teams that already run a major EDR and need 24/7 MDR coverage
Provider handles
Service can take or orchestrate containment actions within the approved scope.Check before buying
Approving which response playbooks can run automaticallyAlso fits
- Mid-market and enterprise buyers that want to keep their current endpoint stack
- Security teams adding identity, cloud or email detection without replacing every tool
Can replace
- Internal alert triage for supported EDR and security-tool alerts
- After-hours investigation coverage for lean security teams
- Manual endpoint isolation workflows when playbooks are approved
Coverage
Provider covers
- MDR investigations across supported endpoint, cloud, identity, email, network and SaaS sources
- Agentless MDR model that ingests telemetry and alerts from the buyer's existing tools
- Endpoint isolation playbooks for all Red Canary-supported EDRs, with optional approval before execution
Your team still owns
- Remediation work outside supported EDR remote actions or Active Remediation scope
- Maintaining the endpoint, identity, cloud and email controls that feed Red Canary
- Confirming whether each data source is investigated, used for context or stored only
Tradeoffs
Works well
- Lets buyers keep supported EDR tools while adding analyst investigation and response playbooks
- Reviewers often mention reduced alert noise and clearer investigation detail
- Public threat reports show detection research across real customer telemetry
Watch out for
- Active Remediation is an add-on, not included in every MDR quote
- Integration depth depends on the selected plan and the connected source
- Custom detection control and SIEM-style visibility may be less flexible than an internal SOC
Reviews
Review synthesis
In reviews and practitioner threads, buyers describe Red Canary as useful for taking security-tool alert triage off lean teams. They repeatedly mention clear investigations, 24/7 coverage and support. The cautions are price, integration scope, limited custom detection control and occasional alert or support delays.Customers like
- Less time spent sorting noisy EDR alerts before a human investigates
- Investigations include context that teams can act on without jumping across every console
- Smaller teams value after-hours coverage and configured response playbooks
Watch out for
- Reviewers mention price as high for smaller companies
- Some buyers report gaps when a needed integration or data source is not fully covered by the selected plan
- Several reviews ask for more custom detection control or faster alert handling
Pricing
- Price
- Quote-based. Public reviews mention roughly $100/device/year
- Billing
- Per-endpoint, Per-user, Per-asset, Tiered, Custom
Questions to ask
- Which data sources are included in the quoted plan, and which are storage-only or context-only?
- Which response actions can run without approval, and which require customer confirmation?
- Is Active Remediation, Managed Phishing Response or Security Data Lake included, or priced as a separate add-on?
Integrations
- SIEM
- Microsoft Sentinel
- Red Canary Security Data Lake
- EDR / Endpoint
- CrowdStrike Falcon Insight XDR
- Microsoft Defender for Endpoint
- SentinelOne Singularity
- VMware Carbon Black
- Palo Alto Cortex XDR
- Cloud
- Other
- Microsoft Entra ID
- Okta Workforce Identity
- Google Workspace
- Microsoft Defender for Office 365
- Cisco Duo
- Cisco Umbrella
- Zscaler OneAPI
Editorial notes
Market position
Red Canary functions as tool-flexible MDR, not a replacement for the buyer's whole security operations program. It fits buyers that already run security tools and want Red Canary to investigate alerts, tune detection logic and orchestrate response without forcing a new endpoint platform.
Scope boundary
Red Canary's pricing page separates Core, Complete and Enterprise plans. Core is single-domain MDR, Complete adds multi-domain MDR, API access and data export, while Enterprise adds strategic support and unlimited integrations. Add-ons include Active Remediation, Managed Phishing Response and Security Data Lake.
Response boundary
Red Canary supports automated and manual endpoint isolation through supported EDRs. Hands-on remediation is documented as Active Remediation, an annual add-on for MDR for Endpoint subscriptions, so it should be verified in the quote.
Ownership change
Zscaler completed its acquisition of Red Canary on August 1, 2025, and Red Canary is now branded as a Zscaler company. Buyers should confirm roadmap, commercial ownership and renewal terms, especially if they already use or are evaluating Zscaler security operations products.
Channel buying
Red Canary is available direct, through MSP and solution-provider partners, through AWS Marketplace and through Carahsoft for public-sector buyers. Buyers should confirm whether the seller of record changes support escalation, procurement terms or included services.