Author: Emmanuel Adjah
As a new year begins, many African scale-ups are once again reviewing their security posture.
Managed Detection and Response, or MDR, often sits at the centre of that discussion. It promises continuous monitoring, expert investigation, and active response without the cost of building a full internal security operations team. For fast-growing companies, it appears to be a sensible and responsible decision.
In many cases, it is.
Modern MDR services do more than raise alerts. They investigate suspicious activity, confirm threats, isolate compromised endpoints, block malicious indicators, and contain incidents on behalf of the organisation. When a machine is compromised, MDR teams can and often do take immediate action.
Yet despite this, many African mid-market companies disengage from MDR within months. Some keep the contract but stop acting on recommendations. Others downgrade, pause, or quietly walk away. Incidents are technically contained, but security outcomes do not improve in a meaningful way.
This is not because MDR does not work.
It is because MDR is being asked to solve a problem that is not purely technical.
This is not a question of improving how MDR is implemented. It is a question of whether the industry has correctly defined what MDR is responsible for in the first place.

Where MDR response stops in practice
MDR providers are highly effective within clearly defined technical boundaries.
They can isolate endpoints, terminate malicious processes, block command-and-control traffic, and provide detailed incident timelines. These actions reduce immediate risk and are often executed quickly and correctly.
What MDR cannot do is own organisational risk.
Once containment is complete, a different class of decisions begins. Decisions that sit outside the authority of any external security provider.
Can the affected system be safely returned to production? Was sensitive customer or employee data accessed? Does the incident trigger regulatory or contractual disclosure obligations? Should a product release be delayed? Who accepts residual risk if remediation is incomplete?
These are not detection or response tasks. They are governance decisions.
By treating governance and decision authority as out of scope, the MDR market has embedded a structural blind spot into its delivery model.

Africa exposes the gap earlier
African scale-ups operate under conditions that surface this blind spot quickly.
Teams are lean. Security leadership is often part-time or combined with IT or engineering roles. Regulatory obligations vary by country and evolve rapidly. Decision making is fast, but formal escalation paths are still forming.
These conditions are not unique to Africa. They simply appear earlier and with less insulation.
When MDR performs well technically but security outcomes still stall, it reveals a structural issue. The service assumes the customer has clear internal authority to complete the response lifecycle. Many organisations do not.
Africa is not an exception. It is a stress test.
The patterns visible here are not regional anomalies. They are early indicators of how MDR fails when organisational complexity outpaces governance maturity.

Why MDR adoption weakens over time
A familiar pattern plays out across many mid-market environments.
MDR is often purchased in response to board pressure, investor expectations, or compliance requirements. The service is positioned as comprehensive coverage and reassurance.
During early use, alerts are investigated and incidents are contained. Reports are shared. Recommendations are issued.
Then friction emerges.
Who approves system rebuilds? Who prioritises security remediation against product delivery? Who decides when an incident is fully resolved? Who owns long-term corrective action?
MDR teams can advise, but they cannot decide.
Over time, unresolved recommendations accumulate. Alerts are handled tactically, but strategic follow-through slows. The organisation remains exposed, not because threats are missed, but because decisions stall.
The failure is not technical. It is operational.

Rethinking MDR readiness
The cybersecurity industry often frames MDR as a complete security function. In reality, it is a powerful component of a broader operating model.
Across mid-market organisations, MDR effectiveness tends to align with three readiness states.
The first is containment-only readiness. The organisation can receive MDR response actions, but lacks clear internal authority to close incidents decisively.
The second is partial response readiness. Technical teams can act on recommendations, but escalation slows when decisions cross team or leadership boundaries.
The third is integrated response readiness. Security, engineering, legal, and leadership roles are aligned. Authority is clear. MDR actions translate into completed outcomes.
Most MDR services are designed with the third state in mind. Many mid-market companies operate in the first or second.
The problem is not that organisations sit at different readiness levels. It is that the MDR industry designs and markets its services as if those differences do not materially affect outcomes.
This mismatch explains why MDR can appear effective on paper but disappointing in practice.

What the industry needs to change
If MDR is to deliver consistent outcomes for African scale-ups and the global mid-market, the industry needs to shift how it defines success.
Readiness cannot be treated as an afterthought. Governance, ownership, and escalation authority shape security outcomes as much as detection capability.
Response design must extend beyond technical containment. Organisations need clarity on who decides, who signs off, and how risk is accepted once the immediate threat is controlled.
And success metrics must evolve. Counting alerts handled or endpoints isolated is not enough. The real measure is how quickly organisations reach clear, accountable decisions.
This requires MDR providers to act as operational partners, not just responders. It also requires buyers to recognise that MDR cannot replace internal accountability.

Why this matters beyond Africa
What is visible in African tech ecosystems today will appear elsewhere tomorrow.
As companies operate with smaller teams, decentralised ownership, and faster release cycles, the gap between technical response and organisational decision making will widen.
Struggles with MDR in the mid-market are not isolated cases. They are early warnings of how current security service models fail under modern operating conditions.
Africa is not the edge case. It is the early signal.

The path forward
MDR remains valuable. Technical containment reduces risk and buys time. But containment without decision authority does not complete the security cycle.
For fast-growing organisations, security must be designed around how decisions are made, not just how threats are detected.
For vendors, investors, and regulators, the lesson is clear. Strong security outcomes depend less on tools and more on who is empowered to act.
As the new year begins, the opportunity is not to abandon MDR, but to use it more honestly. As part of a shared operating model, not a substitute for it.
Until the industry redraws the boundary between technical response and organisational risk ownership, MDR will continue to be oversold and under-effective in the mid-market.











