
The Challenge
The Motley Fool had worked with established MDR providers for several years. The team was not new to outsourced detection and response, and they understood how traditional MDR models operated.
Over time, as the team matured its cloud security program, they began taking a closer look at how investigations were being handled.
Service was positioned as premium, yet responsiveness lagged behind.
“Anything that involved talking to a human being was very cumbersome and difficult.”
More fundamentally, the team began scrutinizing coverage.
As they relied more heavily on Wiz to surface cloud findings, they compared Wiz alerts against what their MDR had actually investigated. They identified that not all findings were receiving a documented determination. Static filters were applied upstream to manage volume, meaning certain alerts were closed automatically without full investigation.
“It didn’t seem like we were catching the things that truly matter,” del Mundo explained. “Threats are constantly evolving. Your static filters might work yesterday, but how do you know that they’ll work a month from now?”
Over time, the backlog began to accumulate. Some findings were addressed quickly, while others remained unresolved for extended periods. The team wanted stronger assurance that every relevant signal had received a determination.
Manual dependencies further slowed investigations, particularly during phishing or user-impacting events. Case closure often required internal follow-up, creating friction and extending resolution times.
As the renewal date came closer, the decision was made internally to evaluate alternatives. The issue was not a single failure, but a structural gap between expectations and delivery.
Evaluating AI, Without Losing Human Judgment
As AI-driven SOC investigations gained momentum, The Motley Fool began evaluating next-generation solutions, including an AI MDR vendor and an AI SOC tool.
The AI MDR vendor they evaluated demonstrated potential but did not fully align with their operational requirements during testing. While the approach showed promise, it did not provide the level of completeness and confidence the team was looking for. The AI SOC platform performed well, and at one stage the team was close to moving forward.
Throughout the evaluation, one requirement remained central. “The thing I really wanted to see was being able to make a determination for all the findings. Not just a subset.”
That requirement was validated during Daylight’s evaluation. Every relevant finding correlated with Wiz and SentinelOne received a well-documented decision. Each determination included detailed reasoning that could be revisited months later. “You can follow the thinking end to end,” del Mundo noted.
That level of completeness and explainability represented a meaningful step forward from prior engagements.
The team was also impressed by Daylight’s operating model, which combines an agentic platform with a SOC team of highly experienced security experts.
“AI only gets maybe 80% there. There’s that 20% where human intuition still makes sense.”
High-impact decisions, particularly those that could disrupt user workflows, required experienced judgment. “Every analyst that we've worked with has been top caliber.”
By the end of the PoC, the decision was unanimous.
From Growing Backlog to Zero Backlog
“Prior to Daylight, you would see our backlog constantly going up,” del Mundo said. “Today, we are at zero backlog.” With Daylight, every relevant finding now receives a determination within hours, either escalated as an active threat with full context and explanation or closed with documented reasoning.
Shortly after implementing Daylight, the team deployed Wiz Defend to enhance real-time cloud detection. Wiz Defend provides important value but also generates substantial volume.
“What I have found is that it's very chatty,” del Mundo explained. “If you don’t actively scope down those tickets, it can get overwhelming.”
With Daylight managing triage and investigation, that volume is manageable. “If I see a finding in the morning, I know that within a few hours Daylight would have made a recommendation.”
Operationally, that shift removed the need to expand headcount simply to comb through alerts.
“I don’t need to hire another engineer. I know Daylight can handle it.”
The security team was able to shift focus from managing alert volume to making informed risk decisions.
Resetting the Standard for MDR
For The Motley Fool, the transition to Daylight was not incremental.
They moved from filtered coverage to full determination, from backlog growth to backlog elimination, and from limited engagement to direct collaboration with experienced analysts.
Most importantly, they regained confidence that every relevant signal is examined and that every decision is documented, explainable, and defensible.
For an experienced security organization operating in a modern cloud environment, that confidence defines what effective detection and response should look like.
Daylight did not simply replace an MDR provider. It helped redefine what the team expects from one.
