Service Tiers
Service Tiers
KYRA AI MDR offers three service tiers designed to meet the security needs of organizations from SMB to Enterprise.
Tier Overview
| Tier | Target Market | Key Value Proposition |
|---|---|---|
| Detect | SMB (50-200 employees) | 24/7 threat detection with automated alerts |
| Respond | Mid-market (200-1,000) | Detection + incident response + containment |
| Hunt | Enterprise (1,000+) | Full MDR + proactive threat hunting + custom playbooks |
Service Capabilities
| Capability | Detect | Respond | Hunt |
|---|---|---|---|
| 24/7 Threat Detection | Yes | Yes | Yes |
| MITRE ATT&CK Mapping | Yes | Yes | Yes |
| Automated Alert Triage | Yes | Yes | Yes |
| AI-Powered Analysis | Basic | Advanced | Premium + Custom |
| Incident Response | Alert Documentation Only | Yes | Yes + On-site |
| Threat Containment | No | Yes | Yes + Advanced Automation |
| Proactive Threat Hunting | No | No | Yes |
| Custom Detection Rules | No | Limited (10 rules) | Unlimited |
| Executive Reporting | Basic Dashboard | Yes | Yes + Custom |
| Compliance Templates | No | SOC 2, ISO 27001 | All frameworks + Custom |
| Dedicated TAM | No | No | Yes |
| On-site Incident Response | No | No | Yes (within 24h) |
| Threat Intelligence | Basic IOCs | Premium Feeds | Custom + Private CTI |
| API Access | Read-only | Limited Write | Full API Access |
Ingestion Quotas
| Tier | Sustained EPS | Burst EPS (15min) | Grace Period |
|---|---|---|---|
| Detect | 500 EPS | 1,000 EPS | 30 minutes |
| Respond | 2,500 EPS | 5,000 EPS | 1 hour |
| Hunt | 15,000 EPS | 25,000 EPS | 4 hours |
Overage pricing: Detect $0.15/1K events, Respond $0.10/1K events, Hunt $0.05/1K events.
SIEM Query Limits
| Tier | Max Date Range | Max Rows/Query | Concurrent Queries | Export Limit |
|---|---|---|---|---|
| Detect | 7 days | 10,000 | 3 | 50 MB |
| Respond | 90 days | 100,000 | 10 | 1 GB |
| Hunt | 2 years | 5,000,000 | 50 | 50 GB |
Report Quotas
| Tier | Executive Reports | Compliance Reports | Custom Reports | Scheduled Reports |
|---|---|---|---|---|
| Detect | 4/month | No | No | No |
| Respond | 12/month | 6/month | No | 4/month |
| Hunt | Unlimited | Unlimited | 20/month | Unlimited |
Data Retention
| Tier | Alert Retention | Raw Log Retention | SIEM Index | Analytics | Investigation Data |
|---|---|---|---|---|---|
| Detect | 90 days | 30 days | 30 days | 1 year | 90 days |
| Respond | 1 year | 6 months | 1 year | 3 years | 2 years |
| Hunt | 5 years | 2 years | 5 years | 7 years | 7 years |
Legal hold override: All retention periods extended indefinitely during active legal proceedings.
Incident Severity Matrix (SEV1-SEV4)
SEV1 — Critical (Active Compromise with Business Impact)
Indicators: Active ransomware, real-time data exfiltration (>1GB), domain admin compromise, critical infrastructure breach, public data exposure, active C2 communication.
Business Impact: Service disruption >50% of users, financial loss >$100K, regulatory breach requiring immediate notification.
Response: Detection to acknowledgment <15 minutes (all tiers), war room activation immediate, executive notification within 30 minutes, customer notification within 1 hour.
SEV2 — High (Confirmed Compromise, Limited Immediate Impact)
Indicators: Confirmed malware execution, lateral movement, non-privileged credential compromise, successful privilege escalation, persistent backdoor deployment.
Response Times:
- Detect: Acknowledged within 4 hours, contained within 8 hours
- Respond: Acknowledged within 1 hour, contained within 8 hours
- Hunt: Acknowledged within 30 minutes, contained within 4 hours
SEV3 — Medium (Suspicious Activity Requiring Investigation)
Indicators: Policy violations, authentication anomalies, network reconnaissance, suspicious downloads, phishing attempts, unsuccessful exploitation.
Response Times:
- Detect: Documented analysis within 24 hours
- Respond: Investigation within 4 hours
- Hunt: Investigation within 2 hours
SEV4 — Low (Informational/Routine)
Indicators: Routine vulnerability scan findings, expected security tool alerts, minor configuration drift, certificate expiration warnings.
Response Times:
- Detect: Analysis within 72 hours
- Respond: Batch processing within 24 hours
- Hunt: Analysis within 8 hours
Severity Escalation Rules
| Escalation | Trigger |
|---|---|
| SEV4 → SEV3 | >5 related events from same asset within 24 hours |
| SEV3 → SEV2 | IOC match confirmed or successful exploitation evidence |
| SEV2 → SEV1 | Lateral movement detected or business-critical system affected |
| Any → SEV1 | Customer declares business impact or regulatory trigger |
SLA Response Times
| Severity | Detect | Respond | Hunt |
|---|---|---|---|
| SEV1 | 15 min | 15 min | 15 min |
| SEV2 | 4 hours | 1 hour | 30 min |
| SEV3 | 24 hours | 4 hours | 2 hours |
| SEV4 | 72 hours | 24 hours | 8 hours |
SLA Resolution Times
| Severity | Detect | Respond | Hunt |
|---|---|---|---|
| SEV1 | 8 hours* | 4 hours | 2 hours |
| SEV2 | 16 hours* | 8 hours | 4 hours |
| SEV3 | 3 days* | 24 hours | 12 hours |
| SEV4 | 5 days* | 3 days | 2 days |
Detect tier resolution = comprehensive analysis and recommendations (no active containment)
Containment SLAs (Respond and Hunt Only)
| Severity | Respond | Hunt |
|---|---|---|
| SEV1 | 2 hours | 1 hour |
| SEV2 | 6 hours | 3 hours |
| SEV3 | 12 hours | 6 hours |
| SEV4 | 24 hours | 12 hours |
Platform Availability
| Component | Detect | Respond | Hunt |
|---|---|---|---|
| Event Ingestion | 99.5% | 99.9% | 99.99% |
| Management Console | 99.0% | 99.5% | 99.9% |
| REST API | 99.0% | 99.5% | 99.9% |
| Alert Notifications | 99.5% | 99.9% | 99.99% |
SLA Credits
| Availability Breach | Credit | Max Monthly |
|---|---|---|
| Below Hunt SLA (99.99%) | 5% | 25% |
| Below Respond SLA (99.9%) | 10% | 50% |
| Below Detect SLA (99.5%) | 10% | 50% |
| Below 99.0% (any tier) | 25% | 100% |
Feature Access by Tier
| Category | Feature | Detect | Respond | Hunt |
|---|---|---|---|---|
| Detection | Basic Rule Library | Yes | Yes | Yes |
| Detection | Advanced ML Models | No | Yes | Yes |
| Detection | Custom Rule Builder | No | Limited | Yes |
| Detection | Threat Intel Feeds | Basic | Premium | Premium + Private |
| Investigation | Automated Triage | Yes | Yes | Yes |
| Investigation | Forensics Tools | No | Basic | Advanced |
| Investigation | Case Management | Basic | Yes | Yes |
| Response | Alert Notifications | Yes | Yes | Yes |
| Response | Automated Containment | No | Yes | Yes |
| Response | Playbook Execution | Templates | Yes | Yes |
| Reporting | Standard Dashboards | Yes | Yes | Yes |
| Reporting | Executive Reports | Limited | Yes | Yes |
| Reporting | Compliance Reports | No | Yes | Yes |
| Reporting | Custom Reports | No | No | Yes |
| API | Read-only API | Yes | Yes | Yes |
| API | Write API | No | Limited | Yes |
| API | Webhooks | No | Yes | Yes |
Tier Migration
Customers can upgrade or downgrade their service tier at any time:
- Upgrades: New features and quotas are activated immediately
- Downgrades: Features are adjusted at the end of the current billing period
- Data Retention: On downgrade, existing data remains accessible until the original retention period expires; new data follows the new tier’s retention schedule