Expel vs Critical Start
Expel
Founded in May 2016 by ex-Mandiant/FireEye veterans Dave Merkel, Justin Bajko, and Yanek Korff, Expel takes a deliberate stance: no proprietary agent, full transparency into SOC activity via the Workbench portal, and integration with whatever security tools the customer already owns. The company reached unicorn status in November 2021 and was named a Leader in The Forrester Wave for MDR Services, Q1 2025. Independent and private.
Pros
- Genuinely vendor-neutral: no Expel agent, integrates with existing EDR/SIEM/cloud stack
- Transparent operations via Workbench (customers see every analyst action in real time)
- Strong public commitments such as a 13-minute MTTR for critical threats
- Founding team's Mandiant lineage gives credibility in IR and detection engineering
Cons
- 'Bring your own tech' means customers must already own (and license) suitable EDR/SIEM/cloud tooling
- Premium pricing relative to bundled MSSP offerings
- Limited public pricing; sales-led
Pricing: Custom (contact sales)
Critical Start
Founded in 2012 by Rob Davis to address alert fatigue, Critical Start's Trusted Behavior Registry (TBR) auto-resolves known-good behaviours at scale so analysts focus on true positives. The MOBILESOC iOS/Android app lets customers triage, escalate, and contain incidents from a phone. The firm runs MDR across multiple third-party EDR/XDR/SIEM stacks rather than shipping its own endpoint agent.
Pros
- Trusted Behavior Registry materially reduces alert noise at scale
- MOBILESOC is one of the more mature mobile SOC apps in the MDR market
- Multi-EDR / multi-XDR coverage gives customers stack optionality
- Strong transparency posture; customers see every alert decision and SLA in the portal
Cons
- Smaller scale than Arctic Wolf, Sophos/Secureworks, or eSentire
- Service quality depends on customers having a supported EDR/XDR already licensed
- Limited public pricing
Pricing: Custom (contact sales)