
The Great MDR Realignment: Why LevelBlue Is Rescuing the Industry’s “Orphan” Technologies

Updated: Feb 3

Managed detection and response (MDR) is a mature market. Buyers know what “good” looks like. Providers know what they must deliver. The industry has clearly entered a period of rapid consolidation and realignment.


Against that backdrop, LevelBlue’s acquisition of Alert Logic’s MDR business from Fortra may look, at first glance, like another tuck-in in an increasingly crowded market. In a tuck-in, a larger company purchases a smaller company, often with similar products, services, or customer segments, and fully absorbs it into its existing operations, dismantling the target's brand and structure. And this may ultimately be the case, but “tuck-in” does not fully reflect the strategic reality of the deal. This deal (and others LevelBlue has recently crafted) is a deliberate separation of software and services, with a broader intent to find and put to better use technologies that don’t quite fit where they landed. This signals further maturation in this already-consolidating industry and a movement to grab good tech that might otherwise fail.


Rehoming Good Technology

In cybersecurity, strong technologies do not always fail because they lack capability. More often, they struggle because they are placed inside organizations whose business rhythm does not match their operational needs. When that happens, otherwise viable technologies stop “breathing,” meaning research and development diminishes, attrition of good talent occurs, and revenue declines.

LevelBlue’s approach to M&A resembles what might be described as a rehoming of good tech.

LevelBlue appears to actively look for assets that require some resuscitation, like Alert Logic and Cybereason: assets that retain strong DNA, proven teams, and market relevance, but perhaps lacked the right environment to thrive.


The root cause of respiratory arrest is often business rhythm. Software-centric organizations optimize for product velocity, transactional sales, and channel scale. Managed services operate on a fundamentally different cadence, one which requires continuous operations, human expertise, and accountability for outcomes. When Alert Logic was folded into a software-first organization, in Richmond Advisory’s opinion, it became an orphaned asset. Inside LevelBlue, it becomes more core to its original services mission.


MDR Has Matured and That Changes the M&A Equation

Just a few years ago, providers defined MDR very differently, with inconsistent tooling assumptions and outcome promises that made consolidation far more difficult than it is today. Vendors differentiated themselves primarily by how detection and response were implemented, what technologies were used, and what “response” meant. Integration risk was high, customer expectations varied widely, and tuck-in acquisitions were often where tech went to die (e.g., Cylance within BlackBerry).

This rescue strategy is only possible because the MDR market itself has matured.

That environment has changed. Buyers now expect a relatively standard set of outcomes: detection, investigation, response, reporting, and continuous improvement regardless of the underlying technology stack. That normalization has lowered integration risk and made acquisitions like Alert Logic not just viable, but logical.


Alert Logic fits cleanly into this more mature MDR landscape as a part of an MSSP. Its service delivery model, operational rhythm, and customer expectations align well with LevelBlue’s existing platform. This is not a reinvention exercise; it is a reinvigorate and incorporate play.


Scale Matters but Coverage and Continuity Matter More

The acquisition undoubtedly strengthens LevelBlue’s position among the world’s largest MDR providers. But scale alone is not the most important takeaway.


What matters more is coverage and continuity. Alert Logic extends LevelBlue’s reach into the mid-market and SME without forcing the company to dilute its enterprise-grade operating model.


Historically, Alert Logic performed well in environments that needed reliable detection and response but were not ready for heavyweight enterprise complexity. Cloud-centric deployments, self-service-friendly models, and “SIEM-lite” approaches filled a real gap in the market.


That capability complements LevelBlue’s enterprise footprint and creates a natural growth path. As customers mature, their needs increasingly map to deeper MDR services, consulting, and adjacent managed offerings. They don’t wish to replace one product with another but rather preserve continuity across the customer lifecycle.


Software–Service Separation and a Mid-Market Opportunity

With this news, Fortra intentionally pivots toward a pure-software, channel-first strategy under the “Fortra Protect” banner. LevelBlue, by contrast, commits fully to managed outcomes and service delivery. This separation is not a weakness; it is an acknowledgment that software and services scale differently.


Nowhere is this more evident than in the mid-market. These buyers want outcomes, not toolchains. They want simplicity, not architectural sprawl. And they often prefer to buy through trusted channel partners rather than direct enterprise sales motions.


Alert Logic’s channel ecosystem becomes a strategic asset in this model. Rather than a forced direct-sales expansion downstream, LevelBlue can enable channel-led service delivery as Fortra’s marquee channel partner.


WAF, APIs, and the Shift Left

While much of the market focus remains on MDR headcount and customer numbers, the quieter strategic sweetener in this deal is Alert Logic’s Web Application Firewall and its native API protection capabilities.


In an era defined by AI-driven applications and API-centric architectures, APIs have become one of the most critical, but most vulnerable, attack surfaces. API protection as an afterthought is no longer a viable strategy.


The Alert Logic WAF enables LevelBlue to advance a more credible shift-left strategy, which emphasizes prevention earlier in the attack chain rather than downstream detection and response. Just as importantly, it provides architectural flexibility.


LevelBlue remains a close partner with Akamai, particularly for CDN-centric WAF and DDoS protection. But unlike those offerings, the Alert Logic WAF does not require a specific CDN to function. This allows LevelBlue to remain platform-agnostic and to sell managed outcomes rather than “managed Akamai” or “managed Fortra.”


Combined with Alert Logic’s lighter-weight, SIEM-lite capabilities, this gives LevelBlue more room to serve down-market customers who find enterprise SIEM deployments overly complex or costly.


Agentic AI: The SOC’s Newest Capability Layer

Alongside platform expansion, LevelBlue is also investing heavily in agentic AI.

Instead of AI as a replacement for analysts, the company will embed autonomous agents into specific operational workflows: investigations, enrichment, integration, and development acceleration. These are not chatbots. They are task-specific agents designed to increase speed and consistency inside the SOC.



One notable capability discussed was the use of AI agents to detect unfamiliar data structures and automatically build integrations, normalize data, and make it usable in near real time. Internally, agents also accelerate product development and assist with product requirements documents and design mockups.


At the same time, LevelBlue is deliberately cautious. Synthetic identities, agent sprawl, and governance failures are real risks. Human-in-the-loop controls remain central to the design, so that AI functions as a force multiplier rather than an operational liability.


Brand, Memory, and the Long Game

Despite its scale, LevelBlue still faces a brand challenge.

CISOs have long memories. Legacy associations with AT&T, Trustwave, or other prior identities do not disappear quickly. LevelBlue appears realistic about this reality and knows that rebranding is a journey, not a single event.


The strategy is not to erase the past overnight, but to out-execute it through customer advisory boards, visible innovation, and consistent delivery. Over time, proof points replace perception. For risk-averse buyers, testimonials and outcomes will matter more than messaging.


The Gist

  • This is a classic tuck-in executed at the right moment, but with broader goals. For a company whose goal is to become the largest MSSP, the ability to find and put to better use those technologies that don’t quite fit where they landed is a keen one.

  • LevelBlue is rehoming orphaned technologies. This strategy targets assets with strong DNA that simply lacked the right operational environment.

  • Coverage matters more than raw scale. Alert Logic extends LevelBlue’s reach into the mid-market and SMB without diluting its enterprise platform.

  • The software–services split is intentional. Fortra’s software focus and LevelBlue’s services focus reflect necessary specialization, not fragmentation.

  • WAF and API protection signal platform intent. These capabilities enable shift-left security and platform-agnostic managed outcomes.

  • Agentic AI is applied pragmatically. Human-in-the-loop remains central, with agents focused on acceleration, not replacement.

  • This is quiet portfolio construction. The long-term direction points toward a cleaner, more coherent pure-play managed services platform.
