Service Tiers
KYRA AI MDR offers four service tiers designed to meet the security needs of organizations from solo developers to enterprises.
Tier Overview
| Tier | Pricing | Target Market | Key Value Proposition |
|---|---|---|---|
| FREE | $0/mo | Small (1-30 employees) | Security posture check, basic monitoring |
| MDR | $230/mo | SMB (10-100 employees) | 24/7 AI-powered detection + auto-response |
| PRO | $600/mo | Mid-market (30-300 employees) | Full MDR + dedicated analyst + compliance |
| CUSTOM | Negotiated | Enterprise (300+) | Tailored MDR with on-site support |
Annual Pricing
| Tier | Monthly | Annual | Savings |
|---|---|---|---|
| MDR | $230/mo | $1,380/yr ($115/mo effective) | 50% off |
MDR Annual ($1,380/yr) offers 50% savings compared to monthly billing.
Service Capabilities
| Capability | FREE | MDR | PRO | CUSTOM |
|---|---|---|---|---|
| 24/7 Threat Detection | Yes | Yes | Yes | Yes |
| MITRE ATT&CK Mapping | Yes | Yes | Yes | Yes |
| AI Alert Triage | Summary only | Full (99% FP filter) | Full (99% FP filter) | Full (99% FP filter) |
| Auto-Response | No | Standard SOAR | Custom SOAR | Custom playbooks |
| Proactive Threat Hunting | No | No | Monthly | Weekly |
| Custom Detection Rules | No | No | Limited | Unlimited |
| Dashboard | Read-only | Full interactive | Full + custom | Fully custom |
| Reports | Monthly score email | Monthly threat brief | Weekly + compliance | Custom cadence |
| Compliance | No | Basic ISMS-P checklist | ISMS-P + SOC 2 | Multi-framework |
| Dedicated Analyst | No | No | Shared | Assigned |
| On-site Support | No | No | No | Yes |
| EASM Scan | Monthly | Weekly | Daily | Real-time |
| Support | Community/docs | Email (24hr) | Dedicated (4hr SLA) | Dedicated (1hr SLA) |
| Onboarding | Self-serve | Guided (1-click) | White-glove | On-site |
Ingestion Quotas
| Tier | Max EPS | Daily Ingestion | Collectors | Endpoints | Users |
|---|---|---|---|---|---|
| FREE | 50 | 500 MB | 1 | 40 | 3 |
| MDR | 500 | 5 GB | 1 | 120 | 25 |
| PRO | 2,000 | 20 GB | 5 | 350 | 50 |
| CUSTOM | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |
Overage
| Tier | Overage Policy |
|---|---|
| FREE | Hard cap (logs stop ingesting) |
| MDR | $0.02/GB beyond daily limit |
| PRO | $0.015/GB beyond daily limit |
| CUSTOM | Negotiated |
Log Retention
| Tier | Log Retention |
|---|---|
| FREE | 7 days |
| MDR | 90 days |
| PRO | 180 days |
| CUSTOM | 365+ days |
Legal hold override: All retention periods extended indefinitely during active legal proceedings.
Incident Severity Matrix (SEV1-SEV4)
SEV1 — Critical (Active Compromise with Business Impact)
Indicators: Active ransomware, real-time data exfiltration (>1GB), domain admin compromise, critical infrastructure breach, public data exposure, active C2 communication.
Business Impact: Service disruption >50% of users, financial loss >$100K, regulatory breach requiring immediate notification.
Response: Detection to acknowledgment <15 minutes (all tiers), war room activation immediate, executive notification within 30 minutes, customer notification within 1 hour.
SEV2 — High (Confirmed Compromise, Limited Immediate Impact)
Indicators: Confirmed malware execution, lateral movement, non-privileged credential compromise, successful privilege escalation, persistent backdoor deployment.
Response Times:
- FREE: Acknowledged within 4 hours, contained within 8 hours
- MDR: Acknowledged within 1 hour, contained within 8 hours
- PRO/CUSTOM: Acknowledged within 30 minutes, contained within 4 hours
SEV3 — Medium (Suspicious Activity Requiring Investigation)
Indicators: Policy violations, authentication anomalies, network reconnaissance, suspicious downloads, phishing attempts, unsuccessful exploitation.
Response Times:
- FREE: Documented analysis within 24 hours
- MDR: Investigation within 4 hours
- PRO/CUSTOM: Investigation within 2 hours
SEV4 — Low (Informational/Routine)
Indicators: Routine vulnerability scan findings, expected security tool alerts, minor configuration drift, certificate expiration warnings.
Response Times:
- FREE: Analysis within 72 hours
- MDR: Batch processing within 24 hours
- PRO/CUSTOM: Analysis within 8 hours
Severity Escalation Rules
| Escalation | Trigger |
|---|---|
| SEV4 → SEV3 | >5 related events from same asset within 24 hours |
| SEV3 → SEV2 | IOC match confirmed or successful exploitation evidence |
| SEV2 → SEV1 | Lateral movement detected or business-critical system affected |
| Any → SEV1 | Customer declares business impact or regulatory trigger |
SLA Response Times
| Severity | FREE | MDR | PRO / CUSTOM |
|---|---|---|---|
| SEV1 | 15 min | 15 min | 15 min |
| SEV2 | 4 hours | 1 hour | 30 min |
| SEV3 | 24 hours | 4 hours | 2 hours |
| SEV4 | 72 hours | 24 hours | 8 hours |
SLA Resolution Times
| Severity | FREE | MDR | PRO / CUSTOM |
|---|---|---|---|
| SEV1 | 8 hours* | 4 hours | 2 hours |
| SEV2 | 16 hours* | 8 hours | 4 hours |
| SEV3 | 3 days* | 24 hours | 12 hours |
| SEV4 | 5 days* | 3 days | 2 days |
FREE tier resolution = comprehensive analysis and recommendations (no active containment)
Containment SLAs (MDR, PRO, CUSTOM Only)
| Severity | MDR | PRO / CUSTOM |
|---|---|---|
| SEV1 | 2 hours | 1 hour |
| SEV2 | 6 hours | 3 hours |
| SEV3 | 12 hours | 6 hours |
| SEV4 | 24 hours | 12 hours |
Platform Availability
| Component | FREE | MDR | PRO / CUSTOM |
|---|---|---|---|
| Event Ingestion | 99.5% | 99.9% | 99.99% |
| Management Console | 99.0% | 99.5% | 99.9% |
| REST API | 99.0% | 99.5% | 99.9% |
| Alert Notifications | 99.5% | 99.9% | 99.99% |
SLA Credits
| Availability Breach | Credit | Max Monthly |
|---|---|---|
| Below PRO/CUSTOM SLA (99.99%) | 5% | 25% |
| Below MDR SLA (99.9%) | 10% | 50% |
| Below FREE SLA (99.5%) | 10% | 50% |
| Below 99.0% (any tier) | 25% | 100% |
Feature Access by Tier
| Category | Feature | FREE | MDR | PRO | CUSTOM |
|---|---|---|---|---|---|
| Detection | Basic Rule Library | Yes | Yes | Yes | Yes |
| Detection | Advanced ML Models | No | Yes | Yes | Yes |
| Detection | Custom Rule Builder | No | No | Limited | Yes |
| Detection | Threat Intel Feeds | Basic | Premium | Premium + Private | Premium + Private |
| Investigation | Automated Triage | Summary only | Full (99% FP filter) | Full (99% FP filter) | Full (99% FP filter) |
| Investigation | Forensics Tools | No | Basic | Advanced | Advanced |
| Investigation | Case Management | No | Yes | Yes | Yes |
| Response | Alert Notifications | Yes | Yes | Yes | Yes |
| Response | Automated Containment | No | Standard SOAR | Custom SOAR | Custom playbooks |
| Response | Playbook Execution | No | Standard | Custom | Custom |
| Reporting | Standard Dashboards | Read-only | Full interactive | Full + custom | Fully custom |
| Reporting | Executive Reports | No | Monthly threat brief | Weekly + compliance | Custom cadence |
| Reporting | Compliance Reports | No | Basic ISMS-P | ISMS-P + SOC 2 | Multi-framework |
| Reporting | Custom Reports | No | No | Yes | Yes |
| API | Read-only API | Yes | Yes | Yes | Yes |
| API | Write API | No | Limited | Yes | Yes |
| API | Webhooks | No | Yes | Yes | Yes |
Tier Migration
Customers can upgrade or downgrade their service tier at any time:
- Upgrades: New features and quotas are activated immediately
- Downgrades: Features are adjusted at the end of the current billing period
- Data Retention: On downgrade, existing data remains accessible until the original retention period expires; new data follows the new tier’s retention schedule