The power of proof: Why a PoC is the most honest thing you can do for your client  | WhiteSpider

June 23, 2025
By Phil Lees

In our world of managed services and security solutions, it’s all too easy to fall into the trap of shiny brochures, marketecture and high-level vendor promises. But real trust, the kind that builds lasting relationships, comes from doing the hard, honest work. That’s why we recently carried out a thorough Proof of Concept (PoC) for a cybersecurity solution with one of our strategic clients, a government-backed manufacturing organisation.

The goal of the PoC was to evaluate whether Cisco XDR could replace their existing MDR platform, not just like-for-like, but by also bringing added value in terms of Extended Detection and Response (XDR) capabilities. We set a clear scope: test XDR’s ability to ingest and correlate data from a complex, real-world ecosystem including Azure AD, Entra ID, Microsoft Defender, Cisco Stealthwatch (SNA), and FortiGate firewalls.

Expectations vs. Experience: What we discovered

Our initial research indicated the integrations would be relatively straightforward, an impression supported by Cisco’s marketing materials. But as we got deeper into the technical trenches, we encountered more complexity than anticipated, revealing some important nuances not immediately apparent at the outset.

FortiGate logs, for example, could be ingested, but required custom Python development effort, and the events weren’t actively used in detection logic or response playbooks. Entra ID integration, a key piece for endpoint identity and behavioural telemetry, simply wasn’t available yet. While Cisco assured us that this functionality was on the roadmap (targeting a September release), the absence meant that XDR was missing significant visibility compared to their existing MDR platform, especially from a user endpoint perspective.

The importance of real testing, real environments

This is exactly why PoCs exist. Had we bypassed this step and gone straight into production, we’d have been implementing a solution that couldn’t yet meet the client’s needs. Our role as a trusted advisor isn’t to sell tech, it’s to ensure the right solution lands at the right time, for the right reasons.

In this PoC, we ran side-by-side comparisons of detections across both platforms and quickly saw that the existing solution was surfacing more alerts. We traced this to telemetry gaps in the XDR platform. Rather than glossing over the findings, we had honest conversations with both the client and Cisco. We laid out the facts: XDR shows real promise, but it’s not yet ready to deliver the full capabilities our client requires.

A paused PoC isn’t a failed one

The outcome? The PoC has been paused. But this isn’t failure. It’s the process working as it should.

By setting clear acceptance criteria and testing against real-world data, we avoided costly missteps. By staying engaged with Cisco’s business unit and engineering teams, we’ve ensured our client is first in line to revisit the solution when the roadmap catches up. And by putting integrity before revenue, we’ve deepened the trust our client places in us.

If there’s one thing this project reinforced, it’s that a PoC isn’t just a technical process; it’s a moral one. It’s our chance to prove that our guidance is grounded in outcomes, not incentives. That our loyalty lies with the client, not just the vendor. That we’re here to solve, not to sell.

We’re still actively running Cisco XDR PoCs in other environments, each one offering a valuable opportunity to explore, validate, and refine our understanding of its evolving capabilities. These efforts not only keep us ahead of the curve but also help us build the internal expertise needed to support our clients when the time is right.

And in this specific use case, we’ll be ready to restart as soon as those critical features land. The groundwork is already laid.

PoCs also play a vital role in securing stakeholder buy-in, which is why we believe in being transparent about both the wins and the roadblocks. By sharing what we’ve learned, we help our clients position the technology more effectively when it’s truly ready to deliver.

Until then, our approach remains the same: test thoroughly, advise honestly, and never stop asking the hard questions. That’s how trust is built. And in cybersecurity, trust is everything.