Managed Detection and Response (MDR)

Managed detection and response (MDR) combines technology, threat intelligence, and human analysts to detect and contain threats that automated tools miss. This guide covers what MDR actually delivers, how it differs from MSSPs and in-house SOCs, what it costs, and how to evaluate providers without getting buried in vendor marketing.

By Nick Shevelyov 14 min read

TL;DR: Managed detection and response is an outsourced security service that provides 24/7 threat detection, investigation, and response using a combination of endpoint, network, and cloud telemetry plus human threat hunters. Unlike traditional MSSPs, MDR providers don't just alert you to problems — they investigate anomalies, contain active threats, and deliver root-cause analysis. For organizations without a fully staffed internal SOC, MDR is the most practical path to detection and response maturity.

What managed detection and response is

Managed detection and response is a category of security service that delivers threat detection, investigation, and active response as an outsourced capability. The "managed" part means the provider operates the detection and response function on your behalf — staffing analysts, tuning detection logic, investigating alerts, and taking containment actions when threats are confirmed.

MDR emerged because most organizations found themselves in one of two positions: they had deployed detection tools (EDR, SIEM, NDR) but lacked the analysts to operate them around the clock, or they had engaged an MSSP that monitored logs and forwarded alerts but didn't investigate or respond to anything. MDR fills the gap — it pairs detection technology with human expertise to deliver outcomes, not just notifications.

The core deliverables of a managed detection and response service include:

  • 24/7 monitoring — continuous analyst coverage across all ingested telemetry sources
  • Threat detection — combining behavioral analytics, threat intelligence, and custom detection rules to identify malicious activity
  • Alert triage and investigation — separating true positives from false positives and determining the scope and severity of confirmed threats
  • Active response — containing threats through endpoint isolation, account disablement, firewall rule changes, or other pre-authorized actions
  • Root-cause analysis — determining how the attacker gained access, what they did, and what must be remediated to prevent recurrence
  • Reporting and threat briefings — regular reporting on detection activity, threat trends, and security posture improvements

What distinguishes MDR from other security services is the response element. Detection without response is just an expensive alerting service. The best MDR providers integrate with a company's broader security strategy — feeding findings into security KPI tracking, informing risk assessments, and escalating issues that require executive decision-making to the strategic oversight function.

MDR vs MSSP vs SOC-as-a-service

These three terms are used interchangeably in vendor marketing, but they describe different capabilities with different operating models. Understanding the differences is essential to buying the right service.

Managed Security Service Provider (MSSP)

An MSSP provides broad security operations: log aggregation, alert monitoring, firewall and IDS/IPS management, vulnerability scanning, and compliance reporting. MSSPs typically operate at scale — they manage thousands of customers using shared platforms and tier-1 analysts who triage alerts against known signatures and playbooks.

The MSSP model works well for organizations that need baseline monitoring and compliance documentation but don't face advanced threats. The limitation is depth: MSSPs route alerts to your team for investigation and response. They tell you something happened — they don't tell you what it means or stop it from spreading.

Managed detection and response (MDR)

MDR providers are narrower in scope but significantly deeper in execution. They focus on threat detection and response — combining endpoint, network, cloud, and identity telemetry with human analysts who investigate alerts, hunt for threats proactively, and take containment actions. The analyst-to-customer ratio is lower than an MSSP, which allows for more thorough investigation.

MDR providers typically deploy their own technology stack (or integrate with your existing EDR) and maintain detection engineering teams that write and tune custom detection rules. The deliverable is not an alert — it is a confirmed finding with investigation context, containment status, and remediation guidance.

SOC-as-a-service

SOC-as-a-service is a broader label that can mean anything from a rebranded MSSP to a fully outsourced security operations center that includes detection, response, vulnerability management, and compliance. The term lacks a consistent industry definition, which makes it harder to evaluate.

When a provider uses "SOC-as-a-service," ask specifically what is included: Do they investigate alerts or just forward them? Do they take response actions or require your team to act? Do they provide threat hunting, or only reactive monitoring? The answers will reveal whether the service is closer to MSSP or MDR.

| Capability | MSSP | MDR | SOC-as-a-service |
|---|---|---|---|
| 24/7 monitoring | Yes | Yes | Varies |
| Alert triage | Yes (tier-1, playbook-based) | Yes (deep investigation) | Varies |
| Threat hunting | Rarely | Yes (proactive, human-led) | Sometimes |
| Active response / containment | No (escalates to client) | Yes (pre-authorized actions) | Varies |
| Root-cause analysis | No | Yes | Sometimes |
| Technology provided | Uses your stack | Provides or integrates | Varies |
| Typical cost (mid-market) | $3K–$15K/month | $5K–$25K/month | $8K–$30K/month |

The right choice depends on threat profile, internal capability, and budget. Organizations facing sophisticated adversaries — or those in regulated industries where breach response timelines are measured in hours — typically need MDR. Those that need operational security coverage and compliance reporting may be well-served by an MSSP. Many mid-market companies use both, with an MSSP handling broad monitoring and an MDR provider covering high-value assets and advanced threat detection. A cybersecurity services provider guide can help map the right provider types to your organization's needs.

How managed detection and response works

MDR operates as a continuous cycle of data collection, detection, investigation, response, and improvement. Understanding each stage helps organizations set realistic expectations and evaluate providers against concrete capabilities rather than marketing claims.

Telemetry collection

MDR starts with data. The provider deploys agents on endpoints, sensors on network segments, and API integrations with cloud platforms and identity providers. This telemetry — process execution, network connections, authentication events, file system changes, API calls — feeds the detection engine. The breadth and depth of telemetry directly determine what the provider can detect. Providers that only collect endpoint data will miss lateral movement via cloud APIs. Providers that only collect network metadata will miss fileless attacks that never touch the wire.

Detection engineering

Raw telemetry is processed through multiple detection layers: behavioral analytics that identify deviations from baseline activity, threat-intelligence-driven rules that match known indicators of compromise (IOCs), and custom detection logic written by the provider's detection engineering team. The most capable MDR providers maintain hundreds or thousands of detection rules mapped to the MITRE ATT&CK framework, covering techniques from initial access through data exfiltration.

Detection engineering is the intellectual property of an MDR provider. Ask about detection coverage: How many ATT&CK techniques do they cover? How frequently do they ship new detections? Do they write custom rules for your environment, or rely entirely on generic detections?

Triage and investigation

When a detection fires, a human analyst triages the alert. Tier-1 analysts perform initial classification — determining whether the alert is a true positive, a benign true positive (expected behavior that looks suspicious), or a false positive. Confirmed threats escalate to senior analysts who investigate scope: Which systems are affected? How did the attacker gain access? What data was accessed or exfiltrated? Is the threat still active?

Investigation quality is what separates premium MDR from commodity monitoring. A good investigation produces a timeline of attacker activity, identifies the root cause, and determines the full blast radius — not just the initial alert.

Response and containment

MDR providers take pre-authorized response actions to contain confirmed threats. These actions are defined during onboarding in a response authorization matrix — a document that specifies what the provider can do without calling your team first (isolate an endpoint, disable a compromised account) and what requires approval (shutting down a production server, blocking a business-critical IP).

Response speed matters. The difference between containing a threat in 15 minutes versus four hours can be the difference between a contained incident and a reportable breach. This is why response authorization matrices should be biased toward action — every approval gate adds latency. An incident response plan should define escalation thresholds for the MDR provider alongside internal response procedures.

Reporting and continuous improvement

After every confirmed incident, the MDR provider delivers a post-incident report covering the attack timeline, containment actions taken, root-cause analysis, and remediation recommendations. Monthly or quarterly threat briefings aggregate activity trends, detection metrics (alerts triaged, true positive rate, mean time to detect, mean time to respond), and posture improvements. These reports feed directly into cybersecurity KPI frameworks and board-level reporting.
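As an added example (not the page's own material or any provider's tooling), the following Python computes those monthly detection metrics from a constructed alert ledger and checks containment times against a per-severity MTTR target. It assumes MTTD runs from first telemetry to the provider opening an investigation and MTTR from that point to completed containment; whichever definitions you use, pin them in the SLA so the provider's numbers and yours agree.

```python
from datetime import datetime
from statistics import mean, median

# Constructed monthly alert ledger (not a real provider's data). "telemetry" is
# when the first relevant event arrived, "detected" when an investigation was
# opened, "contained" when the pre-authorized containment action completed.
ALERTS = [
    {"id": "A1", "severity": "high", "disposition": "true_positive",
     "telemetry": "2024-05-02T01:00:00", "detected": "2024-05-02T01:06:00", "contained": "2024-05-02T01:18:00"},
    {"id": "A2", "severity": "high", "disposition": "true_positive",
     "telemetry": "2024-05-05T03:00:00", "detected": "2024-05-05T03:10:00", "contained": "2024-05-05T03:40:00"},
    {"id": "A3", "severity": "medium", "disposition": "true_positive",
     "telemetry": "2024-05-09T14:00:00", "detected": "2024-05-09T14:20:00", "contained": "2024-05-09T17:20:00"},
    {"id": "A4", "severity": "medium", "disposition": "benign_true_positive",
     "telemetry": "2024-05-12T09:00:00", "detected": "2024-05-12T09:04:00", "contained": None},
    {"id": "A5", "severity": "low", "disposition": "false_positive",
     "telemetry": "2024-05-15T11:00:00", "detected": "2024-05-15T11:02:00", "contained": None},
    {"id": "A6", "severity": "low", "disposition": "false_positive",
     "telemetry": "2024-05-20T16:00:00", "detected": "2024-05-20T16:05:00", "contained": None},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def detection_metrics(alerts):
    """Numbers a monthly threat briefing should carry. Assumed definitions:
    TTD = first telemetry -> investigation opened; TTR = investigation opened
    -> containment complete. Mean and median are both reported because one
    slow incident can hide an otherwise fast month inside the mean."""
    tps = [a for a in alerts if a["disposition"] == "true_positive"]
    ttd = [_minutes(a["telemetry"], a["detected"]) for a in tps]
    ttr = [_minutes(a["detected"], a["contained"]) for a in tps if a.get("contained")]
    return {
        "alerts_triaged": len(alerts),
        "true_positives": len(tps),
        "true_positive_rate": round(len(tps) / len(alerts), 3) if alerts else 0.0,
        "mttd_minutes": round(mean(ttd), 1) if ttd else None,
        "median_ttd_minutes": round(median(ttd), 1) if ttd else None,
        "mttr_minutes": round(mean(ttr), 1) if ttr else None,
        "median_ttr_minutes": round(median(ttr), 1) if ttr else None,
    }


def sla_breaches(alerts, mttr_target_minutes):
    """Confirmed incidents that missed the per-severity containment target.
    A confirmed incident with no containment time at all is reported as a
    breach rather than silently dropped from the average."""
    breaches = []
    for a in alerts:
        target = mttr_target_minutes.get(a["severity"])
        if a["disposition"] != "true_positive" or target is None:
            continue
        if not a.get("contained"):
            breaches.append({"id": a["id"], "reason": "no containment recorded"})
            continue
        ttr = _minutes(a["detected"], a["contained"])
        if ttr > target:
            breaches.append({"id": a["id"], "reason": f"TTR {ttr:.0f} min exceeds {target} min target"})
    return breaches


if __name__ == "__main__":
    print(detection_metrics(ALERTS))
    print(sla_breaches(ALERTS, {"high": 15, "medium": 240}))
```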

What managed detection and response covers

MDR coverage has expanded significantly from its endpoint-only origins. Modern providers offer detection and response across four primary domains, though coverage depth varies by provider.

Endpoint detection and response

Endpoints — laptops, desktops, servers — remain the primary attack surface and the most mature MDR coverage area. Endpoint MDR uses agent-based telemetry to detect malicious process execution, credential theft, persistence mechanisms, lateral movement, and data staging. Most MDR providers either deploy their own EDR agent (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) or integrate with the customer's existing deployment.

Network detection and response

Network MDR monitors east-west and north-south traffic for command-and-control communication, lateral movement, data exfiltration, and protocol anomalies that endpoint agents cannot see. This is particularly valuable in environments with unmanaged devices (IoT, OT, BYOD) that cannot run endpoint agents. Network sensors are deployed at key choke points — data center boundaries, cloud VPC peering connections, and internet egress points.

Cloud detection and response

Cloud MDR ingests telemetry from cloud control planes (AWS CloudTrail, Azure Activity Log, GCP Audit Logs), workload runtime environments, and cloud security posture management tools. Detection covers unauthorized API calls, privilege escalation, resource misconfigurations exposed to the internet, cryptomining, and cross-account lateral movement. Cloud-native threats move fast — a compromised IAM key can spin up hundreds of instances in minutes — so cloud MDR requires detection rules purpose-built for cloud-specific attack patterns.

Identity detection and response

Identity-focused MDR monitors authentication and authorization events from identity providers (Entra ID, Okta, Ping), SaaS platforms, and VPN concentrators. Detection covers impossible travel, credential stuffing, MFA fatigue attacks, privilege escalation, and service account abuse. Identity is the connective tissue of most attacks — compromised credentials are the initial access vector in the majority of breaches — so identity telemetry is increasingly considered a baseline requirement for MDR, not an add-on.
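Two of the identity detections named above, impossible travel and MFA fatigue, written out in Python as an added example that is not the page's or any provider's code. The sign-in and MFA-push events are constructed, and the 900 km/h speed ceiling and the three-rejections-in-ten-minutes threshold are assumed tuning values.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data), normalised the way an identity
# provider's audit log usually is: sign-ins carry a geolocation, MFA pushes
# carry the user's response to the prompt.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00", "kind": "signin", "result": "success", "lat": 37.77, "lon": -122.42},
    {"user": "alice", "ts": "2024-05-01T09:40:00", "kind": "signin", "result": "success", "lat": 52.52, "lon": 13.40},
    {"user": "bob", "ts": "2024-05-01T08:00:00", "kind": "signin", "result": "success", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2024-05-01T14:00:00", "kind": "signin", "result": "success", "lat": 34.05, "lon": -118.24},
    {"user": "carol", "ts": "2024-05-01T22:00:00", "kind": "mfa_push", "outcome": "denied"},
    {"user": "carol", "ts": "2024-05-01T22:01:00", "kind": "mfa_push", "outcome": "timeout"},
    {"user": "carol", "ts": "2024-05-01T22:02:30", "kind": "mfa_push", "outcome": "denied"},
    {"user": "carol", "ts": "2024-05-01T22:04:00", "kind": "mfa_push", "outcome": "approved"},
    {"user": "dave", "ts": "2024-05-01T12:00:00", "kind": "mfa_push", "outcome": "denied"},
    {"user": "dave", "ts": "2024-05-01T12:03:00", "kind": "mfa_push", "outcome": "approved"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _by_user(events, kind):
    """Group events of one kind per user, sorted by timestamp."""
    grouped = defaultdict(list)
    for e in events:
        if e["kind"] == kind:
            grouped[e["user"]].append(e)
    for user in grouped:
        grouped[user].sort(key=lambda e: e["ts"])
    return grouped


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins whose implied speed exceeds what a
    commercial flight could manage (assumed ceiling: 900 km/h)."""
    findings = []
    for user, logins in _by_user(events, "signin").items():
        logins = [e for e in logins if e["result"] == "success"]
        for prev, cur in zip(logins, logins[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same-second sign-ins from two places are still impossible travel.
            speed = km / hours if hours > 0 else math.inf
            if km > 0 and speed > max_speed_kmh:
                findings.append({"user": user, "km": round(km),
                                 "speed_kmh": None if math.isinf(speed) else round(speed)})
    return findings


def mfa_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Flag an approved MFA push preceded by at least `min_rejected` denied or
    timed-out pushes inside `window`: the pattern of prompts being spammed
    until the user taps approve. Thresholds are assumed tuning values."""
    findings = []
    for user, pushes in _by_user(events, "mfa_push").items():
        for i, push in enumerate(pushes):
            if push["outcome"] != "approved":
                continue
            approved_at = datetime.fromisoformat(push["ts"])
            rejected = sum(
                1 for earlier in pushes[:i]
                if earlier["outcome"] != "approved"
                and approved_at - datetime.fromisoformat(earlier["ts"]) <= window
            )
            if rejected >= min_rejected:
                findings.append({"user": user, "rejected_before_approval": rejected, "approved_at": push["ts"]})
    return findings
```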

When evaluating coverage, ask the provider for a telemetry source matrix: which data sources they ingest, which detection rules map to each source, and which ATT&CK techniques are covered per domain. A maturity assessment can help determine which coverage domains are most critical for your environment based on current gaps.

Evaluating managed detection and response providers

The MDR market is crowded. Gartner, Forrester, and IDC each track dozens of providers, and the differences between them are not always obvious from marketing materials. The following evaluation framework focuses on the dimensions that actually predict service quality.

Detection coverage and transparency

Ask for the provider's ATT&CK coverage matrix — a mapping of their detection rules to MITRE ATT&CK techniques and sub-techniques. Providers who can produce this are operating with engineering discipline. Providers who can't are running generic detections without tracking coverage. Also ask how many new detections they ship per month and whether they publish a detection changelog.
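An added Python example (not from the page or any vendor) of what a telemetry source matrix and an ATT&CK coverage matrix let you compute together: which claimed techniques actually have a rule that can fire given the sources you ingest, per domain, and which techniques would go dark if a single feed stopped. The rule catalogue, rule IDs, domains and source names are constructed; the technique IDs are real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed rule catalogue (no vendor's real ruleset). Technique IDs are
# genuine MITRE ATT&CK identifiers; rule IDs, domains and source names are
# assumed. A rule can only fire when every source it lists is ingested.
RULES = [
    {"id": "R-001", "technique": "T1059", "domain": "endpoint", "sources": {"edr.process"}},
    {"id": "R-002", "technique": "T1021", "domain": "endpoint", "sources": {"edr.process", "edr.network"}},
    {"id": "R-003", "technique": "T1021", "domain": "network", "sources": {"ndr.flow"}},
    {"id": "R-004", "technique": "T1071", "domain": "network", "sources": {"ndr.flow"}},
    {"id": "R-005", "technique": "T1078", "domain": "cloud", "sources": {"aws.cloudtrail"}},
    {"id": "R-006", "technique": "T1496", "domain": "cloud", "sources": {"aws.cloudtrail", "aws.cloudwatch"}},
    {"id": "R-007", "technique": "T1110", "domain": "identity", "sources": {"idp.signin"}},
    {"id": "R-008", "technique": "T1621", "domain": "identity", "sources": {"idp.mfa"}},
    {"id": "R-009", "technique": "T1078", "domain": "identity", "sources": {"idp.signin"}},
]

# Constructed onboarding state: endpoint, CloudTrail and IdP sign-in feeds are
# connected; no network sensors, no CloudWatch metrics, no MFA event feed yet.
INGESTED = {"edr.process", "edr.network", "aws.cloudtrail", "idp.signin"}


def active_rules(rules, ingested):
    """Rules that can actually fire: every source they need is being ingested."""
    return [r for r in rules if r["sources"] <= ingested]


def coverage_by_domain(rules, ingested):
    """Per domain, the techniques with at least one live rule versus the
    techniques the catalogue claims, so missing telemetry shows up as a gap
    instead of hiding behind the vendor's headline rule count."""
    claimed, live = defaultdict(set), defaultdict(set)
    for r in rules:
        claimed[r["domain"]].add(r["technique"])
    for r in active_rules(rules, ingested):
        live[r["domain"]].add(r["technique"])
    return {d: {"covered": sorted(live[d]), "missing": sorted(claimed[d] - live[d])} for d in claimed}


def single_source_dependencies(rules, ingested):
    """Techniques whose every live rule needs one particular source: if that
    feed breaks (agent removed, log pipeline down) the detection silently
    disappears. Techniques with rules on more than one source are resilient."""
    live = active_rules(rules, ingested)
    techniques = {r["technique"] for r in live}
    out = defaultdict(set)
    for src in sorted(ingested):
        still_detected = {r["technique"] for r in live if src not in r["sources"]}
        for t in techniques - still_detected:
            out[src].add(t)
    return {s: sorted(ts) for s, ts in out.items()}


if __name__ == "__main__":
    for domain, cov in coverage_by_domain(RULES, INGESTED).items():
        print(domain, cov)
    print(single_source_dependencies(RULES, INGESTED))
```

Here T1078 survives the loss of CloudTrail because an identity rule also covers it, while T1021 and T1059 depend entirely on the endpoint agent feed.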

Analyst staffing model

The analyst-to-customer ratio determines investigation depth. Ask how many customers each analyst supports. Ratios above 1:80 typically mean analysts are triaging alerts by playbook, not investigating them. Ask whether you get a named analyst or team familiar with your environment, or whether alerts rotate through a global pool. Named teams produce better outcomes because they develop institutional knowledge of your normal baseline.

Response capability

Confirm what response actions the provider can take and how quickly. Some MDR providers stop at "detect and advise" — they tell you what happened and recommend actions, but your team must execute the containment. Others provide full response: endpoint isolation, account lockout, firewall rule insertion, and cloud resource quarantine. Full response is more valuable, but it requires a well-defined authorization matrix and trust in the provider's judgment.

Technology stack

Determine whether the provider requires you to deploy their technology or integrates with your existing stack. Providers with proprietary-only stacks create lock-in — switching providers means ripping out and replacing agents across your fleet. Providers who integrate with multiple EDR platforms offer more flexibility but may have shallower integration with each. Neither approach is universally better; the right choice depends on whether you have existing investments.

Reporting and metrics

Request sample reports. Evaluate them for actionability: Do incident reports provide enough context for your team to remediate? Do monthly reports include metrics you can present to your board? Are KPIs defined and tracked over time? Reporting quality is a reliable proxy for service quality — providers who invest in clear, actionable reporting tend to invest similarly in their detection and response operations.

Red flags

  • No ATT&CK coverage mapping or detection engineering transparency
  • Refusal to share analyst-to-customer ratios or SOC staffing details
  • "Unlimited" response with no defined authorization framework
  • No post-incident reports or root-cause analysis — just ticket closures
  • Pricing that seems too low — it usually means shallow triage, not deep investigation
  • Multi-year contracts with no performance-based exit clauses

Managed detection and response costs and pricing models

MDR pricing is less standardized than MSSP pricing, which makes comparison difficult. Understanding the common pricing models and cost drivers helps organizations budget accurately and avoid hidden costs.

Common pricing models

  • Per-endpoint per-month: $15 to $50 per endpoint/month, the most common model. Includes endpoint agent, monitoring, and response. Cloud and network coverage may be priced separately.
  • Flat monthly retainer: $5,000 to $25,000/month depending on environment size and scope. Simpler to budget but harder to scale — adding endpoints or cloud workloads may trigger pricing tier jumps.
  • Per-user per-month: $25 to $75/user/month, increasingly common for identity-focused MDR. Covers all endpoints and identities associated with each user.
  • Consumption-based: Priced on telemetry volume (GB ingested per day). Least predictable — data volumes spike during incidents, which is exactly when you can't afford surprises.

Cost drivers

Beyond the base pricing model, several factors influence total MDR cost:

  • Endpoint count: The primary scaling variable. More endpoints mean more agents, more telemetry, and more analyst time.
  • Cloud workload count: Cloud VMs, containers, and serverless functions each generate telemetry that requires monitoring and detection rules.
  • Response depth: "Detect and advise" is cheaper than full response. Full response includes containment actions, which require higher-skilled analysts and tighter SLAs.
  • SLA commitments: Guaranteed MTTD and MTTR targets command premium pricing. A 15-minute MTTR SLA costs more than a 4-hour one.
  • EDR licensing: Some MDR providers include EDR licensing in their price. Others require you to purchase it separately. Confirm which model applies — EDR licensing can add $5 to $20 per endpoint/month.
  • Onboarding and tuning: Most providers charge a one-time onboarding fee ($5,000 to $25,000) covering agent deployment, baseline establishment, and initial detection tuning.

What mid-market companies should expect

For a mid-market organization with 200 to 1,000 endpoints, two to three cloud environments, and a standard identity stack, expect total MDR costs of $8,000 to $30,000 per month — inclusive of endpoint coverage, cloud monitoring, and full response capability. Budget an additional $10,000 to $25,000 for initial onboarding. Annual cost: $100,000 to $385,000.

Compare this to building an in-house SOC, which requires eight to twelve analysts (at $90,000 to $150,000 each) plus a SIEM/SOAR platform ($100,000 to $500,000/year), plus detection engineering headcount. Fully loaded, an in-house SOC costs $1.5 million to $3 million per year — making MDR the more cost-effective option for most organizations below 5,000 employees.

When to build in-house vs buy managed detection and response

The build-versus-buy decision for detection and response capability depends on three variables: headcount, threat sophistication, and organizational maturity.

Buy MDR when:

  • Your security team has fewer than five full-time staff — you cannot sustain 24/7 coverage with a team this size, and gaps in coverage are gaps in detection
  • You lack detection engineering expertise — writing, tuning, and maintaining detection rules is a specialized discipline that most security teams don't have
  • You need 24/7 response capability but can't justify the cost of a fully staffed SOC
  • Your compliance requirements mandate continuous monitoring and documented incident response, and you need to demonstrate this capability to auditors, board members, or investors during maturity assessments
  • You're a growth-stage company scaling faster than your security team can hire — MDR provides immediate coverage while you build internal capability over time

Build in-house when:

  • Your organization has more than 5,000 endpoints and the budget to sustain 8+ analysts — at this scale, in-house may be more cost-effective
  • You operate in a sector with unique threat profiles (defense industrial base, critical infrastructure) where generic MDR detection rules are insufficient
  • Your regulatory environment requires that security operations be performed by employees, not contractors — some government and financial sector mandates restrict outsourcing
  • You have mature detection engineering capability and want full control over detection logic, response procedures, and telemetry

The hybrid model

Most organizations don't make a binary choice. The hybrid model uses MDR for 24/7 baseline coverage — after-hours monitoring, weekend and holiday coverage, and surge capacity during incidents — while an internal security team handles daytime operations, threat hunting on high-priority assets, and strategic integration of detection findings into the broader risk management program. This model scales well for mid-market companies as they grow: the MDR provider handles operational coverage while the internal team matures.

Where managed detection and response fits in your security program

MDR is a capability, not a strategy. It provides detection and response — one layer of a security program that also requires governance, risk management, compliance, vulnerability management, identity and access management, and strategic leadership. Buying MDR without the surrounding program is like buying a fire alarm without a fire escape plan.

The most effective MDR deployments are overseen by a CISO — full-time or fractional — who sets the risk context the MDR provider operates within. The CISO defines which assets are critical, which threats are most relevant, what response authorities the provider has, and how detection findings feed into board reporting and risk quantification. Without this strategic layer, MDR providers operate in a vacuum — detecting threats without understanding which ones matter most to the business.

Integration points between MDR and the broader security program include:

  • Risk assessment: MDR detection findings inform risk assessments by providing empirical data on actual threats facing the organization — not theoretical risks from a framework checklist
  • Incident response: The MDR provider's response actions should align with the organization's incident response plan, with defined escalation paths for incidents that exceed the provider's authority
  • Compliance: MDR logs, reports, and response documentation support compliance requirements for continuous monitoring (SOC 2 CC7.2, ISO 27001 A.12.4, NIST CSF DE.CM)
  • Board reporting: Monthly MDR metrics — threats detected, incidents contained, MTTD/MTTR trends — are core inputs to board-level security KPIs
  • Vendor management: The MDR provider is a critical vendor that requires oversight, performance review, and contractual management — typically owned by the CISO or strategic oversight function

Managed detection and response works best as the operational engine of a program led by strategic security leadership. The MDR provider handles the around-the-clock detection and response work. The CISO — whether full-time or through a strategic oversight engagement — ensures that work is directed toward the organization's actual risk priorities, that the provider is held accountable to defined outcomes, and that detection and response findings are translated into the business-level risk language the board needs to make informed decisions.


Written by Nick Shevelyov, former Chief Security Officer at Silicon Valley Bank and founder of vCSO.ai.

Questions & answers

What is the difference between MDR and an MSSP?

An MSSP provides broad security operations — log management, alert monitoring, firewall administration, and vulnerability scanning — typically at higher volume and lower depth. An MDR provider is narrower and deeper: it combines endpoint, network, or cloud telemetry with human threat hunters who investigate anomalies, contain threats, and deliver root-cause analysis. MSSPs manage your tools. MDR providers hunt for what your tools missed. Many organizations use both: an MSSP for operational coverage and an MDR provider for advanced detection and response.

How much does managed detection and response cost?

MDR pricing typically falls between $15 and $50 per endpoint per month, which works out to roughly $5,000 to $25,000 per month for a mid-market organization with 200 to 1,000 endpoints. Cost drivers include endpoint count, the number of cloud workloads and network sensors, whether the provider handles full response or stops at detection, and SLA commitments like mean time to respond. Some vendors bundle EDR licensing in the price; others charge it separately.

What is the difference between MDR and EDR?

EDR (Endpoint Detection and Response) is a technology category — software deployed on endpoints to collect telemetry, detect suspicious behavior, and enable investigation. MDR is a service that wraps human expertise around detection technology. An EDR tool generates alerts; an MDR provider triages those alerts, investigates true positives, contains threats, and delivers actionable reports. Organizations that buy EDR without MDR need internal security analysts to operate it — otherwise alerts go uninvestigated.

Can MDR replace an in-house SOC?

For most mid-market companies, yes — MDR provides the detection and response capability that a SOC delivers, without the cost of hiring, training, and retaining 8 to 12 analysts to staff a 24/7 operation. MDR does not replace the need for strategic security leadership, however. Someone still needs to set risk priorities, report to the board, manage the MDR vendor, and integrate detection findings into the broader security program. That role belongs to the CISO — full-time or fractional.

What should be included in an MDR service-level agreement?

Five elements are non-negotiable: (1) mean time to detect (MTTD) — how quickly the provider identifies a real threat after telemetry arrives; (2) mean time to respond (MTTR) — how quickly they contain it; (3) escalation procedures and severity definitions; (4) reporting cadence and format, including monthly threat briefings and incident post-mortems; (5) data retention and access — you must own your telemetry and be able to export it without penalty if you change providers.

How long does it take to deploy an MDR service?

Typical deployment takes two to six weeks. The first week covers scoping, agent deployment planning, and network sensor placement. Weeks two through four involve rolling out endpoint agents, integrating cloud and identity telemetry, and tuning detection rules to suppress known benign activity. The final one to two weeks are a monitored burn-in period where the provider validates alert fidelity before moving to full production. Providers who promise "same-day protection" are usually deploying default detection rules without tuning — expect a high false-positive rate.

Does MDR cover cloud workloads and SaaS applications?

Modern MDR providers have expanded beyond endpoints to cover cloud workloads (AWS, Azure, GCP), identity providers (Entra ID, Okta), SaaS platforms (Microsoft 365, Google Workspace), and network traffic. The coverage depends on the provider. When evaluating, confirm which telemetry sources are included, which require additional licensing, and whether the provider has documented detection coverage for your specific cloud environment — not just a generic "cloud monitoring" claim.
