Skip to content
← All articles

What Is MDR (Managed Detection and Response)?

Managed Detection and Response (MDR) is an outsourced cybersecurity service in which an external provider delivers 24/7 threat detection, investigation, and active response across endpoints, networks, and cloud. MDR combines EDR, XDR, and SIEM technology with human SOC analysts, going beyond alerts to contain and remediate threats on the customer's behalf.

The defining word in the acronym is Response. It is what separates MDR from classic monitoring services: the provider does not merely send a notification that "something happened" — it isolates the infected host, disables the attacker's account, or rolls back malicious changes. Per Gartner, MDR services deliver remotely provided modern security operations center (SOC) functions that let customers rapidly detect, analyze, investigate, and actively respond through threat mitigation and containment.

How MDR works

MDR is built around a continuous loop: collect data → detect → investigate → respond → learn. The provider deploys a set of sensors at the customer — EDR agents on endpoints, network probes, cloud and log connectors — and streams that telemetry into its own analytics platform. Three pillars then do the work: technology, process, and people.

Telemetry collection and normalization

The first layer is data. An MDR platform collects process events, network connections, authentications, and registry and file-system changes. The broader the sensor coverage, the fewer blind spots an attacker can exploit. Many providers use EDR as the foundation and extend it to XDR by adding network, email, and cloud context.

Detection and correlation

Collected events are matched against detection rules, indicators of compromise, and behavioral models. Mature MDR teams map their detections to MITRE ATT&CK — the open knowledge base of adversary tactics and techniques — to measure coverage and expose gaps. Machine learning helps cut noise and surface anomalies, but the final call almost always stays with a human analyst.

Investigation and triage

When a detection fires, a SOC analyst performs triage: separating false positives from real threats, reconstructing the chain of events, and scoping the impact. Here the provider leans on the incident response methodology described in NIST SP 800-61 (Computer Security Incident Handling Guide): preparation; detection and analysis; containment, eradication, and recovery; and post-incident lessons learned.

Response

Once a threat is confirmed, MDR executes containment actions. The scope of authority is fixed in the contract: from "full managed response" (the provider isolates hosts and disables accounts itself) to "response with approval" (actions are taken only after the customer signs off). A good practice is to pre-define playbooks for common incidents: ransomware, business email compromise, and credential theft.

MDR vs MSSP

MDR and MSSP (Managed Security Service Provider) are often confused, but they are different models. An MSSP historically manages security tooling — firewalls, antivirus, VPN, SIEM — and forwards event alerts. The MSSP is responsible for the availability and configuration of the tools, but deep investigation and response usually stay with the customer. MDR, by contrast, sells an outcome: threats detected and stopped, not boxes managed.

Put simply: an MSSP answers "are our security controls working?" while MDR answers "are we being attacked right now, and what do we do about it?" Many MSSPs now bolt on an MDR module, and MDR providers expand into managed services, so the line is blurring. We break down all three models in a dedicated piece, MDR vs MSSP vs SOC.

CriterionMDRMSSPIn-house SOC
Core valueDetection and response as an outcomeManagement of security toolingFull control inside the company
Incident responseActive, often on the customer's behalfLimited, mostly alertingFull, by in-house staff
Operating hours24/724/7Depends on budget and staffing
TechnologyProvider's EDR/XDR + SIEMCustomer or provider toolsOwned stack
Time to launchWeeksWeeks–monthsMonths–years
Cost of entryModerate, subscriptionModerate–highVery high (CapEx + people)

MDR vs EDR

This is a comparison of a service and a technology, not two competitors. EDR (Endpoint Detection and Response) is a software product: an agent on endpoints that collects telemetry, detects suspicious behavior, and provides response tooling. But EDR does not run itself — someone has to tune the rules, work the alerts, and make decisions at three in the morning.

MDR is a service that often uses EDR (or XDR) as one of its data sources and adds the thing the product lacks: a round-the-clock team of experts, triage processes, and the readiness to respond. A company can buy the best EDR on the market, but without people it becomes a generator of unread alerts. MDR closes exactly that gap between tool and outcome. For more on the technology itself, see our article on EDR.

What's included in an MDR service

The exact scope varies by provider, but a mature MDR offering typically includes the following components:

  • 24/7/365 monitoring — continuous observation of endpoints, network, cloud, and identities.
  • Managed threat detection — detection rules maintained and updated by the provider and mapped to MITRE ATT&CK.
  • Proactive threat hunting — hypotheses and manual searches for attacker traces that automated rules missed.
  • Incident investigation and triage — filtering out false positives and reconstructing the full attack picture.
  • Active response — host isolation, account lockout, and artifact removal per agreed playbooks.
  • Threat intelligence integration — enriching detections with adversary data. See also our article on threat intelligence.
  • Reporting and post-incident review — regular reports, MTTD/MTTR metrics, and hardening recommendations.

It is essential to clarify the boundaries of responsibility: which actions the provider performs automatically, which require approval, and which stay entirely with the customer. These terms are codified in the SLA — the service level agreement.

Who needs MDR

MDR is most valuable where threats are serious but in-house expertise or headcount falls short. Typical candidates:

  • Mid-market companies without their own SOC — building an internal 24/7 monitoring center is expensive and slow; MDR delivers mature capabilities as a subscription.
  • Fast-growing organizations — when infrastructure and attack surface grow faster than the security team.
  • Teams facing a skills shortage — experienced SOC analysts are chronically scarce and hard to retain.
  • Companies in regulated industries — finance, healthcare, and retail, where detection and response requirements are high.
  • Mature SOCs that need 24/7 coverage — MDR covers nights, weekends, and holidays, or owns specific workstreams.

To understand how a monitoring center is structured and whether to build or outsource it, it helps to read our article on what a SOC is.

How much does MDR cost

We deliberately avoid quoting specific figures: prices depend heavily on market, scale, and model, and any "average" number ages quickly. What matters instead is understanding what drives MDR cost and what to look for when comparing offers.

Pricing is most often tied to the size of the protected environment: the number of endpoints, users, or the volume of processed data (events, GB of logs). Cost is further shaped by the depth of response (alerting only versus full managed response), coverage (endpoints only versus full XDR across network, cloud, email, and identity), guaranteed SLAs for detection and response time, and whether threat hunting and threat intelligence are bundled in.

When assessing TCO (total cost of ownership), compare MDR not with the price of a single tool but with the cost of running your own SOC: analyst salaries and retention, SIEM/EDR licensing, 24/7 staffing, and time to reach an operational level. Very often that arithmetic is what makes MDR economically justified for the mid-market.

Key questions to ask a provider before signing: exactly which response actions do you take, and on whose authority? What are the measurable SLAs for MTTD and MTTR? How do you map coverage to MITRE ATT&CK? How does onboarding work, and who owns the telemetry data after the contract ends?

FAQ

How is MDR different from antivirus?

Antivirus (and even a modern EPP) is a preventive technology that tries to block known malware on a device. MDR is a managed service that assumes some attacks will slip past preventive controls and provides detection, investigation, and response by a team of experts 24/7.

Does MDR replace an internal security team?

Usually not. MDR augments and complements the internal team by taking over round-the-clock monitoring and first-line triage. Strategy, risk management, compliance, and business alignment remain in-house. MDR is a shared-responsibility model, not a full handoff of security.

What are MTTD and MTTR in the context of MDR?

MTTD (Mean Time To Detect) is the average time to detect a threat; MTTR (Mean Time To Respond) is the average time to respond. These are the key MDR effectiveness metrics: the lower they are, the smaller the attacker's window of opportunity. Insist that SLA targets for these metrics are written into the contract.

How does MDR use MITRE ATT&CK?

MITRE ATT&CK is an open base of adversary tactics and techniques. Mature MDR providers map their detection rules to this matrix to objectively measure coverage, show the customer which techniques they are protected against, and systematically close detection gaps.

How quickly can MDR be deployed?

Deployment typically takes weeks rather than months: the provider installs or connects sensors, configures integrations and rules, and agrees on response playbooks. This is markedly faster than building your own SOC from scratch, where the path to a mature 24/7 operation is measured in months and years.

What should I verify in an MDR provider's SLA?

Check measurable MTTD/MTTR guarantees, a clear split of response actions (what is automatic versus what needs approval), 24/7/365 operating hours, coverage of environments (endpoints, network, cloud, identity), and the terms for data ownership and contract exit.

Check your website right now

Check your site's security →
More articles: Security
Security
Prevent XSS Attacks: Escaping, CSP and Trusted Types
15.04.2026 · 123 views
Security
API Security: Best Practices for Protection
11.03.2026 · 165 views
Security
Clickjacking Prevention: X-Frame-Options vs frame-ancestors
15.04.2026 · 189 views
Security
Security Headers: The Complete Guide
14.03.2026 · 184 views