beazley.security
©2025 Beazley Security. All rights reserved
Everything You Should Know About MDR
A complete guide to Managed Detection and Response functions, trends, shortcomings, and more
The Why Behind Detection and Response
Cybersecurity is fundamentally a protective discipline. Ideally, all malicious or dangerous activity would be prevented at its source. In practice, this is impossible.
Consider the NIST Cybersecurity Framework (CSF) 2.0 Core Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Fully half of them (Detect, Respond, and Recover) apply after protective measures have failed. Threats continually evolve to bypass security controls, and human error gives attackers opportunities to reach privileged systems and assets. Even the best cybersecurity program therefore cannot rely exclusively on protection, which is why Security Operations Centers (SOCs) and Incident Response (IR) teams sit at the heart of cybersecurity.
Detection and response capabilities:
Pick up where protective security controls end
Identify, analyze, contain, and remediate threats
Minimize harm from threats
Feed into recovery efforts where necessary
Lessons learned from detection and response should feed back into the wider security program to help prevent similar threats in the future. Through this circular process, organizations grow more secure and learn to allocate cybersecurity resources effectively.
In-House or Outsource?
The need for detection and response is unavoidable, but its form can vary.
Very large organizations often build and maintain these capabilities in-house. While this is expensive and difficult, it can be worth the investment for organizations with sufficiently large and complex IT environments, specialized requirements, and the capacity to hire and retain the necessary expertise. Most organizations, however, lack the resources or the inclination to invest so heavily in a function outside their core competencies, given the logistics of building an effective function and the staff needed to run it around the clock. It is for these organizations that Managed Detection and Response (MDR) exists.
There’s No Detection or Response Without Monitoring
You may notice that monitoring isn’t prominently featured in the NIST Core Functions. That’s because monitoring isn’t an outcome. Despite this, it is a fundamental requirement: without it, the Detect, Respond, and Recover Functions are impossible. All detection and response functions must be built on top of a comprehensive and continuous monitoring capability that covers the entire IT environment. This means monitoring data from all tools and systems, including endpoints, networks, identities, email systems, cloud services, applications, and containers.
Defining Managed Detection and Response (MDR)
The term Managed Detection and Response (MDR) has been used and abused to sell a wide range of services, from technology offerings with minimal human intervention to fully outsourced SOCs. However, MDR does mean something specific — even if it’s frequently misused.
According to Gartner, MDR “provides customers with remotely delivered security operations center (SOC) functions”. This is not a precise definition, which may explain why the term has been so misused. A closer reading of recent Gartner reports, however, shows that, while there is wiggle room, certain criteria must be met for an offering to truly constitute MDR.
At a minimum, MDR must include:
Continuous monitoring that covers all endpoints, networks, identities, cloud instances, applications, containers, and so on.
Rapid threat detection to uncover malicious or dangerous activity within the client’s environment.
Investigation and analysis to understand the extent of discovered threats and determine the best course of action.
Containment of threats to prevent further spread and harm.
Response actions to eliminate all traces of the threat and enable the client to return to normal operations.
All of this must be delivered remotely, and threats must be identified, investigated, contained, and remediated rapidly to minimize harm to the client’s IT systems and resources. MDR offerings invariably use technologies such as Endpoint Detection and Response (EDR), but the heart of true MDR is a fully staffed and experienced Security Operations Center (SOC). Technology-centric offerings are often sold as “MDR,” but they do not meet these criteria. Note: MDR offerings frequently include additional services such as threat hunting and Cyber Threat Intelligence (CTI). These are value-added services rather than core MDR functions.
Three Models for Detection and Response
There is no definitive “best” way to implement detection and response. It comes down to each organization’s circumstances and needs.
Build an Internal SOC or IR Function
Building an internal SOC or IR function gives total control over all tooling, processes, and resources. Large organizations generally favor this, as they have the economies of scale to fund and staff a detection and response capability that includes all necessary skills and experience and is tailored to their IT environment and threats. The drawback is cost. Often, organizations cannot sustain a 24/7/365 function, leaving them exposed to attacks outside office hours. Since many attacks are launched out of hours (at night, over the weekend, and on public holidays), this poses an unacceptable risk.
Benefits
Fully bespoke and customized to need
Potentially highly effective for risk reduction
Potential for full integration and data ingestion
Challenges
Usually more expensive than outsourcing
May not be feasible 24/7/365
No “second set of eyes” to validate effectiveness
Outsource to an MDR Provider
Since most organizations can’t afford to (or choose not to) build in-house, outsourcing to an MDR provider is common. Gartner estimates that in 2025, 50% of organizations will use MDR services. Outsourcing offers several benefits: MDR is generally delivered 24/7/365, includes most (if not all) of the technology required, and costs far less than building in-house. Some MDR providers can deliver a full solution using the client’s existing technology stack.
Benefits
Generally delivered 24/7/365
Usually more cost-effective than building in-house
Access to a fully equipped and staffed SOC
May come with provided technology (e.g., EDR)
Full detection and response life cycle expertise
Full integration and data ingestion (some providers)
The most hands-off option
Challenges
Some pricing models disincentivize full coverage
Data may be “held hostage” (lost if switching away)
Deep threat analysis is usually not provided
Some providers can’t respond on the client’s behalf
Often a “black box” service that is opaque to clients
Technology-first solutions often mislabeled as MDR
There are potential pitfalls, however. Some MDR providers structure their pricing and delivery in ways that do not serve the client, for example:
“Black box” services that provide little insight into what the provider is doing.
“Nickel-and-dime” pricing models that disincentivize full coverage and data ingestion.
Limited threat analysis that misses deeper indicators and threat trends.
All of this can be avoided by choosing the right provider for your needs, but these risks should be weighed when evaluating vendors.
How Pricing Can Disincentivize Full Coverage (and Why It Matters)
Many MDR providers use “nickel-and-dime” pricing models where clients pay extra for integrations, data volume, and storage. Since clients want to keep costs down, they frequently opt to minimize the sources and quantity of data their provider ingests. This is a problem for two reasons:
1. MDR should include detailed analysis of incidents and threat patterns, but this is only possible if the provider has access to all relevant telemetry. Lacking that data means potentially missing the underlying cause of attacks, making it impossible to draw conclusions and harden protective controls.
2. Lack of access to critical data sources can mean missing threats altogether until they have already gained a foothold, by which time some degree of harm is inevitable.
Hybrid MDR
Many offerings sold as MDR are really a “hybrid MDR”, where duties are shared between the provider and the client. Several forms of hybrid MDR exist and may suit some organizations. The most common is where the provider handles monitoring, detection, and analysis, and delivers response recommendations to the client as a ticket. At Beazley Security, we call this “small R” response: the provider supplies guidance on containing and remediating incidents, and the client completes the response actions itself.
Note: This was the dominant form of MDR until recently. Many organizations saw allowing providers to take action inside their environment as an unacceptable risk. They preferred to respond themselves, accepting the alternative risk that the inevitable time delay might lead to additional harm. Client preferences have changed radically, and most now prefer to allow MDR providers to respond on their behalf.
Other variants of hybrid MDR include:
Co-Managed Security Monitoring
These technology-led offerings are usually provided by EDR vendors or system integrators. Typically, they are the lowest-cost MDR-style offerings and provide the least human expertise. As a result, clients need more internal staffing and expertise to make this approach work, and must take response actions internally.
SOC-as-a-Service (SOCaaS)
While briefly popular a few years ago, SOCaaS has largely been overtaken by modern MDR. SOCaaS is a managed monitoring and advice service, often with consultancy and staff augmentation components. These offerings are often heavily customized, may include dedicated staff and technology, and come with a high price tag. SOCaaS providers generally do not have access to respond directly.
Benefits
May fit the client’s use case
Potentially the lowest cost option
No two-way access to the client’s environment
Challenges
Increased risk of gaps and human error
Requires significant in-house expertise
Risk of time delay in responding to threats
Additional risk for “out of hours” attacks
How MDR is Changing To Reflect Client Needs
Building an internal SOC is not feasible for most organizations. Hybrid MDR fits some use cases, but falls short of the full value proposition. That is why organizations are increasingly opting for MDR.
Still, several aspects of MDR have left clients wanting more, and some corners of the market are responding. In its MDR Market Guide, Gartner highlights some significant evolutions organizations should consider when choosing a provider.
Trend 1: Proactivity
While detection and response are reactive, they can and should support proactive security. Gartner states: “Increasingly, MDR buyers are asking providers to extend their requirements beyond the detection of and response to threats to include the proactive identification of threat exposures and preemptive security responses.” There are several opportunities for MDR providers to be more proactive, including:
Preemptive identification of threats before they gain a foothold and become an incident or breach. This could take the form of hypothesis-driven threat hunting.
Identification of threat trends and guidance to support and enhance protective controls. By analyzing past incidents, MDR providers can help clients understand their threat profile and take action to manage threats.
Assessment of security controls and configuration, which enables MDR providers to advise clients on changes and additions that will meaningfully reduce risk.
Trend 2: “Big R” Response
Gartner highlights the importance of MDR providers that can “remotely initiate measures for active containment or disruption of a threat”.
Until recently, customers had little desire for MDR providers to act directly inside their environment. However, the prevalence of ransomware and other destructive attacks, many of which occur outside business hours, has led to a change in preference. The reason is simple: speed of response can dramatically reduce the impact of serious incidents.
If a provider can only create a ticket for the client’s internal team to action, the same response could take hours, or even days if an attack occurs over the weekend. An MDR provider acting directly within the client’s environment can contain and remediate an attack within minutes.
Trend 3: Going Beyond the Endpoint
The MDR market has historically been closely tied to Endpoint Detection and Response (EDR) tools. Gartner rightly criticizes offerings that are merely managed EDR tools, which it calls “misnamed technology-first offerings that fail to deliver human-driven MDR services”.
Another undesirable artifact of dependence on EDR was an unhealthy focus on threats affecting endpoints, to the exclusion of other asset classes. As EDR has evolved into XDR (eXtended Detection and Response), organizations have sensibly looked for MDR providers that can monitor and detect threats across a much broader range of assets and systems.
MDR providers should monitor the client’s entire environment, including endpoints, email, identities, cloud instances, containers, IoT/OT, edge devices, and SaaS applications such as Microsoft 365.
Trend 4: Expansion into Security Operations
This is another way MDR providers can support clients with increasingly proactive security measures. It falls mainly into two categories:
Continuous Threat Exposure Management (CTEM) and Attack Surface Management (ASM)
Many organizations struggle to understand their attack surface in real time, which seriously hinders monitoring, detection, and response. If an organization is unaware of assets and systems, it cannot monitor them, creating risk. Gartner believes MDR will increasingly include CTEM and ASM to ensure coverage of the client’s full environment and enable effective monitoring, detection, and response.
Going beyond traditional vulnerability analysis
Basic incident analysis is essential for MDR providers to understand what has happened and how to contain and prevent any harmful effects. A deeper analysis can help them understand why an incident occurred and recommend ways to prevent similar issues in the future. MDR providers can uncover valuable insights into a client’s risk profile through deeper incident analysis (e.g., using digital forensics) and hypothesis-driven threat hunting. In turn, they can recommend proactive risk management strategies and security controls appropriate to the client. Note that deeper analysis often requires tracking activity across multiple log sources, so MDR providers must have access to logs from all relevant tools and systems.
Trend 5: Data Management and Transparency
This trend is based on our experience, client interactions, and industry observations. Several negative practices related to data and transparency harm the value clients receive from MDR offerings, including:
Black box services
MDR offerings are often opaque, meaning organizations have little visibility into the actions and analyses taken on their behalf. For example, a provider may determine that an incident is a false positive and take no action, but provide no rationale. This makes it impossible for the client to know whether appropriate investigations have occurred or to spot-check past activity.
Exorbitant data storage costs
In addition to pricing structures that disincentivize full coverage, some providers charge far too much for data storage beyond a minimum term. This leads clients to opt for the minimum storage period, severely limiting how much trend analysis the provider can conduct and reducing value for the client.
Holding client data hostage
Data co-management should be a feature of all MDR offerings. Clients should always have access to review and analyze data held on their behalf. However, some providers do not allow the client access, and others even delete data if a client leaves, with no option for the data to be transferred to a client-owned system or another provider.
MDR Capabilities
11 Capabilities You Should Expect from MDR
Discover the 11 essential components to look for when choosing an MDR provider.
1. Modern tooling
MDR solutions must be built around the right tooling (e.g., EDR, XDR) for your needs, whether from your existing technology stack or sold as part of the offering.
2. Complete coverage
The offering must integrate with all relevant tools, systems, and logs in your IT environment. Data should be retained for long enough to enable trend analysis.
3. Co-managed data
Both the provider and your internal team must have access to all data stored and used for detection and response.
4. Simple pricing that incentivizes full coverage
“Nickel-and-dime” pricing models (e.g., based on data volume or integrations) are a warning sign. A flat price is ideal.
5. “Big R” Response
For most clients, providers must be able to contain and remediate threats directly to prevent harm from ransomware and other destructive attacks.
6. Rapid containment and remediation
Speed is crucial for harm reduction. Look for a provider that can demonstrate a track record of rapid response.
7. Detailed investigation
MDR providers should routinely conduct detailed analyses of incidents (individually and as a group) to identify learning points and recommend improvements.
8. Transparency
You should have complete visibility of all actions taken on your behalf and their rationale. This enables spot-checking and allows you to conduct additional analyses.
9. Fast onboarding
MDR is often bought in response to a serious incident, but even when that is not the case, MDR providers should be able to onboard new clients promptly.
10. Recovery capabilities
When the worst happens, your MDR provider should go beyond response to help your organization fully recover and return to normal operations.
11. Value-added services
Hypothesis-driven threat hunting, forensic analysis, BAS, and other consultancy-style services should be available as part of the offering or as additional services.
The MDR Life Cycle as It Should Be
Not all offerings are equal. “MDR” has been used (and misused) to describe a wide range of offerings, many of which are not fit for purpose. When choosing a provider, make sure you understand precisely what you are getting. To maximize risk reduction, choose an MDR provider that covers the entire life cycle, conducts deeper analyses, and recommends ways to improve your wider security program.
The table below shows the full detection and response life cycle, with a worked example of ransomware on an endpoint, and highlights which steps are covered by different levels of MDR. Following the definitions earlier in this guide: “small R” MDR performs steps 1 and 2 and hands steps 3 and 4 to the client as recommendations; standard MDR covers steps 1 through 4; full MDR covers all eight steps.
Life cycle step: Example
1. Detect suspicious activity: Alert received or activity detected via threat hunting
2. Analyze to determine the issue and next steps: Identify ransomware on an endpoint, escalate to incident, and create a ticket
3. Contain threat: Isolate endpoint to prevent spread of infection
4. Remediate threat: Reimage endpoint to remove infection and restore functionality
5. Deeper investigation to identify cause: Review and cross-reference relevant logs
6. Identify learning points: Infection occurred because a user downloaded a Microsoft Office file containing a malicious macro
7. Determine actions to prevent future incidents: Consider turning off macros by default in Office 365
8. Implement actions: Alert client to the risk posed by malicious macros and suggest changing Office 365 settings
Identifying Deeper Trends
Detection and response shouldn’t end with per-incident analysis. MDR providers should analyze past incidents to uncover broader trends and identify the highest-value actions to reduce risk. For instance, a single incident caused by malicious macros may not warrant action. However, if multiple incidents have the same cause over time, turning off macros by default may be a priority.
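As an added example (not code from this guide or from Beazley Security), the following Python script walks the analysis half of the life cycle over constructed telemetry. It detects an Office process spawning a script host in EDR-style process events, cross-references that event with an email-gateway delivery log to attribute the root cause (the "review and cross-reference relevant logs" step, and the point made earlier that deeper analysis needs access to multiple log sources), and then rolls root causes up across incidents so that a control such as turning off macros is recommended only once the cause recurs. Every record is constructed, and the field names, process lists, file extensions, and 30-minute correlation window are assumptions for illustration rather than any vendor's schema.

```python
"""Cross-source incident analysis and trend roll-up.

Added example; not code from the guide or from Beazley Security. Every
record below is constructed for illustration, and the field names (ts,
host, user, parent, child, recipient, attachment) are assumptions rather
than any vendor's schema.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed process names: Office hosts that should rarely launch a shell,
# and the script hosts a malicious macro typically spawns.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")

# Constructed EDR process-creation events.
EDR_EVENTS = [
    {"ts": "2025-03-03T09:14:02", "host": "WS-0142", "user": "jdoe",
     "parent": "WINWORD.EXE", "child": "powershell.exe"},
    {"ts": "2025-03-03T09:14:40", "host": "WS-0142", "user": "jdoe",
     "parent": "powershell.exe", "child": "ransom.exe"},
    {"ts": "2025-03-03T10:02:15", "host": "WS-0077", "user": "asmith",
     "parent": "explorer.exe", "child": "powershell.exe"},
]

# Constructed email-gateway delivery log.
EMAIL_LOG = [
    {"ts": "2025-03-03T09:05:11", "recipient": "jdoe",
     "attachment": "Invoice_4471.docm"},
    {"ts": "2025-03-03T09:50:00", "recipient": "asmith",
     "attachment": "agenda.pdf"},
]

# Learning point -> the control the guide's worked example suggests.
RECOMMENDATIONS = {
    "malicious_office_macro": "Turn off macros by default in Office 365",
}


def _ts(value):
    return datetime.fromisoformat(value)


def office_spawned_script_hosts(events):
    """Steps 1-2: flag EDR events where an Office process launches a script host."""
    return [e for e in events
            if e["parent"].lower() in OFFICE_PARENTS
            and e["child"].lower() in SCRIPT_HOSTS]


def matching_delivery(event, email_log, window=timedelta(minutes=30)):
    """Step 5: cross-reference the endpoint event with mail delivered to the
    same user within `window` before it, keeping only macro-capable attachments."""
    event_time = _ts(event["ts"])
    candidates = [
        m for m in email_log
        if m["recipient"] == event["user"]
        and m["attachment"].lower().endswith(MACRO_EXTENSIONS)
        and timedelta(0) <= event_time - _ts(m["ts"]) <= window
    ]
    # The most recent delivery before the event is the likeliest cause.
    return max(candidates, key=lambda m: m["ts"], default=None)


def root_cause(event, email_log):
    """Step 6: label the learning point for one incident."""
    if matching_delivery(event, email_log) is not None:
        return "malicious_office_macro"
    return "unknown"


def analyse(events=EDR_EVENTS, email_log=EMAIL_LOG):
    """Run detection and root-cause attribution over a batch of events."""
    return [root_cause(e, email_log) for e in office_spawned_script_hosts(events)]


def prioritise(causes, threshold=2):
    """Step 7 across incidents: recommend a control only once a cause recurs.
    Returns (cause, count, recommendation) tuples, most frequent first."""
    return [(cause, n, RECOMMENDATIONS.get(cause, "investigate further"))
            for cause, n in Counter(causes).most_common()
            if n >= threshold]


if __name__ == "__main__":
    causes = analyse()
    print("per-incident:", causes)                # ['malicious_office_macro']
    print("single incident:", prioritise(causes))  # below threshold: []
    print("recurring:", prioritise(causes * 3))
```

The explorer-launched PowerShell on WS-0077 is deliberately not flagged: parent-process context, not the child alone, is what distinguishes a macro-driven launch from an administrator's shell. The threshold in prioritise is what turns per-incident findings into the trend-based prioritization described above; raising it for noisy causes and lowering it for destructive ones is a policy decision the provider and client should set together.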
MXDR: Detection & Response that Fuels Your Security Program
Beazley Security’s MXDR is a complete detection and response solution that covers the entire MDR life cycle. Built around the industry’s most advanced XDR platform, our service helps your organization withstand any cyber threat — and ensures you don’t make the wrong kind of headlines. In addition to everything recommended in this guide, MXDR provides:
Continuous Threat Exposure Management (CTEM) to help you understand your entire IT environment and track changes in your attack surface over time.
Proactive risk management recommendations based on in-depth analysis of both individual incidents and broader trends in incidents and threats.
Hypothesis-driven threat hunting to uncover evidence of malicious activity, preventing attackers from dwelling in your IT environment or expanding their access.
Expert recovery support delivered by our crisis management team, which handles over a dozen serious incidents per day, every day of the year.
Designed to Address Common MDR Shortcomings
MXDR was specifically designed to provide a complete detection and response solution while eliminating the most common MDR weaknesses and frustrations.
Comprehensive visibility: 24/7 monitoring across the threat landscape (cloud, identity, endpoint, etc.)
No nickel-and-diming: all integrations at no additional cost
Data retention included: 3 months of data retention included
In-depth, multifaceted investigations: investigations across endpoint, email, and identity data
MDR client portal: instant visibility into cases, SLOs, advisories, and real-time reporting
We help clients build cyber resilience
Beazley Security is a global cyber security firm committed to helping clients develop true cyber resilience: the ability to withstand and recover from any cyberattack.
We combine decades of cyber security protection, detection, response, and recovery expertise with the actuarial precision and risk mitigation capability of our parent company, Beazley Insurance.
Find out more about our cyber security solutions.
Get in touch to discuss how MXDR can help your organization.