Managed Detection and Response (MDR) services offer their clients 24/7 turnkey threat monitoring, detection and remote response capabilities. These services are managed by outsourced teams of experts to help remove some of the need for dedicated onsite security staff and to decrease the amount of day-to-day work for their clients.
Despite the similarity in name to endpoint detection and response (EDR) technology, MDR providers are more like general managed security service providers (MSSPs), operating on all layers of an organization’s infrastructure, including the network, endpoints, applications and other IT resources. Having an entire external team devoted solely to threat detection and response increases the chances of identifying threats that may otherwise elude internal teams.
For this article, we’ve put together a list of the top MDR providers.
Top MDR Solutions
Here is our list of the top MDR services for 2022.
Jump ahead to:
- eSentire Atlas
- Secureworks Threat Engagement Manager
- LMNTRIX Active Defense
- Rapid7 Managed Detection and Response
- CrowdStrike Falcon Complete
- Arctic Wolf Managed Detection and Response
- Mandiant
- Blackpoint Cyber
- Armor Anywhere
- Alert Logic MDR
- SentinelOne Vigilance Respond Pro
- Sophos Managed Threat Response
- WithSecure MDR
- Cybereason
- Trustwave
- Expel
- Binary Defense
- Red Canary
eSentire Atlas
eSentire is a global leader in MDR. The service uses a proprietary cloud-native Extended Detection and Response (XDR) platform called Atlas to proactively hunt down threats across all environments. This next-gen solution uses patented artificial intelligence (AI) to analyze log data in real-time to identify and respond to threats as they arise.
The Atlas platform collects and analyzes data from clients’ systems and the vendor’s global threat sources help orchestrate threat response capabilities. Atlas can respond to threats in under 20 minutes across an entire environment.
eSentire’s rapid growth has landed it on the Deloitte Technology Fast 500 for six straight years. The company currently secures financial-sector clients with $5.7 trillion in assets under management (AUM).
- Proprietary next-gen XDR solution
- Artificial intelligence-powered threat identification
Secureworks Threat Engagement Manager
The Secureworks Threat Engagement Manager platform provides threat detection and response to cloud environments, including AWS, Office 365 and Microsoft Azure. Secureworks was built to streamline threat detection and response by eliminating the clutter of false alarms that other platforms can suffer from.
Their technology and team of experts offer robust and detailed investigation capabilities. The service will only bring attention to potential threats that have been properly vetted and deemed worthy of a response.
What sets Secureworks apart from the competition is its focus on collaboration with its clients. Even though one of the main purposes of MDR is to take the work off of internal security teams, collaboration can be hugely beneficial in maintaining a strong security posture. The platform includes a collaborative user interface feature with a number of live chat options to interact with Secureworks experts.
Secureworks is owned by Dell Technologies, so it has a presence in the technology space to offer some extra credibility.
- Cloud-native architecture for use with cloud systems
- Focus on collaboration
LMNTRIX Active Defense
LMNTRIX offers a multilayered approach to MDR with its Active Defense platform. Active Defense consists of three main components. LMNTRIX GRID is a SaaS XDR tool that offers automated threat hunting, detection, prevention, investigation, validation and forensic exploration on-demand. GRID is a completely cloud-based solution.
LMNTRIX Technology Stack is a proprietary threat detection stack that is deployed on-premises for hardware-based and hybrid cloud systems. This stack uses machine learning to power multiple threat detection systems, threat intel and correlation to identify legitimate threats in real-time.
The third component is the LMNTRIX Cyber Defence Centers made up of a global network of teams of certified cybersecurity experts. These teams continuously monitor networks to perform in-depth analyses of potential threats as they arise.
- Supports cloud-based, on-premises and hybrid cloud systems
- A global network of defence centers
Rapid7 Managed Detection and Response
Rapid7 Managed Detection and Response services use a variety of solutions for detecting advanced threats, including proprietary threat intelligence technology, human experts, analysis and behavioral analytics. Rapid7 is highly scalable to cater to the needs of organizations of all sizes.
Rapid7 offers a few additional benefits along with its MDR service. Every client receives a dedicated security advisor to streamline questions and support. Clients also have full access to Rapid7’s cloud SIEM InsightIDR for internal use.
Rapid7 has experienced substantial growth and expansion of capabilities over the last few years through acquisitions. It first acquired cloud security posture management (CSPM) company DivvyCloud in 2020. Then in 2021 it acquired the Israeli Kubernetes security company Alcide.IO for $50 million.
- Dedicated security advisor
- Full access to Rapid7 InsightIDR
CrowdStrike Falcon Complete
CrowdStrike is a leader in cloud-based security software. CrowdStrike Falcon Complete Team is an MDR service that specializes in endpoint protection. Falcon Complete Team offers 24/7 endpoint threat detection and response. The MDR service is just one module of the Falcon Complete platform that also includes Falcon Prevent, Falcon Insight, Falcon Discover and Falcon OverWatch.
With Falcon Complete Team, an expert team of cybersecurity professionals proactively monitor and investigate incidents across all environments. This team uses all of CrowdStrike’s modules to offer comprehensive protection against malware and malware-free attacks.
CrowdStrike is well-known for offering easy-to-use solutions and its MDR service is no exception. The vendor has so much faith in its service that it offers a Breach Prevention Warranty of up to $1 million.
- Offers a Breach Prevention Warranty up to $1 million
- Easy to use and deploy
Arctic Wolf Managed Detection and Response
Arctic Wolf Managed Detection and Response provides dedicated Concierge Security teams that use machine-learning technology to offer reliable threat detection, prevention and response. Arctic Wolf aims to tailor its service to each client’s unique needs. The service customizes its methods according to each client’s operational and security policies for detection and response.
The vendor also offers clear visibility into the security posture of a network with graphical representations of external vulnerability scans.
Arctic Wolf raised $200 million in Series E funding in 2020, raising its valuation to a total of $1.3 billion. It’s the only MDR vendor with a valuation exceeding $1 billion. Arctic Wolf is expected to launch an initial public offering (IPO) in the near future.
- Substantial funding for expansion
- Customized policies
Mandiant
Mandiant – soon to become part of Google – takes an analyst-driven approach to MDR. A team of over 1,000 defense consultants, analysts and cybersecurity experts work continuously to identify impactful threats, perform a thorough investigation and incident scoping, as well as provide the most effective responses based on analytics.
Mandiant offers robust investigation reports that offer clear visibility and context into current and past threats. This helps prioritize the most critical threats that require remediation and helps defend against similar attacks in the future.
- Analyst-driven approach
- Robust contextual reporting
Blackpoint Cyber
Blackpoint Cyber uses a proprietary security operations and incident response platform called SNAP-Defense. The company and platform were built by former U.S. Department of Defense and Intelligence cybersecurity experts. Their wealth of knowledge and real-life experience makes Blackpoint Cyber a formidable force against threats for organizations of all sizes.
Blackpoint launched its MDR 4.0 platform in 2020, which uses the MITRE ATT&CK framework for detecting threats. This framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
SNAP-Defense is primarily an MDR service but is also offered as a product. This ensures Blackpoint’s real-time threat detection and response is affordable for any organization.
- Intelligence and defense background
- Available as an MDR service or product
Armor Anywhere
Armor Anywhere was built to simplify threat detection and response for private, public and hybrid cloud systems. Its 24/7 monitoring and robust security capabilities offer protection for mission-critical applications and sensitive data.
Armor provides a focus on maintaining compliance. Its audit-ready compliance capabilities ensure that an organization’s security meets key standards for compliance frameworks, including Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR) and HITRUST.
Armor Anywhere is available on the AWS Marketplace. It supports Amazon GuardDuty, AWS CloudTrail and Amazon CloudWatch.
- A strong focus on compliance
- Available on the AWS Marketplace
Alert Logic MDR
Alert Logic – in the process of being acquired by HelpSystems – is an award-winning MDR service that can support any environment, including AWS, Microsoft Azure, Google Cloud Platform, hybrid cloud, public cloud and on-premises systems.
Alert Logic MDR provides a SOC full of experienced security experts to continuously monitor clients’ networks. But what sets this vendor apart is its additional focus on automation. It offers security orchestration, automation and response (SOAR) capabilities to ensure that no vulnerabilities or gaps in security go unresolved.
Alert Logic took large steps toward positioning itself as the industry leader in SaaS-enabled MDR and SOAR. In 2021 the vendor promoted CFO John Post to CEO and brought on multiple executives from Carbonite and Webroot to round out an experienced team of technology leaders.
- Offers effective SOAR capabilities
- Supports any environment
SentinelOne Vigilance Respond Pro
SentinelOne Vigilance Respond Pro takes MDR to a new level by combining it with digital forensic analysis and incident response (DFIR). The platform uses AI for advanced threat detection and to effectively prioritize threats that are particularly dangerous to a client’s unique system.
The DFIR portion of Vigilance Respond Pro performs deep forensic investigations to identify root causes of vulnerabilities and reverse engineer malware. SentinelOne also works hard to make their findings and methods of detection easy to understand for clients. They provide detailed explanations of how data and machine learning are used to protect their clients. This not only offers peace of mind, but also helps internal teams understand how to improve their overall security.
Vigilance Respond Pro offers a rich yet intuitive interface. However, clients report that SentinelOne could improve support for enterprise ticketing and case management. Users nonetheless can rest assured that they’re getting top security.
- Digital forensic analysis and incident response (DFIR)
- Visibility into methods
Sophos Managed Threat Response
Sophos Managed Threat Response (MTR) fuses machine learning with human expert research to proactively hunt, detect and respond to complex threats. Sophos is known in the industry for its powerful endpoint protection capabilities.
Sophos Central, the vendor’s research lab, provides enhanced telemetry for extensive visibility into the scope and severity of threats to prioritize response efforts. Sophos also provides actionable steps for addressing configuration and architecture vulnerabilities to improve overall security posture.
Sophos was named Best Managed Services Offering by Channel Partner Insight in 2020. They were also a winner of Channel Partner Insight’s Channel Innovation Awards, in the same year.
One downside to Sophos is its seemingly outdated user interface.
- Enhanced telemetry
- Powerful endpoint protection
WithSecure MDR
Note: F-Secure’s enterprise security business has been renamed WithSecure. The consumer business will retain the F-Secure name.
WithSecure MDR acts immediately when threats are detected. Multiple teams at WithSecure are alerted and take action, as well as the clients’ teams.
This collaboration is a key factor in WithSecure’s service offering. Seamless teamwork between organizations leads to quick and effective decision-making and remediation.
Control is a WithSecure feature that guides investigation, containment and remediation. It uses data collected from all endpoints in the Context feature of the platform to inform how to best contain and remediate threats.
Clients report having close and interactive relationships with the teams at WithSecure, which greatly helps them understand the cause of threats and vulnerabilities in their systems. But the development of agents can be costly and time-consuming.
- Highly collaborative
- Guided investigation, containment and remediation
Cybereason
Cybereason uses the MITRE ATT&CK framework across every step of its services. This gives valuable context into incidents to help clients improve their detection engineering.
Cybereason is an industry leader in next-gen endpoint protection. The platform identifies suspicious behaviors across every endpoint in a network.
Clients report satisfaction with the endpoint visibility offered by Cybereason. However, the metrics it provides clients are limited. It also doesn’t have the most intuitive interface.
- Strong endpoint protection
- MITRE ATT&CK framework
Trustwave
Trustwave started out as an MSS but eventually expanded its services to include MDR as well. Combining its services with SpiderLabs, it offers expert threat intelligence and security research.
The Trustwave platform offers support for cloud infrastructure and APIs. This offers clear visibility and context into detection and response workflows.
Where Trustwave falls short is its inefficient and complex client onboarding.
- Offers both MDR and MSS
- Supports cloud infrastructure and APIs
Expel
Expel was rated the leader in MDR in the Forrester Wave Managed Detection and Response Q1 2021 report. This is in part due to its impressive user interface that offers a clear view into the most relevant metrics. Expel uses cloud API telemetry to provide advanced threat hunting capabilities.
Clients also praise the vendor’s focus on collaboration and the sharing of valuable information. Expel hosts a blog that covers a wide variety of topics, such as cloud detection techniques and SOC metrics, that can be accessed by anyone.
Expel is not the cheapest option but the transparency and aggressive remediation techniques go above and beyond.
- Cloud API telemetry for threat hunting
- Intuitive user interface
Binary Defense
Binary Defense is another leader in the Forrester Wave Managed Detection and Response report. This vendor’s approach to detection is unique in that it starts by taking an attacker’s perspective. This is achieved through a strong emphasis on security research.
Binary Defense’s in-depth research allows them to rapidly detect innovative threat techniques. They also use a sibling consulting company to further bolster their research and detection capabilities.
Users report satisfaction with the Binary Defense team’s impressive skills with detection and service delivery. However, they also report a clear skills gap between the vendor’s junior analysts as compared to more experienced team members.
- Attacker-focused approach to detection
- Impressive team of researchers
Red Canary
Red Canary makes an effort to provide its clients with all of the tools and capabilities needed to enhance their own detection engineering. It offers extensive data on threats and allows flexible ad hoc response actions that clients can customize through the Red Canary portal, and it also provides automated playbooks.
Red Canary uses the MITRE ATT&CK framework to keep up with the newest, most advanced threats. Users praise its lack of false positives thanks to its well-vetted detection alerts.
On the downside, the vendor is on the pricey side and users have experienced trouble with its API integrations and lightweight network.
- MITRE ATT&CK framework
- A customer-centric approach to detection
MDR service attributes
The offerings of MDR services can be broken down into three main categories.
Threat monitoring, detection and investigation
MDR continuously monitors networks and endpoints for security incidents. This entails collecting security logs and analyzing that data to identify attack signatures and anomalies.
After detecting a threat, MDR will also investigate the incident to identify points of entry, vulnerabilities in a system and the methods used by attackers. This information will be used to help prevent future attacks.
Remote response
The next phase of MDR is to remotely respond to threats without requiring intervention by internal security teams. The services can contain and block threats, implement patches and update systems to remediate the issue and eradicate vulnerabilities. They can also provide detailed instructions to security teams for remediation if needed or requested.
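To make the monitoring, detection and investigation steps above concrete, here is an added example (not code from any vendor on this list) of a miniature MDR-style pipeline: it parses a handful of constructed sshd-style log lines, applies one signature rule (repeated failed logins from a single source, escalated when that source then succeeds) and one anomaly rule (an accepted login outside a user's baseline hours), and then correlates the findings into an investigation summary naming the likely point of entry. The hostnames, addresses, the BASELINE_HOURS table and the rule thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sshd-style log lines (hypothetical hosts; addresses from
# documentation ranges). Not real telemetry.
SAMPLE_LOGS = [
    "Jan 10 03:11:40 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2",
    "Jan 10 03:11:43 web01 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2",
    "Jan 10 03:11:47 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 4413 ssh2",
    "Jan 10 03:11:50 web01 sshd[4021]: Failed password for root from 203.0.113.7 port 4414 ssh2",
    "Jan 10 03:11:54 web01 sshd[4021]: Failed password for deploy from 203.0.113.7 port 4415 ssh2",
    "Jan 10 03:12:01 web01 sshd[4025]: Accepted password for deploy from 203.0.113.7 port 4416 ssh2",
    "Jan 10 09:30:12 web01 sshd[5102]: Accepted publickey for deploy from 198.51.100.4 port 5566 ssh2",
    "Jan 10 10:02:55 db01 sshd[2210]: Failed password for alice from 198.51.100.9 port 6001 ssh2",
    "Jan 10 10:03:02 db01 sshd[2210]: Accepted password for alice from 198.51.100.9 port 6002 ssh2",
]

# Constructed per-user baseline of normal interactive-login hours (UTC).
# A real service would learn this from weeks of collected telemetry.
BASELINE_HOURS = {"deploy": range(8, 19), "alice": range(7, 20)}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class Event:
    hour: int
    host: str
    outcome: str  # "Accepted" or "Failed"
    user: str
    ip: str
    raw: str


def parse(lines):
    """Collection step: turn raw log lines into structured events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(Event(int(m["hh"]), m["host"], m["outcome"], m["user"], m["ip"], line))
    return events


def signature_findings(events, threshold=5):
    """Signature rule: at least `threshold` failed logins from one source.
    Escalated to high severity if that same source later gets an accepted login."""
    failed = defaultdict(int)
    findings = []
    for e in events:  # events are assumed to be in time order
        if e.outcome == "Failed":
            failed[e.ip] += 1
        elif failed[e.ip] >= threshold:
            findings.append({"type": "success_after_bruteforce", "severity": "high",
                             "ip": e.ip, "user": e.user, "host": e.host})
    for ip, n in failed.items():
        if n >= threshold:
            findings.append({"type": "bruteforce", "severity": "medium", "ip": ip, "count": n})
    return findings


def anomaly_findings(events, baseline=BASELINE_HOURS):
    """Anomaly rule: an accepted login at an hour outside the user's baseline."""
    return [
        {"type": "off_hours_login", "severity": "medium", "ip": e.ip,
         "user": e.user, "host": e.host, "hour": e.hour}
        for e in events
        if e.outcome == "Accepted" and e.user in baseline and e.hour not in baseline[e.user]
    ]


def investigate(events, findings):
    """Investigation step: correlate findings by source address to name the
    likely point of entry (first accepted login from a flagged source) and the
    hosts that source touched."""
    flagged = {f["ip"] for f in findings}
    entry = next((e for e in events if e.outcome == "Accepted" and e.ip in flagged), None)
    return {
        "point_of_entry": None if entry is None else
            {"host": entry.host, "user": entry.user, "ip": entry.ip},
        "hosts_touched": sorted({e.host for e in events if e.ip in flagged}),
        "finding_types": sorted({f["type"] for f in findings}),
    }


def run(lines=SAMPLE_LOGS):
    events = parse(lines)
    findings = signature_findings(events) + anomaly_findings(events)
    return findings, investigate(events, findings)


if __name__ == "__main__":
    found, summary = run()
    for f in found:
        print(f)
    print(summary)
```

On the constructed sample, the signature rule fires on 203.0.113.7 (five failures followed by a success as `deploy`), the anomaly rule flags that same 03:00 login as outside the user's baseline, and the investigation summary ties both back to `web01` as the point of entry; the single failure from 198.51.100.9 stays below the threshold and produces no alert.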
Threat intelligence and analytics
MDR combines advanced analytics and human expertise to maintain the most up-to-date threat intelligence. This ensures that the most advanced and evolving threats can be identified and blocked.
Why is MDR important?
MDR services have grown in popularity in recent years for multiple reasons. Some organizations may be looking to save money by hiring fewer employees and reducing operating costs. But for some, hiring an MDR provider is a necessity due to the current state of employment in the cybersecurity industry.
An estimated 3.5 million cybersecurity positions will be open across the world in 2021, and the security field has maintained a 0% unemployment rate since 2011. The issue for organizations is that they simply can’t find enough employees to handle all of their security in-house and must lean on outsourcing.
The skills gap
Even if an organization is able to round up the number of employees needed for a sufficient team, there’s no guarantee that they can effectively handle all of the tasks involved. A Devo-Ponemon report showed that 78% of cybersecurity professionals state that working in a security operations center (SOC) is “very painful” due to the stress of excessive duties and inexperience dealing with them.
Around 74% of companies report that the skills gap is impacting their ability to secure sensitive information from data breaches, which is also leading to issues with maintaining regulatory compliance. 58% of CISOs report concern that this skills gap will continue to increase.
Benefits of MDR services
There are a variety of benefits organizations receive from using MDR services.
Fill the skills gap
MDR services can be the solution to filling the skills gap. They’ve already done the job of building a team of experienced professionals for you. This helps bolster security but also reduces the need for organizations to spend time and money hiring professionals and paying full salaries.
MDR services won’t completely eliminate the need for internal security professionals but they will allow teams more time and resources to improve their skills and carry out other tasks.
Regulatory compliance should be top of mind for all organizations that collect data. MDR services securing data from breaches and attacks greatly help maintain compliance. They can also provide reporting on compliance measures they’re taking to offer more peace of mind.
Decreased response time
MDR removes the intermediary between identifying threats and responding to them. Other solutions, such as Managed Security Service Providers (MSSPs), will send out an alert, but it’s still up to the internal team to take action to remediate the problem. MDR services act immediately when a potential threat is identified, cutting down response time. This reduces the damage that can be done by data breaches and other attacks.
Improved threat intelligence
MDR services are able to pull threat intelligence from incidents that have occurred across all of their clients’ systems. They can use this intelligence to improve the security posture of all other clients and protect against similar attacks.
MDR vs. MSSP vs. Managed SIEM
MDR is similar to other offerings, such as MSSPs and Managed Security Information and Event Management (SIEM).
MSSP is the predecessor to MDR but lacks some key offerings. MSSPs only monitor events and anomalies and send alerts to teams. But they typically do not offer threat investigation or response, leaving that up to internal security teams. They may offer other services, such as antivirus or firewall management.
SIEM solutions offer capabilities that stack up closer to MDR than MSSP. They are also often cheaper than both other alternatives. Where MDR and SIEM differ most is that even managed SIEM services require clients to purchase and deploy a software solution. MDR, on the other hand, can leverage an organization’s existing technology stack. So the price difference between the two becomes less of a factor.
How to choose an MDR provider
The primary factor to consider when choosing an MDR provider is the quality of their team. This may seem self-explanatory but it is the whole purpose behind the solution. The quality of their services relies heavily on the skills of their team of experts.
When shopping around for a service, ask them about the credentials, past experience, certifications and achievements of their teams and individual members. It’s also a good idea to review case studies of their past work and get references.