An MDR (Managed Detection and Response) is an outsourced service in which a specialised provider handles 24/7 detection, investigation and containment of threats in the client's infrastructure, combining technology (EDR, SIEM, XDR), security analysts and incident response processes. It is how many mid-sized companies get real SOC capability without building one from scratch, and the category that has grown most in managed cybersecurity over the last few years.
This guide explains what an MDR is, what a mature MDR service actually includes, how it differs from an internal SOC, an MSSP, an EDR and an XDR, what kinds of companies really need it and how it fits NIS2 and DORA.
What an MDR is
An MDR is a managed service that combines detection tooling (EDR/XDR), 24/7 monitoring, SOC analysts, threat hunting and incident response under a single contract. The provider deploys or connects to the client's technology, receives telemetry, detects threats, investigates alerts and executes initial response (isolate endpoint, block IoCs, escalate to IR).
What it brings operationally:
- Continuous detection without the client having to build and maintain their own SOC.
- Reduced MTTD/MTTR (mean time to detect / respond) thanks to a dedicated team.
- Proactive threat hunting, not just reactive alert handling.
- Automated or assisted initial response (isolate host, kill processes, contain lateral movement) without waiting for the client team.
- Periodic reporting for compliance and leadership.
What an MDR is not: it is not IT support, it is not consulting and it does not replace the client's IT/security team. The MDR detects and contains; deeper remediation (patching, configuration changes, organisational decisions) still requires the client.
What a mature MDR service includes
A serious MDR service covers at minimum these six blocks:
- Deployment and operation of detection technology. Usually the provider's own EDR or one the client already has (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Bitdefender), complemented with network, identity and cloud telemetry.
- 24/7 monitoring by human analysts. Shifts covering every time band, not just automation. Serious providers publish the SLA for mean response time to critical alerts (usually between 5 and 15 minutes).
- Triage and investigation. Each alert enters a queue, gets contextualised with historical telemetry and is classified as benign, suspicious or confirmed. What escalates to the client comes already investigated.
- Proactive threat hunting. Periodic search for TTP patterns (MITRE ATT&CK techniques) over stored telemetry, even in the absence of alerts. It is the difference between a mature MDR and an "alert watching" service.
- Automated or assisted response. Predefined actions (isolate host, kill process, block hash, terminate sessions) that the provider executes directly or with the client's authorisation.
- Reporting and communication. Monthly or quarterly activity report, escalated alerts, KPIs (MTTD, MTTR, incidents by category), recommendations.
Top providers also add: post-incident forensics, SOAR integration, incident response (IR retainer), strategic advisory and, in some cases, financial guarantees (breach warranty).
How the operational flow works
The day-to-day of an MDR always follows the same steps:
- Telemetry. EDR agents, network logs, identity events (Active Directory, Entra ID, Okta) and cloud telemetry (CloudTrail, Azure activity logs, GCP audit logs) ship to the provider's platform.
- Detection. Rules, ML models and signatures map every event to known techniques. The platform groups related events into incidents.
- Triage by L1/L2. The analyst validates whether the incident is real, dismisses false positives and enriches with context (is this host critical? is there lateral movement?).
- Containment. If malicious activity is confirmed, the analyst executes response actions or requests client authorisation.
- Communication. Phone call or ticket to the client with an actionable summary: what happened, what was contained, what remains to do.
- Periodic hunting. Outside the alert flow, the team runs proactive queries searching for specific TTPs based on recent threat intelligence.
- Reporting. Consolidated report of the period's activity.
The core promise of MDR is that the client receives a small number of emails, almost all actionable, instead of thousands of raw alerts that would have to be filtered internally.
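As an added example (not code from the original article or from any MDR provider), the flow above reduced to a runnable Python sketch: constructed sample EDR events are correlated into incidents, triaged as benign, suspicious or confirmed with host context, and turned into a containment plan under the two response modes the FAQ describes (authorised automated vs supervised). The critical-host list, the pre-agreed action set and the severity thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (no real tenant): EDR events already mapped to ATT&CK ids.
EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "fs01", "technique": "T1059.001", "severity": "medium"},
    {"ts": "2024-05-01T02:12:30", "host": "fs01", "technique": "T1003.001", "severity": "high"},
    {"ts": "2024-05-01T02:14:05", "host": "fs01", "technique": "T1021.002", "severity": "high"},
    {"ts": "2024-05-01T09:30:00", "host": "ws17", "technique": "T1059.001", "severity": "medium"},
]
CRITICAL_HOSTS = {"fs01"}                      # hypothetical client asset context
PRE_AGREED = {"isolate_host", "kill_process"}  # hypothetical actions allowed unattended

def group_incidents(events, window_minutes=30):
    """Detection step: correlate events on the same host inside a time window."""
    incidents, open_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        inc = open_by_host.get(ev["host"])
        if inc is None or ts - inc["last_ts"] > timedelta(minutes=window_minutes):
            inc = {"host": ev["host"], "last_ts": ts, "events": []}
            incidents.append(inc)
            open_by_host[ev["host"]] = inc
        inc["events"].append(ev)
        inc["last_ts"] = ts
    return incidents

def triage(inc):  # L1/L2 step: benign, suspicious or confirmed, enriched with host context
    techniques = sorted({e["technique"] for e in inc["events"]})
    high = any(e["severity"] == "high" for e in inc["events"])
    if high and len(techniques) >= 2:   # chain of techniques including a high-severity one
        verdict = "confirmed"
    elif high or inc["host"] in CRITICAL_HOSTS:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"host": inc["host"], "techniques": techniques, "verdict": verdict}

def plan_response(verdict, mode, actions=("isolate_host", "kill_process", "reset_credentials")):
    if verdict != "confirmed":   # containment only for confirmed malicious activity
        return {"execute": [], "await_signoff": []}
    if mode == "authorised":   # pre-agreed actions run without asking; the rest escalate
        return {"execute": [a for a in actions if a in PRE_AGREED],
                "await_signoff": [a for a in actions if a not in PRE_AGREED]}
    return {"execute": [], "await_signoff": list(actions)}   # supervised: everything waits

def run_pipeline(events, mode="authorised"):  # telemetry -> detection -> triage -> containment
    results = [triage(inc) for inc in group_incidents(events)]
    for t in results:
        t["response"] = plan_response(t["verdict"], mode)
    return results
```

Each entry returned by run_pipeline is the kind of pre-investigated summary the client receives, instead of the four raw alerts.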
MDR, internal SOC, MSSP, EDR, XDR and SIEMaaS
A category with plenty of overlap. Practical differences:
Internal SOC
- What it covers: own team plus own technology, 8x5 or 24x7.
- Key difference vs MDR: built and operated by the client. Higher fixed cost, maximum control.
MSSP (Managed Security Service Provider)
- What it covers: firewall, IDS, antivirus, patching and compliance operations.
- Key difference vs MDR: much broader in technology, shallower in detection and response.
Managed EDR
- What it covers: only the endpoint agent and its console.
- Key difference vs MDR: the MDR uses the EDR as one of its sources; managed EDR stops at the endpoint.
XDR (Extended Detection and Response)
- What it covers: platform that correlates endpoint, network, identity and cloud.
- Key difference vs MDR: XDR is the technology; MDR is the service that operates it.
SIEM as a service
- What it covers: a managed SIEM platform (ingestion, queries, alerts).
- Key difference vs MDR: SIEMaaS delivers the platform; MDR also delivers analysts and response.
MDR
- What it covers: EDR or XDR plus 24/7 analysts, threat hunting and initial incident response.
- Key difference: the category that combines technology and human operation in a single contract.
For a company that already runs a mature SIEM and SOC, an MDR can be redundant. For a company without a SOC, MDR is probably the most efficient way to get 24/7 detection.
When MDR makes sense
Not every company needs MDR. Signs that it does:
- No internal SOC and building one would cost more than outsourcing.
- The IT/security team does not cover 24/7. Attackers often work outside business hours, and this is exactly where MDR delivers clear value.
- Regulatory obligation for continuous monitoring (NIS2, DORA, ENS high category).
- Heterogeneous stack (multi-cloud, mixed endpoints, federated identity) where unifying detection internally would be expensive.
- Attack surface growing faster than the team. Companies in a growth phase that multiply employees, devices and cloud applications without scaling security at the same pace.
Signs against:
- A very small company without critical assets or regulation, with limited surface. A well-configured standard EDR can be enough.
- A company with a mature internal SOC and dedicated team. MDR becomes a specific add-on (managed hunting or IR services), not a primary service.
- A sector with an explicit requirement for an internal SOC (some financial entities, national critical infrastructure) where outsourcing is restricted.
Main providers in the market
The names that come up most often:
- CrowdStrike Falcon Complete. MDR built on Falcon EDR. At the top of the market in detection and response.
- SentinelOne Vigilance / Vigilance Respond. MDR on the Singularity EDR, with an emphasis on automation.
- Sophos MDR. Backed by Sophos Intercept X. Good adoption in SMB and mid-market.
- Microsoft Defender Experts for XDR. Microsoft's MDR on Defender XDR. Reasonable when the whole stack is already Microsoft.
- Arctic Wolf. Concierge-style operation, multi-vendor across EDR.
- Red Canary. Historical detection specialist, integrates with several EDRs.
- Bitdefender MDR. On GravityZone, strong European presence.
- eSentire. Enterprise MDR with proprietary XDR (Atlas).
- Trustwave, Secureworks, Rapid7 MDR. Other established options.
In the Spanish market, alongside the global names, there are local providers with MDRs tuned to regulated sectors (banking, energy, public sector). The choice depends on coverage hours, SOC working language, underlying technology, integration with the client's stack and sector experience.
MDR and compliance
Frameworks where the MDR delivers evidence or directly covers requirements:
- NIS2 (article 21). Requires technical and organisational measures for detection and incident response. The MDR contract documents 24/7 capabilities, SLAs and notification processes. The obligation to notify incidents within 24/72 hours leans operationally on detection capability. More in NIS2 in Spain: a compliance guide for 2026.
- DORA (articles 17 and 28). Requires financial entities to have detection, response and ICT incident reporting processes. Outsourcing to MDR must comply with article 28 rules on critical ICT providers (due diligence, formal contracts, provider monitoring). More in DORA compliance guide for financial entities 2026.
- ENS (Spanish Royal Decree 311/2022, op.exp.7 and op.mon.x). Detection, monitoring and activity logging system. MDR fits into the operational measures grid.
- ISO 27001:2022 (controls 8.16, 5.24-5.26). Activity monitoring, incident management, response planning.
- PCI DSS v4.0 (req. 10 and 12.10). Continuous logging and monitoring, incident response plan.
Important: outsourcing to MDR does not relieve the client of regulatory responsibility. Provider due diligence, contract terms (SLAs, audit rights, data location, notification) and service oversight remain with the client.
Frequently asked questions
How is MDR different from a SOC?
The SOC is the function (team + technology + processes to detect and respond to incidents). MDR is one way to consume that function as an outsourced service. A company can have an internal SOC, contract MDR, or combine both (MDR outside business hours, internal SOC during business hours).
What is the minimum company size that justifies MDR?
There is no fixed threshold, but it tends to make sense from 100-150 employees onward, or earlier if there are NIS2/DORA obligations, regulated sensitive data (healthcare, financial) or high exposure (e-commerce, B2B SaaS). Below that, a well-configured EDR plus solid CVE management can be enough.
Can an MDR respond autonomously without client authorisation?
It depends on the contracted model. Most MDRs offer two modes: authorised automated response (predefined actions such as isolating a host execute without asking permission, to save time) and supervised response (every action requires sign-off). The first model drops MTTR drastically; the second gives maximum control. For serious incidents the usual practice is to pre-agree what can happen without waiting.
Does MDR cover full incident response (IR)?
It covers the initial response: containment, isolation, investigation. For full IR (detailed forensics, communication with authorities, recovery, lessons learned), providers usually offer an additional retainer or hand off to a specialised IR team. Worth reviewing the contract: many MDRs cover "X hours of IR included" and bill the rest separately.
What happens with client data in an MDR?
The provider processes sensitive telemetry (processes, connections, identities, files). The contract has to specify data location (inside the EU for NIS2/DORA), retention, provider personnel access, subcontracting and client rights over the information. It is a critical point for audits and for the GDPR DPA.
Does MDR replace pentesting?
No. MDR detects and responds to attacks in progress. Pentesting looks for vulnerabilities before they are exploited. They are complementary controls: pentesting reduces the offensive surface, MDR reacts when something slips through. Mature companies run both.
Related resources
- What is a SOC (Security Operations Center): the function MDR delivers as a service.
- What is SIEM and how it works: the correlation platform many MDRs use under the hood.
- What is EDR (Endpoint Detection and Response): the main telemetry source of a modern MDR.
- What is a CVE: vulnerabilities explained: how CVE feeds enrich MDR detections.
- NIS2 in Spain: compliance guide for 2026: the framework driving MDR adoption in mid-sized companies.
- DORA compliance guide for financial entities 2026: the financial-specific detection and response requirements.
- Penetration testing pricing in Spain: how a pentest sits alongside MDR in a defensive budget.
MDR at Secra
At Secra we help companies that are evaluating whether to outsource detection and response, or that already have an MDR and want to validate the service. The usual scope includes analysis of the provider's technical proposal (real coverage, included telemetry, SLAs), contract review from a NIS2/DORA lens, purple team exercises to verify MDR detection capability against real TTPs and a proposal to improve the operating model. If you want support on the decision or on auditing the service, get in touch through contact or check our managed cybersecurity services.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.