Security Operations Glossary

MDR (Managed Detection & Response)

An outsourced security service in which an external provider detects, analyzes, and responds to threats around the clock. MDR combines XDR technology with human expertise—offering the most efficient solution for 24/7 security monitoring for companies without their own SOC team.

MDR (Managed Detection & Response) is an outsourcing approach to security monitoring. Instead of setting up their own SOC (Security Operations Center), companies hire an external provider to monitor, analyze, and respond to incidents around the clock.

Why MDR? The SOC Challenge for SMEs

Setting up an in-house SOC

  • 3–5 analysts required for 24/7 operation
  • Annual costs: €300,000–€600,000 (personnel alone)
  • Additional costs: Technology (SIEM, XDR, Threat Intel): €100,000+/year
  • Timeframe: 12–18 months to become operational
  • Problem: Talent shortage – SOC analysts are hard to find

MDR Service

  • Timeline: Weeks until go-live
  • Costs: €5,000–€30,000/month (depending on scope)
  • 24/7 monitoring by experienced analysts
  • Immediate access to threat intelligence
  • Scalable without staffing requirements

MDR Service Components

Technology

  • Agent deployment on endpoints (EDR)
  • Log ingestion (firewall, AD, cloud, email)
  • XDR platform for correlation
  • Threat intelligence feeds

Monitoring

  • 24/7/365 alert analysis by human analysts
  • Alert triage: separating real incidents from false positives
  • Incident investigation: determining cause and scope
  • Reporting: daily/weekly security reports

Response (varies by contract)

Option 1 - Guided Response:

  • MDR informs customers and provides recommendations
  • Customer implements measures independently

Option 2 - Active Response:

  • MDR isolates devices, blocks IPs, and removes malware
  • Acts without prior consultation (the actions are pre-authorized in the contract)

Option 3 - Co-Managed:

  • MDR and customer IT work together

Threat Hunting

  • Proactive search for attackers (not just reactive)
  • Hypothesis-based: "Search for Kerberoasting indicators"
  • Result: Detection of attacks that bypass alerts

MDR Providers Compared

International Providers

  • CrowdStrike Falcon Complete – Technology: proprietary (Falcon EDR); special feature: 1-hour response time guarantee (SLA); €15–25/endpoint/month
  • Microsoft Defender Experts – Technology: Defender for Endpoint + Sentinel; special feature: ideal for Microsoft environments; affordable for MS-E5 customers
  • Rapid7 MDR – Technology: InsightIDR (Open XDR); special feature: good integration with non-Microsoft environments; vendor-agnostic
  • Arctic Wolf – Technology: "Security Operations as a Service"; special feature: Concierge Security Team (dedicated analyst); focus on SMBs

German/EU Providers

  • G DATA Advanced Analytics
  • Atos | Eviden (France)
  • Deutsche Telekom Security
  • Secunet (BSI-accredited)

MDR vs. MSSP

Feature by feature, MSSP (traditional) vs. MDR (modern):

  • Model – MSSP: traditional outsourcing; MDR: modern Security-as-a-Service
  • Focus – MSSP: perimeter protection (firewall, IDS/IPS, VPN); MDR: end-to-end kill chain
  • Approach – MSSP: reactive, forwards and escalates alerts; MDR: proactive, threat hunting and in-depth investigation
  • Response – MSSP: minimal active investigation; MDR: active response, more than just alert forwarding
  • Cost – MSSP: affordable; MDR: more expensive, but significantly better results

MXDR (Managed XDR):

  • Combination: MDR approach + XDR platform
  • Term often used synonymously with MDR
  • Microsoft, CrowdStrike, and Palo Alto use this term

Choosing an MDR – the 7 most important questions

  1. What response rights are in place? "Are they allowed to isolate devices without prior consultation?" - important for MTTD/MTTR

  2. What are the SLAs? "How long until alert analysis? Until response?" - typical: Alert triage < 15 min, Response < 1 hr

  3. What data leaves my company? "Where are logs stored? GDPR-compliant?" - EU data center essential

  4. What technology is used? "Proprietary platform or third-party provider?" - Consider vendor lock-in

  5. How many endpoints/logs are included? "Cost per endpoint or flat rate?" - Know the scaling points

  6. What is the onboarding process? "How long until the service is active?" - typically: 2–6 weeks

  7. Is threat hunting included? "Proactive search or only reactive?" - distinguishing feature of good providers
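Questions 1 and 2 only pay off if the customer can later check the provider's monthly report against the agreed SLAs. The following is an added example, not code from the original page or from any provider: it takes a constructed set of incident records and computes per-incident time to triage and time to containment, the mean of each (MTTD and MTTR as they are commonly reported by providers), and which incidents breached the typical targets quoted above (triage < 15 min, response < 1 hr). The record format, the field names `alert`, `triage` and `contained`, the timestamps and the choice to measure both intervals from the platform's alert timestamp are assumptions made for the example.

```python
from datetime import datetime, timedelta
from statistics import mean

# Assumed SLA targets, matching the typical figures quoted in question 2.
SLA_TRIAGE = timedelta(minutes=15)  # alert raised -> analyst begins triage
SLA_RESPONSE = timedelta(hours=1)   # alert raised -> containment completed

# Constructed sample incident records; not taken from any real provider report.
INCIDENTS = [
    {"id": "INC-1", "alert": "2024-06-03T02:14:00", "triage": "2024-06-03T02:21:00", "contained": "2024-06-03T02:55:00"},
    {"id": "INC-2", "alert": "2024-06-05T14:00:00", "triage": "2024-06-05T14:20:00", "contained": "2024-06-05T14:50:00"},
    {"id": "INC-3", "alert": "2024-06-09T23:10:00", "triage": "2024-06-09T23:15:00", "contained": "2024-06-10T00:40:00"},
    {"id": "INC-4", "alert": "2024-06-12T11:00:00", "triage": "2024-06-12T11:10:00", "contained": "2024-06-12T11:30:00"},
]


def _minutes(delta):
    return delta.total_seconds() / 60


def evaluate_sla(incidents, sla_triage=SLA_TRIAGE, sla_response=SLA_RESPONSE):
    """Return (per-incident rows, summary). Time to detect is measured here as
    alert-to-triage and time to respond as alert-to-containment; both start
    points are assumptions and should match whatever the contract defines."""
    rows = []
    for inc in incidents:
        alert, triage, contained = (
            datetime.fromisoformat(inc[k]) for k in ("alert", "triage", "contained")
        )
        ttd, ttr = triage - alert, contained - alert
        rows.append({
            "id": inc["id"],
            "ttd_min": _minutes(ttd),
            "ttr_min": _minutes(ttr),
            "triage_ok": ttd <= sla_triage,
            "response_ok": ttr <= sla_response,
        })
    summary = {
        "mttd_min": mean([r["ttd_min"] for r in rows]),
        "mttr_min": mean([r["ttr_min"] for r in rows]),
        "triage_breaches": [r["id"] for r in rows if not r["triage_ok"]],
        "response_breaches": [r["id"] for r in rows if not r["response_ok"]],
    }
    return rows, summary


if __name__ == "__main__":
    rows, summary = evaluate_sla(INCIDENTS)
    for r in rows:
        flags = ("" if r["triage_ok"] else " TRIAGE-SLA-BREACH") + ("" if r["response_ok"] else " RESPONSE-SLA-BREACH")
        print(f"{r['id']}: triage {r['ttd_min']:.0f} min, contained {r['ttr_min']:.0f} min{flags}")
    print(f"MTTD {summary['mttd_min']:.1f} min, MTTR {summary['mttr_min']:.1f} min")
```

Averages hide the breaches: in the sample, both means sit inside the SLA while two of four incidents missed one target each, which is why the per-incident rows matter more than MTTD/MTTR when reviewing a provider. The same script also makes the "response rights" question concrete: under guided response, `contained` is a customer timestamp, so a slow containment may be the customer's own doing rather than the provider's.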

MDR for NIS2 Compliance

NIS2 Art. 21 requires

  • Incident Detection
  • Incident Handling
  • Continuous Monitoring
  • Business Continuity Measures

MDR fulfills

  • 24/7 Detection (Art. 21(2)(a))
  • Incident Response (Art. 21(2)(b))
  • Monitoring (Art. 21(2)(h))
  • Documentation for evidence

For ISO 27001

MDR as evidence for:

  • Control A.8.16 (Monitoring)
  • Control A.5.26 (Response to Information Security Incidents)