Executive Summary
Buying MDR is not buying a tool — it is renting a 24/7 security operations center and deciding, in advance, how much authority you will hand a stranger to pull a machine off your network at 3 a.m.
Most organizations cannot staff a round-the-clock SOC. The talent does not exist in the volume the market needs, burnout churns the analysts you do hire, and an alert that fires at 2 a.m. on a Sunday is worthless if no one is watching. Managed Detection and Response answers that gap directly: it is detection, investigation, and active response delivered as a 24/7 service by someone else’s analysts, on top of telemetry from your endpoints, identity, cloud, and network.
The word that matters in MDR is service, not software. You are evaluating people, process, and a contract — mean time to respond on a real incident, who is allowed to isolate a host without calling you first, and what happens when the analyst on shift is wrong. The platform is necessary but secondary.
This guide evaluates 8 providers — CrowdStrike Falcon Complete, Sophos MDR, Arctic Wolf, Red Canary, Expel, Rapid7, SentinelOne, and eSentire — across three camps that rarely compete on the same terms: EDR/XDR vendors who manage their own stack, independent vendor-agnostic providers who watch whatever you already run, and the build-your-own-SOC option you are implicitly rejecting.
Why MDR Matters for Enterprise Strategy Now
The deciding question in MDR is not “will they detect it?” — nearly everyone detects competently — but “what will they actually do at 3 a.m., and how long until it is contained?” Selection turns on response authority and the operating model: whether the provider can isolate a host, kill a process, or disable an account on its own pre-approved authority, or whether every action waits in a queue for your on-call engineer to wake up and approve it. Detection without delegated response is just a more expensive pager.
The category is also consolidating in plain sight, and ownership matters to your three-year bet. Secureworks — whose Taegis platform was a flagship open MDR — was acquired by Sophos in February 2025 and now sits inside Sophos, the largest pure-play MDR provider. Red Canary was acquired by Zscaler in August 2025 and operates as a Zscaler business unit. Independent providers fold into platform vendors, EDR vendors push their own managed service, and the buyer’s real choice is increasingly about which ecosystem — and whose roadmap — they are tying their security operations to.
Sourcing & Operating-Model Decision
MDR is rarely a pure build-vs-buy question — if you are reading this, you have already concluded you cannot staff a 24/7 SOC alone. The real decision is which kind of MDR fits your tooling, your team, and your appetite for lock-in: a single-vendor managed stack, a vendor-agnostic provider watching what you already own, an MSSP-scale operator, or a hybrid where MDR augments an in-house team you keep. Frame the choice around who owns the tools and who holds response authority, not the demo.
| Your Situation | Recommended Path | Rationale |
|---|---|---|
| Already standardized on one EDR/XDR (CrowdStrike, SentinelOne, Microsoft) | Vendor-native MDR on that stack | Native MDR (Falcon Complete, SentinelOne Wayfinder) gives the tightest tool-to-analyst integration and the fastest authorized response on the platform you already run. |
| Heterogeneous, multi-vendor tooling you are not ready to rip out | Vendor-agnostic / Open-XDR MDR | Arctic Wolf, Expel, Red Canary, and eSentire watch your existing endpoint, identity, cloud, and network signals, avoiding a forced platform migration and preserving telemetry choice. |
| No security tools to speak of and a lean IT team | Provider-stack MDR (bundled telemetry) | A bundled provider-supplied stack removes the burden of sourcing, deploying, and tuning sensors yourself — the fastest route to 24/7 coverage for a greenfield team. |
| Mature in-house SOC needing nights, weekends, and surge | Co-managed / SOC augmentation | A co-managed model extends your analysts with follow-the-sun coverage and threat hunting while you retain primary ownership, rather than fully outsourcing the function. |
| Regulated or telco-scale estate with bespoke compliance and IR needs | MSSP-scale or specialist provider | Large-scale MSSPs and specialists offer custom log sources, retained incident-response muscle, and contractual depth that productized MDR tiers may not cover. |
Key Capabilities & Evaluation Criteria
Weight these domains against your operating model and risk tolerance. Because MDR is a service, the criteria skew toward people, process, and contract — response authority, analyst quality, and proven incident handling — far more than toward dashboard features that every provider demos equally well.
| Capability Domain | Weight | What to Evaluate |
|---|---|---|
| Response Authority & Active Containment | 25% | Pre-approved actions the provider can take unattended (host isolation, process kill, account/session disable), how scope is configured per asset class, what still requires your approval, and how fast confirmed threats are contained without a human in the loop |
| Detection Quality & Threat Hunting | 20% | Detection-engineering depth and MITRE ATT&CK coverage, proactive human-led hunting beyond alerts, false-positive filtering and alert validation before anything reaches you, and original threat intelligence feeding the content |
| SOC Operating Model & SLAs | 20% | Genuine 24/7 follow-the-sun staffing, contractual mean-time-to-respond (not just time-to-notify), named analysts vs. anonymous queue, escalation and on-call workflow, and a transparent view into what analysts actually did during an investigation |
| Telemetry Coverage & Tool Model | 15% | Bring-your-own-tools vs. provider-supplied stack, breadth across endpoint, identity, cloud, SaaS, email, network, and OT, number and quality of third-party integrations, and how much existing investment you can keep |
| Incident Response & Forensics | 10% | Whether full IR/DFIR is included or a paid add-on, breach warranty terms and what voids them, retainer hours, and whether the same team that detects also remediates and supports recovery |
| Ecosystem, Lock-in & Viability | 10% | Current ownership and roadmap stability after recent acquisitions, data portability and log retention if you leave, exit and offboarding terms, and exposure to a single vendor’s platform direction |
Vendor Landscape
The market splits into camps that rarely compete on identical terms. EDR/XDR vendors deliver managed services on their own stack, where the tightest integration and fastest authorized response live — but on their tooling. Independent, vendor-agnostic providers watch whatever you already run, trading some integration depth for freedom from lock-in. And recent consolidation has reshaped the field: Secureworks’ Taegis is now inside Sophos, and Red Canary now sits inside Zscaler. Most shortlists end up comparing across these camps, weighing tool ownership against response authority against whose roadmap you are joining.
CrowdStrike Falcon Complete
Strengths: Best-in-class detection efficacy delivered as a fully managed service on the Falcon platform, with follow-the-sun analysts, deep automation, and authorized hands-on response executed directly through the agent; broad coverage across endpoint, identity, cloud, and third-party data, backed by CrowdStrike threat intelligence. Considerations: Best value and tightest response assume you standardize on Falcon; platform and module costs sit at the premium end; you are buying into a single vendor’s ecosystem and roadmap.
Sophos MDR
Strengths: The largest pure-play MDR by customer count, with strong bring-your-own-tools support across hundreds of third-party integrations and nine regional security operations centers; the February 2025 Secureworks acquisition folded the Taegis open MDR/XDR platform and a deep threat-research lineage into the portfolio, broadening both the SMB and enterprise ends. Considerations: Two MDR lineages (Sophos MDR and Taegis) are still converging post-acquisition, so confirm which platform and roadmap your contract lands on; depth on the most bespoke enterprise log sources varies by tier.
Arctic Wolf
Strengths: Vendor-agnostic MDR on the Aurora platform with a named Concierge Security Team acting as an extension of your staff, regular security-posture reviews, and broad coverage across endpoint, network, cloud, and identity on the tooling you already own; the early-2025 Cylance acquisition added native endpoint capability for buyers who want it bundled. Considerations: The concierge model is relationship- and process-led rather than the fastest fully-autonomous responder; deepest value comes from leaning into its security-operations guidance, not treating it as a pure alarm service.
Red Canary
Strengths: One of the strongest detection-engineering shops in the market, with transparent investigation methodology, deep MITRE ATT&CK content, the open-source Atomic Red Team library, and a clean bring-your-own-stack model with notable identity and SaaS coverage where many MDRs stay endpoint-centric; multi-expert validation keeps false positives low. Considerations: Acquired by Zscaler in August 2025 and operating as a Zscaler business unit, so weigh the longer-term integration direction and ecosystem pull; historically focused on detection and guided response rather than full hands-on remediation of your environment.
Expel
Strengths: Transparency-first model whose Workbench gives customers real-time visibility into exactly what analysts are doing during an investigation, with broad coverage across endpoint, identity, cloud, SaaS, Kubernetes, email, and network on major vendor stacks; strong fit for buyers who want accountability beyond an opaque SLA. Considerations: Vendor-agnostic breadth means response depth depends on what the underlying tools allow; positioned for mid-market and enterprise rather than the smallest teams; not a single-vendor stack, so you still own the tooling decisions.
Rapid7
Strengths: Managed Threat Complete delivers MDR on the InsightIDR platform with unlimited incident response included, behavioral analytics and deception, and tight integration with InsightVM vulnerability management for a detection-plus-exposure story; a dedicated MDR-for-Microsoft offering (launched January 2026) targets Defender shops specifically. Considerations: Strongest value comes from adopting the broader Insight platform; buyers running a different SIEM/EDR get less of the integrated benefit; breadth of the platform can be more than a small team needs.
SentinelOne
Strengths: Managed detection and response (recently rebranded from Vigilance to Wayfinder) layered on the Singularity platform’s autonomous response engine, with strong Linux and container coverage, agentic AI-assisted triage, and an included breach warranty; fast authorized containment executed through the native agent. Considerations: Tightest response and best economics assume standardization on Singularity; service branding and tiering have changed recently, so confirm exactly which managed tier and scope your contract covers; you are buying into a single vendor’s ecosystem.
eSentire
Strengths: Multi-signal MDR on the Atlas Open XDR platform, ingesting endpoint, network, log, cloud, identity, asset, and vulnerability telemetry across hundreds of integrations, with elite human-led threat hunting and automated blocking; a long track record of hands-on containment for mid-market and upper-mid-market buyers. Considerations: Strongest fit is mid-market through upper-mid-market rather than the very largest telco-scale estates; as an independent, weigh long-term scale against the platform-backed giants; value depends on feeding it enough signal sources to work across.
Pricing Models & Cost Structure
MDR pricing is overwhelmingly subscription, but the unit of measure varies — per endpoint, per user, per ingested data volume, or per asset under monitoring — and that unit, more than the headline rate, determines what you pay as you grow. Watch for what sits outside the base tier: full incident response, additional log sources, extended retention, and the provider-supplied sensors themselves are common upcharges. Model cost against your real estate and the telemetry you intend to feed it.
| Vendor | Pricing Model | Relative Tier | Key Cost Drivers |
|---|---|---|---|
| CrowdStrike Falcon Complete | Per-endpoint, managed-service on Falcon | Premium | Endpoint count, Falcon modules in scope, identity/cloud coverage, support tier |
| Sophos MDR | Per-user or per-endpoint subscription; BYO-tools or Sophos stack | Moderate | User/endpoint count, third-party integrations enabled, response tier, Taegis vs. Sophos MDR platform |
| Arctic Wolf | Subscription by users / sensors under monitoring | Moderate | Number of users and sensors, log sources, concierge scope, add-on modules (e.g. endpoint) |
| Red Canary | Per-endpoint / per-identity on your stack | Moderate–Premium | Endpoint and identity counts, telemetry sources covered, integration breadth |
| Expel | Subscription by technologies / assets under monitoring | Moderate–Premium | Breadth of integrated stacks, cloud/SaaS scope, data volume, add-on coverage |
| Rapid7 | Per-asset on Insight platform; IR included | Moderate | Assets/users under management, Insight modules (IDR, VM), data ingestion and retention |
| SentinelOne | Per-endpoint managed tier on Singularity | Moderate–Premium | Endpoint count, Singularity tier, data retention, IR/DFIR add-ons |
| eSentire | Per-user or per-signal-source subscription | Moderate–Premium | Users, number and type of signal sources, response scope, IR retainer |
Onboarding & Operationalization
MDR onboarding is faster than deploying tooling yourself, but the value is gated by two things teams routinely under-invest in: connecting enough quality telemetry, and configuring response authority correctly. Sequence the rollout so the provider can see your critical assets and act on them before you declare go-live.
Define which assets and telemetry are in scope, agree pre-approved response actions per asset class (what the provider may isolate or disable unattended vs. what requires approval), name your on-call and escalation contacts, and confirm IR, warranty, and data-retention terms in the contract.
Integrate endpoint, identity, cloud, SaaS, email, and network telemetry; validate that high-value sources are flowing and parsed; baseline normal behavior; and tune detections and suppression so the provider is filtering noise rather than forwarding it to you.
Run controlled detection and containment exercises — trigger a benign suspicious technique, time the analyst contact and the authorized response, and rehearse the escalation path end to end — so the response loop is proven before a real incident, not during one.
Move into steady-state 24/7 coverage, establish recurring service reviews and threat-hunt readouts, expand coverage to remaining assets and log sources, and periodically re-test response authority and offboarding/data-portability assumptions as the estate and the provider’s roadmap evolve.
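The pre-approval agreement from the scoping and go-live steps above (which containment actions the provider may take unattended per asset class, at what analyst confidence, and what still waits for your approver) can be written down as a checkable, auditable policy rather than a meeting note. This is an added example, not code from any provider on this page; the asset classes, thresholds, hold-out list and on-call address are hypothetical.

```python
"""Response-authority policy check (added example; not any MDR provider's code).
Encodes the onboarding agreement on which containment actions the provider's SOC
may run unattended per asset class, at what analyst confidence, and who is told.
All asset classes, actions, thresholds and contacts below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed pre-approval matrix: asset class -> {action: minimum confidence}.
# An empty dict means every action on that class waits for a human approver.
POLICY = {
    "workstation":       {"isolate_host": 0.80, "kill_process": 0.70, "disable_account": 0.90},
    "member_server":     {"kill_process": 0.90},
    "domain_controller": {},
}
# Constructed hold-outs: assets never touched unattended, whatever their class.
NEVER_UNATTENDED = {"erp-db01"}
ON_CALL = "soc-oncall@example.internal"   # hypothetical escalation contact

@dataclass
class Decision:
    action: str
    asset: str
    asset_class: str
    confidence: float
    outcome: str            # "execute" or "approval_required"
    reason: str
    notify: list = field(default_factory=list)
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

def decide(action: str, asset: str, asset_class: str, confidence: float) -> Decision:
    """Return an auditable decision for one proposed containment action."""
    def hold(reason):   # the default is always to escalate, never to act or drop
        return Decision(action, asset, asset_class, confidence,
                        "approval_required", reason, [ON_CALL])
    if asset in NEVER_UNATTENDED:
        return hold("asset is on the never-unattended list")
    allowed = POLICY.get(asset_class)
    if allowed is None:
        return hold("asset class not covered by the scope agreement")
    threshold = allowed.get(action)
    if threshold is None:
        return hold(f"{action} is not pre-approved for {asset_class}")
    if confidence < threshold:
        return hold(f"confidence {confidence:.2f} is below the agreed {threshold:.2f}")
    # Pre-approved: execute, but still notify so the customer sees every action.
    return Decision(action, asset, asset_class, confidence, "execute",
                    "pre-approved action at or above agreed confidence", [ON_CALL])
```

During the containment rehearsal, run the same cases against the provider's configured scope to confirm it matches the contract; any divergence is a finding to fix before go-live.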
Selection Checklist & RFP Questions
Use this checklist during evaluation to ensure each shortlisted provider covers the things that actually decide how an incident plays out — most of which are about the service and the contract, not the platform.