Sapphire vs Truesec
Sapphire and Truesec are both Services firms that work with your existing tools. Sapphire targets SMB, Mid-market, and Enterprise organizations, while Truesec serves Mid-market and Enterprise. Sapphire includes 4 attack surfaces in base pricing (Endpoint, Cloud, SaaS, Network), compared to 5 for Truesec (Endpoint, Cloud, SaaS, Identity, Network).
Buyer brief
Sapphire and Truesec are both Services firms that work with your existing tools. Sapphire targets SMB, Mid-market, and Enterprise organizations, while Truesec serves Mid-market and Enterprise. Sapphire includes 4 attack surfaces in base pricing (Endpoint, Cloud, SaaS, Network), compared to 5 for Truesec (Endpoint, Cloud, SaaS, Identity, Network).
Truesec offers broader coverage (5 surfaces vs. 4). Sapphire may suit teams that need depth over breadth.
At a glance
| FIELD |  |  |
|---|---|---|
| Best fit | UK organisations that want MDR from a UK-owned provider with a UK-based CREST-accredited SOC | Nordic enterprises wanting the largest regional SOC with local language support |
| Price | Custom quote | Not published |
| Response authority | 1/6 actions · Configurable | 5/6 actions · Configurable |
| Stack | Works with existing stack | Works with existing stack |
| Data access | Dashboards | Dashboards |
| Warranty | None listed | None listed |
- Best fit
- UK organisations that want MDR from a UK-owned provider with a UK-based CREST-accredited SOC
- Price
- Custom quote
- Response authority
- 1/6 actions · Configurable
- Stack
- Works with existing stack
- Data access
- Dashboards
- Warranty
- None listed
- Best fit
- Nordic enterprises wanting the largest regional SOC with local language support
- Price
- Not published
- Response authority
- 5/6 actions · Configurable
- Stack
- Works with existing stack
- Data access
- Dashboards
- Warranty
- None listed
›› Detailed comparison
| FIELD | SapphireTECH-AGNOSTIC | TruesecTECH-AGNOSTIC |
|---|---|---|
| ›› Fit | ||
| Target size | SMB, Mid-market, Enterprise | Mid-market, Enterprise |
| Sentiment | Mixed | Mixed |
| ›› Your stack | ||
| Approach | Works with your tools | Works with your tools |
| EDR integrations | EDR toolsMicrosoft technologies | Microsoft DefenderCrowdStrikeSentinelOnePalo Alto Cortex |
| SIEM integrations | ExabeamSIEM tools | Microsoft SentinelCrowdStrike Falcon LogScaleSplunk |
| Coverage | EPEndpoint: CoveredCloudCloud: CoveredIDIdentity: LimitedSaaSSaaS: CoveredNetNetwork: CoveredOTOT/IoT: Optional add-on | EPEndpoint: CoveredCloudCloud: CoveredIDIdentity: CoveredSaaSSaaS: CoveredNetNetwork: CoveredOTOT/IoT: Optional add-on |
| ›› Response | ||
| Response type | Active Remediation | Active Remediation |
| Approval policy | Configurable | Configurable |
| Response actions | Custom playbooks | IsolateKill processContainQuarantineCustom playbooks |
| IR included | ✓ Included | Separate |
| ›› Cost | ||
| Price range | Not published | Not published |
| Minimum seats | None | None |
| Breach warranty | – | – |
| ›› More details | ||
| Requires own agent | No | No |
| Endpoints | ✓ Included | ✓ Included |
| Cloud workloads | ✓ Included | ✓ Included |
| Identity | ~ Limited | ✓ Included |
| SaaS apps | ✓ Included | ✓ Included |
| Network | ✓ Included | ✓ Included |
| OT/ICS | + Optional | + Optional |
| Threat hunting | ✓ Included | ✓ Included |
| Response SLA | Not disclosed | Not disclosed |
| 24/7 coverage | ✓ | ✓ |
| Pricing model | Custom quote. Sapphire does not publish MDR package pricing. | Fixed fee per endpoint. No log volume or retention surcharges. No public pricing for any tier. |
| Hidden cost warnings | Public pages do not publish response SLAs or exact response-authority rules.. MDR, MXDR and OT SOC scope can differ materially, so buyers should define monitored surfaces in the order form.. The page publishes vendor-reported comparative metrics without independent methodology.. IR hours are included as standard, but buyers should confirm number of hours, coverage triggers and overage rates. | No public pricing for any tier, requires sales engagement for any estimate. IR is a separate retainer on Core and Enterprise, only Black includes it. US customers may get a different experience since bulk of 350+ specialists are in Europe |
| Data portability | Partial | Partial |
| Contract terms | Custom | Annual, Multi-year |
| Channels | PortalEmailPhone | PortalEmailPhoneTeamsSlack |
| Data access | Dashboards | Dashboards |
| Dedicated analyst | – | ✓ |
| SOC regions | Europe | EuropeNorth America |
| Onboarding | Sapphire references onboarding and implementation that can be shorter than expected, but no standard public MDR onboarding timeline was found. | 72 hours for Core and Enterprise. Black tier not disclosed. |
| Industry focus | Public SectorDefenceFinancial ServicesProfessional ServicesIndustrialsManufacturingOperational TechnologyHealthcare | Financial ServicesGovernmentHealthcareEnergyCritical Infrastructure |
| MTTD | Not published | Not published |
| MTTR | Not published | Not published |
| Community view | Sapphire has limited MDR-specific community review volume. The public buyer case is strongest for UK ownership, UK-based SOC delivery, CREST SOC accreditation and IT/OT services depth. Buyers should validate response authority, price, metrics and the exact split between MDR, MXDR, OT SOC and incident-response work. | Effectively unrateable. No public reviews on G2, PeerSpot, or Gartner Peer Insights. Not in Forrester Wave or Gartner MQ for MDR. No Reddit mentions. Strong Nordic reputation based on vendor claims and partner references (EY, Microsoft MISA), but impossible to validate through independent peer feedback. |
| Compliance | ISO 27001NISTHIPAADORACyber Essentials PlusCRESTGDPRPCI DSS | ISO 27001ISO 9001ISO 14001MISA (Microsoft Intelligent Security Association) |
| Certifications | CREST SOCCREST Penetration TestingCyber Essentials PlusISO 27001 | ISO 27001ISO 9001ISO 14001 |
| Founded | 1996 | 2005 |
| Data retention | Not published as a standard MDR retention period. | Included in fixed fee, no log volume or retention surcharges. Specific retention periods not disclosed. |
| API available | – | ✓ |
| Website | Visit → | Visit → |
›› FAQ
What is the main difference between Sapphire and Truesec?
Sapphire is a Services firm that is technology-agnostic (works with your existing tools). Truesec is a Services firm that is technology-agnostic (works with your existing tools). Sapphire covers 4 attack surfaces in base pricing vs. 5 for Truesec.
How do Sapphire and Truesec differ in response capabilities?
Sapphire supports 1 autonomous actions (custom playbooks) and approval is configurable. Truesec supports 5 autonomous actions (custom playbooks, endpoint isolation, file quarantine, network containment, process termination) and approval is configurable. Incident response is included with Sapphire and not included with Truesec.
How does Sapphire pricing compare to Truesec?
Sapphire pricing: Not published. Truesec pricing: Custom-quoted pricing. Watch for with Sapphire: Public pages do not publish response SLAs or exact response-authority rules.; MDR, MXDR and OT SOC scope can differ materially, so buyers should define monitored surfaces in the order form.. Watch for with Truesec: No public pricing for any tier, requires sales engagement for any estimate; IR is a separate retainer on Core and Enterprise, only Black includes it.
Should I choose Sapphire or Truesec?
Choose Sapphire if: uK organisations that want MDR from a UK-owned provider with a UK-based CREST-accredited SOC. Choose Truesec if: nordic enterprises wanting the largest regional SOC with local language support. Sapphire is not ideal for buyers that need public MDR pricing or contractual response SLAs before sales engagement. Truesec is not ideal for uS-based organizations wanting a fully staffed local SOC (bulk of specialists in Europe).
Daylight Security
AI-native MDR for buyers comparing active remediation across endpoint, cloud, identity, and SaaS. Daylight works with existing EDR/SIEM stacks and uses ChatOps-native collaboration, so it can be a useful third reference point in this comparison.