The 6 attack surfaces
MDR started as “we operate your EDR.” That era is over. Attackers know that identity (credential phishing through Entra ID or Okta) and cloud (misconfigured S3 buckets, exposed APIs) are softer targets than well-defended endpoints. If your MDR only watches endpoints, you're blind to where attacks actually start.
1. Endpoint
What it covers: Laptops, workstations, servers. Any device running an agent.
Market status: Universal. Every MDR provider covers endpoints. This is the baseline.
What to watch: Does the provider use their own agent (platform-native) or integrate with your existing EDR (BYOT, bring your own tool)? Platform-native means vendor lock-in. BYOT means you keep your CrowdStrike, Defender, or SentinelOne.
2. Cloud workloads
What it covers: AWS, Azure, GCP. VMs, containers, serverless, cloud-native services.
Market status: Common but often a paid add-on. About half of providers include it in base pricing.
What to watch: “Cloud coverage” means different things. Some providers only monitor cloud VMs (treating them like endpoints). Others monitor the cloud control plane (IAM changes, security group modifications, resource creation). The second is far more valuable, because most cloud breaches start with an API call, not with malware on a VM.
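To make the VM-versus-control-plane distinction concrete, here is an added example (not from the article or any MDR provider) of the kind of rule a control-plane monitor runs over cloud audit events rather than over agent telemetry. The events are constructed; their field names (eventSource, eventName, userIdentity.arn, requestParameters) follow the AWS CloudTrail record layout, but the account id, principal names and trail name are placeholders.

```python
"""Control-plane detection rules over CloudTrail-style audit events.

Added example. Event shape follows AWS CloudTrail; the values are constructed.
"""
from typing import Callable, Dict, List, Optional

Event = Dict
Rule = Callable[[Event], Optional[str]]  # returns a reason string when the event matches

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def public_ingress(ev: Event) -> Optional[str]:
    """Security group rule opened to the whole internet (IPv4 or IPv6)."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        ranges = (p.get("ipRanges", {}).get("items", [])
                  + p.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in PUBLIC_CIDRS:
                return f"{p.get('ipProtocol')} {p.get('fromPort')}-{p.get('toPort')} open to {cidr}"
    return None


def admin_policy_attached(ev: Event) -> Optional[str]:
    """AWS-managed AdministratorAccess attached to a user, role or group."""
    if ev.get("eventName") not in {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}:
        return None
    params = ev.get("requestParameters", {})
    arn = params.get("policyArn", "")
    if arn.endswith("/AdministratorAccess"):
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        return f"{arn} attached to {target}"
    return None


def audit_logging_disabled(ev: Event) -> Optional[str]:
    """Trail stopped or deleted: the control plane going dark is itself a signal."""
    if (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail"}):
        return f"{ev['eventName']} on trail {ev.get('requestParameters', {}).get('name')}"
    return None


RULES: Dict[str, Rule] = {
    "public_ingress": public_ingress,
    "admin_policy_attached": admin_policy_attached,
    "audit_logging_disabled": audit_logging_disabled,
}


def evaluate(events: List[Event], rules: Dict[str, Rule] = RULES) -> List[dict]:
    """Run every rule over every event; one finding per (event, matching rule)."""
    findings = []
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        for name, rule in rules.items():
            reason = rule(ev)
            if reason:
                findings.append({"rule": name, "actor": actor,
                                 "event": ev.get("eventName"), "reason": reason})
    return findings


# Constructed sample events (placeholder account 111111111111 and names).
_ACTOR = {"arn": "arn:aws:iam::111111111111:user/dev-placeholder"}
SAMPLE_EVENTS: List[Event] = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": _ACTOR,
     "requestParameters": {"groupId": "sg-placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": _ACTOR,
     "requestParameters": {"groupId": "sg-placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},   # internal only: benign
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _ACTOR,
     "requestParameters": {"userName": "svc-placeholder",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": _ACTOR, "requestParameters": {"name": "org-trail-placeholder"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": _ACTOR, "requestParameters": {"instanceType": "t3.micro"}},  # benign
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

None of these three events would ever be seen by an agent on a VM: the first and third change what the VM is exposed to, the second changes who can act, and the fourth removes the evidence. That is the gap between "cloud VMs as endpoints" and control-plane coverage.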
3. Identity
What it covers: Active Directory, Entra ID (Azure AD), Okta. Authentication and authorization systems.
Market status: Growing fast. Identity is the #1 attack entry point. More providers are adding identity detection every quarter.
What to watch: Ask specifically: “What identity events do you detect?” Good answers include impossible travel, MFA bypass, privilege escalation, credential stuffing, and suspicious OAuth grants.
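Of the detections listed above, impossible travel is the one you can verify for yourself, so here is an added example (not from the article or any provider) of the core logic: group sign-ins by user, order them in time, and flag consecutive pairs whose implied ground speed is physically implausible. The sign-in records are constructed; Entra ID sign-in logs and the Okta System Log carry the same information (user, UTC time, geo-resolved source IP) under their own field names, and the speed and distance thresholds are assumptions to tune per environment.

```python
"""Impossible-travel detection over identity sign-in events.

Added example. Event shape and thresholds are assumptions, not any IdP's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # about airliner cruise speed (assumption)
MIN_DISTANCE_KM = 50.0           # ignore geo-IP jitter inside one metro area (assumption)


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime      # timezone-aware UTC
    lat: float
    lon: float
    src_ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: List[SignIn],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[dict]:
    """One finding per consecutive same-user sign-in pair whose implied speed
    exceeds max_speed_kmh. A large distance with zero elapsed time counts as
    infinite speed; small hops below MIN_DISTANCE_KM are ignored."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.src_ip, "to_ip": cur.src_ip,
                    "distance_km": round(dist), "hours": round(hours, 2),
                    "speed_kmh": speed if speed == float("inf") else round(speed),
                })
    return findings


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample: city-centre coordinates, RFC 5737 documentation IPs.
SAMPLE_EVENTS = [
    SignIn("alice", _utc("2024-05-01 09:00"), 51.5074, -0.1278, "192.0.2.10"),     # London
    SignIn("alice", _utc("2024-05-01 10:30"), 40.7128, -74.0060, "198.51.100.7"),  # New York, 90 min later
    SignIn("bob",   _utc("2024-05-01 09:00"), 51.5074, -0.1278, "192.0.2.11"),     # London
    SignIn("bob",   _utc("2024-05-01 12:00"), 48.8566, 2.3522, "203.0.113.5"),     # Paris, 3 h later (plausible)
    SignIn("carol", _utc("2024-05-01 09:00"), 47.6062, -122.3321, "192.0.2.12"),   # Seattle
    SignIn("carol", _utc("2024-05-01 09:05"), 47.6101, -122.2015, "192.0.2.13"),   # Bellevue: geo-IP jitter
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f)
```

Only alice is flagged: London to New York is roughly 5,570 km, which in 90 minutes implies about 3,700 km/h. Bob's London-to-Paris hop averages about 115 km/h and Carol's two Seattle-area sign-ins fall under the distance floor. The two thresholds are where the tuning lives: VPN egress points and mobile carrier NAT are the usual sources of false positives, which is exactly why you should ask a provider how they suppress them rather than whether they "do" impossible travel.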
4. SaaS
What it covers: Microsoft 365, Google Workspace, Salesforce, Slack. The applications your users live in.
Market status: Emerging. Fewer than a third of providers include SaaS monitoring.
What to watch: SaaS monitoring often means watching Microsoft 365 audit logs. Ask which SaaS applications are actually supported and what detection rules exist for each.
5. Network
What it covers: Network traffic analysis, lateral movement detection, DNS monitoring.
Market status: Mixed. Network detection requires either a physical/virtual sensor or integration with network tools (Corelight, Zeek, firewall logs).
What to watch: Network detection is less critical for cloud-native organizations but essential for on-premises environments. If you have a physical data center, you want network coverage.
6. OT/IoT
What it covers: Industrial control systems (SCADA, PLCs), IoT devices, medical devices.
Market status: Niche. Only a handful of MDR providers offer OT/IoT monitoring. Most require separate OT security tools (Claroty, Nozomi, Dragos) with MDR as an overlay.
What to watch: OT environments have unique requirements: no active scanning, no agent deployment, protocol-specific detection. General MDR providers rarely have the expertise.
What coverage do you actually need?
- Minimum: Endpoints. If you only have budget for one surface, this is it.
- Recommended: Endpoints + cloud + identity. This covers the three most common attack vectors.
- Comprehensive: All six surfaces. Expensive, and few providers can deliver all six well.
The right answer depends on where your critical assets live and where attackers are most likely to enter. If your company runs primarily on Microsoft 365 and Azure, identity and SaaS coverage matters more than OT/IoT.
FAQ
What attack surfaces does MDR cover?
Six: endpoint, cloud, identity, SaaS, network, and OT/IoT. Most providers include only endpoints in base pricing.
Do I need more than endpoint MDR?
If you use cloud infrastructure, Microsoft 365, or identity providers like Okta, yes. Endpoint-only MDR misses where modern attacks actually start.
What is identity detection and response?
ITDR monitors authentication systems for suspicious activity: impossible travel, privilege escalation, MFA bypass, credential stuffing. Identity is the #1 attack entry point.