The 6 attack surfaces
Most MDR contracts started as “we operate your EDR.” That scope made sense five years ago. Today, attackers routinely enter through credential phishing (Entra ID, Okta), misconfigured cloud resources (S3 buckets, exposed APIs), and compromised SaaS accounts. If your MDR only watches endpoints, it misses the entry points that matter most.
1. Endpoint
Laptops, workstations, servers. Any device running an agent. Every MDR provider covers this, so the real question is whether they use their own agent (platform-native, meaning vendor lock-in) or integrate with your existing EDR like CrowdStrike, Defender, or SentinelOne.
2. Cloud workloads
AWS, Azure, GCP. VMs, containers, serverless. About half of providers include cloud in base pricing, the rest charge extra.
Be specific when you ask about cloud coverage. Some providers just monitor cloud VMs the same way they monitor laptops. Others watch the cloud control plane: IAM changes, security group modifications, resource creation. The control plane matters more.
3. Identity
Active Directory, Entra ID (Azure AD), Okta. This is the fastest-growing coverage area because identity is the most common attack entry point. When evaluating, ask: “What identity events do you detect?” Good answers include impossible travel, MFA bypass, privilege escalation, credential stuffing, and suspicious OAuth grants.
Identity is the common thread across every other surface. Cloud access, SaaS accounts, VPN connections, and endpoint logins all flow through your identity provider. This makes identity monitoring disproportionately valuable: one compromised credential can cascade across every other surface you're paying to protect.
4. SaaS
Microsoft 365, Google Workspace, Salesforce, Slack. Fewer than a third of providers include SaaS monitoring, and for most of them “SaaS coverage” just means watching Microsoft 365 audit logs. Ask which applications are supported and how many detection rules exist for each.
5. Network
Traffic analysis, lateral movement detection, DNS monitoring. This requires either a physical/virtual sensor or integration with tools like Corelight, Zeek, or firewall logs. Less important for cloud-native organizations, but if you have a physical data center, you want it.
6. OT/IoT
Industrial control systems (SCADA, PLCs), IoT devices, medical devices. Only a handful of MDR providers offer this natively. Most require separate OT tools (Claroty, Nozomi, Dragos) with MDR layered on top. OT environments need protocol-specific detection, no active scanning, and no agent deployment, so general MDR providers rarely have the right expertise.
What coverage do you need?
- At a minimum, cover endpoints. If budget only allows one surface, start here.
- Endpoints + cloud + identity covers the three most common attack vectors and is a reasonable baseline for most organizations.
- All six surfaces is the broadest option, but few providers deliver all six equally well. Verify depth per surface, not just a checkmark.
The right answer depends on where your critical assets live and where attackers are most likely to enter. If your company runs primarily on Microsoft 365 and Azure, identity and SaaS coverage matters more than OT/IoT.
FAQ
What attack surfaces does MDR cover?
Six: endpoint, cloud, identity, SaaS, network, and OT/IoT. Most providers include only endpoints in base pricing.
Do I need more than endpoint MDR?
If you use cloud infrastructure, Microsoft 365, or identity providers like Okta, yes. Endpoint-only MDR won't catch attacks that enter through those channels.
What is identity detection and response?
ITDR monitors authentication systems for suspicious activity: impossible travel, privilege escalation, MFA bypass, credential stuffing. Identity is the #1 attack entry point.