You deploy an agent or connect your existing security tools. The MDR provider's SOC (Security Operations Center) monitors your environment 24/7, detects threats using their detection rules and threat intelligence, investigates alerts to separate real attacks from noise, and responds, often by isolating endpoints, killing processes, or disabling compromised accounts. Unlike an MSSP, which alerts you and waits for your team to act, an MDR provider handles the investigation and response directly.
What MDR monitors (attack surfaces)
MDR originally meant “we operate your EDR.” The scope has expanded. Modern attacks increasingly enter through identity, cloud, and SaaS, so most providers now monitor well beyond endpoints.
| Surface | What it means | Market status |
|---|---|---|
| Endpoint | Laptops, workstations, servers | Universal |
| Cloud | AWS, Azure, GCP workloads | Common |
| Identity | Active Directory, Entra ID, Okta | Growing fast |
| SaaS | Microsoft 365, Google Workspace | Emerging |
| Network | Network traffic, lateral movement | Mixed |
| OT/IoT | Industrial systems, IoT devices | Niche |
Endpoint-only MDR won't catch attacks entering through identity (credential phishing), cloud (misconfigured resources), or SaaS (compromised Microsoft 365 accounts).
The service taxonomy
| Term | Type | What it is | Who operates it |
|---|---|---|---|
| EDR | Product | Detects threats on endpoints | You (or your MDR) |
| XDR | Product | Detects across endpoint + cloud + identity | You (or your MDR) |
| MSSP | Service | Monitors your tools, sends alerts | They watch, you respond |
| MDR | Service | Detects, investigates, and responds | They detect and act |
| SOCaaS | Service | Full outsourced security operations | They handle everything |
What MDR does not include
- Prevention: firewalls, patching, and hardening remain your responsibility
- Vulnerability management: scanning and remediation are handled separately
- Incident response (often): many MDR contracts exclude major breach response, which is sold as a separate retainer
- A complete security program: MDR is one layer of defense, not the whole strategy
What MDR costs
Most MDR is priced per endpoint: $8–35/endpoint/month. Per-user pricing ranges from $2–200+/user/month depending on which surfaces are covered. About 46% of providers are custom-quote only.
Watch for hidden costs: onboarding ($5K–25K), integration fees, data ingestion overages, and IR retainers billed separately.
FAQ
What does MDR stand for?
Managed Detection and Response. A security service where a provider detects threats across your environment, investigates them, and takes response actions on your behalf.
How is MDR different from antivirus?
Antivirus blocks known threats automatically. MDR provides human analysts who detect, investigate, and respond to sophisticated attacks that automated tools miss, including zero-day exploits, lateral movement, and living-off-the-land techniques.
What does MDR cost?
Typically $8–35 per endpoint per month, or $2–200+ per user per month depending on coverage scope. Cloud, identity, and SaaS coverage often add cost.
Does MDR replace my security team?
No. MDR augments your team by handling detection and initial response 24/7. You still need people for security strategy, vulnerability management, compliance, and broader IT security operations.