At a glance
- Delivery model: Tech-agnostic (works with your tools)
- Response authority: Active remediation
- MTTA SLA: Not disclosed
- Coverage: 24×7 · 2 SOC regions
- Surfaces: Endpoint · Cloud · SaaS · Identity
- IR retainer: Separate
- Customers (public): Not published
- SOC analysts: Not published. LinkedIn shows around 100 employees in total, split roughly 53 in the UK and 35 in the Philippines, with the remainder elsewhere. Glassdoor reviews mention limited L2 analyst headcount, suggesting a lean senior team relative to customer base.
- Onboarding: Not published. Automated onboarding deploys detections and playbooks quickly; specifics not disclosed.
Best for
Ideal for
- UK organisations committed to the Microsoft security stack (M365/Azure) wanting MDR that operates inside their own tenant with no third-party data storage
- Regulated UK industries needing NCSC-assured Cyber Incident Response on standby and CREST-accredited SOC credentials for compliance purposes
- Mid-market organisations that want a tiered entry point (from £4/user/month) with a clear upgrade path as security maturity grows
- Teams whose primary security workflow is Microsoft Teams, who want alert approvals and incident communications handled natively in that channel
- Public sector bodies needing a Crown Commercial Service-listed supplier with UK government accreditation requirements
Not ideal for
- Organisations running CrowdStrike, SentinelOne, or any non-Microsoft primary EDR. CyberOne is Microsoft-only with no credible third-party EDR coverage path.
- Buyers who need independently validated detection metrics, published MTTD/MTTR, or peer reviews before committing. None of these exist.
- Enterprises expecting incident response to be included in their MDR subscription. IR is a separate purchase on a retainer or call-off basis.
- Organisations needing OT/ICS, network detection (NDR), or multi-cloud coverage beyond Azure and M365. These are significant gaps.
- Large enterprises needing a provider with an established global brand and analyst headcount transparency. With 51-200 total employees, CyberOne is a boutique specialist.
Coverage
- Endpoint: Included
- Cloud: Included
- Identity: Included
- SaaS: Included
- Network: Limited
- OT / IoT: Not offered
Compatible tools
EDR
SIEM
Cloud
Additional capabilities
Incident response
- Monitoring: 24/7 · Follow-the-sun coverage across 2 SOC regions: UK (London HQ) and the Philippines (National Capital Region and Calabarzon). LinkedIn employee distribution suggests the Philippines team carries overnight UK coverage. Specific shift handoff process is not published.
- First response: Configurable: auto-act per your playbook, or escalate for approval · Custom playbooks supported
- Containment: Endpoint isolation · Process kill · Network containment · Account disable · File quarantine
- Notification: Teams · Phone · Email
- Response SLA: Not disclosed · CyberOne references 'guaranteed SLAs' in marketing materials and the datasheet, but specific response time commitments (MTTD, MTTR) are not published.
- IR included: No (separate retainer)
Detection quality
- MTTD (detect): Not published
- MTTR (respond): Not published
- False positives: CyberOne AI enriches and prioritises alerts before analyst review. MITRE ATT&CK-aligned ruleset of 1,000+ tuned detections is deployed at onboarding. Ongoing SOC tuning is included across all tiers.
Threat hunting
- Included: Extra cost
- Approach: Proactive
- Frequency: Available in MDR Core Premium tier only; not included in MDR Auto or MDR Core
Pricing
Per-user per month, tiered across 3 plans: MDR Auto, MDR Core, MDR Core Premium. Starting price published as 'from £4 per user per month'. Annual contracts.
- Indicative price: From £4 per user/month (entry tier). Upper-tier pricing not published. Contact required for MDR Core and MDR Core Premium quotes.
What costs extra
- NCSC-Backed Cyber Incident Response (retainer or call-off SoW, not in MDR subscription)
- Dark Web Monitoring and takedown service (add-on)
- Penetration Testing and Red/Purple Teaming (add-on)
- Cyber Incident Tabletop Exercising (add-on)
- Proactive threat hunting (Premium tier only)
- Deception and honeypots (Premium tier only)
- Bespoke evidence packs for audits and boards (Premium tier only)
- Data Security as a Service module (separate Assure 365 add-on)
- Identity as a Service module (separate Assure 365 add-on)
Cost caveats
- Requires existing Microsoft licensing (at minimum Microsoft 365 Business Premium or equivalent Defender licenses). These costs are separate and are not included in CyberOne's fee.
- Microsoft Sentinel runs in the customer's tenant, meaning Azure consumption costs for data ingestion are billed by Microsoft separately and can rise meaningfully during high-volume incidents.
- Incident Response is a separate purchase. The MDR service handles detection and containment; full IR (forensics, eradication, recovery) requires a separate NCSC-accredited IR retainer.
- Network coverage is limited. CyberOne is Microsoft-stack focused; organizations needing network or OT/ICS coverage will find significant gaps.
- Threat hunting is Premium tier only. MDR Auto and MDR Core buyers do not receive proactive hunting.
Proof of value may be available through sales.
Pricing compiled from public sources. Verify directly with the provider.
The team
- Analysts: Direct employees · Not published. LinkedIn shows around 100 employees in total, split roughly 53 in the UK and 35 in the Philippines, with the remainder elsewhere. Glassdoor reviews mention limited L2 analyst headcount, suggesting a lean senior team relative to customer base.
- Certifications: CREST SOC · CREST Cyber Security Incident Response · NCSC Cyber Incident Response (Standard Level)
- Channels: Teams · Email · Portal · Phone
- Data access: Full Query Access
- Portal: CyberOne's customer portal provides live incidents, board-ready reports, evidence packages, and roadmap in one place. All tiers include monthly reports and service reviews. MDR Core Premium adds bespoke evidence packs for audits and boards. Data remains in the customer's own Microsoft tenant with full query access via Sentinel.
- Account manager: Dedicated
Reputation
No independent reviews found on G2, PeerSpot, or Gartner Peer Insights. Glassdoor employee reviews (30 reviews, 3.7/5) note a supportive culture but flag limited senior analyst headcount and management maturity. Client testimonials on the CyberOne website are positive but unverifiable. Zero Reddit presence. The company is a credible, CREST and NCSC-accredited Microsoft specialist, but lacks the third-party peer review validation that enterprise buyers typically require.
Common complaints
- Zero independent reviews on G2, PeerSpot, Gartner Peer Insights, or Reddit. Buyers cannot find peer validation before purchasing.
- Glassdoor employee reviews mention 'limited L2 employees' and management process immaturity, which may reflect a lean SOC for the customer base size.
- No published MTTD or MTTR metrics, despite marketing language about 'guaranteed SLAs.' Buyers cannot benchmark detection or response speed against peers.
- Incident response sits outside the MXDR subscription as a separate retainer or call-off SoW.
- Rebranded from Comtact to CyberOne in June 2024, meaning the brand has limited market recognition under its current name.
Reddit (r/sysadmin, r/msp)
No discussion found on r/msp, r/cybersecurity, or r/sysadmin. Zero community presence under either the CyberOne or Comtact names.
Questions to ask
8 questions to ask CyberOne
1. What are the specific SLA commitments for MTTD and MTTR at each tier? The marketing references 'guaranteed SLAs' but no figures are published.
2. What Microsoft licensing is the minimum prerequisite for each tier, and what is the all-in cost including Microsoft license fees, Azure Sentinel consumption costs, and CyberOne's fee?
3. At MDR Auto, which specific response actions are pre-approved by default? Who controls the pre-approval list and how are changes made?
4. How many SOC analysts are dedicated to MXDR monitoring, and what is the analyst-to-customer ratio? Glassdoor reviews mention limited senior (L2) analyst headcount.
5. Incident Response is listed as a separate add-on. What is included in the MDR containment actions versus what requires activation of the NCSC IR retainer?
6. Can you provide references from customers in our industry who have been on the service for at least 12 months? No independent reviews exist on G2 or Gartner Peer Insights.
7. Is 'Nyx Compromised Credential Monitoring' a CyberOne-owned capability or a rebranded third-party product? What is the underlying data source?
8. What happens to our Sentinel analytics rules, playbooks, and investigation history if we leave CyberOne? Which content transfers and which does not?
Evidence
Sources reviewed
Public-data caveats
- No public contractual response-time SLA is recorded for this profile.
- No public fixed price is recorded; compare only after a scoped quote.
- No public breach warranty is recorded.
- Response authority may depend on pre-approval and contract scope.
- MDR analyst headcount or analyst-to-customer ratio is not public.
