NCC Group MDR
Works with your tools: Integrates with your existing security tools via APIs. You keep your current EDR, SIEM, and cloud tools.
NCC Group Managed XDR
UK cybersecurity consultancy delivering MXDR through two offerings: one built on Microsoft Sentinel, the other on Splunk. Detection capability comes from Fox-IT, acquired in 2015, which ran Europe's first SOC starting in 2001 and has deep Dutch government cryptography heritage. MDR is one service line alongside pen testing and incident response, so MXDR customers get an embedded IR team.
Best For
Ideal for
- European enterprise and government organizations running Microsoft Sentinel or Splunk as their SIEM
- Buyers wanting MDR from a provider with deep incident response and consulting capability in one firm
- UK and Benelux organizations wanting a locally operated SOC with Dutch government security heritage
Not ideal for
- Organizations running a SIEM other than Microsoft Sentinel or Splunk (only two supported)
- Buyers wanting transparent pricing, broad community reviews, or a breach warranty
- SMBs or organizations wanting a dedicated, MDR-first provider rather than a consultancy's managed service
Coverage
Endpoint
Cloud
Identity
SaaS
Network
OT / IoT
Compatible Tools
EDR
SIEM
Cloud
Additional Capabilities
Incident Response
No formal response SLA published.
Detection Quality
Threat Hunting
Pricing
Not published. Custom quotes. Evidence of large-scale enterprise pricing: EUR 25M+ contract for Netherlands university consortium. Annual or multi-year contracts.
Pricing compiled from public sources. Verify directly with the provider.
The Team
Reputation
Strong analyst recognition: Forrester Wave MDR Europe Q3 2025 Strong Performer, IDC MarketScape European MDR 2024 Leader. Virtually no practitioner reviews on G2 (not MDR-specific), PeerSpot (0 reviews, ranked 43rd in MDR), or Reddit. Analyst praise for threat hunting and consultative approach, but buyers cannot reference peer experiences.
What customers praise
- Forrester Strong Performer and IDC Leader in European MDR, validating technical capability
- Fox-IT heritage: Europe's first SOC (2001), Dutch government cryptography work, deep threat hunting
- Embedded IR team within MXDR, with access to NCC Group's broader consulting practice
Common complaints
- Zero MDR-specific reviews on PeerSpot, no MDR reviews on G2, no Reddit discussions
- Only two SIEM platforms supported (Sentinel and Splunk), limiting flexibility for other SIEM users
- MDR is one of many NCC Group service lines, raising questions about how much executive focus it receives
Reddit (r/sysadmin, r/msp)
No discussions found about NCC Group or Fox-IT MDR service in r/msp, r/cybersecurity, or r/sysadmin.
What to Ask NCC Group (6 questions)
1. We run [EDR other than Microsoft Defender or CrowdStrike]. Is it supported, or are those the only two EDR integrations available?
2. What is the formal SLA for response to critical alerts? The 25-minute average MTTR is a performance metric, not a contractual commitment.
3. How does the embedded IR team work in practice? At what point does an MXDR incident escalate to a full NCC Group IR engagement, and what does that cost?
4. What specific detection content is portable if we leave? Will custom Sentinel or Splunk rules built during the engagement remain ours?
5. How much of NCC Group's executive and engineering investment goes to MXDR versus the pen testing and consulting business lines?
6. Can you provide MDR-specific customer references? PeerSpot shows zero reviews and no Reddit discussions exist.
Information compiled from public sources. Verify details directly with the provider before making decisions.