Buyer fit
Good fit when
- ✓European enterprise and government organizations running Microsoft Sentinel or Splunk as their SIEM
- ✓Buyers wanting MDR from a provider with deep incident response and consulting capability in one firm
- ✓UK and Benelux organizations wanting a locally operated SOC with Dutch government security heritage
Watch out when
- ×Organizations running a SIEM other than Microsoft Sentinel or Splunk (only two supported)
- ×Buyers wanting transparent pricing, broad community reviews, or a breach warranty
- ×SMBs or organizations wanting a dedicated, MDR-first provider rather than a consultancy's managed service
Coverage
4 of 6 attack surfaces in the base price — the rest are separately priced.
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –Full incident response engagement (beyond 2 hours included post-breach advisory)
- –Penetration testing and red teaming (separate NCC Group service)
- –Threat intelligence subscriptions (monthly Threat Pulse reports)
- –ScoutSuite cloud auditing
Cost caveats
- –MXDR for Microsoft and MXDR for Splunk are separate offerings. Customers using both Sentinel and Splunk may face separate engagements.
- –Only Microsoft Defender and CrowdStrike EDR integrations are confirmed. Other EDR platforms may not be supported.
- –Post-breach advisory limited to 2 hours included. Full IR engagement is a separate NCC Group consulting purchase.
- –SIEM licensing (Microsoft Sentinel or Splunk) is the customer's cost, not included in MXDR pricing
Verify pricing directly with the provider.
Team and access
Reputation
Strong analyst recognition: Forrester Wave MDR Europe Q3 2025 Strong Performer, IDC MarketScape European MDR 2024 Leader. Virtually no practitioner reviews on G2 (not MDR-specific), PeerSpot (0 reviews, ranked 43rd in MDR), or Reddit. Analyst praise for threat hunting and consultative approach, but buyers cannot reference peer experiences.
What customers praise
- ✓Forrester Strong Performer and IDC Leader in European MDR, validating technical capability
- ✓Fox-IT heritage: Europe's first SOC (2001), Dutch government cryptography work, deep threat hunting
- ✓Embedded IR team within MXDR, with access to NCC Group's broader consulting practice
Common complaints
- ×Zero MDR-specific reviews on PeerSpot, no MDR reviews on G2, no Reddit discussions
- ×Only two SIEM platforms supported (Sentinel and Splunk), limiting flexibility for other SIEM users
- ×MDR is one of many NCC Group service lines, raising questions about how much executive focus it receives
No discussions found about NCC Group or Fox-IT MDR service in r/msp, r/cybersecurity, or r/sysadmin.
Questions to ask
- 1.
We run [EDR other than Microsoft Defender or CrowdStrike]. Is it supported, or are those the only two EDR integrations available?
- 2.
What is the formal SLA for response to critical alerts? The 25-minute average MTTR is a performance metric, not a contractual commitment.
- 3.
How does the embedded IR team work in practice? At what point does an MXDR incident escalate to a full NCC Group IR engagement, and what does that cost?
- 4.
What specific detection content is portable if we leave? Will custom Sentinel or Splunk rules built during the engagement remain ours?
- 5.
How much of NCC Group's executive and engineering investment goes to MXDR versus the pen testing and consulting business lines?
- 6.
Can you provide MDR-specific customer references? PeerSpot shows zero reviews and no Reddit discussions exist.
Evidence
Sources reviewed
Public-data caveats
- –No public contractual response-time SLA is recorded for this profile.
- –No public fixed price is recorded; compare only after a scoped quote.
- –No public breach warranty is recorded.
- –Response authority may depend on pre-approval and contract scope.
- –MDR analyst headcount or analyst-to-customer ratio is not public.
Also consider
Independent research. Verify details directly with the provider before making decisions.
