

NTT Security Holdings
Vendor-agnostic MDR from NTT Group, built on the sixth-generation SamurAI platform. SOC analysts in Gothenburg (primary) plus North America and APAC provide follow-the-sun coverage. Detection is powered by threat intelligence from NTT's Global Threat Intelligence Center, which monitors 40% of global IP prefixes. Active response is limited to endpoint isolation via the customer's own EDR. Everything else (process kills, account lockouts, full remediation) comes as recommendations, not direct action. OT/ICS monitoring available through Claroty and Nozomi integrations. Incident response is a separate retainer, not included in base MDR.
Buyer fit
Good fit when
- ✓Global enterprises needing follow-the-sun SOC coverage across NA, Europe, and APAC
- ✓Manufacturing and industrial organizations needing OT/ICS monitoring alongside IT MDR
- ✓Companies with a multi-vendor security stack who want vendor-agnostic telemetry ingestion
- ✓Organizations already in the NTT ecosystem or comfortable with traditional MSSP relationships
Watch out when
- ×SMBs wanting transparent pricing and self-service onboarding
- ×Buyers who need hands-on remediation beyond endpoint isolation (NTT recommends but does not execute)
- ×Teams that want published detection benchmarks or MITRE-validated metrics
- ×Organizations needing Slack/Teams-based SOC collaboration
- ×Budget-conscious buyers (consistently cited as expensive in reviews)
Coverage
EDR
SIEM
Cloud
Additional capabilities
Incident response
Pricing
What costs extra
- –Incident Response retainer (separate, not included in base MDR)
- –SamurAI Endpoint Agent (optional add-on)
- –Network Traffic Analyzer with PCAP (optional add-on)
- –Dynamic Blocklist Service (optional add-on)
- –OT/ICS monitoring scope
Cost caveats
- –Incident response is NOT included in base MDR. Requires a separate retainer with separate pricing.
- –SamurAI Endpoint Agent and Network Traffic Analyzer are add-ons, not included in base service. Clarify which components are in your quote.
- –Gartner reviewers consistently cite NTT as expensive relative to competitors.
- –Alert severity over-classification reported by customers, leading to unnecessary after-hours calls for already-blocked threats.
- –New log source integrations can take significant development time according to customer reviews.
- –Analysis quality and portal flexibility vary by SOC region per Gartner feedback.
Pricing compiled from public sources. Verify directly with the provider.
Team and access
Certifications
Reputation
Gartner Peer Insights 4.4/5 (21 reviews). NTT DATA (parent group) ranked second by revenue in Gartner Market Share Analysis for Managed Security Services Worldwide 2022. Reviewers praise responsiveness, team continuity, and global reach. Recurring complaints: expensive pricing, alert severity over-classification, and inconsistent analysis quality across SOC regions. Very limited Reddit/community discussion.
What customers praise
- ✓Responsive and easy to work with per Gartner reviewers
- ✓Flexible contracting that adapts to evolving business needs
- ✓Global delivery with fast incident reporting across regions
- ✓Strong technical team continuity and stability
Common complaints
- ×Expensive pricing relative to competitors (recurring Gartner theme)
- ×Alert severity over-classification, after-hours calls for already-blocked threats
- ×Analysis quality and portal flexibility vary by SOC region
- ×New log source integrations take significant development time
- ×No published MTTD/MTTR and no MITRE evaluation participation
Very limited Reddit discussion. NTT Security is more commonly discussed in enterprise MSSP procurement contexts than practitioner forums. Much less community visibility than Arctic Wolf, Huntress, or Red Canary.
Questions to ask
- 1.
Which components are included in our MDR quote vs. add-on? Specifically: Endpoint Agent, Network Traffic Analyzer, Dynamic Blocklist, and OT/ICS monitoring.
- 2.
Beyond endpoint isolation, what remediation actions do your SOC analysts actually perform? Can they kill processes, disable accounts, or quarantine files, or is that all recommendation-based?
- 3.
Which SOC location will handle our account? Gartner reviewers report analysis quality varies by region.
- 4.
What is the IR retainer cost and response time SLA? How does handoff from MDR to IR work during an active breach?
- 5.
What are your actual MTTD and MTTR metrics? Have you participated in MITRE managed services evaluations?
- 6.
Reviewers cite alert severity over-classification. How do you tune thresholds to reduce after-hours calls for already-blocked threats?
- 7.
What is the realistic timeline to integrate a new log source? Reviews suggest this can take significant development time.
- 8.
How do we export our incident data if we decide to transition away from SamurAI?
Evidence
Sources reviewed
Public-data caveats
- –SLA caveat: 30-minute SLA is for incident report generation on high/critical severity, not for response action. Low/medium incidents target 120 minutes (best effort). SOC calls the customer directly for critical incidents. 99.9% portal uptime target.
- –No public fixed price is recorded; compare only after a scoped quote.
- –No public breach warranty is recorded.
- –Response authority may depend on pre-approval and contract scope.
- –MDR analyst headcount or analyst-to-customer ratio is not public.
Also consider
Information compiled from public sources. Verify details directly with the provider before making decisions.