›› At a glance
- Delivery model: Tech-agnostic (works with your tools)
- Response authority: Active remediation
- MTTA SLA: Not disclosed
- Coverage: 24×7 · 1 SOC region
- Surfaces: Endpoint · Cloud · SaaS · Network
- IR retainer: ✓ Bundled
- Customers (public): Not published for MDR
- SOC analysts: Not published
- Onboarding: Sapphire references onboarding and implementation that can be shorter than expected, but no standard public MDR onboarding timeline was found.
›› Best for
›› IDEAL FOR
- UK organisations that want MDR from a UK-owned provider with a UK-based CREST-accredited SOC
- Teams that need MDR plus OT SOC, incident response, digital forensics or compliance support
- Mid-market and enterprise buyers that want SIEM, EDR, threat intelligence and analyst-led case management
›› NOT IDEAL FOR
- Buyers that need public MDR pricing or contractual response SLAs before sales engagement
- Teams that require a named EDR action list such as endpoint isolation and account disable on the public page
- Organizations that want a pure-play MDR provider without broader consulting and managed-services scope
›› Coverage
- Endpoint: Included
- Cloud: Included
- Identity: Limited
- SaaS: Included
- Network: Included
- OT / IoT: Add-on
›› COMPATIBLE TOOLS
EDR
SIEM
Cloud
›› ADDITIONAL CAPABILITIES
›› Incident response
- Monitoring: 24/7 · Sapphire describes a 24x7x365 UK-based SOC with expert analysts. Public materials do not publish analyst count, shift model or SOC staffing ratios.
- First response: Alert only — provider notifies your team with recommended actions · Custom playbooks supported
- Containment: None documented
- Notification: Phone · Email
- Response SLA: Not disclosed · Sapphire publishes 24/7/365 UK-based SOC monitoring, case management, rapid containment language and incident-response hours as standard.
- IR included: Yes — in contract
›› DETECTION QUALITY
- MTTD (detect): Not published
- MTTR (respond): Not published
- False positives: Sapphire says Exabeam, behavioural analytics, threat intelligence enrichment and AI or machine learning help reduce false positives. Treat any published comparative figures as vendor-reported until validated during evaluation.
›› THREAT HUNTING
- Included: Yes — in base service
- Approach: Proactive
- Frequency: Vendor-stated proactive and 24/7 threat hunting. Exact hunt cadence not published.
›› Pricing
Custom quote. Sapphire does not publish MDR package pricing. Custom contracts.
- Indicative price: Not published
What costs extra
- Exact MDR pricing requires a Sapphire quote
- Managed SIEM, MDR and MXDR package scope should be separated during quote review
- OT SOC, digital forensics, incident response, vulnerability management and third-party risk services may have separate scope
- Exabeam, Microsoft, EDR and SIEM licensing can affect total cost
Cost caveats
- Public pages do not publish response SLAs or exact response-authority rules.
- MDR, MXDR and OT SOC scope can differ materially, so buyers should define monitored surfaces in the order form.
- The page publishes vendor-reported comparative metrics without independent methodology.
- IR hours are included as standard, but buyers should confirm number of hours, coverage triggers and overage rates.
Proof of value may be available through sales.
Pricing compiled from public sources. Verify directly with the provider.
›› The team
- Analysts: Direct employees · Not published
- Certifications: CREST SOC · CREST Penetration Testing · Cyber Essentials Plus · ISO 27001
- Channels: Portal · Email · Phone
- Data access: Dashboard access
- Portal: Sapphire describes action-focused reporting, case management and visibility across the environment. Public pages do not show raw query access or full portal workflow.
- Account manager: Shared / pooled
›› Reputation
Sapphire has limited MDR-specific community review volume. The public buyer case is strongest for UK ownership, UK-based SOC delivery, CREST SOC accreditation and IT/OT services depth. Buyers should validate response authority, price, metrics and the exact split between MDR, MXDR, OT SOC and incident-response work.
›› WHAT CUSTOMERS PRAISE
- 100% UK-owned and UK-based SOC positioning
- CREST SOC accreditation supports regulated-buyer diligence
- IT and OT security services can support mixed environments
›› COMMON COMPLAINTS
- No public MDR pricing
- No public contractual MDR response SLA
- Limited independent MDR-specific review volume
›› REDDIT (R/SYSADMIN, R/MSP)
No meaningful Reddit signal found for Sapphire MDR specifically.
›› Questions to ask
›› 8 questions to ask Sapphire
1. Are we buying Managed SIEM, MDR, MXDR or OT SOC coverage?
2. Which EDR, SIEM, cloud, SaaS, network and OT sources are included in our quote?
3. Which response actions can Sapphire take directly, and which require our approval?
4. How many incident-response hours are included as standard, and what triggers overage?
5. What contractual SLA applies to high-severity triage, escalation and containment?
6. Which vendor-reported metrics apply to our service tier, and what methodology supports them?
7. What case data, reports, tuning content and threat-intelligence context can we export if we leave?
8. Which CREST SOC scope, UK SOC location and analyst certifications apply to our contract?
›› Evidence
›› SOURCES REVIEWED
›› PUBLIC-DATA CAVEATS
- No public contractual response-time SLA is recorded for this profile.
- No public fixed price is recorded; compare only after a scoped quote.
- No public breach warranty is recorded.
- Response workflows are described, but exact standard containment actions are not public.
- MDR analyst headcount or analyst-to-customer ratio is not public.
