Guide · 8 min · For Owners

What MDR actually is

Managed detection and response is three things sold as one service:

  1. Detection software on your computers (EDR).
  2. A 24/7 team of human analysts watching what that software reports (a SOC).
  3. Pre-agreed authority for that team to respond (isolating an infected machine, killing a malicious process, disabling a compromised account) without waiting for you to answer the phone.

The third item is the one that earns the "R." Plenty of services do detection and call it MDR. If the contract says the provider will notify you when something happens, you've bought monitoring. If it says they will contain it within a defined number of minutes, you've bought MDR.

Equally important is what MDR is not: it doesn't patch your systems, run your backups, enforce MFA, or train your staff. It's the watching-and-acting layer that sits on top of those basics — and it assumes they exist. An MDR analyst can contain a ransomware outbreak in minutes; they can't conjure the tested backup you'll restore from afterward.

MDR vs. antivirus vs. EDR vs. SIEM vs. SOC

The acronyms describe different layers, and vendors blur them constantly. Plainly:

You'll also meet XDR ("extended" detection and response), which mostly means EDR that ingests extra telemetry sources. Useful, but more vendor packaging than new idea — the questions at the end of this guide matter far more than which letter precedes the DR.

The honest summary: antivirus and EDR are things you install, SIEM is a thing you feed, a SOC is people you staff or hire, and MDR is the contract that delivers tool-plus-people-plus-action as a single line item.

What "response" actually means

When an MDR provider says "we respond," pin down the verbs. Real response looks like this, in roughly this order, in minutes:

  1. Isolate the host. The infected machine is cut off from the network remotely — it can still talk to the security tooling, but not to your file server or the attacker. This single action is what stops one compromised laptop from becoming a company-wide ransomware event.
  2. Kill the process and quarantine the file. Whatever's executing gets stopped and locked away for analysis.
  3. Revoke sessions and disable accounts. If credentials were taken, signed-in sessions get terminated and the account is frozen before it's used from somewhere else.
  4. Tell you what happened. A human-readable account of what was seen, what was done, and what (if anything) needs your decision next — not a raw alert export.

Speed is the entire value. Attackers move from first foothold to widespread access in hours; a containment that happens in minutes interrupts the chain, while an email you read the next morning documents it. That's why the response-time commitment belongs in the contract, expressed in minutes — not in the brochure.

What MDR costs

The pricing model is nearly universal: per endpoint, per month — every workstation and server with an agent on it counts. What varies is what's inside the number.

When comparing quotes, count carefully: servers count as endpoints (and often cost more per agent), and so does the forgotten desktop in the warehouse. A quote that looks cheap because it covered fifteen of your twenty-two machines isn't cheap — it's seven unwatched doors.

Two contract lines deserve more scrutiny than the price: what actions the provider may take without calling you first (response authority, in writing), and the committed time to containment. Cheap quotes go soft on exactly those two.

When a small business actually needs it

Start from the uncomfortable premise: every business running EDR needs someone watching it, and "someone" means around the clock, since attackers prefer your nights, weekends, and holidays precisely because nobody's looking. EDR that fires alerts into an unwatched inbox is a smoke detector chirping in an empty building — it will faithfully record the fire.

So the real question isn't whether the watching happens, it's who does it:

A few external forces are deciding this for many owners anyway. Cyber insurance questionnaires increasingly ask not just "do you have EDR?" but "is it monitored 24/7, and by whom?" — our cyber insurance guide covers why misstating that answer is worse than answering no. Compliance frameworks that require incident response capability point the same direction.

The honest "you might not need it" case is narrow but real: if your environment is a handful of cloud-only laptops with aggressive MFA, no servers, and nothing an attacker can pivot through, basic managed EDR with business-hours eyes is a defensible interim step. But that describes fewer businesses than believe it does, and it stops being true the day you add a server, a second location, or a compliance obligation.

What to ask an MDR provider

  1. Who is watching, and when? "24/7 SOC" should mean named humans on shifts, not an auto-forwarding rule. Ask where the analysts are and how many.
  2. What can you do without calling me first? The response-authority list — isolate, kill, disable — agreed in writing before the incident, not negotiated during one.
  3. What's the committed time to containment? In minutes, in the contract. "Best effort" is not a number.
  4. What telemetry do you actually watch? Endpoints only, or also Microsoft 365 sign-ins, identity, firewall? Mailbox takeover is the most common small-business incident; an MDR that can't see logins is blind to it.
  5. What happens after containment? Is investigation and cleanup included, or does the meter start? Surprise hourly forensics is a classic quote-padding move.
  6. What do I get monthly? A report a human can read — what fired, what was real, what was done — not a dashboard login and good wishes.
  7. What happens if we leave? Agent removal, data handover, and no hostage-taking.

A provider who answers these crisply is selling you a service. One who answers with acronyms is selling you software with a markup. If you want to sanity-check a quote you've already received — including the answer "that's fine, keep it" — that's a 20-minute conversation we're happy to have.

Frequently asked questions

What does MDR stand for and what does it include?
Managed detection and response. It bundles three things as one service: detection software on your computers (EDR), a 24/7 team of human analysts watching what that software reports (a SOC), and pre-agreed authority for that team to respond — isolating an infected machine, killing a malicious process, disabling a compromised account — without waiting for you to answer the phone.
What's the difference between MDR and EDR?
EDR is the tool; MDR is the tool plus the people plus the response. EDR software records and flags suspicious behavior on endpoints, but somebody still has to read those alerts and act on them at 2 a.m. MDR is the service contract that puts trained analysts on that job around the clock. Unwatched EDR catches attacks that nobody stops.
How much does MDR cost?
Almost always per endpoint per month. Standalone MDR commonly runs in the range of roughly $5 to $30 per endpoint monthly depending on what's monitored and how much response is included, on top of the EDR licensing itself. Many managed IT providers fold it into a flat per-device rate instead — our Managed Endpoint plan includes EDR with 24/7 SOC monitoring at $79 per device per month rather than selling detection as an add-on.
Does a small business really need MDR?
If you run EDR — and you should — someone has to watch it, and that's effectively what MDR is. Attacks don't keep business hours, and an alert that sits unread overnight is an attack that succeeded. Unless you genuinely staff your own 24/7 security team, which almost no small business does, the watching has to be bought. Cyber insurers increasingly assume as much on their questionnaires.
