What is managed detection and response (MDR) software?

Managed detection and response (MDR) services allow organizations to deal with cybersecurity threats quickly and efficiently. Unlike other forms of cybersecurity, MDR solutions are not fully automated and include both a cloud-based software and a team of humans to investigate and repair hacks and malware damage.

Find your new MDR software

Comparing the top MDR service providers

MDR solutions come with many different features and tools to help you mitigate and prevent cyber threats. The chart below provides a comparison of valuable features supplied by the top managed detection and response providers.
Secureworks Taegis XDR no yes yes Medium and Large
Rapid7 yes no yes Small, Medium and Large
CrowdStrike Falcon yes yes yes Medium and Large
SentinelOne no yes yes Small and Medium
Cybereason XDR Platform no yes yes Small and Medium
Product Automated Threat Intelligence Uses Artificial Intelligence (AI) Endpoint Protection Business Size
Each managed detection and response service uses different tactics and different software. Listed below are descriptions of five very popular MDR services providers. While many of the services they offer are similar, each comes with some unique features.

Secureworks Taegis Managed XDR (Extended Detection and Response)

A cloud-based SaaS solution, the Secureworks Taegis Managed XDR platform comes with over 20 years of experience in security operations and threat prevention. Their platform detects and responds to attacks across endpoint, network, and cloud environments, and it is easy to deploy and provides immediate security monitoring across multiple environments. The Secureworks analysts are very knowledgeable and proactive when it comes to threat hunting. Secureworks Taegis Managed XDR provides their customers with 24/7 security monitoring and investigations. Their services include access to security analysts, threat detection and investigations, and threat response actions.


Rapid7’s MDR solutions and services use a range of techniques, including proactive threat hunting, threat intelligence, network traffic analysis, deception technologies, and more. Their platform helps to strengthen a company’s security posture, stay ahead of emerging threats, and prevent or counter them. Rapid7 also offers a variety of customizable dashboards which can be modified to fit changing needs. Rapid7 combines security expertise with technology to identify and respond to threats quickly. It provides proactive threat hunting, hands-on 24/7 monitoring, and effective response support. Tailored security guidance is used to stop cyberattacks and improve security.

CrowdStrike Falcon

This MDR service provides a platform that can work with supported versions of MacOS, PCs, and other devices. CrowdStrike Falcon‘s innovations have developed endpoint security that unifies next-generation antivirus software, a 24/7 threat-hunting service, and endpoint detection and response (EDR). CrowdStrike Falcon offers threat intelligence, which includes cyber criminal profiles and alerts providing information about the adversary. Using a sophisticated AI and machine learning system, it learns from attacks and improves the organization’s defenses. It also comes with customizable dashboards, allowing customers to design specialized views of their security data.


SentinelOne delivers automated endpoint protection that detects, prevents, and responds to cyberattacks. It is designed to be “very” user-friendly and uses AI to deal with threats in real time, eliminating them automatically. It provides security for businesses in the cloud and on-premises, while supporting full visibility across networks and endpoints. SentinelOne also offers a dashboard that can be customized using over 50 widgets that they offer. The AI is called ActiveEDR, which allows an organization to track incidents back to their source. It tracks and contextualizes everything on a device and identifies hostile activity in real time and automatically responds. ActiveEDR provides easy threat hunting by supporting full searches using a single IOC (indicators of compromise).

Cybereason XDR Platform

Cybereason XDR can detect the more subtle indications of network compromise. It does this by using enhanced connections between indicators of behavior (IOBs) and indicators of compromise. The AI-driven Cybereason XDR Platform integrates with leading firewall and NDR vendors to consolidate alerts, correlate network context with user and asset activity, and enable automated or guided response actions from the XDR console. This platform also supplies predictive ransomware protection as part of the package, and automatically blocks cyberattacks. It breaks down data silos, where cyber criminals rely on to remain hidden from security, which makes for more efficient threat detection and responses. Their AI can also learn to anticipate a cyberattacker’s next move and proactively block them.


How does MDR work?

Since security software alone can’t adjust to constantly changing attacks and few organizations have IT staff with the specialized threat-hunting experience needed to deal with the constantly evolving threats made by cyber criminals, MDR solutions will typically include human investigators as part of the package. The automated features monitor the system and provide alerts, while the human investigators analyze the attacks. When an MDR solution’s automated features detect malware, the system deploys a sandbox, or some other containment process, to contain the attack. This step is followed by communication with the human investigator. In addition, the MDR service provider typically has its own technology stack deployed on the customer’s premises. These technology stacks cover such areas as network services, cloud services, and endpoint services to protect the organization’s data and assets. These threat mitigation and containment techniques help to protect an organization’s data. However, different situations require different tools. While there are a variety of MDR services, each with their own tools and MDR protocols, they do share some common characteristics:
  • Network security defends a variety of processes, such as internet access, IP addressing, web content filtering, and primary domain email service. Some of the security tools used are VPN termination, firewalls, and intrusion prevention systems.
  • Cloud security protects software, platforms, and infrastructure, which are supported by third-party providers and accessed through the internet and can be vulnerable to cyberattacks.
  • Endpoint security deals with protecting desktops, mobile phones, laptops, tablets, and servers, which can each be considered an endpoint. It takes advantage of integrated and automated tools to reduce the time and energy needed for “securing” and managing endpoint devices.

How do I choose the right MDR service?

Price is a significant concern. There are a broad range of prices for MDR solutions, and finding MDR service providers in the affordable price range is an important first step. As with other products and services, you don’t alway get what you pay for, especially if it seems too good to be true, so be sure to check out all reviews to gauge the sense of a provider’s pros and cons.

Expectations and Concerns

Ideally, an MDR customer will never experience a cyberattack. A more realistic expectation would be for the managed detection and response services provider to detect the attack, contain it, and eliminate it. Finding the source is a possibility, but hackers are really good at covering their tracks. It is reasonable to expect an MDR solution to offer a dedicated team of experts, along with software that delivers cloud monitoring, vulnerability scanning, and continuous network and endpoint monitoring. Those researching MDRs should also make sure anti-malware solutions are regularly updated and the MDR services providers can support security for the entire system. Other concerns to ask about include:
  • Can anomalous user behavior be identified? And how?
  • Is the service proactive?
  • Can attacker tools be identified? And how?
  • Will detailed investigation reports be available?
  • Is threat intelligence used?
  • Does the service share threat intelligence?
  • Can the service detect threats on multiple platforms?
  • Does the service include endpoint protection?
  • Is there support in implementing their recommendations?
  • How is the provider contacted in an emergency?
When selecting an MDR service provider, the specific needs of the organization should be considered. Is the organization retail-oriented with a customer base that needs their personal data protected, or is the organization a service provider that wants to avoid paying a ransom to keep the business up and running? These concerns should be emphasized and discussed when communicating with MDR service providers.


How much experience the staff of a managed detection and response service provider actually has, can be very difficult to determine. This is another situation where reviews can be quite useful, but asking them directly for cases or threats they have resolved is also an option and could provide some useful insights. This would also help to assure that the experts know what they’re doing.

Communication and Transparency

Speaking with more tech-savvy individuals can be intimidating. But as a customer, you deserve to understand what you’re paying for, so don’t be afraid or embarrassed to ask for further clarification or someone who can speak plainly on the services they are providing. It’s recommended to take this step before making any initial payments or decisions; however, communication and transparency on processes are key to ensuring cybersecurity threats are properly prevented and mitigated.

Is my business too small to be attacked?

It is common for small and medium-sized business managers to assume they are just too small to be targeted by hackers. The unfortunate reality, however, is that smaller businesses, because of their limited protections, become prime targets for opportunistic, lower-level cyber criminals. Some cyber criminals who purchase a few tactics for hacking networks or systems, will work from some sort of list, simply move from website to website with little understanding for how large or small an organization is until they find an opening. These methodologies put small businesses with limited protections at risk.

How do I mitigate cyber threat?

Cybersecurity threat mitigation describes the procedures and policies that are established by companies to help avoid data breaches and security issues. Threat mitigation policies should also restrict the amount of damage caused when security attacks take place. Cyber threats typically come from outside attackers who are motivated by making profit through criminal activity, some form of vengeance, or remarkably immature mischief.

Using firewalls

Sadly, traditional firewalls are no longer adequate. Next-generation firewalls (NGFWs), however, are, at present, able to deal with the more recently developed forms of cyberattacks. An NGFW has become a necessary first step in securing an organization’s perimeter.

Threat prevention

This is about trying to avoid being hacked in the first place, or at least making it difficult. Best practices and policies are developed and used to protect an organization’s data and applications. One of the easiest ways to incorporate threat prevention is to implement practices that will prevent password theft for employee or company accounts. Passwords can be obtained through several means like eavesdropping, phishing, malware, brute force, and simple human laziness. So, having a policy in place for password creation can improve threat prevention at a company-wide scale.

Threat containment

There are many ways for a cyber criminal to access a network. Threat containment is focused on stopping an attacker from moving through the system and accessing more sensitive levels of data within the network. Sophisticated attacks can attempt to pose as normal activity with the goal of staying in the system long enough to find access to valuable data or to lock down the system and demand a ransom. If the breach imitates authorized activity, the attacker can continue working without setting off an alert. MDR solutions use several tools and services to contain threats such as these by disconnecting an affected system or device and isolating it from the network to prevent file corruption, all while keeping the business systems online and avoiding costly downtime. The MDR team will then take other threat containment actions, which might include tracking and following the attack pattern and identifying stolen passwords and usernames to block further access. Managed detection and response services use logs to record breaches. This allows them to identify malware sources from their records, and block them to limit damages. Additional steps in the threat containment process may close down specific ports and servers, relocate website home pages, and change passwords.

Threat identification

The process of threat identification is primarily a process of researching cyberattacks that are trending and preparing for an attack before it happens. If the organization has a security person, or team, they should be responsible for staying up-to-date on new malware and cyber threats. With an MDR solution, the human investigators the provider includes constantly receive updates and education on the evolution of cyber threats, so you can be assured that the team handling your cybersecurity is aware of all of the latest trends.

What are the major features of MDR software?

Detecting cyber threats before they cause damage should be a high priority. Fortunately, there are several kinds of security automation which can help to monitor for potential threats, while maintaining productivity. Antivirus software is one of the most important defenses to invest in. Other important threat detection features supported by MDR services are user behavior analytics, penetration testing, and automated monitoring systems.

User behavior analytics

Normal behavior is recorded and used as a template to compare with current behavior. By analyzing a user’s behavior, normal behavior becomes a standard, and unusual behavior is recognized as outside of the standard. Recognizable behavior includes the times of day they log in and out, the types of data accessed, and the user’s physical location. Any unusual behavior would stand out, making it easy for security analysts to recognize irregularities.

Penetration testing

By imagining what a cyber criminal would do, security experts proactively scan computer systems and networks for vulnerabilities, such as authentication errors, unpatched software, and more.

Automated monitoring systems

Using an integrated threat detection system, which combines both automated services and human expertise, companies can enhance their cybersecurity. Managed detection and response platforms can help businesses by monitoring web traffic, tracking the performance and activity of devices, and communicating irregularities when detected. Organizations that don’t have security experts or realize their security team is being overwhelmed should strongly consider contracting with a managed detection and response service. 24/7 monitoring with experts waiting in the background can certainly add to a sense of security. Additionally, experts that can investigate and possibly find the source of cyberattacks can be provided by an MDR solution. Cyber criminals employ modern attack and infection techniques that can spread across a variety of systems. Detecting the attacks and countering their spread requires continuous communication and monitoring from the systems which might be targeted. This can be supplied by a good managed detection and response service. Cybersecurity is difficult. Most organizations don’t have the infrastructure and expertise needed to protect themselves. Using a managed detection and response service can increase security, and reduce the chances of a damaging attack.