Services
AIManaged ServicesConsultingOutsourcing
Differentiators
Compliance & SovereigntyEmail InfrastructureObservability & AIFree Tools & Assessments
Language
EnglishDeutsch — soonFrançais — soonEspañol — soon
Book a review
Field notes · Security

MDR in 2026: why 24/7 detection costs what it costs, and when to buy it instead of building it.

A security tool that nobody watches at 3am is a smoke detector in an empty house. Round-the-clock detection and response is the capability that turns telemetry into protection, and the reason most organisations buy it rather than build it is arithmetic: the staffing geometry of a 24/7 SOC is brutal and the analysts are scarce. Here is what MDR actually is, what an in-house operation really costs, and a calculator to run the build-versus-buy maths for yourself.

Published 11 June 2026 · Argus Root security practice · ~27 min read

Talk to our security practice Run the build-vs-buy maths →

Managed Detection and Response is a service that puts a provider's 24/7 security operations team behind your detection tooling, to find threats, investigate them, and respond, increasingly by containing the threat directly rather than only telling you about it. It exists because the alternative, a staffed in-house security operations centre running around the clock, is one of the most expensive and hardest-to-staff capabilities in IT: covering every hour of every day with escalation redundancy takes on the order of nine to fourteen people once shift mathematics, holidays and turnover are accounted for, and the analysts to fill those seats are in chronic global shortage. MDR resolves that by spreading scarce expertise across many clients, so an organisation gets the outcome of a SOC, a shrinking mean time to detect and respond, proactive threat hunting, expert response, without building one. The distinctions that matter in 2026 are sharp: MDR is a service, not a tool like EDR or XDR; it does more than an alert-forwarding MSSP, because genuine MDR contains threats rather than only flagging them; and it sits directly under the compliance regimes, because every DORA and NIS2 reporting clock starts at a detection that only continuous monitoring produces. This note covers what MDR is and is not, the staffing geometry that drives the cost, the build-versus-buy decision with a calculator to run your own numbers, and why for European organisations the jurisdiction of the SOC watching your telemetry is now part of the question.

What MDR is, against the acronyms it gets confused with.

The detection-and-response market is a thicket of three-letter labels, and most of the confusion dissolves once you separate the tools from the service that operates them.

Start with the tools. Endpoint Detection and Response, EDR, is software that watches endpoints, laptops, servers, workstations, records what happens on them, and can take action there, isolating a device or killing a process. Extended Detection and Response, XDR, widens that lens to pull telemetry from endpoints, network, cloud workloads and identity systems into one correlated view, so an attack that touches several of those at once is seen as one story rather than scattered fragments. A SIEM, the subject of its own field note, aggregates and analyses logs across the environment. All three are technologies you can purchase, and all three share the same catch: once bought, someone has to deploy, tune, and above all watch them, because a detection that fires into an empty room at 3am protects nothing.

MDR is the watching. It is a service in which a provider operates EDR or XDR, and often a SIEM, on your behalf, with their security operations centre behind it around the clock, so the alerts those tools generate are triaged, investigated and acted on by people whose job is exactly that. When the underlying technology is XDR, the managed version is sometimes called MXDR, managed extended detection and response, which combines XDR's breadth of telemetry with the human expertise and round-the-clock operation of MDR. The relationship is a stack, not a set of alternatives: EDR and XDR are the senses, the SIEM is the memory, and MDR is the team that uses them. Buying the tools without the team is the most common and most expensive mistake in the category, a fully instrumented environment that nobody is home to defend.

MDR, MSSP, SOCaaS: the distinction is who presses the button.

Three service models compete for the same budget with nearly identical marketing, and the real difference between them is what happens in the moments after something fires.

A traditional Managed Security Service Provider monitors your environment and alerts you: it tells you something is wrong and hands the problem back to your team to investigate and fix. That was valuable when the alternative was no monitoring at all, and it leaves the hardest part, the response, with the people least equipped to do it at speed. MDR closes that gap by investigating and responding, and in 2026 the defining capability is active containment, the so-called 'Big R' of response: an MDR provider can isolate a compromised host or disable an account directly on your infrastructure, not merely recommend that you do. The practical test cuts through the marketing: when a threat fires at three in the morning, an MSSP sends a ticket, while an MDR provider contains the threat first and sends the ticket after.

SOC-as-a-Service sits adjacent, and the line is about where the action happens and how broad the coverage is. SOCaaS teams more often advise while your staff performs the containment, and the model tends to scale with the breadth of log ingestion, the length of retention, and the depth of compliance reporting, which makes it more comprehensive and usually more costly. MDR is frequently the lower-cost entry point, focused tightly on detecting and responding to threats, while SOCaaS covers more ground at a higher price. None of the three is universally right: the choice turns on how much of your environment needs watching, how much compliance reporting you must produce, and crucially whether you need a provider who will press the containment button or one who will tell you to. Getting that last question answered honestly, before signing, prevents the common disappointment of buying alerting and expecting response.

at 3am, what does each one do?
Comparison of MSSP, SOCaaS, MDR and in-house SOC.
ModelWhen something firesBest for
MSSPAlerts you; you respondTeams with response capacity
SOCaaSAdvises; you contain; broad coverageHeavy compliance / log breadth
MDRContains directly, then ticketsMost mid-market needs
In-house SOCYour team, your wayLarge scale or mandated

The staffing geometry that makes 24/7 so expensive.

The single fact that explains why most organisations buy detection rather than build it is the arithmetic of covering every hour of the year with people.

Round-the-clock coverage is unforgiving because a seat that must be filled at every hour of every day cannot be filled by one person, or two, or three. Three eight-hour shifts cover a day, but people take holidays, fall sick, attend training and leave, so covering one seat continuously across the year takes roughly four to five full-time analysts once that slack is accounted for. One analyst alone on a night shift is also a single point of failure with nobody to escalate to, so a serious operation wants at least two people per shift, which doubles the floor to eight to ten analysts at the operations layer alone. On top of that sit the roles that make the operation function: a detection engineer or two to write and tune the rules, a security engineer to administer the tooling, and a SOC manager to run it. The result is a functioning 24/7 SOC at roughly nine to fourteen full-time staff before a single alert is investigated.

Translate that headcount into money and the picture sharpens. Skilled SOC analysts command high and rising salaries, with mid-level roles at six figures and senior responders well above, and the fully loaded cost of a seat, salary plus benefits, payroll tax, equipment and training, runs higher still, commonly modelled around the 165 to 180 thousand mark per analyst in a tier-one market in 2026. Multiply a loaded cost like that across nine to fourteen people, add the tooling, the training certifications that run thousands per course, and the overhead, and a minimum viable 24/7 in-house SOC lands commonly between roughly 1.5 and 2.9 million per year. The 24/7 requirement is the single biggest swing in that number: a business-hours-only operation needs perhaps three analysts rather than eight to ten, which is why dropping round-the-clock coverage roughly cuts the staffing cost to a fraction, and why the hardest, most expensive part of detection is precisely the nights and weekends that attackers prefer.

Run the build-versus-buy maths.

Enter your headcount and assumptions, and this estimates the annual cost of building a SOC against a managed-service equivalent, with the staffing geometry made explicit. The figures are illustrative 2026 ranges, not a quote; adjust the loaded cost and tooling to your market.

Build: in-house SOC
    Buy: managed (MDR)

      Build uses the shift geometry above: 24/7 needs ~8 operations analysts (4 shifts, 2 per shift) plus ~3 support roles; business-hours needs ~3 analysts plus ~1 support. The managed estimate uses an illustrative per-employee band; real MDR pricing varies widely by scope and provider. This is a model to frame the conversation, not a substitute for quotes, and it deliberately omits the cost of the breach an understaffed SOC misses.

      The cost the spreadsheet misses: you cannot hire the team.

      Even an organisation willing to pay for an in-house SOC runs into a constraint money does not solve, and it is the quiet reason buying so often beats building.

      The build-versus-buy calculation usually models salaries and tooling and stops there, which understates the build side, because the scarcest input is not money but people. The global shortage of cybersecurity professionals runs into the millions, mid-level SOC analyst roles routinely take many months to fill, and turnover in those roles is often measured around eighteen months, so a team you have budgeted for may sit half-staffed for a quarter or more and then lose its hard-won familiarity with your environment to churn just as it becomes effective. A SOC that is funded but under-strength provides worse coverage than the headcount implies, because the gaps fall, predictably, on the nights and weekends nobody wants to staff. The understaffed-but-paid-for SOC is a common and expensive failure mode, and it does not appear in the budget that justified building it.

      There is a second hidden cost on the build side that the headcount also conceals: the tooling tax. Integrating and maintaining the stack a modern SOC needs, the SIEM, the EDR and XDR, the threat intelligence feeds, the identity monitoring, the cloud telemetry, consumes a large share of analyst capacity, commonly cited around thirty to forty percent, before a single alert is investigated. So a team of ten is not ten people detecting threats; it is six or seven, with the rest absorbed by the plumbing. MDR providers spread both costs, the scarce analysts and the integration burden, across many clients, which is the structural reason a managed service can deliver senior-analyst response at a fraction of the per-client staffing cost, and why the talent gap, more than the salary line, is what tips most build-versus-buy decisions toward buy.

      MTTD, MTTR, and the exposure window.

      The whole value of detection and response compresses into two numbers, and understanding them is how you judge whether any operation, built or bought, is actually working.

      Mean Time To Detect is the interval from a threat entering your environment to your noticing it. Mean Time To Respond is the interval from that detection to containing the threat. The sum is the exposure window, the period an attacker operates inside your environment undisturbed, exfiltrating data, moving laterally, establishing persistence, and the entire purpose of detection and response is to compress that window toward zero. An unwatched tool measures dwell time in days or weeks, because nobody is acting on what it sees; a mature, staffed operation measures response in minutes, with some AI-augmented services quoting median times to resolution in the low double digits of minutes. The gap between those two states is the difference between an incident contained before it matters and a breach discovered after the damage is done.

      MTTD and MTTR are also the language of proof, which matters more in 2026 than it used to. A service that reports a documented, improving MTTD and MTTR gives you concrete evidence your security works, evidence that satisfies boards, insurers and, increasingly, regulators. This is where detection metrics meet compliance, because the post-incident reports, audit trails and timing data a good MDR produces are exactly what a regulated entity must show to demonstrate it can detect, classify and report an incident within the windows the law sets. A number you can show is worth more than a control you can only assert, and MTTD with MTTR is the number, which is why a serious evaluation of any detection operation starts by asking what its measured times are and how they are trending, not what tools it runs.

      Detection is the floor every compliance clock stands on.

      For regulated organisations, MDR stops being a security upgrade and becomes the operational precondition for meeting obligations that all begin at the same moment: detection.

      Every incident-reporting clock in the European regime starts when you become aware of an incident, which means it starts at detection. DORA, covered in its own field note, requires notifying a major incident within four hours of classifying it, with a hard ceiling of twenty-four hours from detection; NIS2 requires an early warning within twenty-four hours. Those clocks are unmeetable without detection that works, because you cannot classify within hours an incident your monitoring never surfaced, cannot describe its impact at the intermediate report without the telemetry to reconstruct what happened, and cannot prove to a supervisor that your controls function without the evidence continuous monitoring produces. The regulations are written as governance and reporting obligations, and underneath the language they are, every one of them, detection-and-response requirements.

      That reframes MDR for a regulated entity. It is not a discretionary security enhancement competing with other line items; it is the capability the compliance obligations silently assume, the floor the reporting clocks stand on. An organisation subject to DORA or NIS2 that lacks continuous detection is not merely less secure, it is structurally unable to comply, because it cannot start the clocks it is legally required to run. The MTTD and MTTR metrics, the investigation records, the post-incident reporting that MDR produces are the same artefacts the regulators ask for, which is why for many regulated buyers the detection question and the compliance question turn out to be one question with one answer. The same logic runs through the board-level accountability those regimes impose, the reason a virtual CISO engagement and an MDR service so often travel together: someone has to own the posture, and something has to produce the detection it is accountable for.

      The category is advancing fast in 2026, and three shifts in particular change what a good MDR service looks like and how you should evaluate one.

      The first shift is toward identity. As attackers increasingly work with stolen-but-valid credentials, hijacked sessions and abused tokens, the entry point is often the identity layer rather than the endpoint, and an intrusion using legitimate credentials may trip no endpoint alarm at all. Modern MDR answers this with Identity Threat Detection and Response, ITDR, monitoring the directory, single sign-on and authentication systems for the signs of a compromised identity, so that the layer attackers now favour is watched alongside endpoints and network. The second shift is the normalisation of proactive threat hunting: rather than waiting for alerts, good services run hypothesis-driven searches through logs and telemetry from an assume-breach posture, on the principle that the most dangerous intrusions are precisely the ones that did not fire an alarm. A service that only reacts is doing half the work; hunting is how the quiet, evaded threats get caught.

      The third shift is the AI-SOC, and it is changing MDR's economics rather than replacing its people. AI-driven triage now filters the alert flood so analysts spend their hours on the small fraction of events that are genuinely high-risk, cutting false positives and pulling down both MTTD and MTTR, with some services automating initial triage and even containment under human oversight. This is enough of a change to the labour model, the escalation path and the pricing that buyers are advised to evaluate AI-native services as a separate category from legacy MDR rather than assuming they are the same product. The durable principle through all of it is human-in-the-loop for consequential decisions: automation absorbs the routine and the volume, while the calls that carry real risk, isolating a production server, rolling back data, disabling a key account, remain decisions a person approves. The direction is more automation under more, not less, accountable human control, which is the right direction, because the cost of an automated containment that gets it wrong is borne by your business, not the tool.

      Evaluating a provider: the questions past the brochure.

      Every MDR provider promises detection, response, expert analysts and reduced alert fatigue, in nearly identical words. The questions that separate them are specific, and they are about outcomes and authority rather than features.

      Start with response, because that is where the labels blur most. Ask precisely what the provider does when something fires: do they contain the threat directly on your infrastructure, the active 'Big R' that defines genuine MDR in 2026, or do they alert you and wait for your team to act? Ask for measured outcomes, not promises: what is their median MTTD and MTTR, validated how, and against what kind of incident, because a documented, independently checked response time is evidence and a marketing figure is not. Ask about coverage breadth honestly: do they correlate across endpoint, network, cloud and identity, or are they endpoint-centric with the other layers as blind spots, given that identity is where so many 2026 intrusions begin. And ask what threat hunting actually means in their service, whether analysts run hypothesis-driven searches proactively or the word is decoration on a purely reactive operation.

      Then the questions that the comparison sites tend to skip, which decide whether the service works in practice. What is the escalation path at 3am, and who, by role, is reachable, because a provider whose night coverage is junior analysts escalating slowly to senior staff has a real gap precisely when incidents are most dangerous. How does the service integrate with your existing tools, and does its model lock you into a single ecosystem or accommodate the stack you already run, since integration that consumes weeks is integration you are paying for. What does onboarding require of you, especially the containment-authority decisions about which systems may be isolated automatically and which need a call first. And, for a European organisation, where do the SOC, the analysts and the telemetry processing physically and legally sit, because that answer determines whether your security data stays under a jurisdiction you can name. A provider that answers these crisply is selling an operation; one that retreats to feature lists and threat-actor statistics is selling a brochure, and the difference shows up at the first real incident, not in the sales cycle.

      The response lifecycle, and why the playbook matters more than the alert.

      Detection gets the attention, but the value of a detection-and-response operation is realised in the minutes after an alert, in a sequence that is the same whether the SOC is built or bought.

      A mature operation runs a defined lifecycle from alert to resolution, and each stage is where time is either saved or lost. It begins with triage and prioritisation: telemetry from endpoints, cloud and network arrives as a flood, and automation plus expert analysis filter out the false positives and enrich and rank what remains, so that effort lands on the small fraction of events that are genuinely high-risk rather than on noise. From there the real intrusions move to investigation, where analysts establish scope, what is affected, how the attacker got in, what they have touched, because containing the wrong thing or only part of the thing leaves the attacker a path back. Then containment, the action that stops the spread, isolating a host, disabling an account, blocking a connection, followed by remediation and recovery to a clean state, and finally the lessons-learned step that feeds back into detection rules so the same intrusion is caught faster next time.

      What makes that lifecycle fast is not heroics but the playbook, the pre-agreed sequence of actions for a given class of incident, and this is where the quality of an operation, and of the onboarding behind it, shows. A playbook that says exactly what happens when ransomware behaviour is detected on a production server, which automated actions trigger immediately, which require a human approval and from whom, what gets rolled back and from which immutable backup, turns a 3am incident from improvisation into execution. The services with the fastest measured response times achieve them through automated playbooks handling the routine actions with human-in-the-loop approval for the consequential ones, not through analysts thinking from scratch under pressure. This is also why post-incident reporting is part of the lifecycle rather than an afterthought: the report, with its timeline, its impact assessment and its MTTD and MTTR, is both the lessons-learned input that improves the next response and the compliance artefact a regulator will ask to see. An operation that detects well but has no rehearsed playbook for what comes next has built the alarm and skipped the response, which is the half that actually limits the damage.

      The cost the calculator leaves out.

      Every build-versus-buy model, including the one above, compares the running cost of detection. The number that dwarfs both is the one neither side puts on the spreadsheet: the breach the operation fails to catch.

      The honest framing of the build-versus-buy decision is not which detection operation is cheaper to run, but which one actually catches the intrusion before it becomes a breach, because the gap between a contained incident and a full breach is measured in figures that make the entire SOC budget look like a rounding error. A breach that runs undetected for weeks, because the in-house SOC was understaffed on the night it began, can cost orders of magnitude more than the annual difference between building and buying, in incident response, regulatory penalties, breach notification, lost business and reputational damage. For a board, the clearest financial proxy for the risk of an understaffed operation is exactly that gap between the cost of a breach caught early and one caught late, and it is the number that should anchor the decision, not the line-item comparison of staffing models.

      This reframes what the calculator above is really telling you. The running-cost comparison matters, and for most organisations under significant scale it points clearly toward buying or hybridising rather than building. But the decisive variable is which option produces detection that genuinely works at 3am on a public holiday, because that is when the difference between an alert acted on and an alert missed is realised, and it is the missed alert, not the staffing model, that carries the catastrophic cost. An MDR service that reliably contains the incident is cheaper than a cheaper in-house SOC that misses it, by the full size of the breach avoided, which is why the cost-conscious decision and the security-conscious decision usually converge on the same answer. The right question to carry out of the calculator is not only which column is smaller, but which option you would trust to be awake and effective at the exact moment an attacker is counting on nobody being there.

      What MDR does not do.

      MDR is powerful and oversold in equal measure, and using it well means being honest about the boundaries of what a detection-and-response service can and cannot cover.

      MDR detects and responds; it does not prevent or recover, and treating it as a whole security programme is the mistake its marketing invites. It does not fix the vulnerabilities that let attackers in, which is the work of vulnerability management, patching and hardening; a well-run MDR will tell you an unpatched system was exploited, but keeping it patched was never its job. It does not, by itself, get you back to a clean state after a destructive incident, which is the domain of backup and disaster recovery. And it is only as good as the telemetry it receives, so any system not feeding the service, a forgotten cloud account, an unmonitored network segment, an appliance with no log forwarding, is a blind spot the best analysts in the world cannot see into. MDR is a layer in a posture that must also prevent and recover, not a substitute for the rest of it.

      There is also a governance precondition that organisations skip at their peril: response authority has to be agreed in advance. A provider that can contain a threat at three in the morning needs the prior, documented permission to isolate a server or disable an account, because those actions have business consequences, and the time to decide who may take them, and on which systems, is during onboarding, not during the incident. An MDR engagement that has not settled its containment authority is an MDR engagement that will hesitate at the moment speed matters most, or act without cover and damage trust. Setting those boundaries, which systems may be isolated automatically, which require a call first, who is on the escalation path at 3am, is unglamorous onboarding work, and it is the difference between a service that contains threats decisively and one that watches them spread while waiting for permission it was never granted.

      From the side that builds and runs detection.

      Most MDR writing is buyer-facing comparison. This is the view from the operations side, where the detection is something you build on real infrastructure and run with real people, and where for a European operator the jurisdiction of the SOC is part of the design.

      Good detection rests on a stack you can see into, and the open-source foundation many serious operations use, a Wazuh-based platform of the kind covered in our SIEM field note, gives an operator full visibility into the rules, the telemetry and the response without a black-box vendor in the middle. On a self-hosted or hybrid model the same discipline this note describes applies directly: the shift geometry is real headcount you schedule, the MTTD and MTTR are numbers you measure in your own logs, the containment playbooks are actions you have agreed and can execute, and the threat hunting is hypothesis work your analysts run against telemetry you control. The hybrid pattern, an in-house team owning oversight and the deepest institutional knowledge while a managed layer carries the round-the-clock load, is the mature shape most organisations converge on, and it is one an operator who builds the underlying platform can deliver rather than only broker.

      For European organisations there is a dimension the global MDR comparisons tend to omit, and it is decisive for regulated and public-sector buyers: where the SOC sits and which law governs it. Security telemetry is sensitive operational and often personal data, so an MDR service is also a data-processing arrangement, and the same sovereignty question that applies to any cloud applies to the SOC watching your environment, who can be compelled to hand over the telemetry, and under whose jurisdiction the analysts and the data sit. An MDR operation run wholly under EU jurisdiction keeps that telemetry beyond foreign compelled-access reach; one routed through or operated from another jurisdiction does not, whatever its detection quality. That is the lens we bring, because we are a European operator that builds and runs detection under EU jurisdiction rather than reselling a platform from elsewhere, so the sovereignty of your telemetry is a property of how we are built, not an add-on. Where it helps to have round-the-clock detection and response, built on infrastructure you can see into, run by people under EU jurisdiction, and tied to the board accountability the regulations now demand, that is the work our managed security practice exists to do, with the strategic ownership running through a virtual CISO engagement and the prevention side through vulnerability management.

      Questions teams are asking in 2026.

      What is Managed Detection and Response (MDR)?
      MDR is a service that combines security tooling with a provider's 24/7 security operations team to detect, investigate and respond to threats across your environment. It builds on endpoint and extended detection technology and adds the human layer, analysts who triage alerts, hunt for hidden threats, and either guide or perform the response. The point is that you get the outcome of a staffed security operations centre, continuous monitoring and expert response, without hiring and running the centre yourself. MDR is the service; the SOC is the capability it delivers.
      What is the difference between MDR and EDR or XDR?
      EDR and XDR are technologies; MDR is a service that uses them. Endpoint Detection and Response is tooling that watches endpoints and can respond on them. Extended Detection and Response widens that to correlate telemetry across endpoints, network, cloud and identity. Both are products you can buy and then have to operate, tune and watch. MDR is the operation: a provider runs EDR or XDR on your behalf with their analysts behind it around the clock. Buying XDR without anyone watching it at 3am is buying a smoke detector and leaving the house empty; MDR is the fire brigade attached to it.
      What is the difference between MDR and an MSSP?
      Depth of response. A traditional Managed Security Service Provider monitors and alerts, telling you something is wrong and leaving your team to act. MDR investigates and responds, increasingly performing containment directly on your infrastructure rather than only advising. In 2026 that active containment capability, sometimes called the 'Big R' in detection and response, is much of what distinguishes genuine MDR from alert-forwarding services that wear the label. The practical test is what happens at 3am when something fires: an MSSP sends you a ticket, an MDR provider contains the threat and then sends you the ticket.
      What is the difference between MDR and SOC-as-a-Service?
      Mostly where the response action happens. MDR providers typically execute containment directly on your infrastructure; SOC-as-a-Service teams more often advise while your staff performs the remediation. SOCaaS also tends to scale with log ingestion breadth, retention and compliance reporting, which makes it broader and usually costlier, while MDR is often the lower-cost entry point focused on detection and response. Both replace the need to build an in-house operation; the choice is about how much ground you need covered and who you want pressing the containment button.
      Why is a 24/7 in-house SOC so expensive?
      Because the staffing geometry is unforgiving. Covering 24 hours a day, 365 days a year, in three eight-hour shifts, while accounting for holidays, sick leave and turnover, takes roughly four to five full-time analysts per seat. If you want at least two people per shift for escalation redundancy, that is eight to ten analysts at the operations layer alone, before you add a detection engineer, a security engineer to run the tools, and a SOC manager. That puts a functioning round-the-clock operation at roughly nine to fourteen full-time staff, which is why minimum viable 24/7 in-house SOC costs commonly land between about 1.5 and 2.9 million per year once fully loaded staffing, tooling and overhead are counted.
      What are MTTD and MTTR?
      Mean Time To Detect is how long it takes from a threat entering your environment to your noticing it; Mean Time To Respond is how long from detection to containing it. Together they define your exposure window, the period an attacker operates undisturbed, and shrinking both is the entire purpose of detection and response. They are also the metrics MDR services report to prove value and satisfy compliance, because a documented, improving MTTD and MTTR is concrete evidence your security works. Mature services quote median response times in minutes; an unwatched tool measures dwell time in days or weeks.
      Does MDR replace my security team?
      Usually it complements rather than replaces it. The most common mature pattern is hybrid: an in-house team handles oversight, specialised systems and the deep institutional knowledge of your environment, while MDR carries the broad 24/7 monitoring and response workload that is hardest and most expensive to staff internally, especially nights and weekends. For an organisation with no security staff, MDR provides the operation from scratch; for one with a small team, it extends that team's reach to round-the-clock without the headcount. It removes the staffing burden, not the need to own your security posture.
      What is the cybersecurity talent gap, and how does it affect this decision?
      The global shortage of cybersecurity professionals is estimated in the millions, with mid-level SOC analyst roles taking many months to fill and turnover often measured around the eighteen-month mark. That scarcity is the hidden cost of building in-house: even with the budget, the roles are slow to fill and prone to churn, so a team you fund may sit half-staffed for months and lose hard-won institutional knowledge regularly. MDR providers absorb that problem by spreading scarce analysts across many clients, which is much of why buying coverage is faster and often cheaper than building it.
      What is threat hunting, and does MDR include it?
      Threat hunting is the proactive search for threats that evaded detection, rather than waiting for an alert to fire. Analysts form hypotheses about how an attacker might be operating, then search logs and telemetry, increasingly aided by analytics, for the traces, working from an assume-breach mindset that something may already be inside. Good MDR includes it as a differentiator from passive monitoring, because the most dangerous threats are the ones that did not trip an alarm. A service that only reacts to alerts is doing half the job; hunting is how the quiet intrusions get found.
      What is ITDR and why is it part of modern MDR?
      Identity Threat Detection and Response extends detection to your authentication systems, directory and single sign-on, watching for signs of compromised identities. It matters because identity-based attacks, credential theft and session or token hijacking, have risen sharply, and an attacker using stolen-but-valid credentials may trip no endpoint alarm at all. Modern MDR increasingly incorporates ITDR so that the identity layer, often the actual entry point in 2026 intrusions, is monitored alongside endpoints and network, closing a blind spot that endpoint-centric detection alone leaves open.
      How does MDR relate to DORA and NIS2 compliance?
      Directly, because every reporting clock in those regimes starts at detection. DORA requires notifying a major incident within four hours of classification; NIS2 requires an early warning within twenty-four hours. You cannot classify within hours what your monitoring never surfaced, nor describe an incident's impact without the telemetry to reconstruct it. MDR provides the continuous detection, the investigation, and the MTTD/MTTR evidence and post-incident reporting those regimes assume, which is why for regulated entities MDR is less a security upgrade than the operational floor the compliance obligations are built on.
      What are the limitations of MDR?
      MDR is not a complete security programme. It detects and responds; it does not by itself fix the weaknesses that let attackers in, so it complements rather than replaces vulnerability management, patching, hardening, identity hygiene and backup. It also depends on the telemetry it receives, so gaps in coverage, systems not feeding the service, become blind spots. And response authority has to be agreed in advance, since a provider that can contain a threat at 3am needs the prior permission to isolate a server or an account. MDR is a powerful layer, and it works only as part of a posture that also prevents and recovers, not just detects.
      How is AI changing MDR?
      It is reshaping the labour model. AI-driven triage filters the flood of alerts so analysts spend their time on the small fraction that are real, cutting false positives and reducing both MTTD and MTTR, with some services automating initial triage and containment entirely under human oversight. This is changing MDR's economics and escalation paths enough that buyers are advised to evaluate AI-native services separately from legacy ones. The constant is human-in-the-loop for consequential actions: automation handles the routine and the volume, while isolating a server or rolling back data stays a decision a person approves.
      When does building an in-house SOC make sense over MDR?
      At scale, with specific drivers. The per-employee cost of an in-house SOC only approaches managed-service rates at large headcounts, often only past a couple of thousand employees, where fixed costs spread thinly enough to compete. Below that, building is rarely cost-justified on economics alone. The cases that justify in-house earlier are non-economic: a regulatory mandate for an internal SOC, a data-sovereignty requirement that telemetry never leave your control, a very high alert volume that warrants a dedicated team, or an existing security staff to build on. For most organisations under that scale, MDR or a hybrid model is both cheaper and faster.
      Can MDR keep my security telemetry under EU jurisdiction?
      It can, if the provider is structured for it, and for many European organisations that is now a requirement rather than a preference. Security telemetry contains sensitive operational and often personal data, so where it is processed and which jurisdiction governs the SOC that sees it is a sovereignty question, the same one that applies to any cloud service. An MDR provider whose SOC, analysts and data-processing all sit under EU jurisdiction keeps that telemetry beyond foreign compelled-access reach, which a SOC operated from or routed through another jurisdiction does not. For regulated and public-sector buyers, EU-jurisdiction MDR is increasingly the only acceptable model.
      Should a small or mid-sized organisation use MDR?
      Often yes, because it is precisely the organisation that cannot justify building a SOC but still faces the same threats as a large one. A mid-market company cannot fund nine to fourteen security staff for round-the-clock coverage, yet attackers do not skip it for being smaller, so MDR delivers enterprise-grade detection and response at a fraction of the staffing cost. The honest qualifier is that MDR is a layer, not a whole programme, so a smaller organisation still needs the prevention and recovery basics around it. Within that, MDR is frequently the security investment with the highest return a mid-sized organisation can make.
      Managed security

      Detection that someone is actually watching, under a jurisdiction you can name.

      We run round-the-clock detection and response on a platform you can see into, with the shift geometry staffed, the MTTD and MTTR measured, the containment authority agreed in advance, and the whole operation under EU jurisdiction so your telemetry stays beyond foreign reach. The compliance clocks start at detection; we make sure detection is there to start them.

      Talk to our security practice More field notes →
      The tool is the smoke detector, MDR is the fire brigade Build at scale, buy below it, hybrid in between Detection before paperwork, under EU jurisdiction