Service · MDR · Intel-driven

Managed Detection & Response in minutes, not weeks.

Intel-driven MDR with European SOC 24·7·365. The TTPs of 287 tools and actors targeting European markets become detections before they reach you. Median containment <30 min from confirmed alert.

<30 minMedian containment
24·7·365European SOC
287Adversaries profiled
Compliance
ISO/IEC 27001
NIS2 ready
DORA aligned
GDPR · ENISA
European SOC
24·7·365
L2 / L3 in Europe
Decision authority
EU data residency
Activation · 3 weeks from NDA to defensive presence

How we activate the MDR defense outpost.

No endless projects, no six-month discovery. Five verified steps reduced to the minimum viable for your stack · 3 weeks from NDA to full defensive presence. Security monitoring is already active from Week 1 during onboarding · the first real alert is contained in <30 min, with detection mapped to MITRE ATT&CK against the TTPs of 287 profiled tools and actors. By Week 3: Fortgale Console provisioning, L2/L3 analyst federation on your platforms, European SOC operational H24. From that moment on, monthly threat briefings, quarterly tabletop exercises, and runbooks kept alive against your posture. Protection is not a go-live event · it's a property that grows from day 1 of integration.

  1. Day 0
    01
    Discovery

    First meeting · NDA · stack & probable adversaries mapping

  2. Weeks 1-2
    02
    Onboarding

    Telemetry connectors · monitoring already active

    Monitoring live
  3. Week 3
    03
    Provisioning

    Fortgale Console tenant · CISO/IT access

  4. Week 3
    04
    Federation

    Fortgale analysts on customer platforms

  5. Week 3
    05
    Full protection

    SOC 24·7 · <30 min containment · European defense outpost

The problem · why intel-driven MDR is required

Signatures aren't enough, and never were.

Across European high-tier incidents in Q1 2026, valid accounts (T1078) and phishing (T1566) drive most initial access, before any malware-based detection fires. Source: ENISA Threat Landscape · MITRE ATT&CK telemetry.

01 ·

Valid accounts

T1078, credentials stolen via helpdesk vishing, MFA bypass through push-bombing. No malware, no signature: just one extra operator with the right credentials.

02 ·

Zero-day

T1190, exploits of file transfer, VPN, identity broker. Actors like Cl0p acquire 0-days on criminal markets and use them in targeted campaigns before CVEs are issued.

03 ·

Multi-domain

Endpoint, identity, cloud, network, lateral movement shifts the target before a single-telemetry SIEM can correlate. You need multi-domain AI correlation, not silo alerts.

How it works · service architecture

Four building blocks, one single cycle.

From the first alert to containment, all under a single point of contact. No vendor handovers, no translation, no grey zone.

01 ·

Multi-domain ingestion

EDR · NDR · IDR · CDR, telemetry from endpoint, network, identity and cloud, normalised into a single data fabric. Vendor-agnostic: we adapt to the stack you already have.

02 ·

Tier-zero AI-native

Multi-domain AI correlation against the TTPs of 287 tools and actors profiled by our Cyber Threat Intelligence. >90% noise reduction. Only what merits the human analyst leaves tier-zero.

03 ·

Our L2/L3 analysts

European SOC, analysts with decision authority. Triage, investigation, attribution to the threat actor. Embedded in your regulatory environment, time zone, language and compliance context included.

04 ·

Response & containment

Median containment <30 min from confirmed alert. Assisted remote response: process kill, credential reset, network segmentation on demand. For major incidents, escalation to the Incident Response team.

Proof · service metrics

Four numbers that anchor the MDR.

Metrics measured on real customer telemetry in Q1 2026. Updated quarterly.

<30 min
Median containment
from confirmed alert
>90 %
Noise reduced
by tier-zero AI
14
MITRE ATT&CK
tactics covered
287
Adversaries profiled
and blocked
For whom · two angles

Same MDR, two angles.

The CISO decides on risk. The IT lead decides on the runbook. Fortgale MDR produces evidence for both.

For the CISO

A named runbook per actor, ready before the alert.

Ransomware is not a question of "if" but of "when". Each month the CISO receives the profile of the 3 most probable adversaries against their sector, with the Fortgale runbook already mapped to each one.

  • Monthly threat briefingActors, observed TTPs, campaigns active in your sector.
  • Runbook per actorLiving playbooks mapped on MITRE, updated against the adversary.
  • Board-ready reportingRisk · impact · decision. No technology slides.
Request the threat briefing →
For the IT lead

Zero translator handover. European analysts, immediate decision.

When the alert is real, decision time is containment time. Our L2/L3 analysts know your stack, share your time zone and regulatory context, and have decision authority.

  • Median containment <30 minFrom confirmed alert to remediation in production.
  • Assisted remote responseProcess kill, credential reset, network segmentation on demand.
  • Integration with existing stackVendor-agnostic · we adapt to the stack you already run in production.
See a real runbook →
Research · the foundation of MDR runbooks

Our MDR runbooks come from first-hand research.

When an MDR alert is confirmed, the runbook we execute has already been tested against the real adversary. We profile actors, analyse samples, track TTPs: this research becomes operational action in production, not shelfware.

Featured10 Jun 2026

Kali365: when the session becomes the new credential

ABSTRACT The FBI recently issued an advisory on Kali365, a Phishing-as-a-Service platform that abuses legitimate Microsoft OAuth flows to bypass multi-factor authentication. Kali…

Read article →
Defence15 Apr 2026

Phishing Kits Bypass MFA and Hijack companies's accounts in minutes

Intelligence · Phishing Kit · Q1 2026 April 24, 2026Fortgale CTI14 min readRPT-26-0424 Observation of the quarter The 2026 phishing ecosystem has outpaced traditional defenses. M…

Read article →
Featured8 Apr 2026

Investment-Targeted Phishing: How Phishing Kit Fuels Espionage in Funding Rounds

In the high-stakes world of venture capital and corporate funding, where millions hang in the balance and sensitive financial data flows freely, a new breed of cyber threat is em…

Read article →
Defence13 Mar 2026

Operation Storming Tide: A massive multi-stage intrusion campaign

In February 2026, the Fortgale Incident Response team investigated a multi-stage intrusion attributed to Mora_001, a Russian-origin threat actor exploiting Fortinet vulnerabiliti…

Read article →
Featured4 Sep 2024

Behind the Wheel: Unveiling the Supercar Phishing Kit Targeting Microsoft 365

UPDATES: 27.11.2024: As mentioned by TrustWave, "Supercar Phishing Kit" has an high level of overlapping with the most recent update of "Rockstar 2FA Phishing-as-a-Service" 26.09…

Read article →
Featured18 Dec 2023

Espionage activities targeting European businesses

In the evolving landscape of cybersecurity threats, Fortgale is tracking PhishSurf Nebula, an advanced Cyber Espionage group active since 2021 and primarily targeting entities wi…

Read article →
FAQ · frequently asked

What to know about an MDR service.

What is an MDR (Managed Detection & Response) service?

MDR is a managed service that combines multi-domain telemetry (endpoint, identity, cloud, network), MITRE ATT&CK-mapped detection and analysts who investigate and contain incidents. Fortgale runs it with a European SOC 24·7·365: median containment <30 min from confirmed alert. A cyber attack is not something, it is someone: MDR exists to know it, anticipate it and stop it.

What is the difference between MDR and a SOC?

The SOC is the structure that monitors; MDR is the service that, on top of the SOC, adds intel-driven detection and above all response: analysts have authority to decide and contain, not just to notify. In the Fortgale model the managed SOC and MDR are the same European outpost, with no handover between providers.

Difference between MDR and EDR?

EDR is a detection technology on the endpoint. MDR is the service that operates that technology (and more: identity, cloud, network too), correlates it with Cyber Threat Intelligence and adds the analysts who decide. EDR generates alerts, MDR manages them and closes the incident.

Is Fortgale MDR NIS2-ready?

Yes. The service is NIS2-ready: continuous monitoring, documented detection, IOC collection for the national CSIRT notification within 24 hours and the technical documentation for follow-up filings, aligned with ISO/IEC 27001, DORA and GDPR Art. 32.

How long does it take to activate the service?

Three weeks from NDA to full protection, with security monitoring already active from Week 1 during onboarding. Five steps: Discovery, Onboarding, Provisioning, Federation, Full protection. No go-live event: protection grows from day 1 of integration.

Does it work with the security stack I already have?

Yes, the service is vendor-agnostic: it integrates on the platform you already use, or selects an optimal one with you. Fortgale runs MDR on Microsoft Defender, CrowdStrike Falcon, SentinelOne and 7 other leading platforms, all under a single console.

22Countries covered
3Continents
287Tools and actors profiled
<30 minMedian containment
24·7·365European SOC
Real case · containment

In Operation Storming Tide the Fortgale team detected and contained a multi-stage intrusion (actor Mora_001) at a European logistics organisation: data exfiltration and ransomware prevented.

Read the analysis →
Real case · MDR

An AiTM attack against senior executives during an investment round was intercepted before compromise. No access was gained.

Read the case →
By the Fortgale Cyber Threat Intelligence team

Over 100 published analyses. Attributions corroborated by third parties such as Mandiant (Google), Amazon, SentinelOne and Huntress. European SOC, 24·7·365.

Customers in 22 countries on 3 continents →

What is MDR →  ·  Why MDR is more than a SOC →  ·  MDR vs EDR vs XDR →

Speak with the defense outpost

One meeting. One NDA. A real runbook on your stack.

We bring the Report on your sector with the most probable adversaries and a real MDR runbook mapped to your technology stack.

Response time: < 1 business day.