MDR on Elastic Security: open SIEM/XDR with custom ESQL detection.
The Fortgale European SOC 24·7·365 on the Kibana console. Custom ESQL/EQL detection rules on European TTPs, <30 min median containment, response via Elastic Defend and integrations.
European SOC 24·7·365L2/L3 analysts · direct interaction
Fortgale
◇
Multi-domain AI tier-zeroNoise reduced >90% by day 30
Fortgale
⚡
Native Elastic responseHost isolation in seconds
Live
◈
Proprietary intelligence34,000+ IoCs per week · European actors
Fortgale
MDR live, Elastic + Fortgale SOC active
Compliance
ISO/IEC 27001
NIS2 ready
DORA aligned
GDPR · ENISA
Technology partnership
Elastic Security
MITRE ATT&CK aligned
OpenCTI
Why Fortgale + Elastic
The open SIEM/XDR platform, governed with proprietary CTI.
Elastic Security is the most flexible open SIEM/XDR on the market: data-first model, native multi-petabyte search, no EPS limits. Fortgale operates it with European analysts who develop custom ESQL detection rules on European TTPs.
01 ·
Elastic SIEM/XDR · open data
SIEM + XDR + Endpoint + Cloud Security in single platform. ESQL, EQL, KQL for any detection. Resource-based pricing, no EPS limits. Open ML detection jobs. Fortgale delivers detection and response on the platform modules Elastic Security SIEM · Elastic Defend (EDR) · Elastic Security for Cloud (CSPM/CWP).
02 ·
European SOC 24·7·365
L2/L3 analysts develop custom ESQL/EQL rules tuned on European TTPs. Triage <15 min on Elastic alerts. Threat hunting on the open data lake using proprietary CTI.
03 ·
Native response + IR
Containment via Elastic Defend (host isolation, process kill) + integrations (firewall, AD, EDR third-party). Direct escalation to Fortgale IR. Full NIS2 national CSIRT notification support.
How it works · architecture
Four blocks, one MDR cycle on Elastic.
From Elastic Agent ingestion to Defend response, all governed by Fortgale with European analysts and proprietary CTI on European markets.
01 ·
01 · Ingestion
Elastic Agent + Fleet active
Elastic Cloud or on-prem cluster with Elastic Agent + Fleet on endpoints, cloud, third-party integrations. Open data lake, no ingestion limits.
02 ·
02 · Tier-zero
Custom ESQL detection + ML
Pre-built rules + custom ESQL/EQL rules tuned by Fortgale on European actor TTPs. ML jobs for behavioural anomalies. False positives reduced by over 90%.
03 ·
03 · Analysts
Our L2/L3 on Kibana
European SOC specialised on Elastic. Triage on alerts, hunting via Elastic Search/ESQL, attribution to actor. Decisions in your business language.
04 ·
04 · Response
Defend + cross-tool
Containment via Elastic Defend (host isolation, process kill) + cross-tool playbooks. Direct escalation to Fortgale IR for critical incidents.
Proof · service metrics
Four numbers that hold MDR on Elastic up.
Metrics measured on real customer telemetry, Q1 2026, updated quarterly.
<30 min
Median containment from confirmed Elastic alert
>90 %
Noise reduced by ESQL + ML detection
Open
Data lake ownership no ingestion limits
12 days
Full onboarding Elastic Security + Fleet
The problems MDR must solve
Five reasons Elastic alone is not enough.
The platform produces telemetry. What is missing is the people who read it around the clock, prioritise it and turn it into decisions.
01 ·
Alert fatigue
Tier-zero AI filters, analysts decide: noise reduced >90% by day 30. Every alert that reaches you is already a qualified case.
02 ·
Elastic expertise
L2/L3 analysts who operate the Elastic console every day: detection tuning, MITRE-mapped runbooks, native response on your platform.
03 ·
Operational experience
European SOC, headquartered in Milan since 2017, 24·7·365: median TTD <15 minutes, median TTC <30 minutes.
Proprietary CTI on 287 tracked adversary groups and attack tools: advisories, IOCs and actor profiles feed directly into detection on your platform.
Threat intelligence · attacks detected on Elastic Security
Post-exploit & lateral movement contained on Elastic by the European SOC.
Selection of post-exploitation tools and C2 malware detected on Fortgale customers with Elastic Security. Elastic scalability + Lucene query language handles 90+ days of telemetry full-text searchable in seconds.
Vector Distributed via malvertising and phishing attachments · credential harvesting from browsers + FTP + crypto wallets · exfiltration via Telegram bot API
Detection · Elastic Behavior analytics ML jobs on anomalous exfiltration + Fortgale IOC feed pushed into Elastic Fleet · 34,000+ indicators.
Worm · Loader
Raspberry Robin
Vector USB infection · LNK file abuse · privilege escalation via cmd.exe spawning · pivot to secondary payloads (SocGholish, Bumblebee)
Detection · Elastic Elastic SIEM USB-borne detection rules + cross-domain correlation with DNS anomaly and proxy logs.
What the service includes
MDR on Elastic, in detail.
Every component designed to leverage Elastic Security flexibility with European SOC governance and proprietary CTI.
01
Managed Elastic Security
Elastic Cloud or on-prem licensing (or existing instance). Cluster, Fleet, integrations, detection rules managed by Fortgale. Continuous tuning.
02
Custom ESQL/EQL detection
Custom ESQL/EQL rules MITRE ATT&CK-mapped, tuned on European actor TTPs. ML jobs for behavioural anomalies. New rules deployed monthly.
03
Proprietary CTI in Elastic
34,000+ IoCs per week from Fortgale OpenCTI auto-imported into Elastic Threat Intelligence. Indicator match rules for native detection.
04
Elastic Defend response
Containment via Elastic Defend: host isolation, process kill, ransomware behavior protection. Cross-tool playbooks for AD lockout, firewall block, third-party EDR.
Monthly hunting on the Elastic data lake using proprietary CTI + Sigma rules. Focus on silent lateral movement, persistence, data staging not covered by automatic detections.
For whom · two angles
Same MDR on Elastic, two angles.
The CISO decides on risk. The IT lead decides on the runbook. Fortgale MDR produces evidence for both.
For the CISO
A named runbook per actor, on the Elastic stack.
Each month the CISO receives the profile of the 3 most likely actors against their sector, with the Fortgale MDR runbook already mapped to the Elastic Security telemetry.
Monthly threat briefingActors, observed TTPs, campaigns in progress on your sector.
Elastic runbookLive MITRE-mapped playbooks, executable on the Elastic Security console.
Board-ready reportingRisk · impact · decision. No slideware technology.
Everything to know before talking to our analysts.
What is the MDR service on Elastic Security?
Combines Elastic Security (SIEM + XDR + Endpoint) with the Fortgale European SOC 24·7·365. L2/L3 analysts monitor the Kibana console, develop custom ESQL/EQL detection rules, apply MITRE-mapped runbooks and trigger response via Elastic Defend and integrations.
What advantages does Elastic offer over traditional SIEMs?
Elastic has a data-first model: no ingestion limits (resource-based pricing, not EPS), native multi-petabyte search, ability to develop detection rules in ESQL/EQL/KQL on any schema. Ideal for those who want flexibility and ownership of the security data lake.
Do I need to already have Elastic?
No. Fortgale handles the full cycle: Elastic Cloud or on-prem licensing, cluster deployment, Fleet integrations, detection rules development, tuning. Available both on existing instance or as part of the service.
Is the service NIS2-compliant?
Yes. We support NIS2 transposition requirements: continuous monitoring, IoC collection for national CSIRT notification within 24 hours, technical documentation for 72-hour notifications. Elastic's configurable retention supports NIS2 log retention requirements.
Does Elastic also cover endpoint and cloud?
Yes. Elastic Security includes: SIEM (log correlation), XDR (cross-domain analytics), Endpoint Security (Elastic Defend agent), Cloud Security Posture, Container Workload Protection. The Fortgale MDR service covers all these domains.
Talk to the outpost
One meeting. One NDA. One real runbook on Elastic.
We bring you the Report on your sector with the most likely actors and a concrete MDR runbook on your Elastic Security console.
Outlook Bookings · Fortgale
Book a meeting
Loading calendar…
Response · 1 business day
Speak with our analysts.
No nurturing sequences, no auto-replies. One of our analysts calls you back within one business day.
Document · Fortgale
PDF preview
Loading PDF…
Request · Fortgale Threat Intelligence Report
Request the Report
The full Report (executive summary · operational IoCs · technical runbook) is restricted. Share two details and one of our analysts contacts you with access and a short technical briefing.
See a real attack
IR · 24·7·365
Are you under attack?
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.
We use essential cookies required for site functionality and, with your consent, analytics and marketing cookies to measure traffic and personalise content. You can accept all cookies, reject them, or customise your preferences. For more details see the Cookie Policy and Privacy Policy.
Cookie preferences · Fortgale
Manage your preferences
Choose which cookies to allow. Essential cookies are required for the site to work and cannot be disabled. For the others, consent is always free, specific and revocable at any time.
EssentialAlways on
Required for the site to function (session, security, cookie preferences). The legal basis is the controller's legitimate interest (Art. 6(1)(f) GDPR). Without these cookies the site does not work correctly.
AnalyticsWe measure what works
Aggregated statistical cookies to understand how users browse the site (page views, session duration, traffic source). EU-friendly or anonymised providers. Legal basis: consent (Art. 6(1)(a) GDPR).
MarketingPersonalisation and remarketing
Third-party cookies (LinkedIn Insight Tag, possible campaign pixels) to measure ad campaign effectiveness and show relevant content. Legal basis: consent (Art. 6(1)(a) GDPR). Disabled by default.
You can change these choices at any time from the Cookie Policy page or by clicking the Cookie preferences link in the footer.