
What is MDR (Managed Detection and Response)

In short

MDR (Managed Detection and Response) is a managed service that combines detection technology (EDR/XDR, SIEM), threat intelligence and human analysts who investigate and respond to incidents 24·7. Unlike a plain EDR, MDR does not just raise alerts: it verifies them, contains the attack and closes the incident, with people who have the mandate to decide.

From prevention to response: why MDR exists

For years security focused on prevention: firewall, antivirus, then EDR. But attackers get in anyway, and the difference between a managed incident and a crisis is not whether someone raises the alarm, it is who responds when it goes off. MDR was born to fill that gap: not another tool that produces alerts, but a service that verifies, investigates and contains them.

What an MDR includes

A complete MDR service combines four components:

  • Multi-domain telemetry: endpoint, identity, cloud, network, applications, not just the endpoint.
  • MITRE ATT&CK-mapped detection: rules and analytics updated on real campaigns.
  • Threat intelligence: the context on who attacks and how, applied in real time.
  • Analysts with the mandate to decide: the factor that turns an alert into a closed incident.

Technology detects, but human decision contains. That is the core of MDR done right: AI removes the noise, analysts decide.

EDR, MDR, XDR: not synonyms

EDR is the endpoint technology. XDR extends correlation across domains (identity, cloud, network). MDR is the managed service that operates EDR or XDR and adds the people. For the detailed comparison see MDR vs EDR vs XDR.

How to recognise a good MDR

Not all “MDR” offers are equal. Quality signals: response included (not just notification), senior analysts with decision authority, proprietary intelligence (not just resold feeds), 24·7·365 coverage in the customer’s time zone, and a vendor-agnostic approach that does not force you to replace what you have.

Comparison

EDR vs MDR vs in-house SOC

Dimension       | EDR (tech only)                          | MDR (managed service)                                        | In-house SOC
What it does    | Detects on the endpoint, raises alerts   | Detects on endpoint, identity, cloud, network and responds   | Monitors with own team
Who operates it | Your team                                | Provider analysts 24·7                                       | Internal staff, 24·7 shifts
Response        | Manual, on you                           | Included, managed containment                                | Internal
Cost            | Licence                                  | Subscription, ~30% of an in-house SOC                        | Over EUR 1M/year
Time to start   | Immediate                                | Weeks                                                        | Months/years

Field-observed proof · MDR in action

In Operation Storming Tide the Fortgale team detected and contained a multi-stage intrusion (actor Mora_001): data exfiltration and ransomware prevented by containment. That is the difference between an alert and a closed incident.

Read the analysis →

FAQ

Frequently asked.

What is the difference between MDR and EDR?

EDR is a technology for detection and response on the endpoint. MDR is the service that operates that technology (and more: identity, cloud, network), correlates it with threat intelligence and adds analysts who decide. EDR raises alerts; MDR handles them and closes the incident.

Are MDR and SOC the same thing?

No. The SOC is the structure that monitors; MDR is the service that, on top of the SOC, adds intel-driven detection and, above all, response. In the Fortgale model managed SOC and MDR are the same European outpost, with no handover between vendors.

Do I need an EDR already to start an MDR?

No. A good MDR is vendor-agnostic: it integrates on the platform you already use, or provides one. Fortgale operates MDR on Microsoft Defender, CrowdStrike Falcon, SentinelOne and other leading platforms, from a single console.

How much does MDR cost versus an in-house SOC?

An in-house 24·7 SOC exceeds one million euros a year in analysts, licences and infrastructure. A managed MDR costs a fraction of that, with a predictable subscription and activation in weeks instead of years.

Who is MDR for?

Organisations that cannot or do not want to build an in-house 24·7 SOC but need continuous detection and response: structured SMBs, mid-market and large enterprises, NIS2 entities that must demonstrate monitoring and notification capability.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale MDR service.

Related resources: MDR vs EDR vs XDR · What is a SOC

Want to go deeper with an analyst?

A technical conversation, not a funnel.

Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.

Response time: < 1 business day.