What is MDR (Managed Detection and Response)
MDR (Managed Detection and Response) is a managed service that combines detection technology (EDR/XDR, SIEM), threat intelligence and human analysts who investigate and respond to incidents 24·7. Unlike a plain EDR, MDR does not just raise alerts: it verifies them, contains the attack and closes the incident, with people who have the mandate to decide.
From prevention to response: why MDR exists
For years security focused on prevention: firewall, antivirus, then EDR. But attackers get in anyway, and the difference between a managed incident and a crisis is not whether someone raises the alarm, it is who responds when it goes off. MDR was born to fill that gap: not another tool that produces alerts, but a service that verifies, investigates and contains them.
What an MDR includes
A complete MDR service combines four components:
- Multi-domain telemetry: endpoint, identity, cloud, network, applications, not just the endpoint.
- MITRE ATT&CK-mapped detection: rules and analytics updated on real campaigns.
- Threat intelligence: the context on who attacks and how, applied in real time.
- Analysts with the mandate to decide: the factor that turns an alert into a closed incident.
Technology detects, but human decision contains. That is the core of MDR done right: AI removes the noise, analysts decide.
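As an added illustration of how those four components fit together (example code written for this page, not Fortgale's tooling, and all telemetry in it is constructed): a toy Python pipeline tags endpoint, identity and cloud events with ATT&CK techniques, correlates them per user inside a time window, and recommends containment only when a late-stage technique (exfiltration or impact) is corroborated by a second telemetry domain. The rules, thresholds and the 30-minute window are assumptions chosen for the example; the point is that a single endpoint hit stays an "investigate" item, while the same hit correlated with identity and cloud signals becomes a containment decision.

```python
"""Toy MDR triage pipeline (added example, not a vendor product).
Tag constructed events with ATT&CK techniques, correlate per user,
decide whether the result is worth containing or only investigating."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # telemetry domain: "endpoint", "identity" or "cloud"
    host: str     # "-" when the domain has no host (identity, cloud)
    user: str
    detail: str   # normalised key=value text the rules match on


T0 = datetime(2024, 5, 3, 2, 10)  # arbitrary constructed timestamp

# Constructed sample telemetry. m.rossi: risky sign-in, encoded PowerShell,
# exfil tool, bulk cloud download. j.admin: one encoded PowerShell run hours
# later with nothing around it (typical benign admin noise).
EVENTS = [
    Event(T0, "identity", "-", "m.rossi",
          "signin result=success mfa=not_required risk=high"),
    Event(T0 + timedelta(minutes=4), "endpoint", "WS-017", "m.rossi",
          "process image=powershell.exe args=-nop -w hidden -enc SQBFAFgA..."),
    Event(T0 + timedelta(minutes=9), "endpoint", "WS-017", "m.rossi",
          "process image=rclone.exe args=copy C:\\Finance remote:bkp"),
    Event(T0 + timedelta(minutes=12), "cloud", "-", "m.rossi",
          "sharepoint op=FileDownloaded count=1450 window=5m"),
    Event(T0 + timedelta(hours=6), "endpoint", "SRV-DB2", "j.admin",
          "process image=powershell.exe args=-enc SQBFAFgA... parent=sccm"),
]


def field(detail, key):
    """Return the value of key=value in a detail string, or None."""
    for tok in detail.split():
        if tok.startswith(key + "="):
            return tok.split("=", 1)[1]
    return None


# (rule id, ATT&CK technique, telemetry domain, predicate on lower-cased detail)
# Rule content and thresholds are illustrative assumptions.
RULES = [
    ("risky-signin-no-mfa", "T1078", "identity",
     lambda d: field(d, "risk") == "high" and field(d, "mfa") == "not_required"),
    ("encoded-powershell", "T1059.001", "endpoint",
     lambda d: field(d, "image") == "powershell.exe" and "-enc" in d),
    ("rclone-exfil-tool", "T1567.002", "endpoint",
     lambda d: field(d, "image") == "rclone.exe"),
    ("bulk-cloud-download", "T1530", "cloud",
     lambda d: field(d, "op") == "filedownloaded"
     and int(field(d, "count") or 0) >= 500),
]

# Techniques that mean the intrusion is already at exfiltration/impact stage.
LATE_STAGE = {"T1567.002", "T1530", "T1486"}


def tag(events):
    """Apply every rule to every event of its own domain; return the matches."""
    hits = []
    for ev in events:
        d = ev.detail.lower()
        for rule_id, technique, source, pred in RULES:
            if ev.source == source and pred(d):
                hits.append((ev, rule_id, technique))
    return hits


def correlate(hits, window=timedelta(minutes=30)):
    """Group hits per user; a hit outside the window opens a new incident."""
    incidents, open_by_user = [], {}
    for ev, rule_id, technique in sorted(hits, key=lambda h: h[0].ts):
        inc = open_by_user.get(ev.user)
        if inc is None or ev.ts - inc["first_seen"] > window:
            inc = {"user": ev.user, "first_seen": ev.ts, "hosts": set(),
                   "domains": set(), "techniques": set(), "rules": []}
            incidents.append(inc)
            open_by_user[ev.user] = inc
        if ev.host != "-":
            inc["hosts"].add(ev.host)
        inc["domains"].add(ev.source)
        inc["techniques"].add(technique)
        inc["rules"].append(rule_id)
    return incidents


def decide(inc):
    """Contain only when a late-stage technique is corroborated by >= 2 domains;
    anything else is a verification task for the analyst, not an action."""
    if len(inc["domains"]) >= 2 and inc["techniques"] & LATE_STAGE:
        return "contain"
    return "investigate"


def triage(events=EVENTS):
    """End to end: tag -> correlate -> decide, one summary per incident."""
    return [{"user": inc["user"], "decision": decide(inc),
             "hosts": sorted(inc["hosts"]), "domains": sorted(inc["domains"]),
             "techniques": sorted(inc["techniques"])}
            for inc in correlate(tag(events))]


if __name__ == "__main__":
    for summary in triage():
        print(summary)
```

Run as a script it prints one summary per incident: the m.rossi chain comes out as "contain" with all three domains and four techniques, the lone j.admin PowerShell run as "investigate". Swap the cloud event out of EVENTS and m.rossi drops to "investigate" as well, which is the practical difference between an endpoint-only alert stream and cross-domain correlation.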
EDR, MDR, XDR: not synonyms
EDR is the endpoint technology. XDR extends correlation across domains (identity, cloud, network). MDR is the managed service that operates EDR or XDR and adds the people. For the detailed comparison see MDR vs EDR vs XDR.
How to recognise a good MDR
Not all “MDR” offers are equal. Quality signals: response included (not just notification), senior analysts with decision authority, proprietary intelligence (not just resold feeds), 24·7·365 coverage in the customer’s time zone, and a vendor-agnostic approach that does not force you to replace what you have.
EDR vs MDR vs in-house SOC
| Dimension | EDR (tech only) | MDR (managed service) | In-house SOC |
|---|---|---|---|
| What it does | Detects on the endpoint, raises alerts | Detects on endpoint, identity, cloud, network and responds | Monitors with own team |
| Who operates it | Your team | Provider analysts 24·7 | Internal staff, 24·7 shifts |
| Response | Manual, on you | Included, managed containment | Internal |
| Cost | Licence | Subscription, ~30% of an in-house SOC | Over EUR 1M/year |
| Time to start | Immediate | Weeks | Months/years |
In Operation Storming Tide the Fortgale team detected and contained a multi-stage intrusion (actor Mora_001): data exfiltration and ransomware prevented by containment. That is the difference between an alert and a closed incident.
Read the analysis →
Frequently asked questions
What is the difference between MDR and EDR?
EDR is a technology for detection and response on the endpoint. MDR is the service that operates that technology (and more: identity, cloud, network), correlates it with threat intelligence and adds analysts who decide. EDR raises alerts; MDR handles them and closes the incident.
Are MDR and SOC the same thing?
No. The SOC is the structure that monitors; MDR is the service that, on top of the SOC, adds intel-driven detection and, above all, response. In the Fortgale model managed SOC and MDR are the same European outpost, with no handover between vendors.
Do I need an EDR already to start an MDR?
No. A good MDR is vendor-agnostic: it integrates on the platform you already use, or provides one. Fortgale operates MDR on Microsoft Defender, CrowdStrike Falcon, SentinelOne and other leading platforms, from a single console.
How much does MDR cost versus an in-house SOC?
An in-house 24·7 SOC exceeds one million euros a year in analysts, licences and infrastructure. A managed MDR costs a fraction of that, with a predictable subscription and activation in weeks instead of years.
Who is MDR for?
Organisations that cannot or do not want to build an in-house 24·7 SOC but need continuous detection and response: structured SMBs, mid-market and large enterprises, NIS2 entities that must demonstrate monitoring and notification capability.
From theory to a real operation.
What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale MDR service.
Related resources: MDR vs EDR vs XDR · What is a SOC