What is managed detection and response (MDR) technology, who needs it, and how can the channel support it? Find answers to those questions and more in this guide to selling MDR.
In the first of a regular series of features providing tips for selling trending technologies, we take a look at managed detection and response (MDR). The technology is an area that is regularly highlighted as one that delivers growth for the channel. But just what are customers expecting, what are their needs, and how can you support them? These are just a few of the questions that need answering to establish a solid pitch.
What is MDR technology?
It’s important for the channel to have a firm grip on what a technology means, both in the minds of vendors and of customers. It’s not always clear-cut, but MDR does appear to have a definition that is broadly accepted across the industry.
Peter Jones, cyber security specialist for the ITGL part of Conscia, provides a handy response: “MDR provides the ability to identify anomalies throughout the customer estate that may indicate some form of compromise. Covering all threat vectors, including endpoints, identity, collaboration and networks, an MDR solution can detect threats early in the attack chain and provide an appropriate response to protect the organisation effectively.”
Chris Gilmour, chief technology officer (CTO) at Axians UK, has seen demand for MDR increase due to the security features it provides.
“MDR continues to pick up steam because it gives businesses real-time threat detection and response without needing a full-blown SOC [security operations centre]. Most MDR solutions combine EDR [endpoint detection and response] tooling with behavioural analytics, threat intelligence and human-led investigation, which is critical for catching things like fileless malware or lateral movement that traditional tools might miss,” he says.
“EDR is a toolset, typically installed at the endpoint, to log events, detect activity and support forensic analysis. While powerful, EDR still relies on skilled professionals to manage and interpret alerts,” says Steven Wood, director of solution consulting (EMEA) at OpenText Cybersecurity.
“MDR, in contrast, is a managed service. It wraps EDR and other telemetry – email, DNS [domain name system], identity, cloud – into a broader offer that includes threat hunting, triage, escalation and, often, guided or active remediation. MDR is best thought of as ‘SOC-as-a-service’ – turning raw data into meaningful, actionable outcomes.”
Who needs MDR?
The answer to that question is “everyone”, so it becomes more about how different customer types are looking for support around managed detection and response. Wood splits the customer base broadly into two: those with internal resources, and those without internal resources.
Those with internal resources – the mid-market upwards – are probably already using tools including EDR, Microsoft Defender, and security information and event management (SIEM), but they are still going to be stretched and will benefit from a monitoring service that can provide round-the-clock coverage.
Those without any internal expertise have to rely on a managed service provider (MSP). Wood highlights legal, financial services, healthcare, retail, manufacturing and education as some of the verticals that require the channel’s help with MDR.
“As an MSP, this is your opportunity to tailor delivery – integrating MDR into mature environments, or offering it as a turnkey solution for those that fully outsource,” he says.
Toby Bussa, director of product marketing at Huntress, also has a clear idea of the type of customer that would ideally benefit from MDR, which fits the description of those that regularly turn to the channel to cover their IT needs.
“MDR services are essential for organisations that lack the necessary in-house cyber security expertise, don’t operate an internal SOC, or don’t engage in proactive threat hunting. For these businesses, MDR provides access to expert professionals and 24/7 SOC monitoring, enabling timely detection and response to potential security incidents,” he says.
“This need extends to MSPs that prioritise delivering IT services over building and managing their own cyber security teams or SOC. By partnering with an MDR provider, MSPs can rely on specialised support for threat monitoring, detection and response activities, allowing them to focus on their core offerings while ensuring robust cyber security for their clients.”
How should you deliver MDR?
MDR is delivered as a remote service, which makes it an ideal proposition for managed service providers.
“The key is to position MDR as more than just monitoring. It’s about offering a fully managed service that includes threat hunting, triage and guided response. Make sure the provider has strong integration capabilities, with SIEMs, cloud workloads and identity systems, because coverage gaps are where threats hide,” advises Axians UK’s Gilmour.
Irina Artioli, cyber protection evangelist and researcher at the Acronis Threat Research Unit, agrees that delivering MDR as part of a wider range of services is the wisest approach.
“MDR works best when integrated into the broader services MSPs already provide. Organisations can deliver MDR through the same platform partners use for backup, endpoint detection and response, and patch management, reducing tool sprawl and complexity,” says Artioli.
“Those types of offers focus on rapid deployment, seamless integration with existing infrastructure, and tangible outcomes like reduced dwell time and faster incident response. White-label or co-managed models can help partners differentiate and build recurring revenue,” she adds.
“We are also seeing organisations give partners the training and certifications they need to confidently deliver MDR services. This includes technical deep dives, as well as business-focused content like objection handling, pricing strategies and sales positioning,” says Artioli.
The other challenge is to avoid overloading the customer with alerts and adding to their burden, and to demonstrate that MDR can be delivered with the intention of making life easier as well as more secure.
Robert Derby, senior security product manager at NetScout, says MDR must be delivered as a complete investigative workflow, not just a collection of alerts.
“That means bridging the gap between ‘detection’ and ‘response’ with context-rich analysis. While SIEMs are great at log aggregation and EDRs provide visibility into endpoints, neither gives full insight into what’s happening across the network,” he says.
“NDR fills that role, especially when it stores historical metadata and packets independently of real-time detections, enabling retrospective analysis and the ability to investigate threats that surface days, weeks, or even months later,” he adds. “Delivery should include the ability to pivot seamlessly from alert to packet evidence, reducing time to understanding and time to action.”
How can you support MDR?
The key is to ensure there is awareness of the MDR service that is being delivered. There should be continuous threat reporting, regular threat reviews and customer education.
“Partners should empower clients with clear incident timelines, root cause analyses and actionable insights, while maintaining direct access to Tier 2/3 analysts for rapid escalation,” says Artioli. “To further enable success, organisations usually offer both technical and sales learning paths, covering real-world use cases, demos and practical selling strategies. These organisations also support partners with security awareness training for their end customers and help build custom protection plans through professional services.”
Gilmour also stresses the need for feedback to customers. “One piece of advice: don’t just sell MDR as a set-and-forget solution. Regular reviews, tuning detection rules and working with the customer to understand their risk profile really helps lock in long-term value,” he says. “With threats only getting more sophisticated, MDR’s going to remain a strong bet for the channel throughout this year and well beyond.”
Channel partners are also advised to consider carefully the suppliers they work with. Greg Jones, senior vice-president of MSP enablement (EMEA and North America) at Kaseya, stresses the need to check the levels of support that are behind the technology and to partner “with the right vendors who offer security operations centre (SOC) expertise, automation and layered protection”.
What are the prospects for MDR technology for the rest of this year and beyond?
Not surprisingly, the impact of artificial intelligence (AI) is going to drive increased interest in managed detection and response, and the ever-present need for data protection means MDR will remain an area that should continue to command channel attention.
“The market for MDR is growing fast, especially in the MSP space. Demand is driven by the need for AI-powered solutions that are easier to manage and more effective at stopping modern threats,” says Artioli.
“MDR is no longer seen as something only large enterprises can afford. It’s becoming a core service for MSPs looking to differentiate, grow recurring revenue and offer real business outcomes to their clients. With evolving threats and rising compliance pressure, this is one area where channel partners are leaning in hard,” she adds.
Linda Kerr, director of marketing MDR at WatchGuard Technologies, encourages the channel to continue focusing on the needs of their customers, particularly small and medium-sized enterprises (SMEs).
“The opportunity is growing fast. As threats evolve and compliance pressures increase, more SMBs are looking for managed security services they can trust. MDR positions partners to deliver enterprise-grade protection, without building an SOC, so they can expand into high-value accounts, boost recurring revenue and stand out in a crowded market,” she says.
“Looking ahead, we plan to expand our MDR capabilities, including broader third-party integrations and deeper automation, making the service even easier to sell and scale,” adds Kerr.
There is a sense that the MDR service the channel offers now will not be the one it provides in the future, and that there is a need to accept product evolution.
“MDR services are continually evolving to incorporate additional cyber security capabilities that address emerging threats and vulnerabilities,” says Huntress’s Bussa.
“Identity-based attacks, in particular, are a significant concern today, and tools like identity threat detection and response (ITDR) are being utilised to monitor and respond to these threats. At the same time, MDR services are improving cyber hygiene for businesses through security posture management, including measures such as attack surface management and exposure management,” he adds.
NetScout’s Derby has also charted a change in MDR, with the need to understand the technology in the framework of compliance regulations also sparking some adaptations to the channel’s approach.
“MDR is evolving beyond basic alert triage into a service that delivers meaningful outcomes by helping organisations not only detect threats, but fully investigate, understand and respond to them with confidence,” he says. “The MDR services that prioritise investigation and context will lead the market going forward.”