Market Guide For Managed Detection and Response Services


7/9/2020 Gartner Reprint

Licensed for Distribution

Market Guide for Managed Detection and Response Services
Published 15 July 2019 - ID G00367208 - 24 min read

ARCHIVED: This research is provided for historical perspective; portions may not reflect current
conditions.

By Analysts Toby Bussa, Kelly Kavanagh, Sid Deshpande, Craig Lawson, Pete Shoard

MDR services add 24/7 threat monitoring, detection and response capabilities to security
operations capabilities via an outcome-oriented approach. Security and risk management
leaders should use this research to determine if MDR services are a good fit for their goals, use
cases and requirements.

Overview
Key Findings
■ The containment and disruption of threats is becoming a popular response offering and
differentiator among managed detection and response (MDR) providers.

■ Pure-play MDR providers are expanding into complementary areas to fill other gaps in customer
security operations capabilities, like vulnerability management and cloud security.

■ Managed endpoint detection and response (EDR) is becoming primarily associated with MDR
services. While it is one of the most visible offerings within the market, it is just one style of MDR
services, not the only style.

■ Cloud service coverage (SaaS and IaaS) is generally immature with a majority of MDR providers.

Recommendations
Security and risk management leaders responsible for security operations should:

■ Use MDR services to add 24/7 threat detection and incident investigation and response
capabilities, when they don’t exist or are immature. Internal resources will still be needed for some
response activities, and incident response retainers will be necessary for additional support as
well.

https://www.gartner.com/doc/reprints?id=1-1OA8E9GQ&ct=190716&st=sb 1/16

■ Use MDR services offering a turnkey technology approach when there is little to no existing
investment related to security technologies for threat detection and forensics, and when the speed
to implement MDR services is important.

■ Embrace threat disruption and containment as an incident response feature of MDR service
providers when there are no 24/7 operations to respond to threats that require immediate
attention.

■ Leverage MDR providers that also offer services that will fill in other gaps in their foundational
security operations capabilities, like vulnerability management and log management.

Strategic Planning Assumptions


By 2024, 25% of organizations will be using MDR services, up from less than 5% today.

By 2024, 40% of midsize enterprises will use MDR as their only managed security service.

Market Definition
This document was revised on 30 July 2019. The document you are viewing is the corrected version.
For more information, see the Corrections page on gartner.com.

The goal of MDR services is to rapidly identify and limit the impact of security incidents to customers.
These services are focused on remote 24/7 threat monitoring, detection and targeted response
activities. MDR providers may use a combination of host and network-layer technologies, as well as
advanced analytics, threat intelligence, forensic data, and human expertise for investigation, threat
hunting and response to detected threats.

Market Description
The market for MDR services is organizations seeking to establish and improve early, effective threat
detection and response through 24/7 continuous-monitoring coverage. Many MDR providers’
services leverage technologies at the host and network layers that generate and collect security event
and contextual data that support both the detection of threats and incident investigation (such as
forensic data). Additionally, providers focus on analytics for detection, use of threat intelligence and
on incident response activities, all of which can be expensive, difficult to obtain and hard to sustain
for many midsize enterprises (MSEs), as well as larger enterprises. For MDR providers focused on
large enterprises, the approach is less defined in the current market. Some MDR providers focus on
buyers with existing security operations or an established security operations center (SOC) that need
to fill specific gaps in their capabilities. Other providers aim to compete more directly with MSSPs by
selectively leveraging customers’ existing security technologies to deliver a threat detection and
response service (see Figure 1).
Figure 1. MDR Services

MDR services are characterized by the following attributes that are centered around technology,
detection abilities and response actions:

■ A focus on high-fidelity threat detection and validation, geared toward attacks that have bypassed
protective security controls like firewalls and endpoint protection.

■ The delivery of services using the provider’s curated technology stack, such as network traffic
analysis, endpoint activity monitoring and deception technologies, deployed on a customer’s
premises and managed by the provider. These technologies allow the MDR providers to monitor
“south of the perimeter” as opposed to focusing on monitoring at internet ingress/egress points.
Few MDR providers rely solely on logs generated by a customer’s existing security tools to monitor
and detect threats. Where logs are collected, they may be used more as secondary data sources
for additional context, such as checking whether connections to a command and control server
were blocked by the firewalls or a secure web gateway (SWG).

■ An emphasis on a fast, scalable turnkey deployment of services. This is due to the use of a
provider’s curated technology stack, which may be faster to deploy compared to the traditional
MSS approach. The MSS approach requires the customer to provide its own technologies, identify
critical event sources and implement log forwarding to a central collection appliance. Some MDR
providers that support a curated set of technologies that a customer can bring may ease
integration (for example, through APIs).

■ A platform that leverages threat intelligence and custom analytics that are fed curated events from
the provider’s technology stack (and, in some cases, customer-owned technologies as well). In
some cases, the platform may leverage more advanced user and entity behavior analytics (UEBA),
although this is still less common.

■ The 24/7 monitoring, analysis and customer alerting of validated security events with incident
triage performed by analysts all focused on incident investigation and response, in contrast to a
traditional SOC model where analysts and responsibilities are separated into tiers.

■ More direct communication between the customer and MDR provider’s analysts, and less
emphasis on using a portal or service tickets as the primary interface. For example, some
providers have integrations with real-time messaging platforms, like Slack, to converse with clients
in a free-form approach, but this should not replace auditable means of tracking incidents and
associated activities (for example, making changes to the customer’s environment).

■ The provider takes responsibility for determining what and how threats are detected. Customers
may have little opportunity to customize threat detection use cases specific to their environment.
For example, the MDR providers might be looking for specific tactics, techniques and procedures
(TTPs) that indicate a threat is active in a customer’s environment. However, if the customer wants
some use cases specific to its environment, that level of customization may not be supported.

■ The fast detection of threats without commensurate response actions can still lead to significant
impacts on organizations. Hence, MDR providers include the incident validation and remote
incident response activities in their services without the need for an incident-response-specific
retainer. Such activities may include malware analysis, identifying indicators of compromise
(IOCs), human-powered threat hunting, threat containment and specific guidance on remediation.
There is no consistency yet around the threshold when an incident being investigated by the MDR
provider becomes an event that requires the activation of an incident response retainer. Between
one and four hours is the most common response from MDR providers, but at this stage the
threshold tends to be left to SOC analysts’ discretion. The recovery of an environment to a known,
good state (reimage, rebuild, restore from backup and so on), in most cases, falls on the client to
manage (or coordinate via other means).

■ Use cases (such as vendor-agnostic security technology management and compliance monitoring
and reporting) are not a focus of MDR services and are rarely offered.

Market Direction
Growth and Evolution of the MDR Market
The MDR market continues to grow, and Gartner clients are gaining increasing awareness of the
market. Gartner observed a 35% growth in inquiry on the topic over the last 12 months and estimates
the market grew 20% year over year to approximately $600 million in 2018.

The marketing around MDR is increasingly confusing for buyers. The MDR label is being co-opted by
service providers that demonstrate few, if any, of the characteristics defining the MDR market and are
more aligned to the MSS market. In response to the competition in the market, some MDR providers
are focusing on specific verticals where they can offer more specific expertise and services. This
includes verticals such as critical infrastructure and manufacturing, which have OT security-specific
concerns, and the medical provider market, which faces data protection and IoT device security
concerns. MSSPs have tempered their response to the MDR market. Some new providers have
introduced offerings, while few have expanded their offerings in the last 12 months, with most
offerings still centered on managed EDR and threat-hunting services.

Threat detection capabilities are still heavily weighted toward the end of the cyber kill chain, with
most MDR providers starting at the installation or command and control stages (for example,
detecting when a binary executed or command and control activity is initiated). Few MDR providers
are moving up the kill chain to detect threats in the delivery or exploitation phases, such as by
monitoring email for delivery of binaries to end users.

As some MDR service providers mature their threat detection and response service offerings and
establish themselves as trusted partners, they are adding complementary services to address other
security operations gaps with their customers, such as vulnerability management. MDR providers are
not racing to compete with MSSPs here, but customers are pushing the MDR providers to help with
other essential security operations functions.

Response remains an essential capability and is increasingly a differentiator between many
providers. Many buyers gravitate to the MDR providers because the response capabilities are a
differentiator from many MSSPs. Well-performed incident response takes time and skill, which many
organizations just don’t have, especially when there are multiple threats being detected in a short
time frame. Deeper investigation, analysis and validation of threats, along with enhanced guidance on
how to contain and mitigate the threat, provide significant value to MDR customers. The sentiment
and concern we increasingly hear from Gartner clients, especially those that have less mature
detection and response capabilities, is that reducing the time to detect a threat is meaningless
without a corresponding reduction in the response time.

Over the last 12 months, there have been some acquisitions by technology vendors to bolster their
threat detection and response services, as well as acquisitions by MDR providers to build out their
portfolios of services, for example:

■ June 2018 — CounterTack acquires GoSecure

■ June 2018 — F-Secure acquires MWR InfoSecurity

■ October 2018 — eSentire acquires Versive

■ December 2018 — Arctic Wolf Networks acquires RootSecure

■ January 2019 — Sophos acquires DarkBytes

■ February 2019 — Capgemini acquires Leidos Cybersecurity

■ June 2019 — Sophos acquires Rook Security

■ July 2019 — Orange Cyberdefense acquires SecureLink

Market Analysis
Buyer Personas — From Low Maturity to High Maturity
MDR services exist to support a variety of buyers, which generally align to three groups:

■ Organizations that have very minimal in-house detection and response capabilities, where an MDR
service forms the primary (sometimes only) security operations capability. These buyers usually
have few, if any, security-specific experts on their teams, usually with security operations
responsibilities federated across the IT teams. They also tend to focus security technology
investments in protection controls, like multifunction firewalls and endpoint protection platforms.
24/7 IT or security operations are usually not available to support response capabilities.

■ Organizations that have invested in detection technologies but are unable to build in-house people
or process capabilities to support the security operations mission. Such organizations prefer
engaging MDR providers that can support their technology of choice (such as EDR or NTA), or
product vendors in these areas that also offer an MDR service as an overlay to the technology. On
the MDR provider side, this style tends to be heavily curated in terms of the technologies and
vendors the MDR provider will support, as they are specifically cognizant of not wanting to
compete in the broad-based MSS market.

■ Organizations that have already made investments in people, process and technologies for threat
detection and response, or plan to make those investments, say, as part of building their own
internal SOC, and are looking to MDR providers for support. These buyers, depending on their
starting point, want to use MDR services to jump-start their SOC journey or fill in gaps in their
capabilities and offer them bandwidth to focus on other security activities (or, at a minimum, just
incident response). These buyers may leverage a managed EDR offering as they establish their
internal expertise around EDR or as a “second set of eyes” for their SOC analysts. Some
organizations may want to outsource their threat-hunting capability to an MDR provider.
Additionally, an organization of this profile also benefits from 24/7 coverage, which, even for bigger
organizations, is an expensive investment many are unwilling to invest in.

Different Styles of MDR to Address the Range of Buyers
MDR services are still a work in progress, as the market adapts to the demands from the buyer
personas described above. In addition to the level of response required by customers, the technology
approach to collect telemetry, both for real-time threat detection and incident investigation (such as
raw log and forensic data), will vary across different MDR service providers. There are four general
styles of “technology stacks” supported:

■ Full stack from the provider — Sometimes referred to as “full stack” MDR or pure-play MDR, this is
when the provider leverages two or more technologies to deliver MDR services. These
technologies are selected and provided by the provider (that is, the customer doesn’t get a choice
in the technologies used). The two most common components are a multifunction network
security monitoring (NSM) sensor or appliance and an EDR agent. Both of these technologies
provide capabilities oriented toward near-real-time threat detection as well as forensic data for
postincident detection investigations. Telemetry from these technologies feeds the MDR provider’s
delivery platform, where analytics are performed to identify threats, generate alerts and support
threat investigation by the provider’s “SOC analysts.” In addition to NSM and EDR technologies,
some providers may also use other technologies to detect threats, such as deception technologies,
and monitor other attack vectors, such as email and DNS (see “Improve Your Threat Detection
Function With Deception Technologies” and “Applying Deception Technologies and Techniques to
Improve Threat Detection and Response”).

■ Managed point solutions (EDR, NDR) — Managed EDR is often associated with MDR when it’s just
one style, a style that may have limited visibility of threats in a customer’s environment depending
on the assets and environments that need to be monitored (see “Market Guide for Endpoint
Detection and Response Solutions” and “Competitive Landscape: Endpoint Protection Platforms,
Worldwide, 2019”). For example, you can’t install an EDR agent on a multifunction printer/scanner
device or a programmable logic controller (PLC). While there are some dedicated managed EDR
providers, the MDR market is dominated by EDR vendors offering services to software buyers.
There are varying degrees to these services (for example, scheduled threat hunts performed by
SOC analysts to full 24/7 monitoring, incident triage and response). On the NTA vendor side, there
are a limited number offering MDR at this stage (see “Market Guide for Network Traffic Analysis”).
However, Gartner expects a trend similar to that of the EDR vendors to happen in this market, as
NTA buyers lean on the vendors to help them maximize the investments in these technologies.

■ Technologies for other environments and assets like cloud (IaaS/SaaS), OT and IoT — Some MDR
vendors have proprietary technologies and approaches to support assets and environments
beyond standard on-premises IT. These may be available as add-on or even stand-alone MDR
services, such as in the case of monitoring ICS and SCADA systems in OT environments, or IoT
devices in medical provider environments. Increasingly, MDR providers are starting to support
cloud environments as add-ons through their own technologies and partnerships with other
vendors (for example, cloud access security broker [CASB] and cloud workload protection platform
[CWPP] solutions). However, coverage is nascent, and this is still a work in progress for many MDR
providers. Support for leading SaaS vendors is gaining traction, as is basic monitoring into IaaS,
but both are still a work in progress or future roadmap item for many MDR providers.

■ BYO technology stack — These providers are focused on threat detection and response and trying
not to compete directly with the broader MSS market, but they lean more toward MSS compared to
MDR providers offering a turnkey technology stack. The difference is the customer-owned
technologies that are supported tend to be highly curated by the provider and limited to
technologies that can be easily integrated and offer detection and response functionality (such as
EDR). A provider that does not support technologies with both real-time threat detection and
forensic data capture — or that offers its own technology options to fill in gaps in a customer’s
technology stack — is really more MSS than MDR (see “Five Styles of Advanced Threat Defense”).

Response Is a Defining Element of MDR Services


Gartner clients interested in managed security services increasingly state that they want
comprehensive threat detection and response services. MDR services must include “lightweight,”
remote incident response services as part of the core services. MDR providers favor dedicated
response experts in their SOCs, and they differentiate themselves by having more incident response
skills than traditional security management skills. These experts:

■ Validate potential incidents

■ Assemble the appropriate context

■ Investigate as much as is feasible about the scope and severity given the information and tools
available

■ Provide actionable advice and context about the threat

■ Initiate actions to remotely disrupt and contain threats

These capabilities are very appealing to enterprises that are less mature and underinvested in
detection and response capabilities. These enterprises, especially those that don’t have any internal
24/7 operations (such as IT operations), indicate a greater acceptance of containment actions where
and when threats represent business-level impact. Larger enterprises that have 24/7 IT operations
and a security operations team to handle response activities currently tend to be less interested in
containment being done by the provider. However, they are interested in having the technical
capability to initiate the containment themselves, such as through a button in a portal that will initiate
containment through an EDR agent or taking actions on capable network security tools.

The disruption and containment of threats can take various forms, and MDR providers offer several
options. There is no winning approach, although isolating a host via an EDR tool and blocking traffic
on a firewall is the most common method. Example methods include:

■ Changing firewall rules via APIs, watch lists and rules updates

■ Isolating a process or a host from the network using an endpoint agent

■ Leveraging in-line security controls like NIPS and WAF to block specific network traffic at different
TCP/IP layers

■ Locking and suspending user accounts

■ Integrating with a customer’s network access control (NAC) tool

■ Blocking network activity via DNS enforcement and TCP resets
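The containment methods listed above are only acceptable to a customer if each action is pre-agreed, tied to an incident record rather than a free-form chat thread (the auditability point raised earlier in this guide), and reversible once the customer has recovered the host. The following Python example, written for this page and not code from Gartner or any MDR provider, shows a small containment ledger that enforces those three properties: it refuses action kinds the customer has not agreed to, records every apply, refusal and rollback with the analyst, ticket and triggering condition, and keeps the inverse operation for each action. The `FakeEdr` and `FakeFirewall` classes, the host name, IP address and ticket numbers are all constructed stand-ins for a real EDR and firewall API.

```python
"""Auditable, reversible containment actions: an illustrative ledger.

Hypothetical example; FakeEdr and FakeFirewall stand in for an EDR agent API
and a firewall rule API and only record state so the code runs offline.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


class FakeEdr:
    """Stand-in for an EDR host-isolation API (constructed for this example)."""
    def __init__(self) -> None:
        self.isolated: Set[str] = set()

    def isolate_host(self, host: str) -> None:
        self.isolated.add(host)

    def release_host(self, host: str) -> None:
        self.isolated.discard(host)


class FakeFirewall:
    """Stand-in for a firewall block-list API (constructed for this example)."""
    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def block(self, ip: str) -> None:
        self.blocked.add(ip)

    def unblock(self, ip: str) -> None:
        self.blocked.discard(ip)


@dataclass
class ContainmentAction:
    action_id: int
    kind: str          # which pre-agreed action kind was taken
    target: str        # host, IP or account the action applied to
    condition: str     # the agreed trigger condition that justified acting
    analyst: str
    ticket: str        # incident record the action is tracked under
    applied_at: str
    rolled_back_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class ContainmentLedger:
    """Applies only pre-agreed action kinds, records each one against a ticket,
    and keeps the inverse operation so every action can be rolled back."""

    def __init__(self,
                 handlers: Dict[str, Tuple[Callable[[str], None], Callable[[str], None]]],
                 allowed_kinds: Set[str]) -> None:
        self._handlers = handlers          # kind -> (apply, undo)
        self._allowed = allowed_kinds      # kinds the customer agreed to in advance
        self._actions: List[ContainmentAction] = []
        self.events: List[dict] = []       # append-only audit trail

    def apply(self, kind: str, target: str, condition: str,
              analyst: str, ticket: str) -> ContainmentAction:
        if not ticket:
            raise ValueError("containment actions must be tied to an incident ticket")
        if kind not in self._allowed:
            # Even a refused request is written to the trail so the customer can see it.
            self.events.append({"event": "refused", "kind": kind, "target": target,
                                "analyst": analyst, "ticket": ticket, "at": _now()})
            raise PermissionError(f"{kind!r} is not an agreed containment action")
        do, _undo = self._handlers[kind]
        do(target)
        action = ContainmentAction(len(self._actions) + 1, kind, target,
                                   condition, analyst, ticket, _now())
        self._actions.append(action)
        self.events.append({"event": "apply", **asdict(action)})
        return action

    def rollback(self, action_id: int, analyst: str) -> ContainmentAction:
        action = self._actions[action_id - 1]
        if action.rolled_back_at is not None:
            raise ValueError(f"action {action_id} was already rolled back")
        _do, undo = self._handlers[action.kind]
        undo(action.target)
        action.rolled_back_at = _now()
        self.events.append({"event": "rollback", "by": analyst, **asdict(action)})
        return action

    def open_actions(self) -> List[ContainmentAction]:
        return [a for a in self._actions if a.rolled_back_at is None]


def demo():
    """Runs a constructed scenario and returns (ledger, edr, firewall)."""
    edr, fw = FakeEdr(), FakeFirewall()
    handlers = {
        "isolate_host": (edr.isolate_host, edr.release_host),
        "block_ip": (fw.block, fw.unblock),
    }
    # The customer agreed to host isolation and IP blocking, but not account suspension.
    ledger = ContainmentLedger(handlers, allowed_kinds={"isolate_host", "block_ip"})
    ledger.apply("isolate_host", "ws-0142", "confirmed C2 beaconing", "analyst-a", "INC-1001")
    ledger.apply("block_ip", "203.0.113.5", "confirmed C2 beaconing", "analyst-a", "INC-1001")
    try:
        ledger.apply("suspend_account", "jdoe", "suspicious logon", "analyst-a", "INC-1001")
    except PermissionError:
        pass  # not agreed with the customer: refused, logged, and escalated instead
    # The customer rebuilt the host; the provider removes the isolation and records it.
    ledger.rollback(1, "analyst-b")
    return ledger, edr, fw


if __name__ == "__main__":
    ledger, _, _ = demo()
    for event in ledger.events:
        print(event)
```

The `allowed_kinds` set is the technical expression of the agreement the customer and provider reach up front about what the provider may do and under what conditions; the `condition` field on each action records which of those agreed triggers applied, so a review after the incident can check that containment was justified, not just that it happened.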

Expansion of Services Offered by MDR Providers


Over the last 12 months, more MDR service providers have expanded their offerings, focusing on
essential security operations capabilities, like vulnerability management and log management. This is
not yet universal, but MDR providers are being pushed by their customers, especially those with lower
maturity and that need support for these other essential security operations capabilities. We
anticipate seeing more vulnerability management and log management services added over the next
12 months, as MDR providers look to address customer demand and differentiate themselves in the
market. Risk management is a slightly different consideration. MDR providers oriented toward the
more mature customer may offer risk management activities through a consultative approach.
Meanwhile, a few MDR providers oriented toward less mature buyers are embedding risk
management features into their core MDR offerings as a means of providing some level of risk
measurement and benchmarking across customers. This is nascent right now, but we anticipate MDR
providers to expand these features and capabilities over the next few years.

Some providers are making use of proprietary security orchestration, automation and response
(SOAR) tools to offer managed processes (or plays) to their customers (for example, Red Canary with
Exec and Secureworks’ Orchestration Management Console). These plays are backed by the MDR
provider’s own detection tools as well as allow for deeper integrations into customer environments.
SOAR functionality can also give organizations a deeper level of comfort in terms of allowing
response actions as the triggers. The workflow and containment options taken are all described in an
easy-to-consume manner.

Vertical-Specific Focus
Many MDR providers are also focusing on specific verticals as a means of leveraging internal
expertise and differentiating their services. While most MDR providers will support any vertical,
buyers in verticals facing unique challenges may have more options to find and work with an MDR
provider that can bring specialized knowledge and understanding, of both the threats and the
customer environment. Example verticals include:

■ Financial services (banking, insurance, FinTech), which are highly averse to breaches and failed
systems; addressing the ensuing loss of trust from their clients is a high priority. They might have
some 24/7 capability, but not in advanced threat detection and response/containment capabilities.

■ Organizations that have operational technology environments, like oil and gas, local governments
and agencies responsible for services (such as water delivery and wastewater treatment), and
high-tech manufacturing.

■ Healthcare providers that handle sensitive data, like electronic medical records (EMR), and that rely
on IoT networked medical technologies.

■ Retail, which relies on point-of-sale devices and handles payment card information (PCI) and
customer data (see “10 Best Practices for Using Customer Data to Grow Retail Loyalty”).

Representative Vendors
The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Market Introduction
A list of representative vendors is provided in Tables 1 and 2 below. This is not, nor is it intended to
be, a list of all the providers in the MDR services market. It is not, nor is it intended to be, a
competitive analysis of the providers.

Table 1: Representative MDR Providers

Vendor | Service Name | Headquarters
ADT Cybersecurity | ADT Cybersecurity | Salt Lake City, Utah
Alert Logic | ActiveWatch | Houston, Texas
Anitian | Managed Detection and Response | Portland, Oregon
Arctic Wolf Networks | Managed Detection and Response | Sunnyvale, California
Blackpoint Cyber | Managed Detection + Response | Ellicott City, MD
Booz Allen Hamilton | Managed Threat Services | McLean, Virginia
Capgemini | Managed Detection and Response | Paris, France
CI Security | Managed Detection and Response | Seattle, Washington
Critical Start | Managed Detection and Response | Plano, Texas
CSIS | Managed Detection and Response | Copenhagen, Denmark
eSentire | Managed Detection and Response | Cambridge, Ontario
Expel | Expel | Herndon, Virginia
EY | EY Advisory: Cybersecurity | London, U.K.
Ezenta | Managed Detection and Response | Herlev, Denmark
GoSecure | Managed Detection and Response | Waltham, Massachusetts
IntelliGO Networks | Managed Detection and Response | Toronto, Ontario
Kudelski Security | Breach Protection and Response | Cheseaux-sur-Lausanne, Switzerland, and Phoenix, Arizona
LMNTRIX | Adaptive Threat Response | Los Angeles, California
Masergy | Unified Enterprise Security (UES) | Plano, Texas
Mnemonic | Argus Managed Defence | Oslo, Norway
NCC Group | Managed Detection and Response | Manchester, United Kingdom
Paladion | Managed Detection and Response | Reston, Virginia
Proficio | Managed Detection and Response | Carlsbad, California
Rapid7 | Managed Detection and Response | Boston, Massachusetts
Red Canary | Managed Detection and Response | Boulder, Colorado
Secureworks | Managed Detection and Response | Atlanta, Georgia
SecureLink | SecureDetect and SecureRespond | Malmö, Sweden, and Sliedrecht, Netherlands
UnitedLex | Managed Detection and Response | Overland Park, Kansas

Source: Gartner (July 2019)

Table 2: Representative Technology Vendors (EDR, NDR) With MDR Services

Vendor | Service Name | Headquarters
Binary Defense | Managed Detection and Response (MDR) | Stow, Ohio
Carbon Black | CB ThreatSight | Cambridge, Massachusetts
CrowdStrike | Falcon Overwatch | Sunnyvale, California
Digital Guardian | Managed Security Program for Endpoint Detection and Response | Waltham, Massachusetts
F-Secure | Countercept Managed Detection and Response | Helsinki, Finland, and London, U.K.
Fidelis Cybersecurity | Managed Detection and Response | Bethesda, Maryland
FireEye | Managed Defense | Milpitas, California
IronNet Cybersecurity | Cyber Operations Center (CyOc) | Fulton, Maryland
Kaspersky Labs | Managed Detection and Response | Moscow, Russia
Sophos (Rook Security) | Managed Detection and Response | Abingdon, U.K.
Symantec | Managed Endpoint Detection and Response; Managed Cloud Defense | Mountain View, California
Trend Micro | Managed Detection and Response | Tokyo, Japan

Source: Gartner (July 2019)

Market Recommendations
■ It is important to have clearly defined outcomes and goals that address defined use cases and a
solid understanding of what the future steady state looks like once engaged with an MDR provider.
Like any outsourcing initiative, without these defined, regardless of what service provider is used,
the chance of success will be more difficult to achieve (see “Toolkit: Communicating Effective
Security Use Cases to Your MSSP” and “Foundational Elements to Get Right When Selecting a
Managed Security Service Provider”).

■ MDR services are not for every organization. What if the MDR provider’s technology stack is not
well-aligned to your environment? For example, if you have a high percentage of bring-your-own (BYO)
or embedded devices (operational technology), an MDR provider offering only managed EDR may not be
a good fit for your organization. You should not be required to change or modify your existing
operating environment to fit the MDR service; the service must fit your environment.

■ Organizations that have not yet invested, or are underinvested, in detection and response
technologies and internal capabilities should consider MDR services where an appropriate technology
stack is provided. Midsize enterprise (MSE) buyers should look for providers with comprehensive
technology stacks that cover both endpoint and network, while larger enterprises should look for
providers that have flexible technology options (such as managed EDR or network traffic analysis
[NTA]).

■ Purchasing MDR services is not a replacement for having the foundations for incident response in
place. IR policies and procedures are still required, although some MDR vendors are positioned to
help their customers develop these if they don’t exist or require updating (see “Prepare for the
Inevitable With an Effective Security Incident Response Plan”).

■ Response capabilities are critical. Reducing the time needed to detect a threat matters, but its
value is diluted if there is no ability or coverage to respond to the threat. If your organization’s
internal response capabilities are nascent, immature or not available 24/7, focus on MDR providers
that offer the ability to disrupt or contain a threat, which buys time to initiate mitigation and
recovery activities. MDR customers should ensure that the provider documents the actions it may take
in the customer environment and the conditions under which it takes them, and that those actions can
be rolled back (for example, removing the isolation from a host). Organizations should add an
incident response retainer, either from the MDR provider or a third party, to deal with major
incidents, investigations and breaches.

■ Enterprises implementing an SOC should leverage MDR services to accelerate threat detection, in
some cases focusing only on targeted and advanced threats, while their SOC is being implemented and
as it matures. This can mean an SOC is operating at a greater maturity level in months, rather than
years. If the relationship with the MDR provider is successful, don’t terminate it just because you
believe you could run everything yourself. Retaining the MDR provider as a long-term partner may be
the best approach once the SOC is fully operational and self-sustaining.

■ Use proofs of concept (POCs) to your advantage to validate claims and fit for purpose against your
organization’s requirements. Most MDR providers lack the vetting and decades of competition that
MSSPs have faced. You must perform sufficient due diligence on the MDR providers before signing a
contract.

■ If you have data residency and strong privacy or other compliance requirements, validate that the
MDR providers can comply with them. Focus on MDR providers within your geographic region or
those using a data collection architecture in which your data remains on-premises, with only
metadata or event data sent back to a central SOC.

■ MSSPs are slowly adding MDR-type offerings that supplement their existing services. There are
some MSSPs with credible offerings that include their own proprietary host and network
technologies, supported by their own threat intelligence and advanced analytics capabilities (see
“Magic Quadrant for Managed Security Services, Worldwide”). These offerings tend to be
purchased by larger enterprise buyers with specific MSS requirements that cannot be met by
stand-alone MDR providers (such as security technology management, managed SIEM,
vulnerability management and compliance reporting). These buyers also want more “advanced
threat detection,” along with traditional managed security services. Depending on its risk tolerance
and culture, an organization may choose to adopt an approach that uses MSS for certain
capabilities and augments the MSSP with MDR services. However, this approach is the exception,
rather than the norm.

Note 1
Representative Vendor Selection
Gartner included a range of providers in this report to ensure coverage from a geographic, vertical
and capabilities perspective. Gartner estimates that there are now over 100 providers visible in this
market claiming to offer MDR services. Listed here are those that are visible to Gartner clients based
on inquiries, have differentiators representative of the dynamic nature of the MDR market, and
represent future capabilities and offerings that may drive the direction of the market.

Note 2
Gartner’s Initial Market Coverage
This Market Guide provides Gartner’s initial coverage of the market and focuses on the market
definition, rationale for the market and market dynamics.

© 2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
permission. It consists of the opinions of Gartner's research organization, which should not be construed as
statements of fact. While the information contained in this publication has been obtained from sources believed to
be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment
advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."
