Cybersecurity

Managed Detection and Response (MDR): What It Is and Why It Matters

MDR (Managed Detection and Response) is a 24/7 security service combining technology and human analyst expertise to detect threats across your environment and respond to incidents in real time. For UK businesses without in-house security operations capability, MDR provides enterprise-grade threat detection at a manageable cost.

Nathan Hill-Haimes

Technical Director

9 min read·Mar 2026

The Gap MDR Fills

Most UK SMEs cannot afford a full security operations centre (SOC) staffed with dedicated security analysts. The cost of hiring, training and retaining qualified security professionals — combined with the tools needed to run an effective security operation — is well beyond the budget of businesses with fewer than 500 employees.

At the same time, the threat landscape has matured to the point where passive defences alone are insufficient. Attackers who successfully establish a foothold in a network often go undetected for weeks or months before detonating ransomware or exfiltrating data. By the time the attack becomes visible, significant damage has already occurred.

MDR addresses this gap by providing the human expertise and technology of a security operations centre as a managed service — the SOC capability without the headcount cost.

How MDR Works

An MDR service typically consists of several integrated components:

Endpoint Detection and Response (EDR) Agents

Software agents are deployed on all endpoints (workstations, servers, cloud workloads) in the client environment. These agents collect detailed telemetry: process execution, file activity, network connections, registry changes, user behaviour. They can also execute automated response actions — isolating an endpoint from the network, killing a process, collecting forensic artefacts — under analyst direction or pre-defined playbooks.

SIEM (Security Information and Event Management)

Log data from endpoints, firewalls, email platforms, cloud identity services and network devices flows into a centralised SIEM. Correlation rules identify patterns of behaviour that indicate attack techniques — lateral movement, privilege escalation, data exfiltration. The SIEM enriches raw log data with threat intelligence, providing context that allows analysts to quickly assess severity.

Human Analyst Oversight

Technology surfaces alerts; human analysts make decisions. An MDR service includes trained security analysts who review alerts, investigate suspicious activity, determine whether detections represent genuine threats or false positives, and execute response actions. This human layer is what distinguishes MDR from unmanaged SIEM or basic managed antivirus — genuine expertise applied to your environment, not automated ticket generation.

Threat Hunting

Beyond reactive alert handling, effective MDR services include proactive threat hunting: analysts searching for indicators of compromise that automated detection may have missed, using knowledge of current threat actor tactics, techniques and procedures (TTPs). This is particularly valuable for detecting patient attackers who move slowly to avoid triggering automated detection rules.

What MDR Detects

MDR provides detection capability across the attack lifecycle:

  • Initial access: Phishing payloads executing, exploitation of public-facing vulnerabilities, compromised credentials being used to authenticate
  • Persistence: New scheduled tasks, registry run keys, malicious services being created
  • Privilege escalation: Attempts to gain administrative access, exploitation of local privilege escalation vulnerabilities
  • Lateral movement: Unusual remote connections between workstations, pass-the-hash/pass-the-ticket attacks, use of admin shares
  • Data exfiltration: Unusual outbound data volumes, connections to unknown external destinations, large file staging events
  • Ransomware indicators: Mass file encryption activity, shadow copy deletion, wallpaper modification — enabling containment before encryption is complete
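As an added example that is not code from the original article or from AMVIA's service, the short Python program below shows how SIEM-style correlation rules of the kind described in the SIEM section and in the list above turn raw endpoint and network telemetry into alerts: it flags a registry Run-key write (persistence), workstation-to-workstation SMB (lateral movement), a shadow-copy deletion command and a burst of file renames (ransomware indicators), and outbound traffic either to a known-hostile destination or in unusual volume (exfiltration), enriches the network alerts from a threat-intelligence list, and maps each alert's severity to a pre-defined playbook action. Every event, hostname, threshold and the single threat-intelligence entry is constructed for the example; the event schema, rule thresholds and playbook names are assumptions, not any vendor's format.

```python
"""Toy SIEM-style correlation over constructed EDR/network telemetry.

Added example for illustration only; the event schema, thresholds and
playbook actions are assumptions, not any vendor's rules or format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (TEST-NET-2 address, not a real IoC).
THREAT_INTEL = {"198.51.100.23"}
WINDOW = timedelta(minutes=5)                 # correlation window for bursts
MASS_RENAME_THRESHOLD = 20                    # file renames per host per window
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024     # outbound bytes per host per batch

# Playbook: what the EDR agent does automatically for each severity (assumed).
PLAYBOOK = {"critical": "isolate_host", "high": "isolate_host", "medium": "notify_analyst"}


def _ts(s):
    return datetime.fromisoformat(s)


def _alert(host, severity, tactic, detail):
    return {"host": host, "severity": severity, "tactic": tactic, "detail": detail}


def detect_persistence(events):
    # Autostart entries written under a CurrentVersion\Run key.
    return [_alert(e["host"], "medium", "persistence",
                   f"Run key written: {e['key']}\\{e['value']}")
            for e in events
            if e["type"] == "registry" and "\\CurrentVersion\\Run" in e["key"]]


def detect_ransomware(events):
    alerts = []
    renames = defaultdict(list)      # host -> timestamps of file renames
    for e in events:
        if (e["type"] == "process" and e["image"].lower() == "vssadmin.exe"
                and "delete shadows" in e["cmdline"].lower()):
            alerts.append(_alert(e["host"], "critical", "ransomware",
                                 "Shadow copy deletion via vssadmin"))
        elif e["type"] == "file" and e["action"] == "rename":
            renames[e["host"]].append(_ts(e["ts"]))
    # Sliding window: many renames on one host in a short period.
    for host, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= MASS_RENAME_THRESHOLD:
                alerts.append(_alert(host, "critical", "ransomware",
                                     f"{end - start + 1} file renames within {WINDOW}"))
                break
    return alerts


def detect_lateral_movement(events):
    # SMB (445) from one workstation directly to another is unusual in most estates.
    return [_alert(e["host"], "medium", "lateral_movement",
                   f"SMB connection from {e['host']} to {e['dst']}")
            for e in events
            if e["type"] == "network" and e["dport"] == 445
            and e["host"].startswith("WS-") and e["dst"].startswith("WS-")]


def detect_exfiltration(events):
    alerts = []
    out_bytes = defaultdict(int)
    for e in events:
        if e["type"] != "network":
            continue
        if e["dst"] in THREAT_INTEL:   # enrichment: known-hostile destination
            alerts.append(_alert(e["host"], "high", "exfiltration",
                                 f"Connection to threat-intel listed host {e['dst']}"))
        out_bytes[e["host"]] += e.get("bytes_out", 0)
    for host, total in out_bytes.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append(_alert(host, "high", "exfiltration",
                                 f"{total // (1024 * 1024)} MiB outbound in one batch"))
    return alerts


def correlate(events):
    """Run every rule over one batch of events and attach the playbook action."""
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    alerts = (detect_persistence(events) + detect_ransomware(events)
              + detect_lateral_movement(events) + detect_exfiltration(events))
    for a in alerts:
        a["action"] = PLAYBOOK[a["severity"]]
    return alerts


def sample_events():
    """Constructed telemetry: one workstation compromise plus a file-server exfil."""
    base = datetime(2026, 3, 2, 2, 10, 0)
    t = lambda **kw: (base + timedelta(**kw)).isoformat()
    ev = [
        {"ts": t(), "host": "WS-014", "type": "registry",
         "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
        {"ts": t(minutes=1), "host": "WS-014", "type": "network", "dst": "WS-021",
         "dport": 445, "bytes_out": 4096},
        {"ts": t(minutes=2), "host": "WS-014", "type": "process", "image": "vssadmin.exe",
         "cmdline": "vssadmin delete shadows /all /quiet"},
        {"ts": t(minutes=3), "host": "SRV-FILE01", "type": "network", "dst": "198.51.100.23",
         "dport": 443, "bytes_out": 700 * 1024 * 1024},
        {"ts": t(minutes=4), "host": "SRV-DC01", "type": "network", "dst": "203.0.113.9",
         "dport": 443, "bytes_out": 2048},   # ordinary low-volume HTTPS
    ]
    for i in range(25):   # burst of renames a few seconds after the vssadmin call
        ev.append({"ts": t(minutes=2, seconds=10 + i), "host": "WS-014", "type": "file",
                   "action": "rename", "path": f"C:\\Users\\j.smith\\Documents\\r{i}.docx.locked"})
    return ev


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(f"[{a['severity']:8}] {a['host']:11} {a['tactic']:16} -> {a['action']}: {a['detail']}")
```

Each rule is deliberately simple so the structure is visible: per-event matches for the persistence, shadow-copy and lateral-movement rules, a sliding window for the rename burst, and a per-batch aggregate for outbound volume. In a real platform these thresholds would be tuned per estate, and the `isolate_host` action would run only under the analyst direction or pre-approved playbooks the article describes, which is the human layer that turns these alerts into a response.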

MDR vs. Traditional Managed Security Services (MSSP)

The distinction between MDR and traditional MSSP is worth clarifying:

  • Traditional MSSP: Typically provides monitoring and alerting — log correlation and alert tickets sent to the client's team for investigation and response. The MSS provider detects; the client responds.
  • MDR: Includes the response element — the MDR provider's analysts investigate alerts and execute response actions (isolation, containment, remediation guidance) rather than passing alerts to the client. This is the critical difference for businesses without dedicated security staff to handle a constant stream of alerts.

Response Time and SLAs

The value of MDR depends heavily on the speed between detection and response. For ransomware, which can encrypt a network in under 30 minutes in well-documented incidents, a response SLA measured in hours is inadequate. AMVIA's MDR service operates with a 15-minute target for critical incident response — providing the rapid containment needed to limit the blast radius of an active attack.

What MDR Costs

MDR pricing in the UK market typically ranges from £8–£25 per user per month depending on the coverage scope, technology platform and response SLAs included. For a 25-user business, this represents approximately £2,400–£7,500 per year — a fraction of the cost of a single experienced security analyst's salary (typically £45,000–£75,000 per year in the UK for a competent SOC analyst).

AMVIA's MDR service is designed specifically for UK SMEs, with pricing and service levels appropriate for businesses from 10 to 500 users. Contact us for a tailored proposal.

Does Your Business Have 24/7 Threat Detection?

Most attacks happen outside business hours. AMVIA's MDR service monitors your environment continuously and responds to threats in real time — contact us to understand what coverage would look like for your business.

Frequently Asked Questions