Interconnekt
Security9 min read

The SMB buyer's guide to Managed Detection and Response

Every MDR vendor's site says the same things. Here's how to actually tell them apart: the difference between an alert and a response, who's watching at 2am, and the questions that separate real 24/7 detection from a dashboard you'll never open.

Abstract Signal cover illustration.
Joel Kino
Interconnekt
Share

Read five MDR vendor websites back to back and you'll struggle to tell them apart. Everyone has 24/7 monitoring, everyone has automated detection, everyone has expert analysts. The language is interchangeable because the category is genuinely useful and everyone is racing to claim it. The problem for a buyer is that the words that matter most - what happens in the minutes after something is detected, and who actually does it - are the ones the marketing skips. This is the guide we wish prospects had read before they call us.

The stakes aren't abstract. ASD's ACSC received over 84,700 cybercrime reports in 2024-25, about one every six minutes, and the average self-reported cost of cybercrime to a small business rose to $56,600 (ASD Annual Cyber Threat Report 2024-25). MDR is the layer that decides whether a detection at 2am becomes a contained non-event or one of those reports.

What MDR actually is, and what it isn't

MDR sits on top of detection tooling. The tooling - endpoint detection and response (EDR), which is the modern successor to antivirus - watches your devices and flags suspicious behaviour. MDR is the managed service wrapped around that tooling: a security operations team that monitors the alerts around the clock, decides which ones are real, and takes action when one is. The detection part is increasingly commoditised. The management part is the whole point.

It helps to place MDR against the things it's often confused with. EDR is the tool, not the service - buying EDR and leaving it for your IT person to watch is how most SMBs end up with an expensive dashboard nobody opens. An MSSP (managed security service provider) traditionally forwards you alerts and leaves the response to you, which is the gap MDR exists to close. A SIEM is a log-aggregation platform that needs a skilled team to run; if a provider's MDR requires you to stand up and tune a SIEM, that's a cost and a burden they've quietly handed back to you. The shorthand: EDR detects, MDR responds, and the response is the bit you're paying for.

LayerWhat it isWho acts when something fires
AntivirusSignature-based detection of known malwareNobody - it blocks known files and stops there
EDRBehaviour-based detection on endpoints; the modern successor to antivirusWhoever you've tasked with watching the dashboard
MSSP (traditional)Forwards you alerts from your toolsYou - they notify, you respond
MDRA managed service wrapped around EDR: a 24/7 team that triages and respondsThe provider's security operations team
Where MDR sits relative to the tools and services it's often confused with.

Why Microsoft Defender on its own isn't the answer

We get this question on nearly every cyber security call: isn't Defender enough? Defender is genuinely capable now. We use it as the base layer on every managed endpoint, and for a lot of SMBs it's a better tool than the third-party antivirus they're replacing. So the honest answer is that the gap Defender leaves isn't a tooling gap - it's an operational one. Defender will detect a credential-theft attempt at 2am and raise an alert. The questions Defender can't answer on its own are: who sees that alert at 2am, who decides in the next ten minutes whether it's real, and who isolates the machine before the attacker moves laterally. That triage-and-respond loop is what an MDR service adds on top of the tool you already own.

The questions that actually separate providers

Once you've established that a provider responds rather than just alerts, these are the questions that surface the real differences. Ask them directly and make the answers specific:

  • Do you measure time-to-contain or just time-to-alert? Time-to-alert is how fast they notice. Time-to-contain is how fast the threat is actually stopped. The second number is the one that limits your blast radius, and it's the one vague providers won't commit to.
  • Do your analysts have the authority to isolate a machine without waiting for me to approve it? At 2am, a provider that has to phone you for permission before acting has already lost the window. The strong providers operate on a pre-agreed response mandate.
  • Is the 24/7 coverage real humans or an after-hours autoresponder? "24/7" can mean a staffed security operations centre or an automated alert queue that a human looks at when business hours resume. Ask who is awake at 3am on a Sunday and what they're authorised to do.
  • Do I have to run or tune a SIEM to make this work? If the answer is yes, the operational burden you were trying to outsource has quietly come back to you. The SMB-fit providers absorb that complexity.
  • What do you explicitly not do? Honest providers will tell you where the service stops - deep forensic attribution, legal and regulatory notification, threat hunting on bespoke infrastructure. A provider who claims to do everything either doesn't understand the work or is overselling.
  • How do you price it, and does an incident cost extra? Per-endpoint and per-user pricing are predictable; per-incident or usage-based pricing can spike at exactly the moment you're already under stress. Read the response clause, not just the monthly rate.

What we run, and why

Our stack is Microsoft Defender as the base detection layer, with a managed MDR service from Huntress wrapped around it. We chose Huntress because it was built for the SMB reality rather than retrofitted from an enterprise product: 24/7 human analysts, no SIEM for you to run, and incidents remediated in hours rather than handed back to you as a ticket. That combination closes the operational gap we described above without asking an eight-person business to staff a security operations centre it can't afford.

We're also clear about where the service stops, because the providers who aren't are the ones who disappoint you mid-incident. Our managed MDR plus incident-response retainer covers detection, containment, and recovery against a documented playbook. Deep forensic attribution and regulatory or legal notification are specialist engagements we coordinate for you, not perform in-house. That boundary is deliberate, and we'd rather state it on a quiet day than discover it together on a bad one.

Where to start

If you don't yet know what your current detection-and-response posture actually is, that's the first thing to establish - a Security Assessment tells you where the real gaps are before you buy anything. If you know you need the managed layer, our Cyber Security service is the Defender-plus-Huntress wrap described above, and our Incident Response retainer is the playbook you call when prevention wasn't enough. MDR is one strategy inside a broader posture, so it's worth seeing how it sits alongside the frameworks: the way CIS Controls and the Essential Eight map together shows where detection-and-response fits in the bigger compliance picture.

The MDR market is crowded and the marketing is noisy, but the buying decision comes down to something simple: when a real detection fires at the worst possible time, does someone act on it, do they have the authority to act fast, and are they honest about where their job ends. Get clear answers to those three and the shortlist sorts itself out.

Keep reading

More from the blog

Abstract Signal cover illustration.Strategy9 min read

Microsoft Copilot Cowork is GA: what it costs, and how to stay in control

Copilot Cowork is now generally available, and it is billed in a way that catches people out: a fixed seat plus a metered usage charge that can dwarf it. Here is how the pricing works, what it can cost, and every lever to cap the spend.

18 June 2026Read more
Read Microsoft Copilot Cowork is GA: what it costs, and how to stay in control
Abstract Signal cover illustration.Compliance9 min read

Asked for CIS Controls and the Essential Eight? Here's how they actually map.

Auditors and insurers increasingly want both CIS Controls v8 and the Essential Eight. They overlap, but they aren't the same shape. Here's the control-by-control mapping we use - and the four CIS controls the Essential Eight quietly leaves you exposed on.

6 June 2026Read more
Read Asked for CIS Controls and the Essential Eight? Here's how they actually map.
Abstract Signal cover illustration.How-to6 min read

When to refresh your office network (and what good looks like now)

Slow Wi-Fi gets blamed on laptops, broadband, and bad luck long before anyone blames the network. Here's how to tell when the network is the problem, and what a network worth keeping looks like in 2026.

4 June 2026Read more
Read When to refresh your office network (and what good looks like now)
Abstract Signal cover illustration.How-to7 min read

Azure for SMBs: what we run, and what you probably don't need

Azure is sold like an infinite menu, which is exactly why SMB cloud bills get out of hand. Here's the sensible footprint most small businesses actually need - and the enterprise sprawl you can safely ignore.

3 June 2026Read more
Read Azure for SMBs: what we run, and what you probably don't need
Abstract Signal cover illustration.Compliance6 min read

ML1 is enough. Most SMBs still overshoot.

The Essential Eight has three maturity levels. Most SMBs reach for ML2 or ML3 because the number looks better. Here's why ML1, done honestly, beats ML2 done badly - and what the gap actually costs.

24 May 2026Read more
Read ML1 is enough. Most SMBs still overshoot.
Abstract Signal cover illustration.Opinion4 min read

Why we publish our prices (and most MSPs don't)

The argument for transparent pricing, the objections we get, and the customers it brings - unfiltered. A post we've been threatening to write for two years.

27 Mar 2026Read more
Read Why we publish our prices (and most MSPs don't)
Abstract Signal cover illustration.How-to11 min read

Copilot rollout playbook: from license to measured productivity

Microsoft 365 Copilot is the most expensive per-user add-on a business will add this year. Most rollouts fail on the prep, not the technology. Here's the sequence we use to make sure it actually pays for itself.

14 Mar 2026Read more
Read Copilot rollout playbook: from license to measured productivity
Stay in the loop

Get the next post in your inbox

If this was useful, the next one will be too. Summaries plus a monthly digest on managed IT, the Essential Eight, and Australian SMBs - unsubscribe anytime.

Monthly digest and post summaries. We use Resend (United States) to deliver email. See our Privacy Policy.