The SMB buyer's guide to Managed Detection and Response
Every MDR vendor's site says the same things. Here's how to actually tell them apart: the difference between an alert and a response, who's watching at 2am, and the questions that separate real 24/7 detection from a dashboard you'll never open.
Read five MDR vendor websites back to back and you'll struggle to tell them apart. Everyone has 24/7 monitoring, everyone has automated detection, everyone has expert analysts. The language is interchangeable because the category is genuinely useful and everyone is racing to claim it. The problem for a buyer is that the words that matter most - what happens in the minutes after something is detected, and who actually does it - are the ones the marketing skips. This is the guide we wish prospects had read before calling us.
What MDR actually is, and what it isn't
MDR sits on top of detection tooling. The tooling - endpoint detection and response (EDR), which is the modern successor to antivirus - watches your devices and flags suspicious behaviour. MDR is the managed service wrapped around that tooling: a security operations team that monitors the alerts around the clock, decides which ones are real, and takes action when one is. The detection part is increasingly commoditised. The management part is the whole point.
It helps to place MDR against the things it's often confused with. EDR is the tool, not the service - buying EDR and leaving it for your IT person to watch is how most SMBs end up with an expensive dashboard nobody opens. An MSSP (managed security service provider) traditionally forwards you alerts and leaves the response to you, which is the gap MDR exists to close. A SIEM is a log-aggregation platform that needs a skilled team to run; if a provider's MDR requires you to stand up and tune a SIEM, that's a cost and a burden they've quietly handed back to you. The shorthand: EDR detects, MDR responds, and the response is the bit you're paying for.
Why Microsoft Defender on its own isn't the answer
We get this question on nearly every cyber security call: isn't Defender enough? Defender is genuinely capable now. We use it as the base layer on every managed endpoint, and for a lot of SMBs it's a better tool than the third-party antivirus they're replacing. So the honest answer is that the gap Defender leaves isn't a tooling gap - it's an operational one. Defender will detect a credential-theft attempt at 2am and raise an alert. The questions Defender can't answer on its own are: who sees that alert at 2am, who decides in the next ten minutes whether it's real, and who isolates the machine before the attacker moves laterally. That triage-and-respond loop is what an MDR service adds on top of the tool you already own.
The questions that actually separate providers
Once you've established that a provider responds rather than just alerts, these are the questions that surface the real differences. Ask them directly and make the answers specific:
- Do you measure time-to-contain or just time-to-alert? Time-to-alert is how fast they notice. Time-to-contain is how fast the threat is actually stopped. The second number is the one that limits your blast radius, and it's the one vague providers won't commit to.
- Do your analysts have the authority to isolate a machine without waiting for me to approve it? At 2am, a provider that has to phone you for permission before acting has already lost the window. The strong providers operate on a pre-agreed response mandate.
- Is the 24/7 coverage real humans or an after-hours autoresponder? "24/7" can mean a staffed security operations centre or an automated alert queue that a human looks at when business hours resume. Ask who is awake at 3am on a Sunday and what they're authorised to do.
- Do I have to run or tune a SIEM to make this work? If the answer is yes, the operational burden you were trying to outsource has quietly come back to you. The SMB-fit providers absorb that complexity.
- What do you explicitly not do? Honest providers will tell you where the service stops - deep forensic attribution, legal and regulatory notification, threat hunting on bespoke infrastructure. A provider who claims to do everything either doesn't understand the work or is overselling.
- How do you price it, and does an incident cost extra? Per-endpoint and per-user pricing are predictable; per-incident or usage-based pricing can spike at exactly the moment you're already under stress. Read the response clause, not just the monthly rate.
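As an added illustration (not from the original post or from any provider's tooling), here is a small script that turns a set of incident reports into the two numbers the first question asks for, time-to-alert beside time-to-contain, and checks whether out-of-hours incidents were actually contained quickly or waited on customer approval. The record fields and the five sample incidents are assumed and constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass
class Incident:  # assumed fields, modelled on what an incident report might carry
    name: str
    detected: datetime         # EDR raised the detection
    alerted: datetime          # a human analyst acknowledged it
    contained: datetime        # host isolated / threat stopped
    waited_for_approval: bool  # analyst had to phone the customer before acting

# Constructed sample incidents (not real data), March 2024
SAMPLE = [
    Incident("cred-theft-sunday", datetime(2024, 3, 3, 2, 10), datetime(2024, 3, 3, 2, 14), datetime(2024, 3, 3, 2, 31), False),
    Incident("phish-payload-weekday", datetime(2024, 3, 5, 10, 5), datetime(2024, 3, 5, 10, 7), datetime(2024, 3, 5, 10, 40), False),
    Incident("lateral-move-friday-night", datetime(2024, 3, 8, 23, 30), datetime(2024, 3, 8, 23, 33), datetime(2024, 3, 9, 8, 45), True),
    Incident("ransomware-precursor-weekday", datetime(2024, 3, 12, 15, 0), datetime(2024, 3, 12, 15, 6), datetime(2024, 3, 12, 15, 22), False),
    Incident("rogue-tool-saturday", datetime(2024, 3, 16, 13, 20), datetime(2024, 3, 16, 13, 25), datetime(2024, 3, 18, 9, 10), True),
]

def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def percentile(values, p: float) -> float:
    """Nearest-rank percentile, so no numpy dependency."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1]

def out_of_hours(ts: datetime) -> bool:
    """Weekend, or outside 08:00-18:00 local: the '3am on a Sunday' case."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def scorecard(incidents) -> dict:
    """Time-to-alert beside time-to-contain, plus whether out-of-hours response is real."""
    tta = [minutes(i.detected, i.alerted) for i in incidents]
    ttc = [minutes(i.detected, i.contained) for i in incidents]
    ooh = [i for i in incidents if out_of_hours(i.detected)]
    return {
        "median_time_to_alert_min": median(tta),
        "median_time_to_contain_min": median(ttc),
        "p95_time_to_contain_min": percentile(ttc, 95),
        "out_of_hours_incidents": len(ooh),
        "out_of_hours_contained_within_60_min": sum(minutes(i.detected, i.contained) <= 60 for i in ooh),
        "contain_waited_on_customer": sum(i.waited_for_approval for i in incidents),
    }

if __name__ == "__main__":
    print(scorecard(SAMPLE))
```

On the constructed sample the median time-to-alert is four minutes while the slowest containment is over 40 hours, which is exactly the gap a time-to-alert figure on its own would hide.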
What we run, and why
Our stack is Microsoft Defender as the base detection layer, with a managed MDR service from Huntress wrapped around it. We chose Huntress because it was built for the SMB reality rather than retrofitted from an enterprise product: 24/7 human analysts, no SIEM for you to run, and incidents remediated in hours rather than handed back to you as a ticket. That combination closes the operational gap we described above without asking an eight-person business to staff a security operations centre it can't afford.
We're also clear about where the service stops, because the providers who aren't are the ones who disappoint you mid-incident. Our managed MDR plus incident-response retainer covers detection, containment, and recovery against a documented playbook. Deep forensic attribution and regulatory or legal notification are specialist engagements we coordinate for you, not perform in-house. That boundary is deliberate, and we'd rather state it on a quiet day than discover it together on a bad one.
Where to start
If you don't yet know what your current detection-and-response posture actually is, that's the first thing to establish - a Security Assessment tells you where the real gaps are before you buy anything. If you know you need the managed layer, our Cyber Security service is the Defender-plus-Huntress wrap described above, and our Incident Response retainer is the playbook you call when prevention wasn't enough. MDR is one strategy inside a broader posture, so it's worth seeing how it sits alongside the frameworks: the way CIS Controls and the Essential Eight map together shows where detection-and-response fits in the bigger compliance picture.
The MDR market is crowded and the marketing is noisy, but the buying decision comes down to something simple: when a real detection fires at the worst possible time, does someone act on it, do they have the authority to act fast, and are they honest about where their job ends? Get clear answers to those three and the shortlist sorts itself out.
