Market Guide for Managed Detection and Response

1 October 2025 - ID G00825701 - 30 min read
By Pete Shoard, Andrew Davies, and 1 more
MDR services provide customers with remotely delivered, human-led, turnkey, modern SOC functions, ultimately delivering cyberattack disruption and containment. Cybersecurity leaders should use this research to identify MDR services that meet their business-driven risk requirements.

Overview


Key Findings

  • Misnamed technology-first offerings that fail to deliver human-driven managed detection and response (MDR) services are not aligned with buyers looking to identify and select an outcome-driven service.
  • Turnkey, human-delivered, threat detection, investigation, and response (TDIR) capabilities are a core requirement for buyers of MDR services, who demand remotely delivered services deployed quickly and predictably.
  • MDR buyers routinely ask providers to extend their requirements beyond the detection of and response to threats, to include the proactive identification and mitigation of threat exposures.
  • As MDR customers mature their SOC operations internally and AI-driven solutions initiate measures for active containment or disruption of a threat or an exposure, the requirements for a typical MDR solution are evolving. Trust and transparency in delivery technologies and a pathway to self-service are becoming increasingly important to MDR buyers.

Recommendations

Cybersecurity leaders responsible for security operations should:
  • Use MDR services to obtain 24/7, remotely delivered, human-driven security operations capabilities when there are no existing internal capabilities. MDR services should also be used when the organization needs to accelerate or augment existing security operations capabilities.
  • Investigate whether the MDR provider’s service can align with your business-driven requirements by using RFPs and proofs of concept (POCs), and if necessary, by validating core, must-have requirements such as data residency requirements. Determine whether it can provide actionable findings that internal teams can successfully react to, rather than settling for recited technology outputs with no added analysis.
  • Assess how the MDR provider’s containment approach and incident reporting can integrate with your organization. Also decide whether and what type of actions can be performed on your behalf to align with business requirements as well as compliance, legal policy, and government regulation.
  • Attain the maximum benefit from MDR services by preparing response workflow processes and integrating existing ticket management systems. This will ensure an outcome-driven response for the business.

Strategic Planning Assumption


By 2028, 50% of findings from managed detection and response providers will be focused on, or include detail on, threat exposures, up from 20% today.

Market Definition


Gartner defines managed detection and response (MDR) services as those that provide customers with remotely delivered security operations center (SOC) functions. These functions allow organizations to perform rapid detection, analysis, investigation and response through threat disruption and containment. They offer a turnkey experience, using a predefined technology stack that commonly covers endpoints, networks, logs and cloud. Telemetry is analyzed within a provider’s platform using a range of techniques. The MDR provider’s analyst team then performs threat hunting and incident management to deliver recommended actions to their clients.
MDR offers outcome-driven security incident management that is predicated on the detection, analysis and investigation of potentially impactful security events and the delivery of active threat disruption and containment actions to respond to and mitigate the impact of cyber breaches.

Mandatory Features

The mandatory features for this market include:
  • A remotely delivered, provider-hosted and provider-operated shared technology stack that enables and coordinates real-time threat detection, investigation and active mitigating response. This technology stack can be developed by the MDR provider, or an integrated set of commercial technologies that use modern techniques (like APIs) to exchange data and instructions. This capability can also be achieved through a combination of both approaches.
  • 24/7 staffing that recognizes customer-specific cyber-risk-based use cases, engages daily with individual customer data, and has skills and expertise in threat monitoring, detection and hunting, threat intelligence (TI) and remote response.
  • The availability of immediate remote mitigative response, investigation and containment activities (such as quarantining hosts), beyond alerting and notification, delivered and coordinated by the service provider’s staff and preapproved by end users.

Common Features

The common features for this market include:
  • Telemetry coverage of identity and email/collaboration tools, Internet of Things (IoT) and operational technology (OT) device monitoring, and cloud services (particularly SaaS), as well as identity data from an array of common identity and access management (IAM) providers.
  • Turnkey delivery, with predefined and pretuned processes and regularly evolving detection content. It includes a standard playbook of workflows, procedures and analytics, requires a minimum viable set of telemetry to deliver services, and offers integration with third-party detection and response technologies beyond provider-owned technologies.
  • Additional contextual data sources providing details of security exposures such as vulnerabilities, attack surface visibility, and brand and reputational analysis, as well as security assessment and validation capabilities, such as breach and attack simulation (BAS), which analyze the efficacy of security controls and response processes, and provide clients with guidance on how to improve their defensive posture and remediate misconfigured security controls.
  • Digital forensics and incident response (DFIR) retainer capabilities offering call-off remote or deployable staff to carry out deep dive incident and root cause analysis.
  • Incident management capabilities that track, measure and suggest improvements and automation opportunities for the remediation actions involved in response workflows.
  • Hypothesis-driven threat hunting, where clients are able to identify specific threat hunt targets to determine whether a threat actor was responsible. The focus would be on users of interest, or on cases where privileged data is known to have entered public circulation. This capability is different from the threat hunting included as part of MDR, which hunts for known threat techniques.
  • Triaging, investigating and managing responses to all discovered threats, regardless of priority, and the provision of incident tickets that include the likely objectives of attacks, degrees of success, impact on the business and remedial actions that the client must take. There must be no limitations on volumes or time dedicated to the discovery and investigation process.

Market Description


MDR provides customers with remotely delivered, human-led security operations center (SOC) functions for the purposes of reporting, rapid detection, analysis, and investigation of threats and exposures. MDR also provides remote mitigative response to such threats (see Note 1).
MDR service providers deliver these capabilities using a range of cybersecurity technologies — these are commonly endpoint- and network-driven, but increasingly involve cloud services layers, SaaS, and custom applications. Service deliverables are context driven outputs that are investigated and validated by human operators. In addition, connectivity to adjacent capabilities provides contextual information (e.g., identity and user, threat exposure, and business criticality) to improve and validate threat detection. Providers develop threat-focused content and analytics, also known as detection engineering, and apply threat intelligence (TI), whether developed in-house, purchased from third parties, or a combination of both approaches. Providers also apply manual and automated disruption and containment activities — such as host isolation, account lockout, and network blocking (see Figure 1).
Proactive capabilities are becoming more prevalent in MDR services, with threat hunting increasingly used to augment real-time threat detection. It can find attackers employing tactics, techniques, and procedures (TTPs) that have avoided customers’ prevention and detection capabilities or validate the lack of threat evidence in an environment. Exposure assessments deliver intelligence about the current posture of the technologies used by the organization, digital asset compromise such as leaked credential monitoring and traditional vulnerability identification, providing detailed guidance on how to mitigate or remediate such issues.
Hypothesis-driven threat hunting remains a common customer-driven request as an add-on component to MDR services, delivering ad hoc engagements led by business requirements. This type of threat hunting should not be confused with everyday threat hunting, which should be included as a standard part of an MDR service. Offensive testing and exercises have also gained popularity due to emerging compliance frameworks such as DORA and NIS2. Furthermore, there is significant board-level desire to support the need for cybersecurity capabilities to be more proactive and to better justify investment and associated risk reduction. Offensive exercises, like incident response and hypothesis-driven threat hunts, are most commonly aligned as an add-on service, delivered as call-off consultancy.
Figure 1: Managed Detection and Response and Adjacent Services
Managed detection and response (MDR) and adjacent services deliver proactive capabilities (exposure assessment and exposure validation) and reactive capabilities (incident investigation and threat hunting). These capabilities are delivered through third-party apps, cloud services and network devices.
MDR services are designed primarily to reduce the time between detecting and responding to threats and provide an assessment of current exposures to threats. MDR services deliver outcomes enabled by technology; therefore, the insight provided by the service staff is core to the value proposition. Alternative service models such as co-managed security monitoring provide greater access to the TDIR-capable technology, enabling customization and more hands-on engagement by the buyer, including the ability to self-respond through preconfigured playbooks (see Market Guide for Co-Managed Security Monitoring Services). MDR services should, in contrast, primarily be viewed as a way to gain efficiency in the identification and mitigation of common threats and exposures rather than an all-encompassing SOC capability.

Market Direction


MDR is an established services market, providing detection and response to enterprise customers (see Gartner’s DataHub: Forecast - Information Security — Q3 2025). End-user spending growth is forecast to outpace other managed security services at 9.6% globally, and emerging regions are expected to have far faster uptake, with Asia/Pacific at 19% CAGR.
Successful MDR service providers focus on high-fidelity threat detection, investigation, and mitigative response, with meaningful and human-interpretable reporting aligned with business-focused risks. The provider takes responsibility for determining how threats are detected. Customers have little opportunity to customize threat detection use cases relative to their environment, but are encouraged to communicate risk-based requirements to ensure relevant use cases are implemented. Such requirements might include identifying critical business functions and the assets they depend on, or significant personnel or data, and the impact their disruption or compromise may cause.
Buyers should not expect the distinct or specific customization that would be available in more consultancy- and/or professional-services-led efforts as part of the core MDR service. Customization may be offered as an add-on or adjacent service capability, or is more appropriate for delivery via a co-managed security monitoring service. To achieve the required scale, a common delivery platform for all customers providing centralized reporting is essential. A common delivery platform ensures all customers receive a common set of threat intelligence and detection content, and therefore a comparable service experience. This adds maturity to established SOC capabilities within organizations, and provides an immediate level of maturity to those with little existing capability.
Dealing with exposure to threats is seen by CISOs and other members of business leadership teams as at least as important as reactive cybersecurity, if not more important. This was demonstrated in the 2024 Gartner Security Operations Survey, which found that 73% of organizations consider a red team role a significant or highly significant contributor to security operations goals. This combination of senior leadership’s desire to be more proactive toward threat exposure and a recognition of the significance of offensive security roles in security operations is driving the development of exposure capability in MDR services.
Expansion into cloud services has increased the visibility gap for organizations that now regularly suffer attacks via the supply chain. The ability to monitor infrastructure-as-a-service (IaaS) and SaaS platforms, as well as popular online applications — especially apps like Google Workspace, Microsoft 365, Salesforce, SAP, and Workday — is now seen as a clear differentiator. Understanding how threat actors operate in these environments, and the wide variety of data types available to monitor, is both complex and time-consuming to orchestrate, and is a natural candidate for outsourcing. Threats and mitigations for such platforms tend to gravitate around identity-based cybersecurity capabilities as a common denominator to coordinate and correlate across such a diverse set of technologies.
Of course, AI and automation feature greatly in the arsenal of capabilities used by service providers. However, a growing set of technology solutions is being seen to utilize the MDR label and offer their capabilities as an alternative to a human-led managed service. This should not be seen as an evolution in the MDR market itself, but as a subtle shift in aspects of the delivery mechanism, coverage, and an opportunity for increased overall value delivered by providers in the space. Automation will infiltrate all aspects of service offerings, and arguably has done so for some years, but those services that operate dynamic detection engineering and threat intelligence teams will continue to outpace automation and identify and advise countermeasures that combat the latest and most innovative threat actors.
MDR services are available from a range of providers (well above 600 providers as of this research). These providers may be focused specifically on the MDR market opportunity and dedicated to providing only detection and response services. Additionally, these providers may offer detection and response as well as wider IT cybersecurity-specific services or cybersecurity technology offerings. MDR services are also available through managed security service providers (MSSPs), who offer MDR as part of a larger catalog of managed technology, cybersecurity services, or consultancy.
Many MDR providers also target verticals where they can offer industry-specific expertise and services and compatibility for niche technologies in the cyber-physical systems (CPS) space. This includes critical infrastructure, manufacturing, and healthcare, all of which have privacy, safety, and reliability risk concerns.
Having an MDR provider detect a threat is meaningless without your own preplanned, timely incident response processes to deal with the potential impacts of that threat.

Market Analysis


The key value proposition of MDR is the human interpretation of cybersecurity incidents and identified threat exposures, outlining their potential impact on an organization. MDR also provides guidance on remediation and, in many cases, will perform the initial mitigation steps, delivering that guidance in a consumable format for issues that would commonly be complex to understand and act on. By providing context-led investigation, analysis, and mitigation (taking action to disrupt or contain an attack or mitigate an exposure to a risk), the MDR provider can buy time for the customer to perform further investigation and ultimately remediate discovered issues utilizing their internal standardized response processes.
Providing a mitigative response to disrupt or contain threats is a core capability of MDR service providers. Due to the prevalence of endpoint detection and response (EDR) technology providers offering an MDR service wrapper for their technology, many of these mitigative response actions are centered around using EDR solutions. However, increasingly, demands for more granular, less impactful mitigations are being made. The increased prevalence of SaaS and cloud-centric businesses enhances response requirements that utilize identity-related mitigations (such as time-bounded account restrictions in authentication systems).

Buyers Struggle to Differentiate Between MDR Service Providers

A variety of MDR service approaches address a range of buyers. Buyer types include:
  • Organizations that have TDIR capability investments but consider themselves unable to manage these technology investments effectively due to inadequate team size or skill sets.
  • Organizations that have not invested in or developed TDIR capabilities and require support in both grassroots setup and long-term maintenance and oversight of a capability.
  • Organizations that have a SOC and want to use services to create efficiency in their teams and expand the availability of existing resources to carry out more business-focused threat defense. This includes situations where requirements align with key business objectives and risks; for example, manufacturers focusing on the availability of OT environments.
  • Organizations that have a long-term vision of owning TDIR capabilities internally but need to achieve a level of maturity quickly. Additionally, these organizations want to use services to provide interim coverage while they hire, skill up, and develop requirements for SOC operations.
Expectations from buyers of MDR are that providers must operate a single technology centrally in a multitenant fashion to achieve the scale and consistency demanded. In addition, MDR must achieve the benefits of the provider’s global visibility around detection content and relevance. There is no mandated technology type choice, nor a set of telemetry that is required to deliver an MDR service. However, for most engagements, a breadth of experience with endpoint-, network-, identity-, cloud-, SaaS-, and application-driven detection platforms and telemetry is preferable. Extensions into CPS systems are available; however, they are rarely called out by buyers separately from core IT security requirements. Organizations recognize that cyberthreats are cyberthreats, no matter the system they reside in.
Buyers continue to face challenges with service naming and marketing language that has often overpromised and underdelivered. Core service deliverables and outcomes should broadly be the same for all providers in this market. However, some providers describe and offer their services as MDR when they are not delivered as a buyer might expect or in alignment with how MDR is described in this guide. Challenges with market language are also further hindered by the promise of autonomous or AI-driven MDR services and an increasing confusion as to what differentiates a managed service from a technology delivered as a service.
End users regularly invest in their own cybersecurity technology stacks before they look to adopt MDR services. Most commonly, services are data-source neutral and do not mandate a particular investment in a specific brand of technology; however, there is a specific group of providers in the market that both manufacture cybersecurity technology and provide MDR services. These providers naturally prefer, and sometimes mandate, the use of their technology ecosystem, which is reflected in their pricing and in the diversity of coverage they are able to offer. Buyers who are unwilling or unable to replace the cybersecurity technology investments they have made require an MDR provider who can adapt to or integrate with their adopted cybersecurity technologies.
Where MDR providers are more flexible about using cybersecurity technologies already owned by buyers, it should be expected that they will still have a preferred set of technologies and vendors that are supported, and limitations often focus on how telemetry is utilized (investigational use cases versus detection use cases). Usually, willingness to take on alternative data sources will depend on the ease of integration (e.g., through APIs or compatibility with standards such as the Open Cybersecurity Schema Framework [OCSF]) and the utility of that technology (e.g., the ability to mimic existing preferred telemetry sources or support incident response activities).
There are also a number of circumstances under which cybersecurity investments are included as part of wider infrastructure and SaaS subscriptions. These are now commonplace as the primary supported technology, with some technology vendors specifically developing capabilities to enable tiered management of the platforms. These technology vendors give third-party providers access and control on top of existing internal access for cybersecurity teams.
To enable a minimum viable level of service capability, buyers must expect that providers will mandate a minimum set of telemetry required to enable the service and to deliver consistent, high-quality outputs. Support for the capability to remotely respond to threats and provide threat mitigation is almost exclusively dependent on API-level integrations with predetermined technology. Buyers who choose to engage in MDR services where this compatibility does not exist will have to accept a passive engagement that is more advisory in nature.

The Impact of AI on Services

The increasing traction of AI SOC capabilities has had an impact on the perception of and the potential delivery mechanisms for MDR services (see Gartner’s Hype Cycle for Security Operations, 2025). At present, such capabilities are in the early stages and are undertested regarding their accuracy and reliability. Service providers should be expected to utilize AI agents and automation for the purposes of increasing efficiency in their delivery, enabling them to do more for clients and spend less effort on mundane repetitive issues. At the same time, many technology vendors that offer TDIR-capable solutions such as SIEM, EDR, and NDR are attaching AI functionality to these products, reducing the overhead and burden of mundane tasks for end users (see Prepare for SIEM Evolution). The quandary for many organizations considering engaging an MDR provider is that there may be a technology comparatively capable of delivering outputs in line with their MDR service provider.
Offerings entering the marketspace in 2025 already include some solutions that position themselves as AI MDR; however, Gartner maintains that MDR is a human-led service that “engages daily with individual customer data, and has skills and expertise in threat monitoring.” While there is undoubtedly some functionality carried out by MDR providers manually today that can be automated, it is incomparable to position a technological solution against the dynamic innovation that is expected by consumers of a human-led service (see Predict 2025: There Will Never Be an Autonomous SOC). Such offerings are better compared directly against the technological capabilities of TDIR-capable solutions. Consumers should demand clarity regarding what is machine-operated versus the insights offered by cyberthreat analysts. The pace of change is likely to be great, and those providers in the MDR market that do not develop threat detection and exposure management capabilities fast enough may be overtaken by technological solutions.
The split between machine intelligence and human intelligence in services will mostly be in the interpretive layer, helping clients answer, “What does this threat specifically mean for my company’s risk posture?” and “How should we best react to preserve our current operations with minimal business impact?” AI and automation have not and will not serve to replace a good and effective MDR service. Instead, they will enhance their reach and efficiency to deliver impactful outcomes for clients.

Reduce Focus on Traditional IT

While endpoint and email threats are still prevalent and high in volume, the rapid rates of development in automated triage functions, the shift toward more modern infrastructure approaches, and the net improvement in detection and remediation of these issues at the source, make them a low-value target for cybersecurity service requirements. Service buyers need to be acutely aware of the difference between the value that a technology brings versus the value that a service offers. Service requirements should focus on the interpretation of business impact and actions that technology is incapable of, and those that are high-impact to the protection of the business mission.
Modern infrastructure includes the use of SaaS, IaaS, third-party subscriptions, social media, open-source tools, and a wide variety of internally developed applications, often using more modern tools like serverless computing. The traditional model of on-premises devices, boundary firewalls, and endpoint devices is becoming irrelevant to the core risks faced by businesses. Importantly, there are two focus areas for threat management in modern infrastructures: exposure and identity.
MDR buyers demand compatibility for the areas of their infrastructure that are most critical to their mission. This means greater visibility into not just active threats but exposure to potential threats (see Use Continuous Threat Exposure Management to Reduce Cyberattacks). With a lack of direct cybersecurity control on infrastructure provided by third-party services, reducing exposure to threats requires more granular configuration, access control, and reduction of data visibility, as these are sometimes the only mechanisms available. Furthermore, being able to take immediate and direct mitigative action to reduce exposure in those areas, and mitigative response to active threats, is essential for an effective MDR service. “Identity” is arguably the most important piece in the puzzle, and it is one of the few areas of commonality among a soup of different technologies, providers, applications, and subscriptions (see Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response).

Services Must Deliver Mitigative Response

Gartner clients look to MDR providers to be their first level of defense, to find and contextualize cybersecurity issues or be an extended part of their existing SOC (see The Security Operation Leader’s First 100 Days). Clients expect their providers to be able to perform investigation, containment, and exposure reduction on their behalf. Customers regularly allow MDR providers to perform remote disruption and containment activities to support internal incident response processes, with larger numbers of preagreed actions and scenarios.
Organizations that depend on MDR services for the bulk of their security operations functions have reported that they are highly likely to reject MDR providers that cannot take mitigative response actions against threats and exposures on their behalf.
Buyers can be uncomfortable with providers directly performing actions on their behalf. Therefore, buyers want easy mechanisms to approve or initiate any exposure reduction, threat disruption, or containment actions themselves. Preagreed actions and scenario playbooks provide transparency for specific threats and often limit the actions of MDR providers to low-impact or easily reversible actions.
A full response or remediation of a threat event is not typically something performed by MDR providers. However, cybersecurity leaders must demand threat disruption and containment from their service providers. Remediation activities self-administered by the client should be a logical set of well-established, follow-on internal processes that are put into action once MDR providers have disrupted or contained threats. Remediation must be internal because it is difficult for an MDR provider to carry out full response activities and know categorically that it won’t impact legitimate business functions unnecessarily. As an additional service, some MDR providers that offer incident response retainers may also assist with the recovery phase (see Market Guide for Digital Forensics and Incident Response Retainer Services). However, this is most often a purely investigational and advisory capability, and it is not the same as the mitigative response included in MDR.
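One way to make the preagreed, low-impact action scope described above machine-checkable, so that a proposed containment step is either executed, held for customer approval, or refused as full remediation. This is an added example, not code from Gartner or any MDR provider; the scenario names, asset tags, targets and time limits are constructed for illustration.

```python
"""Preapproved-action check for MDR mitigative response.

Added illustration, not code from Gartner or any MDR provider. A customer's
preagreed playbooks are encoded as data, and each proposed containment action
is classified as 'execute' (within preagreed scope), 'needs_approval' (the
customer must confirm) or 'denied' (remediation the provider should not do
unilaterally). All scenario names, tags, targets and limits are constructed.
"""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Optional, Set, Tuple

# Disruption/containment actions that are easy to reverse; only these are
# candidates for execution without a fresh customer decision.
REVERSIBLE_ACTIONS = {"isolate_host", "disable_account", "revoke_sessions", "block_ip"}


@dataclass(frozen=True)
class ProposedAction:
    action: str                            # e.g. "isolate_host"
    target: str                            # hostname, account or IP
    scenario: str                          # detection use case that triggered it
    duration: Optional[timedelta] = None   # for time-bounded restrictions


@dataclass
class Playbook:
    """One preagreed scenario: what may be done immediately, and its limits."""
    scenario: str
    auto_actions: Set[str]
    max_duration: Optional[timedelta] = None             # cap for time-bounded actions
    excluded_tags: Set[str] = field(default_factory=set)  # assets that need a human OK


@dataclass
class Policy:
    playbooks: Dict[str, Playbook]
    asset_tags: Dict[str, Set[str]]   # target -> tags such as {"critical", "ot"}


def evaluate(policy: Policy, proposed: ProposedAction) -> Tuple[str, str]:
    """Return (decision, reason) for a proposed mitigative action."""
    playbook = policy.playbooks.get(proposed.scenario)
    if playbook is None:
        return "needs_approval", f"no preagreed playbook for scenario '{proposed.scenario}'"
    if proposed.action not in REVERSIBLE_ACTIONS:
        # Full remediation (wipes, rebuilds, deletions) stays with the client.
        return "denied", f"'{proposed.action}' is not a reversible containment action"
    blocked = policy.asset_tags.get(proposed.target, set()) & playbook.excluded_tags
    if blocked:
        return "needs_approval", f"target carries excluded tag(s) {sorted(blocked)}"
    if proposed.action not in playbook.auto_actions:
        return "needs_approval", f"'{proposed.action}' is not preapproved for '{proposed.scenario}'"
    if playbook.max_duration is not None and (
        proposed.duration is None or proposed.duration > playbook.max_duration
    ):
        return "needs_approval", f"duration must be set and at most {playbook.max_duration}"
    return "execute", "within preagreed scope"


# Constructed sample policy: two preagreed scenarios and a small asset inventory.
SAMPLE_POLICY = Policy(
    playbooks={
        "ransomware_precursor": Playbook(
            scenario="ransomware_precursor",
            auto_actions={"isolate_host"},
            excluded_tags={"critical", "ot"},   # OT gateways need a human decision
        ),
        "credential_compromise": Playbook(
            scenario="credential_compromise",
            auto_actions={"disable_account", "revoke_sessions"},
            max_duration=timedelta(hours=4),    # time-bounded account restriction
        ),
    },
    asset_tags={"ws-0142": set(), "plc-gw-07": {"ot", "critical"}},
)

# Constructed proposals, as an analyst or automation might raise them.
PROPOSALS: List[ProposedAction] = [
    ProposedAction("isolate_host", "ws-0142", "ransomware_precursor"),
    ProposedAction("isolate_host", "plc-gw-07", "ransomware_precursor"),
    ProposedAction("disable_account", "j.doe", "credential_compromise", timedelta(hours=2)),
    ProposedAction("disable_account", "j.doe", "credential_compromise"),
    ProposedAction("wipe_host", "ws-0142", "ransomware_precursor"),
    ProposedAction("block_ip", "203.0.113.5", "phishing_click"),
]


def run_demo(policy: Policy = SAMPLE_POLICY) -> List[Tuple[str, str, str]]:
    """Evaluate every proposal; returns (action, target, decision) triples."""
    results = []
    for p in PROPOSALS:
        decision, reason = evaluate(policy, p)
        print(f"{decision:14} {p.action:16} {p.target:12} {reason}")
        results.append((p.action, p.target, decision))
    return results


if __name__ == "__main__":
    run_demo()
```

The order of checks matters: an action that is not reversible is refused before any scope check, so a playbook can never be written that lets the provider perform full remediation automatically.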

Security Operations Processes Cannot Be Fully Outsourced

MDR can be a compelling offering, but like all varieties of managed security, it is not an all-encompassing solution. Some of the most progressive MDR providers are business-risk-aligned. However, it is important to quantify whether the service they offer stems from your organization’s specific risk-focused requirements and delivers outcomes internal teams can act on. Focus on the details of the outcomes MDR providers offer, and identify the best way to integrate an MDR service provider’s outputs and coverage into your own internal incident response processes (see Note 2). Integrating and fine-tuning both MDR and internal cybersecurity processes is critical if you hope to improve overall outcomes. It is also important to allow internal resources to work with your providers. Offering details regarding new risks, business changes, and updates to infrastructure (new apps, networks, etc.) will improve outcomes and help maintain good working relationships with providers.

Diversification by Some MDR Market Providers

A divestiture of some service provider offerings toward directly competing with technology, and an increase in “as-a-service” demands, have driven a number of MDR providers to offer their service delivery technologies directly to more mature or maturing buyers as a subscription. This addition to portfolios is not a direct expansion of MDR capabilities. However, it does show willingness and openness from MDR vendors to let clients see “under the hood.” It will also support a natural maturity evolution for clients that want more control over and visibility into their cybersecurity events and issues. Buyers who do want more control and want to mature internal security operations are now investing in co-managed security monitoring services more frequently, in addition to an MDR service.
A number of providers have created branding for their SSDPs and encouraged end users to migrate away from service offerings. With many reaching a “peak” of scalability for their MDR businesses, they have proactively looked at other revenue streams. End users should be careful not to choose the do-it-yourself (DIY) option when they need MDR-level support. Overall, the availability of self-service capabilities should provide some diversity in content and functionality, broadening the pool of available talent to improve detections. Yet, no extensions into the exposure assessment space have been observed in these areas. As a more recently emerged capability for MDR providers, it is expected that some maturity in the platforms and integrations will be required before a formal self-service option appears on the open market.

MDR Market Merger and Acquisition Activity

During the past 12 months, there have been many acquisitions in this market. Examples include:
In 3Q24 and 4Q24:
  • Cyderes acquired Ipseity Security
  • Lumifi acquired Critical Insight and Netsurion
  • Arctic Wolf acquired Cylance
  • Quorum Cyber acquired Difenda
In 1Q25 and 2Q25:
  • WatchGuard Technologies acquired ActZero
  • Deepwatch acquired Dassana
  • Integrity360 acquired Nclose
  • Fortra acquired Lookout Cloud Security
  • Sophos acquired Secureworks
  • Bitdefender acquired Mesh Security
  • Zscaler acquired Red Canary
  • LevelBlue acquired Trustwave
Cybersecurity leaders need to be prepared for the fact that providers will continue to be acquired in a rapidly growing market.

Representative Vendors


The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Vendor Selection

Gartner has included a range of providers in this research to ensure coverage from a geographical, vertical, and capabilities perspective. Gartner estimates that more than 600 providers in this market claim to offer MDR services. Those included in this Market Guide represent a combination of those that:
  • Are consistently visible to Gartner clients (based on inquiries in the prior 18 months and through Gartner Peer Insights reviews from the prior 12 months)
  • Are variable in size and distribution to reflect the buying population
  • Have a clear end-user and outcome-focused offering distinct from pure technology-driven offerings
A list of 30 representative vendors is provided in Tables 1 and 2, separated by those vendors that have dedicated, self-developed technology offerings available for sale independently, and those vendors that utilize and support third-party technologies exclusively.
These lists are not intended to be a list of all the providers in the MDR services market. They are not, nor are they intended to be, a competitive analysis.

Table 1: Cybersecurity Technology Vendors Providing Managed Detection and Response Services

Provider | Service name | Headquarters
--- | --- | ---
Bitdefender | MDR Advanced/Enterprise | Bucharest, Romania
CrowdStrike | Falcon Complete | Sunnyvale, California, U.S.
Cybereason | Cybereason MDR Complete | Boston, Massachusetts
Darktrace | Managed Detection and Response | Cambridge, U.K.
ESET | MDR Ultimate | Bratislava, Slovakia
Palo Alto Networks | Unit 42 MDR | Santa Clara, California, U.S.
Rapid7 | Managed Detection and Response | Boston, Massachusetts, U.S.
SentinelOne | Vigilance Respond MDR | Mountain View, California, U.S.
Sophos | Managed Detection and Response | Santa Clara, California, U.S.

Source: Gartner (October 2025)

Table 2: Cybersecurity Services Vendors Providing Managed Detection and Response Services

Provider | Service name | Headquarters
--- | --- | ---
Arctic Wolf Networks | Managed Detection and Response | Eden Prairie, Minnesota, U.S.
Binary Defense | Managed Detection and Response | Stow, Ohio, U.S.
BlueVoyant | Detection & Response | New York, U.S.
Critical Start | Managed Detection and Response | Plano, Texas, U.S.
Cyderes | Enterprise Managed Detection and Response | Kansas City, Missouri, U.S.
Deepwatch | Managed Detection and Response | Palo Alto, California, U.S.
eSentire | Managed Detection and Response | Waterloo, Ontario, Canada
Eviden | Managed Detection and Response | Bezons, France
Expel | Expel MDR | Herndon, Virginia, U.S.
Fortra | Managed Detection and Response | Eden Prairie, Minnesota, U.S.
Kudelski Security | MDR ONE Resolute | Cheseaux-sur-Lausanne, Switzerland; and Phoenix, Arizona
Mandiant | Managed Defense | Reston, Virginia, U.S.
Obrela Security Industries | MDR Core | London, U.K.
Ontinue | Ontinue ION Cyber Defense | Zurich, Switzerland
Optiv | Managed Detection and Response | Denver, Colorado, U.S.
Orange Cyberdefense | Managed Threat Detection | Paris, France
Proficio | ProSOC Managed Detection and Response | Carlsbad, California, U.S.
Quorum Cyber | Managed Detection and Response | Edinburgh, U.K.
Red Canary | Managed Detection and Response | Denver, Colorado, U.S.
Smarttech247 | Managed Detection and Response | Cork, Ireland
WithSecure | Countercept Managed Detection and Response | Helsinki, Finland

Source: Gartner (October 2025)

Market Recommendations


  • MDR services are not a good fit for every organization. As discussed in the Market Analysis section, a variety of delivery styles for MDR services exist, and some are MDR only in name. As part of a drive to increase maturity, organizations must identify whether they will benefit from a combination of service capabilities both inside and outside of MDR. This includes co-managed, SOC-as-a-service engagements or an internal DIY approach.
  • Define specific required outputs (incident ticket structure, reports) and goals that address defined use cases before engaging with a provider. As with any outsourcing initiative, if outcomes are not defined, the chance of success will be lessened regardless of which service provider is used (see Redesign Your Security Services RFPs for Effective Delivery). Buyers should also be cautious of overemphasizing the value of SLAs as part of detection-and-response-driven services. This is especially true because many buyers are unable to make use of the SLAs they impose on their services.
  • As MDR services are “consumable,” buyers must develop and operate their own internal incident response policies and procedures. This will ensure that the full value of the MDR service can be obtained. Relevant, internal business understanding is critical for the “right” response to a discovered threat. Some MDR providers are positioned to help their customers develop policies and processes if they don’t exist or require updating. Internal departments such as HR and legal may need to be involved, as may incident response service providers (see Market Guide for Digital Forensics and Incident Response Retainer Services).
  • Organizations must perform sufficient due diligence on MDR providers before signing a contract. Use an RFP and a POC, and assess the willingness of prospective providers to assess the current state/maturity of the environment. Most importantly, ask for sample deliverables to validate claims and fitness for purpose with your organization’s requirements. Use other sources as well such as your peer network and Gartner Peer Insights.
  • If you have data residency and strong privacy or other compliance requirements, validate that the MDR providers can comply with them. Focus on MDR providers in your geographic region or those using a data collection architecture that adheres to data residency requirements. Separate log retention may be required as an addition to any MDR service to ensure alignment with regulatory requirements.

Acronym Key and Glossary Terms


Acronym | Term
--- | ---
BAS | breach attack simulation
CPS | cyber-physical systems
CTEM | continuous threat exposure management
DFIR | digital forensics and incident response
DORA | Digital Operational Resilience Act
EDR | endpoint detection and response
IaaS | infrastructure as a service
IoT | Internet of Things
MDR | managed detection and response
MSSP | managed security service provider
NIS2 | Network and Information Security Directive
OCSF | open cybersecurity framework
OT | operational technology
POC | proof of concept
RFP | request for proposal
SaaS | software as a service
SI | system integrator
SOC | security operations center
SSDP | security service delivery platform
TDIR | threat detection, investigation and response
TI | threat intelligence
TTPs | tactics, techniques and procedures

Note: Gartner’s Initial Market Coverage


This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market, and market dynamics.

Note 1: Remote Mitigative Response


Remote mitigative response is defined as disruption or containment actions such as quarantining hosts and deauthenticating users.

Note 2: Incident Template


Reporting may include (see Table 3):
  • A description of the incident, how it was discovered, and when it was reported.
  • Any findings regarding how the incident occurred.
  • A review of the incident timeline and actions taken.
  • Recommendations to mitigate future incidents of a similar nature.

Table 3: Example of a Typical Cybersecurity Incident Ticket

Detail | Description
--- | ---
Subject | An outline of the issue containing a reference to the priority of the incident.
Notification time | A date and time stamp indicating the send time of the incident.
References | Reference number generated by the provider and internal customer references, if applicable.
Priority | A numerical representation of the priority/intended severity of the issue (usually on a scale of one to four, where one is the highest).
Classification/category | Single-word classification of the type of issue, such as “misconfiguration,” “malware,” or “phishing.”
Date and time of activity | A date and time stamp indicating the time the activity took place; may include specific enrichment details such as hostnames to separate events across a common incident (could be a window of time or a single event).
Source entities | If applicable, the details of hostnames, email addresses, IP addresses, vulnerability details, or other identifying factors that pinpoint the sources of the issue.
Destination entities | The details of hostnames, email addresses, IP addresses, or other identifying factors that pinpoint the affected assets.
Activity details | A descriptive set of sentences or bullet points that outlines the series of events, specific issues, or any other details relevant to the issue that explain the problem discovered.
Risks | A descriptive set of sentences or bullet points that outlines the risks to the business as a result of an activity that may have already occurred or may occur in the future.
Recommended actions | Simple-to-follow, intelligence-led instructions that outline follow-up remedial actions based on the provider’s mitigation actions and actions that the business needs to take following notification. This is often opinion-driven and nonmandatory advice.
Mitigation/response actions taken | Details of assets that have been quarantined, users that have been subject to password changes or lockouts, and other details such as processes/files that have been stopped or deleted, or temporary firewall rules that have been activated.

Source: Gartner (October 2025)
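Buyers integrating provider notifications into their own incident response process often check each ticket against an agreed template like the one above before it enters their workflow. The following is an added illustration of such a check, not Gartner's or any provider's code; the field names and the sample ticket are constructed assumptions.

```python
"""Check an MDR incident ticket against the field template in Table 3.

Added illustration, not Gartner's or any provider's code; the field names
and the constructed sample ticket are assumptions.
"""
from datetime import datetime

REQUIRED = ("subject", "notification_time", "references", "priority",
            "classification", "activity_time", "destination_entities",
            "activity_details", "risks", "recommended_actions",
            "mitigation_actions")


def check_ticket(ticket: dict) -> dict:
    """Return the template fields that are missing or malformed, plus the
    activity-to-notification delay in minutes (None if it cannot be computed)."""
    problems = [f"missing field: {n}" for n in REQUIRED if not ticket.get(n)]
    # Priority is numeric, 1 (highest) to 4, as the template specifies.
    prio = ticket.get("priority")
    if not isinstance(prio, int) or not 1 <= prio <= 4:
        problems.append(f"priority out of range 1-4: {prio!r}")
    # Both timestamps must parse; the activity cannot postdate the notification.
    delay = None
    try:
        sent = datetime.fromisoformat(ticket["notification_time"])
        seen = datetime.fromisoformat(ticket["activity_time"])
        delay = (sent - seen).total_seconds() / 60
        if delay < 0:
            problems.append("activity time is after notification time")
    except (KeyError, TypeError, ValueError):
        problems.append("timestamps must be ISO 8601 date-times")
    return {"ok": not problems, "problems": problems, "minutes_to_notify": delay}


# Constructed sample ticket (not a real incident); source_entities is optional.
SAMPLE = {
    "subject": "P2: suspected malware on a workstation",
    "notification_time": "2025-10-01T10:45:00+00:00",
    "references": "PROVIDER-REF-PLACEHOLDER / INTERNAL-REF-PLACEHOLDER",
    "priority": 2,
    "classification": "malware",
    "activity_time": "2025-10-01T10:12:00+00:00",
    "destination_entities": "workstation ws-17.example.internal",
    "activity_details": "Unsigned binary executed from a user temp directory.",
    "risks": "Possible foothold on the endpoint.",
    "recommended_actions": "Reimage the host; review the user's recent mail.",
    "mitigation_actions": "Host quarantined by the provider.",
}
```

The returned delay is the figure a buyer would compare with any notification SLA agreed with the provider.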