What Is Included in an MDR Service? Full Breakdown of Deliverables and SLAs
MDR is a broad category, and what you actually get varies significantly between vendors and tiers. Some MDR services provide comprehensive managed security operations that replace the need for any in-house security staff. Others provide monitoring and notification without active response, requiring your team to still handle remediation. This page breaks down exactly what MDR includes across technology, people, process, and reporting deliverables, with vendor-specific comparisons so you know what to expect and what questions to ask before signing.
MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor.
Technology Deliverables
The technology component of MDR includes the software tools that detect threats in your environment. Most MDR vendors provide their own technology stack as part of the service, which means you do not need to separately purchase and maintain EDR, SIEM, or threat intelligence tools. The exception is Expel, which layers monitoring on top of your existing tools.
EDR/XDR Agent
A lightweight software agent deployed on every endpoint (workstation, laptop, server) that monitors for malicious activity including malware execution, suspicious process behaviour, file system changes, and network connections. The agent runs continuously and sends telemetry to the vendor's cloud platform for analysis. CrowdStrike uses the Falcon agent, Arctic Wolf uses their proprietary agent, and Huntress uses their managed EDR agent. Agent deployment is typically automated through your existing RMM or endpoint management tools.
Detection Platform
A cloud-based platform that aggregates telemetry from all agents, applies detection rules (both signature-based and behavioural), correlates events across endpoints and data sources, and generates alerts for analyst review. The platform quality directly affects detection efficacy. CrowdStrike and SentinelOne are generally recognised as having the most advanced detection engines, while Arctic Wolf and Huntress prioritise analyst workflow efficiency over raw detection sophistication.
Threat Intelligence
Curated feeds of known indicators of compromise (IOCs) including malicious IP addresses, domain names, file hashes, and behaviour patterns. Premium MDR vendors like CrowdStrike maintain their own threat intelligence teams that produce original research, while others rely on third-party feeds. The practical impact is that higher-quality threat intelligence catches new threats faster because the vendor is tracking adversary groups and their evolving tactics.
Management Console
A web-based dashboard that gives you visibility into your security posture, active threats, historical incidents, and MDR analyst activity. Console quality varies significantly between vendors. CrowdStrike and SentinelOne offer feature-rich consoles with deep investigation capabilities. Arctic Wolf provides a clean, executive-friendly view with monthly posture scores. Huntress focuses on MSP multi-tenant management. The console is your window into what the MDR team is doing for you.
SLA Comparison Across 6 MDR Vendors
Service Level Agreements define the speed and scope of vendor response. Faster SLAs cost more because they require dedicated analyst capacity standing by at all times. For most mid-market organisations, a 4-hour response SLA provides adequate protection. Elite 1-hour SLAs are most valuable for organisations in critical infrastructure, financial services, or healthcare where regulatory requirements mandate rapid response documentation.
| Vendor | Response Time | Containment Authority | Escalation |
|---|---|---|---|
| CrowdStrike Falcon Complete | 1 hour | Pre-authorised active response | Phone + portal |
| Arctic Wolf | 4 hours | Guided with customer approval | Concierge team + phone |
| SentinelOne Vigilance | 4 hours | Automated + analyst guidance | Portal + phone |
| Sophos MDR Complete | 4-8 hours | Active response (Complete tier) | Portal + dedicated lead |
| Sophos MDR Essentials | 8 hours | Notification only | Portal + email |
| Huntress | Same day | Remediation guidance + auto-remediate | Portal + email |
| Expel | 4 hours | Analyst-led through your tools | Portal + phone |
What Is NOT Included in Standard MDR
Understanding what MDR does not cover is as important as knowing what it includes. These exclusions represent additional purchases or internal capabilities you need to maintain. MDR replaces the need for a 24/7 monitoring team but does not replace your entire IT security programme.
Vulnerability Remediation
MDR detects threats but does not patch your systems, fix misconfigurations, or remediate vulnerabilities. You still need patch management and vulnerability remediation processes. Some MDR vendors identify vulnerabilities as part of their monitoring but leave remediation to your team.
Penetration Testing
Annual or quarterly penetration testing is a separate engagement typically costing $15,000-50,000. MDR monitors for real threats but does not simulate attacks to test your defences. See penetrationtestingcost.com for pen testing pricing.
Security Awareness Training
Employee security training and phishing simulations are generally separate purchases. Huntress is an exception that includes basic security awareness training in the base MDR price. KnowBe4 and other dedicated platforms cost $15-25 per user per year.
Network Security Management
Firewall management, IDS/IPS tuning, and network segmentation are outside MDR scope. Some vendors like Arctic Wolf ingest firewall logs for monitoring but do not manage or configure your network security devices.
Full Digital Forensics
Standard MDR includes investigation and containment. Full forensic analysis for legal proceedings, evidence chain of custody, and expert witness testimony require a separate incident response engagement at $250-400 per hour.
Compliance Assessments
MDR reporting satisfies some compliance controls but does not replace a full compliance assessment. SOC 2, ISO 27001, PCI DSS, and HIPAA assessments require separate audits. MDR evidence packages supplement but do not complete these assessments.
Questions to Ask Before Signing an MDR Contract
- What data sources are included in the base price? Endpoint only or also cloud, email, identity, and network?
- What is the specific SLA for initial notification, investigation completion, and containment action?
- What containment actions are the analysts authorised to take without my approval?
- What is the log volume cap and what are the overage charges?
- Is onboarding included or billed separately? What does onboarding include?
- What is the annual price escalation rate and can it be capped or locked?
- What incident response actions are included versus billed hourly?
- How many customers does each analyst manage?
- What happens if I want to exit the contract early?
- Can I see your compliance evidence package before signing?
What MDR Includes FAQ
What technology does MDR include?
Most MDR services include an EDR agent deployed on all endpoints (workstations and servers), a cloud-based detection platform that aggregates and correlates telemetry, threat intelligence feeds for known indicators of compromise, and a management console for visibility into alerts and incidents. Some vendors also include SIEM functionality, identity monitoring agents, and cloud security connectors. The technology is typically bundled into the MDR subscription price rather than licensed separately, with the exception of SentinelOne Vigilance, which is an add-on to the separately licensed platform.
What do MDR analysts actually do?
MDR analysts provide three core functions: monitoring, investigation, and response. Monitoring means watching your environment 24/7 for alerts generated by the detection platform. Investigation means taking each alert and determining whether it is a true threat or a false positive, then assessing the scope and impact. Response means taking containment actions like isolating compromised hosts, blocking malicious processes, and removing persistence mechanisms. Beyond these reactive functions, MDR analysts also perform proactive threat hunting to find threats that evade automated detection rules.
What SLA should I expect from an MDR provider?
Standard MDR SLAs include an initial notification time of 15-60 minutes after a confirmed threat is detected, an investigation completion target of 1-8 hours depending on threat complexity, and a containment action time of 1-4 hours for critical threats. Premium SLAs reduce these times significantly. CrowdStrike Falcon Complete offers a 1-hour response SLA. Arctic Wolf and SentinelOne typically provide 4-hour SLAs. Sophos MDR Essentials offers an 8-hour SLA. Ask for SLA definitions in writing before signing.
What reporting does MDR provide?
MDR vendors provide monthly executive summary reports covering threat landscape, incidents detected, response actions taken, and security posture trends. Incident reports are generated for each confirmed threat with timeline, root cause, affected assets, and remediation steps. Compliance evidence packages map MDR capabilities to frameworks like SOC 2, ISO 27001, PCI DSS, and HIPAA. Some vendors like Arctic Wolf include quarterly business reviews with strategic security recommendations. These reports satisfy auditor and insurer documentation requirements.
What is NOT included in standard MDR?
Standard MDR typically does not include vulnerability remediation or patching, penetration testing, security awareness training beyond basic offerings, network security device management, full digital forensics and evidence preservation for legal proceedings, compliance gap assessments, and security architecture consulting. These services require separate procurement. Some vendors offer them as add-ons while others do not provide them at all. Huntress is an exception that includes basic security awareness training in the base price.