1 Executive Summary

Cybercriminals and state-sponsored espionage groups are constantly targeting organizations, subjecting them to relentless cyberattacks, making it more important than ever for organizations to be able to detect and responds to cyber threats 24/7. However, a global lack of cybersecurity skills means that many organizations cannot keep pace with these threats, and their security teams are often overwhelmed by the number of security alerts being generated by a multitude of disparate security systems.

This challenge is fueling the rapid growth of a broad managed detection and response (MDR) market, which includes Security Operations Center as a Service (SOCaaS) solutions and Managed eXtended Detection and Response (MXDR) solutions. The MDR market is experiencing significant growth and becoming more relevant in the cybersecurity industry, driven by regulatory compliance, digital transformation, the shift to remote working, the lack of cybersecurity skills, and the increasing sophistication of cyber threats, including ransomware, phishing attacks, and supply chain compromises.

MDR solutions involve managing an array of cybersecurity technologies typically through an integrated platform that offers advanced detection and response capabilities with the support of an expert team of analysts. Organizations of all sizes and types are adopting these solutions to either outsource security operations or supplement in-house security teams, especially during out-of-office hours and to fill expertise gaps. MDR service providers are increasingly supporting easy collaboration with in-house security teams of larger customers with high levels of cybersecurity maturity.

MDR solutions provide comprehensive cybersecurity with 24/7 expert monitoring, threat analysis, and support, going beyond the traditional compliance focus of Managed Security Service Providers (MSSPs). Unlike MSSPs, MDR services typically incorporate advanced technology like Artificial Intelligence (AI), Machine Learning (ML), active threat hunting, incident response, and thorough threat verification. This proactive approach, combined with a broader service scope, delivers a higher level of security expertise, making MDR a more robust option for organizations seeking advanced threat detection and containment.

Organizations of all sizes face similar cyber threats and require advanced detection and response capabilities. However, smaller organizations often lack the budget or expertise, and all organizations struggle to fill critical cybersecurity roles. MDR services allow even small businesses to access a dedicated team of experts available 24/7 to detect and respond to security incidents. These services also offer guidance on security investments, strategies, and processes, all without the financial and logistical challenges of building and maintaining an in-house cybersecurity team.

When organizations lack strong in-house threat detection and response capabilities, MDR solutions provide an opportunity to outsource a significant portion of their security operations. This includes managing networks, endpoints, applications, websites, databases, and security logs. Many MDR providers also offer the option to fully outsource the Security Operations Center (SOC) for organizations unable to act on security recommendations or handle threats autonomously. Moreover, MDR services increasingly incorporate automated response features for faster threat mitigation.

For organizations that have some security measures in place, MDR can provide supplemental support as needed. This ensures that they have all the necessary cybersecurity skills and resources to handle high-risk threats and critical incidents. This support is especially valuable for large organizations, which frequently face numerous cyberattacks and struggle with a shortage of skilled professionals. MDR helps bridge these gaps, enabling organizations to manage day-to-day threats effectively while developing long-term security strategies.

Large organizations with existing security teams often struggle to manage complex systems like Security Information and Event Management (SIEM); Network Detection and Response (NDR); Endpoint Protection Detection and Response (EPDR); Security Orchestration, Automation, and Response (SOAR); and Identity and Access Management (IAM). As a result, they are relying increasingly on MDR providers not only for assistance in managing these systems but also for quick, automated responses to common threats. The demand for MDR services is growing as cyber threats continue to rise, making it difficult for organizations to maintain an in-house SOC and consistently deliver high-quality service.

The main aims of MDR are to:

• Strengthen customers’ ability to monitor, detect, and respond to security threats 24/7
• Continually improve overall security strategy and posture
• Provide a comprehensive view across the security environment
• Enable in-house security teams to focus on and manage strategic security initiatives
• Increase value from existing security investments
• Provide tools and expertise to deliver or augment existing security systems such as EPDR, SOAR, SIEM, and eXtended Detection and Response (XDR)

MDR solutions typically help customer organizations to:

• Deal with high volumes of security alerts
• Reduce the time that it takes to identify and mitigate security incidents
• Apply advanced analytics to threats and user behavior
• Rationalize, update, and integrate/coordinate security tools
• Bridge skills gaps
• Improve visibility and governance of the business IT environment

Figure 1: Cybersecurity ecosystem flowchart

This Leadership Compass is designed as a tool to help organizations to identify their requirements and map them to the capabilities offered by specific vendors, taking into consideration the size, growth, skills, and budget of the customer organization. To better understand the fundamental principles this report is based on, please refer to the KuppingerCole Leadership Compass Methodology.

1.1 Key Findings

• Increasing cyber threats, alert overload, and the worldwide shortage of cybersecurity skills are among the top drivers for the ongoing evolution and growth of MDR market.
• MDR solutions include a wide range of cybersecurity services, ranging from simple alert triage or SOCaaS to full MDR, including incident response.
• A key element of MDR is the focus on continual improvement of cybersecurity posture, going beyond traditional services from MSSPs.
• MDR solutions that cater for all sizes of organizations provide the opportunity for even small companies to get the benefit of enterprise-level SOCs.
• Most MDR solutions now meet a range of use cases from assistance of in-house SOCs and security teams to full outsourcing of security operations.
• MDR solutions typically help organizations to fill skills gaps, maintain round-the-clock monitoring of IT assets, and deal with large volumes of alerts across increasingly complex business IT environments.
• There is a concerted effort by MDR providers to focus on risk prevention and risk management.
• MDR solution adoption has increased as organizations realize technology alone cannot fully protect against cyber threats.
• KuppingerCole Analysts project the market to grow to $7.9B by 2027.
• Security breaches, regulatory demands, mergers and acquisitions, requirements by insurers for cybersecurity coverage, and board mandates for cybersecurity reporting are the top drivers of MDR adoption.
• MDR is the only way many organizations are able to consolidate all of their security threats, tools, and systems into a single point of control.
• The Overall Leaders in MDR (in alphabetical order): Arctic Wolf, CrowdStrike, eSentire, Kroll, Proficio, ReliaQuest, and Sophos.