What is Included in an MDR Service?
Updated 26 March 2026
MDR is not a product. It is a combination of technology, people, and process delivered as a managed service. This page breaks down what you typically get, what is usually excluded, and what questions to ask before signing a contract.
Technology
EDR agent deployment and management
The MDR provider deploys their EDR agent to all enrolled endpoints and manages updates, policy tuning, and exclusion management. Your team does not need to operate the tool, but ask to review the exclusion list periodically: every excluded path or process is a blind spot for the provider's analysts as well as for you.
SIEM or XDR data aggregation
Telemetry from endpoints, cloud platforms, email, and network devices is collected and correlated by the MDR platform. Most providers include this in the service, so no separate SIEM licence or management is required. Confirm how long raw telemetry is retained, since it sets the upper bound on how far back threat hunts and incident investigations can look.
Threat intelligence integration
Real-time feeds of indicators of compromise (IOCs), attacker infrastructure, and emerging threat campaigns are applied automatically to your environment.
Vulnerability exposure monitoring
Higher-tier MDR services include passive monitoring of known vulnerabilities against the software versions seen in your telemetry, and notify you when a vulnerability affecting your inventory is published or is reported as exploited in the wild.
People and Process
24x7 alert monitoring and triage
A team of analysts monitors your environment around the clock. They review, investigate, and filter alerts to a manageable queue of confirmed or high-probability incidents.
Threat hunting
Scheduled proactive searches through historical telemetry looking for attacker behaviour that did not trigger an alert. Typically delivered monthly or quarterly depending on tier.
Incident notification and escalation
When a confirmed incident is identified, your designated contact is notified via phone, email, or ticketing system according to your SLA. Escalation procedures are documented in the onboarding runbook.
Containment and response actions
Subject to a pre-agreed authorisation policy, the MDR team can isolate endpoints, terminate processes, block IP addresses, and disable compromised user accounts without waiting for your approval. The policy should state, per action, which asset classes and account types it applies to and which require a call first; the onboarding runbook is where this gets written down.
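One way such an authorisation policy can be encoded so that an analyst's proposed action is checked against it before execution, as an added example that is not any provider's code. The action names, asset tiers, confidence threshold and protected IP ranges are assumptions for the illustration; a real engagement would replace them with the values agreed at onboarding.

```python
"""Hypothetical containment authorisation check for an MDR engagement.

Added illustration only, not a vendor's policy engine. The action names,
asset tiers, thresholds and IP ranges below are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO = "auto"          # provider may act without asking the customer
    APPROVAL = "approval"  # escalate to the designated contact first
    DENY = "deny"          # never taken by the provider


@dataclass(frozen=True)
class Asset:
    hostname: str
    tier: str  # assumed tiers: "workstation", "server", "production"


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool  # domain admin, break-glass or service account


# Pre-agreed matrix: (action, asset tier) -> decision. "*" matches any tier.
POLICY = {
    ("isolate_host", "workstation"): Decision.AUTO,
    ("isolate_host", "server"): Decision.APPROVAL,
    ("isolate_host", "production"): Decision.APPROVAL,
    ("kill_process", "*"): Decision.AUTO,
    ("block_ip", "*"): Decision.AUTO,
    ("disable_account", "*"): Decision.AUTO,
    ("wipe_host", "*"): Decision.DENY,
}

# Ranges the provider must never block at the perimeter (assumed example ranges:
# the internal network and a partner's documentation-range address block).
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

MIN_CONFIDENCE = 0.9  # assumed: below this, a human must confirm first


def decide(action, asset=None, account=None, target_ip=None, confidence=1.0):
    """Return (Decision, reason) for a containment action an analyst proposes."""
    # 1. Actions that were never agreed are refused outright.
    if action not in {a for a, _ in POLICY}:
        return Decision.DENY, f"{action} is not in the agreed action list"
    # 2. Low-confidence detections never trigger unattended containment.
    if confidence < MIN_CONFIDENCE:
        return Decision.APPROVAL, f"confidence {confidence:.2f} below {MIN_CONFIDENCE}"
    # 3. Look up the matrix, falling back to the wildcard tier.
    tier = asset.tier if asset else "*"
    decision = POLICY.get((action, tier)) or POLICY.get((action, "*"))
    if decision is None:
        return Decision.APPROVAL, f"no rule for {action} on tier {tier}"
    # 4. Action-specific guard rails on top of the matrix.
    if action == "disable_account" and account is not None and account.privileged:
        return Decision.APPROVAL, f"{account.name} is a privileged account"
    if action == "block_ip" and target_ip is not None:
        ip = ipaddress.ip_address(target_ip)
        if any(ip in net for net in NEVER_BLOCK):
            return Decision.DENY, f"{target_ip} is inside a protected range"
    return decision, "matrix"


def written_action_list():
    """The written list of actions the provider may take unasked."""
    return sorted(f"{a} on {t}" for (a, t), d in POLICY.items() if d is Decision.AUTO)


if __name__ == "__main__":
    # Constructed sample decisions, as an analyst console might show them.
    print(decide("isolate_host", Asset("ws-042", "workstation")))
    print(decide("isolate_host", Asset("erp-db-01", "production")))
    print(decide("disable_account", account=Account("svc_backup", privileged=True)))
    print(decide("block_ip", target_ip="10.20.30.40"))
    print(written_action_list())
```

The matrix is the artefact to ask for in writing; the guard rails (confidence floor, privileged accounts, protected address ranges) are where most real disputes arise, because an over-broad isolation or IP block taken automatically against a production system is itself an outage.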
Reporting
Monthly security report
Summary of alerts investigated, threats detected, incidents escalated, and threat hunting activities. Includes trend data and comparison to previous period.
Incident investigation reports
For each confirmed incident, a written report covering timeline, attack chain, IOCs, affected systems, actions taken, and recommended remediation steps.
Quarterly business review (QBR)
A call with your MDR provider to review security posture, discuss emerging threats relevant to your industry, and adjust monitoring configuration.
Compliance evidence package
Documentation of monitoring activities, incidents, and response actions in a format suitable for auditors. Relevant to SOC 2, ISO 27001, PCI DSS, and HIPAA requirements.
What is typically NOT included
Vulnerability remediation
MDR can flag vulnerabilities (where the tier includes exposure monitoring) but does not patch systems. Remediation is your team's responsibility or requires a separate managed patching contract.
Security awareness training
Phishing simulation and staff training are separate products, though some MDR vendors offer them as add-ons.
Network security (firewall management)
Standard MDR covers endpoints and cloud workloads. Firewall and network device logs may be ingested as telemetry, but network perimeter management and firewall configuration are typically out of scope.
On-premises forensics
Disk imaging, evidence preservation with chain of custody, and forensic analysis intended for legal proceedings usually require a separate incident response retainer.
Application security testing
Penetration testing and code security review are not part of standard MDR services.
Key questions to ask your MDR vendor
What containment actions can your team take without my explicit approval? Ask for a written list.
What is your time to escalate a confirmed incident? Ask for the median and 95th percentile from the last 12 months, not just an average, which a few fast escalations can flatter.
Do you use your own EDR technology or can you manage my existing tools?
What is the escalation process at 3am on a weekend? Who do I call and what is the response path?
How do you handle false positives that affect production systems if you take automated or pre-authorised containment? Ask how quickly an isolated host or blocked address can be reverted and who is authorised to do so.
How many customers does each analyst cover? A high number of customers per analyst indicates shallow coverage per customer.