
MSSP and MDR Guide — What Managed Security Actually Means and What You Should Be Paying

This is the most-searched IT security service category for SMBs and mid-market companies. Read the most honest, detailed buyer's guide available before you sign a contract.



1. MSSP vs MDR vs SOC-as-a-Service — the distinctions that matter

MSSP (Managed Security Service Provider): the broad term for outsourced security management. Traditional MSSPs manage security tools — firewalls, endpoint agents, SIEM — and alert you when something happens. The problem with traditional MSSPs: alert fatigue. An MSSP that sends you 500 alerts a week with no triage is not a security service, it is alert forwarding.

MDR (Managed Detection and Response): the evolution beyond MSSP. MDR providers don't just detect — they respond. A true MDR includes 24/7 human analysts who investigate alerts, determine if they're real threats, and take containment actions (isolating an infected endpoint, blocking malicious traffic) without waiting for you to respond. The keyword is response, not just detection.

SOC-as-a-Service: a security operations center capability delivered as a service. Functionally overlaps with MDR. The distinction is more marketing than technical — evaluate the actual service capability, not the label.

XDR (Extended Detection and Response): detection and response across endpoint, network, email, cloud, and identity — correlated into a single investigation workflow. MDR providers increasingly deliver XDR technology as the underlying platform.

What to ask any provider: when you detect a threat at 2am on a Saturday, what exactly do you do? Who does it? What is the SLA for initial response, and what is the SLA for containment? Does the SLA clock start when the alert is generated, when an analyst acknowledges it, or when you are notified? Get specific answers in writing.

2. What a real MDR service includes — the non-negotiables
  • 24/7/365 SOC coverage with human analysts: not an automated playbook that fires an email. Real analysts who investigate.
  • Threat hunting: proactive searching for threats that haven't triggered an alert. The attackers who dwell in your environment for months before triggering anything are caught by hunters, not reactive alerting.
  • Endpoint Detection and Response (EDR) platform: MDR is built on an EDR agent deployed to every endpoint. The major EDR platforms used by MDR providers: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Carbon Black, Cybereason.
  • SIEM or XDR platform: log aggregation, correlation, and alerting across all security data sources. The underlying analytics engine.
  • Containment authority: the MDR provider should be able to isolate an infected machine from your network without waiting for your approval. Dwell time reduction is the primary value of MDR, and that requires action authority. Agree rules of engagement up front: which actions are pre-authorized (host isolation, blocking an indicator, disabling an account), which systems are excluded from automatic isolation (domain controllers, production databases, medical devices), and who gets called first for those exceptions.
  • Threat intelligence integration: MDR analysis should be informed by current threat intelligence about what attackers are doing right now in your industry.
  • Regular reporting: weekly/monthly reports showing what was detected, investigated, and resolved — not just what was alerted.
  • Incident response escalation: a clear process for when an incident exceeds the containment actions the MDR is authorized to take (for example, a confirmed ransomware deployment or a compromised identity provider) and requires a full incident response engagement, including who is engaged, how fast, and at what cost.

3. How to evaluate MSSP/MDR providers

The MITRE ATT&CK framework coverage question: ask every MDR provider to show you their ATT&CK coverage map. Which tactics and techniques can they detect, and how was that validated? A coverage slide is a claim; results from adversary emulation or a purple-team exercise run in a customer environment are evidence.

The SOC staffing question: how many analysts are in the SOC? What is the analyst-to-client ratio? What happens when your assigned analyst is sick?

The SLA question: what is your mean time to detect (MTTD) guarantee? Mean time to respond (MTTR)? Confirm which timestamps define each metric (alert generation, analyst acknowledgment, or your notification), whether the figure is a mean or a percentile, and what the contractual remedies are if SLAs are missed. A mean hides the one intrusion that sat unworked for two hours.

The escalation question: what is the process when you find a serious intrusion? Who calls us, how fast, and what authority do your analysts have to act before the call?

The onboarding question: how long does full deployment and tuning take? An MDR that's generating huge alert volumes before it's been tuned to your environment is a liability, not an asset.

Reference customers in your industry: ask for three references from companies your size in your industry. Call them. Ask what false positive rate they experience and how the provider has improved it over time.
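The SLA and reference-call questions above both come down to measurement. As an added example that is not part of this guide, the script below computes delivered acknowledgment and containment times, SLA breaches, and the false positive rate from a ticket export, measuring acknowledgment on both the alert clock and the event clock so the difference is visible. The CSV columns, ticket data and SLA thresholds are constructed for illustration; map your provider's real export onto these fields.

```python
"""Measure an MDR provider's delivered response times against contractual SLAs.

Added example, not from the original guide. Column names and SLA values are
hypothetical; replace SAMPLE_EXPORT with the provider's actual ticket export.
"""
import csv
import io
import math
import statistics
from datetime import datetime, timezone

# Constructed sample export, one row per alert the provider raised.
#   event_time     first telemetry showing the activity
#   alert_time     when the platform generated the alert
#   ack_time       when a human analyst opened it
#   contained_time when containment (e.g. host isolation) completed; blank if none
#   verdict        analyst outcome after investigation
SAMPLE_EXPORT = """ticket,event_time,alert_time,ack_time,contained_time,verdict
1001,2025-03-01T02:10:00Z,2025-03-01T02:12:00Z,2025-03-01T02:20:00Z,2025-03-01T02:35:00Z,true_positive
1002,2025-03-01T09:00:00Z,2025-03-01T09:01:00Z,2025-03-01T09:40:00Z,,false_positive
1003,2025-03-02T22:30:00Z,2025-03-02T22:31:00Z,2025-03-03T00:05:00Z,2025-03-03T00:50:00Z,true_positive
1004,2025-03-03T14:00:00Z,2025-03-03T14:45:00Z,2025-03-03T14:50:00Z,,false_positive
1005,2025-03-04T03:00:00Z,2025-03-04T03:02:00Z,2025-03-04T03:10:00Z,2025-03-04T03:25:00Z,true_positive
"""

# Hypothetical SLA terms in minutes. Each one names the clock it runs on.
SLA = {
    "ack_from_alert_min": 15,      # analyst acknowledgment, measured from alert_time
    "contain_from_alert_min": 60,  # containment of true positives, from alert_time
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _minutes(later, earlier):
    return (later - earlier).total_seconds() / 60


def _p90(values):
    """Nearest-rank 90th percentile; exposes the slow tail a mean hides."""
    s = sorted(values)
    return s[max(0, math.ceil(0.9 * len(s)) - 1)]


def load_tickets(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ticket": r["ticket"],
            "event": _ts(r["event_time"]),
            "alert": _ts(r["alert_time"]),
            "ack": _ts(r["ack_time"]),
            "contained": _ts(r["contained_time"]) if r["contained_time"] else None,
            "verdict": r["verdict"],
        })
    return rows


def sla_report(tickets, sla=SLA):
    """Return response-time statistics, SLA breaches and the false positive rate."""
    ack_from_alert = {t["ticket"]: _minutes(t["ack"], t["alert"]) for t in tickets}
    ack_from_event = {t["ticket"]: _minutes(t["ack"], t["event"]) for t in tickets}
    true_pos = [t for t in tickets if t["verdict"] == "true_positive"]
    contain_from_alert = {
        t["ticket"]: _minutes(t["contained"], t["alert"]) for t in true_pos if t["contained"]
    }
    return {
        "mean_ack_from_alert_min": statistics.mean(ack_from_alert.values()),
        "p90_ack_from_alert_min": _p90(ack_from_alert.values()),
        # Same tickets on the event clock: includes the platform's own detection delay.
        "mean_ack_from_event_min": statistics.mean(ack_from_event.values()),
        "ack_sla_breaches": [k for k, v in ack_from_alert.items() if v > sla["ack_from_alert_min"]],
        "mean_contain_from_alert_min": statistics.mean(contain_from_alert.values()),
        "p90_contain_from_alert_min": _p90(contain_from_alert.values()),
        "contain_sla_breaches": [k for k, v in contain_from_alert.items() if v > sla["contain_from_alert_min"]],
        # True positives with no containment timestamp are the ones to chase in a reference call.
        "uncontained_true_positives": [t["ticket"] for t in true_pos if t["contained"] is None],
        "false_positive_rate": sum(t["verdict"] == "false_positive" for t in tickets) / len(tickets),
    }


if __name__ == "__main__":
    for key, value in sla_report(load_tickets(SAMPLE_EXPORT)).items():
        print(f"{key:32} {value}")
```

In the constructed data, ticket 1004 meets the acknowledgment SLA on the alert clock (5 minutes) but took 50 minutes from the first telemetry because the platform itself took 45 minutes to raise the alert; a contract whose clock starts at alert generation never records that delay. That is the distinction to nail down before signing.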

4. Pricing models and what is reasonable
  • Per-endpoint pricing: most common for MDR. Typical range: $15-$50 per endpoint per month for SMB/mid-market. Enterprise pricing often lower per endpoint at volume.
  • Per-user pricing: $20-$75 per user per month for full-stack managed security.
  • Annual contract value: for a 100-endpoint company, expect $18K-$60K/year for legitimate MDR with 24/7 human SOC coverage. Anything under $10K/year for meaningful SOC coverage should be scrutinized closely — you are likely getting alert forwarding, not MDR.
  • Setup and onboarding fees: $5,000-$20,000 for deployment and initial tuning, depending on environment complexity.
  • What is not included: full incident response (IR) for major breaches typically requires a separate retainer or is billed time-and-materials on top of MDR subscription. Confirm this upfront.
  • Price vs coverage trade-off: the cheapest MDR providers cut corners on analyst staffing, threat hunting, and containment authority. The math: a single ransomware event costs $200K-$4M on average. At $40K/year, MDR breaks even if it prevents one such event every 5 to 100 years (the low and high ends of that cost range divided by the annual fee). Organizations of this size are hit far more often than once a century, so the break-even bar is a low one.

5. MSSP/MDR for specific industries

Healthcare (HIPAA): MDR with HIPAA-specific compliance monitoring, PHI access logging, and a BAA (Business Associate Agreement). Healthcare is the most targeted industry — 46% of all ransomware attacks hit healthcare.

Financial services: MDR with SOC 2, PCI-DSS, and Gramm-Leach-Bliley Act (GLBA) / FTC Safeguards Rule alignment. Financial firms face both cybercriminal and nation-state threats.

Legal: law firms are targeted for client confidentiality data and M&A information. ABA and state bar ethics rules impose cybersecurity obligations. Look for MDR providers with legal industry references.

Government contractors: CMMC / NIST 800-171 compliance monitoring required. If you handle CUI (Controlled Unclassified Information), logs and endpoint data the provider collects may themselves contain CUI and pull the provider into your assessment scope, so look for providers that have already been assessed against CMMC / NIST 800-171 and that can staff your account with cleared personnel.

Managed service providers (MSPs) themselves: MSPs are increasingly targeted as the entry point to compromise all of their clients simultaneously. Look for providers that monitor and harden the MSP's own PSA/RMM tooling (the remote-management agents are an attacker's path to every client) and that offer a multi-tenant MDR architecture with per-client isolation.

6. The cyber insurance connection

Cyber insurers are now directly driving MSSP/MDR adoption: underwriters are either requiring EDR + 24/7 monitoring as a condition of coverage or offering significant premium discounts for it.

What insurers typically require in 2025: MFA on all remote access and email, EDR on all endpoints, offline/immutable backups, privileged access management, 24/7 security monitoring (MDR fulfills this).

Premium impact: companies with MDR typically see 15-30% lower cyber insurance premiums. On a $50K annual premium, that's $7,500-$15,000/year in premium savings that partially offsets the MDR cost.