Major Use Cases and Capabilities

The top use cases and capabilities that solutions in this market address. Choose your use case for a personalized view on product requirements.

Major Use Cases

The main use cases for Managed, Detection and Response adoption and their principal characteristics as observed are listed in the table below:

Managed, Detection and Response

MDR solutions mean that even smaller organizations can tap into the benefits of having a large team of experts continually on call to detect and respond to incidents and help guide investments, strategies and processes without the cost and challenges of finding and retaining people with the necessary skills.

Inhance Security Posture

Where there is some in-house security capability, MDR can be used to supplement this whenever necessary to ensure that an organization has at its disposal all the cyber security skills and capabilities required to deal with high-risk threats and critical incidents. This is also relevant for very large organizations, given the volume of cyber-attacks and the skills gap in the market, making it challenging to develop long term security strategies, while keeping on top of daily cyber threats and incidents.

Increase Value of Exisiting Tools

Large organizations with in-house security teams find it challenging to manage SIEM, NDR, EDR, SOAR, and even IAM systems to deliver the required security outcomes. As a result, they are turning to MDR service providers to help with this, as well as provide rapid automatic containment capabilities for common threats. Some vendors report a growing demand for MDR services from the world’s largest organizations due to the global lack of cybersecurity skills and high churn rates that make it challenging to run an in-house SOC and maintain the desired quality of service (QoS) levels.

High Volume and Complexity of Security Alerts

Enable in-house security teams to focus on and manage strategic security initiatives.

Advanced Analytics

Providing advanced analytics of threats and user behavior.

Improved Compliance

Governments have enacted various regulatory regimes mandating privacy, security of health and financial records, “Know Your Customer”, and payment processing security. Examples include EU General Data Protection Regulation (GDPR) and EU Revised Payment Service Directive (PSD2). Additionally, security certifications and standards such as FIDO2, ISO/IEC 27001, and SOC 2 Type II will appeal to customers in certain regulated industries and others that have strict security requirements.



Effective detection relies on comprehensive monitoring of the IT environment. This metric reflects the breadth of the solutions coverage in terms of monitoring and analysis of data movement across applications, systems, endpoints, protocols, groups, and locations. It also includes integrations with other security products such as DLP and EPDR.

Cloud Support

A measurement of the degree to which solutions provide monitoring and analysis of cloud environments, including service providers, applications, infrastructures, and data stores. It also includes cloud security posture management, workload protection and vulnerability scanning.


An evaluation of threat detection coverage and capabilities across modern IT environments. It includes the average detection times, behavior analytics, integrations with intrusion detection and prevention systems, and the capability to detect certain types of malicious tactics, techniques, and procedures.


This category looks at a solution’s ability to respond to threat detections, including blocking capabilities, rapid incident validation, response times, post-remediation support, and activity recording.


An in-depth look at a solution’s automation capabilities in terms of threat containment actions, including process termination, host isolation, port blocking, and file quarantining. It also looks at solution’s SOAR capabilities and integrations and provision of incident response playbooks.

Threat Intelligence

This is a measure of a solution’s threat intelligence and threat hunting capabilities, including provision of automated threat hunting, type and number of intelligence sources, and support for threat intelligence exchange.

Insider Threat Detection

This metric reflects a solutions ability to detect and block insider threats, including the detection of phishing attacks aimed at tricking employees into revealing their credentials which would give insider access, the abuse of privileged credentials, and the use of user behavior analytics.

Admin Support

An evaluation of the administrative support provided by the solution in terms of initial setup, incident response, language support, and professional support services. It includes the ability of the solution to provide full SOC services, to work as an extension of internal teams, to assist in developing security and governance policies, to provide dedicated analyst teams, and to provide continual improvement guidance.