What is MDR — and why your insurance underwriter cares

Managed Detection and Response (MDR) explained without the marketing copy.

MDR (Managed Detection and Response) is a 24/7 service where a small team of security analysts watches the alerts coming out of your laptops, your cloud environment, and your identity provider — and responds when something looks wrong. It’s the difference between owning a smoke detector and paying a fire department to be on call.

What it actually is

Three pieces, working together:

  1. Sensors — software agents on your laptops (EDR) and your cloud environment, plus log feeds from your identity provider and any production systems
  2. A platform — usually a SIEM or XDR tool that aggregates and correlates those signals
  3. A staffed shift — humans, watching the platform around the clock, with playbooks for what to do when a high-confidence alert fires

A real MDR will isolate a compromised laptop from the network within minutes of the detonation, suspend the affected identity, page your on-call, and write up the timeline before you’ve finished your coffee.
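The three pieces above can be sketched as one pipeline. This is an added example, not any MDR provider's code. The alert fields, the 10-minute correlation window, the 0.8 confidence cutoff and the action names are all assumptions made for illustration, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
SLA = timedelta(minutes=15)     # assumed critical-incident response target

# Constructed sample alerts: (time, source, user, host, signal, confidence)
ALERTS = [
    ("2026-01-12T09:01:00", "idp", "dana", None, "impossible_travel_login", 0.6),
    ("2026-01-12T09:04:30", "edr", "dana", "LT-0042", "credential_dumping", 0.9),
    ("2026-01-12T09:06:10", "cloud", "dana", None, "new_access_key_created", 0.7),
    ("2026-01-12T11:20:00", "edr", "eli", "LT-0077", "unsigned_binary", 0.4),
]

def parse(alerts):
    """Normalise raw tuples from all sensors into dicts sorted by time."""
    rows = [{"ts": datetime.fromisoformat(t), "source": s, "user": u,
             "host": h, "signal": sig, "conf": c}
            for t, s, u, h, sig, c in alerts]
    return sorted(rows, key=lambda a: a["ts"])

def correlate(alerts, window=WINDOW):
    """Platform step: per user, raise an incident when two or more sources
    alert within the window of the user's first alert and one is >= 0.8."""
    by_user, incidents = {}, []
    for a in parse(alerts):
        by_user.setdefault(a["user"], []).append(a)
    for user, items in by_user.items():
        cluster = [a for a in items if a["ts"] - items[0]["ts"] <= window]
        sources = {a["source"] for a in cluster}
        if len(sources) >= 2 and max(a["conf"] for a in cluster) >= 0.8:
            incidents.append({"user": user, "alerts": cluster, "sources": sources})
    return incidents

def respond(incident, contained_at):
    """Playbook step: ordered containment actions, timeline, SLA verdict."""
    hosts = sorted({a["host"] for a in incident["alerts"] if a["host"]})
    actions = [f"isolate_host:{h}" for h in hosts]  # hypothetical action names
    actions += [f"suspend_identity:{incident['user']}", "page_on_call"]
    fired = min(a["ts"] for a in incident["alerts"] if a["conf"] >= 0.8)
    took = contained_at - fired  # clock starts at the first high-confidence alert
    timeline = [f"{a['ts'].isoformat()} {a['source']} {a['signal']}" for a in incident["alerts"]]
    return {"actions": actions, "timeline": timeline,
            "time_to_contain": took, "within_sla": took <= SLA}

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(respond(inc, datetime.fromisoformat("2026-01-12T09:12:30")))
```

The lone low-confidence endpoint alert for the second user never becomes an incident, which is the point of the correlation layer: it stays in the queue for an analyst to review instead of triggering containment.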

What it isn’t

  • It is not a generic IT help desk that also looks at security alerts. The skill set is different.
  • It is not “we’ll forward you the alert email.” Forwarding alerts is not response.
  • It is not the EDR vendor’s own console. The EDR vendor sells you the sensor; the MDR provider does the watching.

A common failure mode in our practice is buying a top-tier EDR (CrowdStrike, SentinelOne), turning it on, and then having nobody read the alerts. The sensor caught the intrusion. Nobody looked at the screen.

Why insurance underwriters care

Cyber insurance applications now ask three questions about MDR explicitly:

  1. Do you have 24/7 monitoring of endpoints, identity, and cloud?
  2. Who provides it (in-house or named third party)?
  3. What’s the contractual response time?

“No,” “us, sometimes” and “we’ll get to it” are answers that materially affect your premium — often by 30% or more — and increasingly determine whether the insurer will quote you at all. The shift over the last 24 months has been sharp: MDR is moving from a “nice to have” line item to a hard underwriting requirement at the $1M-coverage tier.

What it costs

For a 30-person Bay Area SaaS or healthcare practice, MDR pricing in 2026 runs roughly $25–$60 per protected user per month, depending on:

  • Whether endpoint, identity, and cloud are all in scope or just one
  • Response SLA (15-minute critical-incident response is more expensive than 1-hour)
  • Whether the provider commits to active containment (isolating devices, suspending identities) or only to advisory alerting

Bundled with the EDR and SIEM licensing, total cost is usually 30–40% of an MSSP’s standalone “security retainer” pricing. The difference is that MDR is a recurring operational service, not a per-incident project.

When to buy it

Three triggers, any one of which we’d act on:

  • Your cyber insurance renewal is in the next 90 days and the application asks the MDR question
  • You’re going for SOC 2 Type II or ISO 27001 — your auditor will look for evidence of continuous monitoring
  • You’ve already had one phishing-driven compromise and the post-mortem read “we didn’t notice for three weeks”

Related reading: our blog post on why your SF startup needs Okta before it needs an office manager. MDR works best when identity is already done.

Want to talk through whether MDR makes sense for your stage? Book a 30-minute IT review.