What is MDR? MDR vs SOC vs EDR explained.
MDR — managed detection and response — is security technology plus a 24/7 human team that watches it and responds to threats on your behalf. It’s how a small business gets enterprise-grade detection and response without building a security team of its own.
- EDR is the technology on the device; a SOC is the human team; MDR is both, delivered as one service.
- EDR without anyone watching is just a louder alarm — MDR is the alarm plus someone who answers it at 3am.
- What an SMB actually buys with MDR is an outcome: detection, triage and response, not a pile of tools to staff.
- 24/7 response matters because attacks land at nights and weekends, exactly when an in-house team is offline.
The three terms, in plain English
EDR, SOC and MDR get used interchangeably, but they describe three different things. Once you see how they stack, the rest is straightforward.
- EDR (endpoint detection & response) is technology that runs on each laptop, desktop and server. It records how software behaves and flags or stops anything that looks like an attack. If you want the full comparison, see our guide to EDR vs antivirus.
- SOC (security operations centre) is the human team — analysts plus their tooling — that monitors security signals and responds to incidents. It’s people, not a product.
- MDR (managed detection & response) is the two combined and delivered as a service: EDR and other telemetry, watched 24/7 by a SOC that responds on your behalf.
How they relate
Think of it as a chain. EDR sees the threat. The SOC decides what it means and what to do. MDR is the arrangement that connects the two and makes someone accountable for the outcome.
The mistake we see most often is buying EDR alone and assuming it’s “done”. EDR generates alerts — sometimes a great many — and an alert nobody triages is not protection. The technology is necessary but not sufficient; the response is the part that saves you.
EDR is the smoke detector. The SOC is the fire brigade. MDR is the contract that guarantees they turn up.
EDR vs MDR vs an in-house SOC
Here’s how the three options compare for a typical UK small or mid-sized business.
| | EDR only | MDR | In-house SOC |
|---|---|---|---|
| What it is | Technology on the device | Technology + a 24/7 SOC, as a service | Your own team + tooling |
| Who responds | You — if you notice | The provider’s SOC, on your behalf | Your staff |
| 24/7 cover | No | Yes | Only if you fund night and weekend shifts |
| Time to value | Days | Days to weeks | Months to hire and build |
| Typical SMB cost | Low, per device | Per seat, predictable | Several full-time salaries |
| Best for | Very small, low-risk setups | Most SMBs | Larger organisations at scale |
What an SMB actually buys with MDR
This is the part worth being clear about. When a small business signs up for MDR, it isn’t buying software licences to manage. It’s buying an outcome: someone is watching, and someone will act.
In practice that means a tuned Managed EDR deployment, the telemetry that feeds it, a 24/7 SOC triaging every alert, and agreed response actions — isolating a device, killing a process, locking an account — taken on your behalf without waiting for you to wake up. For most SMBs this is far cheaper than the standalone enterprise route, because it’s priced per seat and bundled into a managed service rather than sold as a £2k+/month product.
What “24/7 response” really means
It’s easy to treat “24/7” as a marketing line. It isn’t. Most serious intrusions begin outside office hours precisely because attackers know nobody is at the desk. Real 24/7 response means:
- Continuous monitoring — the SOC is staffed overnight, at weekends and on bank holidays, not just on call.
- Authorised action — the SOC can contain a threat itself, rather than emailing you and hoping you read it.
- A measured response time — detection and containment held to an SLA, not a best-effort promise.
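The three points above are measurable, and a buyer can ask a provider for exactly these numbers. The script below is an added illustration, not code from the page or from any provider: it takes a constructed queue of alerts, measures time to acknowledge and time to contain against assumed SLA targets (15 minutes to triage, 60 minutes to contain) and assumed business hours, and flags the alert nobody ever looked at, which is the EDR-only failure described earlier.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLA targets for this illustration; a real MDR contract sets its own.
ACK_SLA = timedelta(minutes=15)
CONTAIN_SLA = timedelta(minutes=60)

# Assumed office hours (Mon-Fri 09:00-17:30) used to label out-of-hours alerts.
BUSINESS_START = 9 * 60
BUSINESS_END = 17 * 60 + 30


@dataclass
class Alert:
    alert_id: str
    host: str
    detected: datetime
    acknowledged: Optional[datetime] = None   # first time an analyst triaged it
    contained: Optional[datetime] = None      # when the response action completed
    action: Optional[str] = None              # e.g. "isolate host", "disable account"


def out_of_hours(ts: datetime) -> bool:
    """True if the alert landed at a weekend or outside the assumed office hours."""
    minutes = ts.hour * 60 + ts.minute
    return ts.weekday() >= 5 or minutes < BUSINESS_START or minutes >= BUSINESS_END


def assess(alert: Alert, now: datetime) -> dict:
    """Measure one alert against the SLA targets.

    An alert with no acknowledgement is the 'louder alarm' case: it is reported
    as untriaged and its age is measured against `now`, so it never silently
    drops out of the figures.
    """
    result = {
        "alert_id": alert.alert_id,
        "out_of_hours": out_of_hours(alert.detected),
        "untriaged": alert.acknowledged is None,
        "ack_minutes": None,
        "contain_minutes": None,
        "ack_sla_met": False,
        "contain_sla_met": False,
    }
    if alert.acknowledged is None:
        result["open_minutes"] = (now - alert.detected).total_seconds() / 60
        return result
    ack = alert.acknowledged - alert.detected
    result["ack_minutes"] = ack.total_seconds() / 60
    result["ack_sla_met"] = ack <= ACK_SLA
    if alert.contained is not None:
        contain = alert.contained - alert.detected
        result["contain_minutes"] = contain.total_seconds() / 60
        result["contain_sla_met"] = contain <= CONTAIN_SLA
    return result


def sla_report(alerts, now: datetime) -> dict:
    """Summarise a batch of alerts: how many were untriaged, out of hours, within SLA."""
    rows = [assess(a, now) for a in alerts]
    triaged = [r for r in rows if not r["untriaged"]]
    return {
        "total": len(rows),
        "untriaged": sum(r["untriaged"] for r in rows),
        "out_of_hours": sum(r["out_of_hours"] for r in rows),
        "ack_sla_met": sum(r["ack_sla_met"] for r in triaged),
        "contain_sla_met": sum(r["contain_sla_met"] for r in triaged),
        "rows": rows,
    }


# Constructed sample data: one weekend alert handled within SLA, one weekday
# alert triaged late, and one Friday-night alert that nobody ever acknowledged.
SAMPLE_ALERTS = [
    Alert("A1", "laptop-07", datetime(2024, 3, 9, 3, 12),
          acknowledged=datetime(2024, 3, 9, 3, 20),
          contained=datetime(2024, 3, 9, 3, 41), action="isolate host"),
    Alert("A2", "fileserver-01", datetime(2024, 3, 11, 10, 5),
          acknowledged=datetime(2024, 3, 11, 10, 40),
          contained=datetime(2024, 3, 11, 11, 0), action="kill process"),
    Alert("A3", "desktop-22", datetime(2024, 3, 8, 22, 47)),
]
NOW = datetime(2024, 3, 11, 9, 0)  # Monday morning, when someone finally looks

if __name__ == "__main__":
    report = sla_report(SAMPLE_ALERTS, NOW)
    for row in report["rows"]:
        print(row)
    print({k: v for k, v in report.items() if k != "rows"})
```

Run as-is, the summary shows three alerts, two of which landed out of hours, one still untriaged after a whole weekend, and only one of the two triaged alerts acknowledged inside the 15-minute target. Those are the figures to ask for when "24/7 response" is on the table: untriaged count, out-of-hours share, and SLA attainment for acknowledgement and containment.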
Identity attacks deserve the same coverage. If you live in Microsoft 365, our Microsoft 365 MDR extends that watch to your tenant and sign-ins, not just your endpoints.
Questions we get asked.
What is MDR in simple terms?
MDR — managed detection and response — combines security technology (EDR and other telemetry) with a 24/7 human team (a SOC) that watches it, triages every alert and responds on your behalf. You get the technology and the people who operate it as one outcome, rather than buying tools and then having to staff them.
What’s the difference between MDR and EDR?
EDR is the technology that runs on each device and detects malicious behaviour. MDR is EDR plus a 24/7 SOC that monitors those detections and responds. EDR on its own raises alerts; without anyone watching, an alert at 3am is just a blinking light. MDR is the alarm plus the people who answer it.
What’s the difference between MDR and a SOC?
A SOC is the team and tooling that monitor and respond to threats. MDR is the packaged service that gives you SOC capability without building one yourself — for most SMBs, bundled into a managed service at per-seat pricing rather than bought as a standalone enterprise product.
Do small businesses need MDR or is EDR enough?
For most SMBs, EDR alone isn’t enough, because nobody is watching it overnight or at weekends — exactly when attacks tend to land. MDR closes that gap with 24/7 monitoring and response. Unless you can staff round-the-clock security yourself, MDR is the model that delivers protection rather than just alerts.
See our SOC at work.
Book 30 minutes. We’ll walk you through a live detection, the exact steps our SOC takes, and tell you honestly whether your current setup has a response gap worth closing.