MDR | Managed Detection & Response – Managed Threat Detection and Response

MDR (Managed Detection & Response) is an advanced cybersecurity service that combines modern technologies with security experts to provide continuous protection against cyberattacks. By combining analytical tools and expert knowledge, MDR enables real-time detection and response to threats. This solution is ideal for companies looking to strengthen their security but lacking the internal resources or expertise to manage cybersecurity on their own.

MDR (Managed Detection and Response) — 24/7 monitoring and incident response for organisations that cannot afford an in-house SOC

A ransomware attack does not wait for business hours. According to Verizon DBIR and ENISA reports, most serious incidents — payload execution, privilege escalation, data exfiltration — happen outside the IT team’s working hours: at night, on weekends, during public holidays. An EDR platform generates alerts, but someone must read them, assess them and make a decision — in minutes, not hours. Managed Detection and Response (MDR) solves exactly that problem: an external SOC analyst team monitors your infrastructure 24 hours a day, 7 days a week, takes initial response actions and escalates incidents to your team with a concrete recommendation — not just a raw alert list.

Virtline delivers MDR in three variants: Co-Managed SOC (your EDR/SIEM console, our on-call duty and analysis), Full Managed SOC (the entire stack on our side) and a hybrid with vendor-managed platforms (WithSecure Co-Monitoring/MDR, ThreatDown MDR, Sophos MDR, ESET MDR). Every variant includes: 24/7 alert monitoring, classification and triage, initial response actions within agreed playbooks (endpoint isolation, account block, IP block), notifications via agreed channels (phone, e-mail, MS Teams, ServiceNow), quarterly management reports and an audit trail meeting NIS2, ISO 27001 and DORA requirements.

What does the MDR service at Virtline include?

MDR is not merely “someone reads alerts instead of us.” We operate in a model where every element has a specific responsible role and clients receive measurable effectiveness indicators:

  • 24/7/365 monitoring — SOC analyst on duty without interruption, including nights, weekends and public holidays; no need to build an internal shift team.
  • Alert triage and analysis — event classification by criticality, SIEM correlation, noise reduction (typically from hundreds of daily alerts down to a handful requiring attention).
  • Initial response actions — isolation of an infected endpoint, blocking a privileged account, IP block on the firewall, file quarantine — executed within the agreed SLA without waiting for client approval.
  • Threat hunting — proactive search for attack symptoms in telemetry (beyond engine alerts), using Threat Intelligence and IoC indicators to surface hidden threats before they escalate.
  • English-language communication — direct phone or Teams contact with the analyst, documentation and reporting in English — no translation bottleneck with a foreign call centre.
  • Audit reporting — monthly and quarterly management reports, incident documentation as evidence of compliance with NIS2 Art. 21, ISO 27001 A.5.24–A.5.26, DORA Art. 17–23.



MDR variants — Co-Managed, Full Managed and vendor hybrid

There is no single universal MDR model. The choice depends on your IT team’s maturity, the tools you already have, and how much responsibility you want to transfer outside the organisation. The models we most commonly recommend:

  • Co-Managed SOC (Co-Monitoring) — the client retains their own EDR/SIEM console (Defender for Endpoint, WithSecure Elements, Wazuh), Virtline provides on-call analyst duty, triage and recommendations. Most common choice for clients with an existing toolstack.
  • Full Managed SOC — the entire stack on Virtline’s side: EDR agent, SIEM, SOAR, on-call duty, reporting and compliance. The client receives a ready-made service with a monthly per-endpoint fee, zero CAPEX outlay.
  • WithSecure Elements MDR + Co-Monitoring — vendor-managed service based on the WithSecure Elements EDR agent, supplemented by our initial EN-language contact and response process.
  • ThreatDown MDR by Malwarebytes — 24/7/365 managed service with strong behavioural detection, with a Managed Threat Hunting option in the premium tier.
  • ESET MDR / Sophos MDR — options for clients already using ESET PROTECT or Sophos Intercept X platforms; integration with the existing fleet without replacing the agent.
  • Integration with SOC (SIEM+SOAR) — in the Full Managed variant all events flow into our SIEM, and SOAR automates repetitive responses (endpoint isolation, IP block, account block).


How we deploy MDR in your organisation — 4 stages

Launching MDR is not just about connecting an agent to a console. Without a response process, escalation contacts and playbooks, the service is reduced to “sending an alert e-mail.” We work in a framework where every change in the client’s environment is documented, and from day one the client knows who, when, and what will happen in the event of an incident.

1. Onboarding and environment mapping — endpoint inventory, identification of critical systems (DC, ERP, databases, OT), collection of escalation contacts, agreement on client team working hours and maintenance windows.

2. Technology deployment — EDR agent installation (or integration of existing platform), connection of log sources to SIEM (firewall, AD, M365, helpdesk), correlation rule calibration, end-to-end alert testing.

3. Playbooks and SLA — development of response playbooks for typical scenarios (ransomware, phishing-as-initial-access, lateral movement, exfiltration), agreement on detection SLA (MTTD) and response SLA (MTTR), decision matrix (what we do autonomously, what requires client approval).

4. Go-live and first exercise — production launch, controlled purple-team exercise in the first month (verifying that alerts actually reach on-call and are handled correctly), first management report after 30 days.


MDR in NIS2, ISO 27001 and DORA requirements

Three key regulations affecting the European market require organisations not only to deploy detection tools, but also to have an incident handling process — with specific requirements for notification timing, documentation and reporting. MDR is the practical way to meet these requirements without building an in-house SOC.

  • NIS2 Art. 21(2)(b) — incident handling. Requires measures ensuring detection, analysis and response to incidents. MDR delivers the full set of operational capabilities: detection, classification and first-level response.
  • NIS2 Art. 23 — incident reporting obligation. Early warning of a significant incident within 24 hours, full report within 72 hours. MDR generates a documented incident timeline that forms the basis for these notifications.
  • ISO/IEC 27001:2022 A.5.24 — incident management planning. Requires defined roles, procedures and communication channels — MDR delivers this operationally through documented playbooks.
  • ISO/IEC 27001:2022 A.5.25–A.5.27 — assessment, response and lessons learned. MDR’s cyclical reporting (monthly, quarterly) fulfils the entire Deming cycle from detection through to lessons learned.
  • DORA Art. 17–23 — ICT incident management and reporting. Financial entities must classify, report and analyse incidents; MDR delivers documented artefacts in a format consistent with EBA/ESMA/EIOPA requirements.
  • KSB 3.15 — monitoring and incident handling. The National Cybersecurity Standard requires continuous monitoring and incident management — MDR is the most straightforward way for smaller public entities without their own SOC to satisfy this requirement.

Frequently asked questions about MDR

How does MDR differ from EDR?

EDR (Endpoint Detection and Response) is a technology platform — an agent on endpoints, a management console, a detection engine. MDR (Managed Detection and Response) is a managed service built on such a platform, in which a team of external analysts takes over alert handling, response decisions and client communication. In short: EDR sees, MDR sees and responds — 24 hours a day.

What response SLA do you offer?

SLA is tailored to the criticality of the environment and the chosen service variant. Standard SLA: detection (MTTD) ≤ 15 minutes for high-priority events (critical EDR/SIEM alerts), initial response (MTTR) ≤ 30 minutes (endpoint isolation, account block), full incident analysis with recommendations ≤ 4 hours. Enterprise variants can have shorter SLAs. All metrics are measured and reported.

Does MDR replace an internal security team?

It does not replace — it complements. MDR takes over 24/7 monitoring, alert triage and initial response actions, i.e. tasks that require shift duty and that small internal teams struggle to sustain. Strategic decisions (risk acceptance, security policy, technology selection) remain with the client. In the Co-Managed model we participate jointly in quarterly reviews and update playbooks together.

How much does MDR cost and what is the billing model?

The standard model is a monthly per-endpoint fee (or per-event/log in SIEM-only variants). Cost depends on the number of endpoints, chosen technology stack, variant (Co-Managed vs Full Managed) and SLA. For SMEs pricing starts from a modest per-endpoint monthly fee in the Co-Managed variant up to a higher per-endpoint charge in Full Managed enterprise. We prepare a quote after a brief discovery call — contact us.

What happens during a real incident?

The on-call analyst receives the alert, verifies whether it is a true positive (typically within 5–10 minutes), executes initial response actions per the playbook (endpoint isolation, account block) and contacts the escalation contact at the client (phone, e-mail, Teams). The client receives a live incident timeline, a recommendation for further actions and — after the incident is closed — a post-incident report with findings and proposed changes to prevent recurrence.
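The two answers above (the SLA figures and the incident flow) and the decision matrix from deployment stage 3 describe one measurable process: an alert timestamp, a triage verdict, containment actions that either run autonomously or wait for client approval, and elapsed times checked against SLA. The script below is an added illustration of that bookkeeping, not Virtline’s tooling. The SLA thresholds are the ones quoted on this page; the event timestamps, alert texts, incident ids and the split of actions into autonomous versus approval-required are constructed for the example and are not Virtline’s actual policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# SLA thresholds quoted on the page; the milestone definitions are this example's assumption.
SLA = {
    "detect": timedelta(minutes=15),   # alert raised -> analyst true-positive verdict
    "respond": timedelta(minutes=30),  # alert raised -> first containment action executed
    "analyse": timedelta(hours=4),     # alert raised -> full analysis with recommendations
}

# Decision matrix (constructed example, not Virtline's real matrix): what the on-call
# analyst may execute at once versus what waits for the client's escalation contact.
AUTONOMOUS = {"isolate_endpoint", "block_account", "block_ip", "quarantine_file"}
NEEDS_APPROVAL = {"shutdown_host", "reset_all_credentials"}


@dataclass
class Event:
    at: datetime
    kind: str      # alert, triage, action, notify, approval_requested, approval, analysis
    detail: str


@dataclass
class Incident:
    incident_id: str
    priority: str
    events: list = field(default_factory=list)
    pending: list = field(default_factory=list)   # actions awaiting client approval

    def record(self, at, kind, detail):
        self.events.append(Event(at, kind, detail))

    def request_action(self, at, action):
        """Apply the decision matrix to a playbook action; only executed actions count for SLA."""
        if action in AUTONOMOUS:
            self.record(at, "action", action)
            return "executed"
        if action in NEEDS_APPROVAL:
            self.pending.append(action)
            self.record(at, "approval_requested", action)
            return "pending_approval"
        raise ValueError(f"action not in playbook: {action}")

    def approve(self, at, action, approver):
        """Client approval turns a pending request into an executed action."""
        if action not in self.pending:
            raise ValueError(f"no pending approval for {action}")
        self.pending.remove(action)
        self.record(at, "approval", f"{action} approved by {approver}")
        self.record(at, "action", action)
        return "executed"

    def _first(self, kind):
        hits = sorted((e.at for e in self.events if e.kind == kind))
        return hits[0] if hits else None

    def metrics(self):
        """Elapsed time from the triggering alert to each SLA milestone (None if not reached)."""
        t0 = self._first("alert")
        milestones = (("detect", "triage"), ("respond", "action"), ("analyse", "analysis"))
        return {name: (None if self._first(kind) is None else self._first(kind) - t0)
                for name, kind in milestones}

    def sla_status(self):
        """True when the milestone was reached within SLA; False if breached or still open."""
        return {name: (elapsed is not None and elapsed <= SLA[name])
                for name, elapsed in self.metrics().items()}

    def timeline(self):
        """Audit-trail lines in chronological order, as handed to the client."""
        return [f"{e.at:%Y-%m-%d %H:%M} {e.kind:<18} {e.detail}"
                for e in sorted(self.events, key=lambda e: e.at)]


def build_sample_incident():
    """Constructed night-time incident in which every SLA milestone is met."""
    t = datetime(2025, 3, 8, 2, 13)
    inc = Incident("INC-EXAMPLE-0001", "high")
    inc.record(t, "alert", "EDR: mass file encryption on WS-042 (constructed)")
    inc.record(t + timedelta(minutes=8), "triage", "true positive confirmed by on-call analyst")
    inc.request_action(t + timedelta(minutes=11), "isolate_endpoint")
    inc.request_action(t + timedelta(minutes=12), "block_account")
    inc.record(t + timedelta(minutes=14), "notify", "escalation contact phoned")
    inc.request_action(t + timedelta(minutes=20), "shutdown_host")      # waits for the client
    inc.approve(t + timedelta(minutes=35), "shutdown_host", "client IT lead")
    inc.record(t + timedelta(hours=3, minutes=20), "analysis", "root cause and recommendations delivered")
    return inc


def build_breached_incident():
    """Constructed case: slow triage and an approval-only action that never ran."""
    t = datetime(2025, 3, 9, 23, 5)
    inc = Incident("INC-EXAMPLE-0002", "high")
    inc.record(t, "alert", "SIEM: successful login after brute force on VPN gateway (constructed)")
    inc.record(t + timedelta(minutes=22), "triage", "true positive confirmed")
    inc.request_action(t + timedelta(minutes=25), "reset_all_credentials")
    return inc


if __name__ == "__main__":
    for inc in (build_sample_incident(), build_breached_incident()):
        print("\n".join(inc.timeline()))
        print(inc.incident_id, inc.sla_status(), "pending:", inc.pending)
```

The second constructed incident is the case a quarterly report has to surface: triage took 22 minutes against a 15-minute SLA, and because the only requested action needs client approval, no containment was executed at all, so the response milestone stays open rather than silently counting the request as a response.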

Can I terminate MDR if I build my own SOC?

Yes. The MDR agreement includes exit clauses with 30 days’ notice and a transition plan — we hand over complete documentation of playbooks, SIEM correlation policies and historical metrics. Some clients use MDR as a bridge for 12–24 months while building an internal team; for others MDR is the long-term operational model.


Who is MDR for?

We most commonly work with organisations for which building an in-house SOC is economically unjustified, yet the risk of a cyber incident is real and mandated by regulation. Typical clients:

  • essential and important entities covered by NIS2, without the budget to maintain a 24/7 in-house SOC team
  • financial institutions implementing DORA with ICT incident reporting requirements
  • manufacturing and logistics companies with OT/IT infrastructure where downtime means direct financial loss
  • local government units, hospitals and public entities subject to national cybersecurity standards
  • law firms, accounting offices and healthcare providers with obligations to protect sensitive data
  • organisations post-ransomware incident where MDR is part of the recovery and monitoring plan
  • organisations implementing ISO 27001, ISO 27017, TISAX with formal incident handling process requirements
  • technology companies with distributed teams (remote work, hubs in multiple countries) where 24/7 internal coverage is physically unfeasible

Why choose Virtline for MDR

Virtline has been launching and maintaining managed cybersecurity services for many years — in both Co-Managed and Full Managed models. We hold the ISO/IEC 27001:2023 certificate issued by TÜV NORD, an English-capable analyst team, 24/7/365 on-call duty and partnerships with leading EDR/MDR platform vendors (WithSecure, ThreatDown, ESET, Sophos, Microsoft). Unlike many foreign MDR providers, we understand the regulatory specificities of the European market (NIS2, DORA, GDPR) and provide direct escalation contact without language barriers.

Key benefits of MDR with Virtline:

  • ISO/IEC 27001:2023 certificate issued by TÜV NORD — we work from the perspective of an audited organisation
  • English-capable analyst team, direct communication, 24/7/365 on-call duty
  • Three variants: Co-Managed, Full Managed, vendor platform hybrid
  • Partnerships with WithSecure, ThreatDown by Malwarebytes, ESET, Sophos, Microsoft
  • Detection SLA ≤ 15 min and initial response SLA ≤ 30 min for high-priority events
  • Mapped to NIS2 Art. 21+23, ISO 27001 A.5.24–A.5.27, DORA Art. 17–23, KSB 3.15
  • Quarterly management reports + audit documentation of incidents
  • Exit clauses with 30 days’ notice and a full transition plan


Contact us to match the MDR model (Co-Managed, Full Managed or hybrid) to the scale of your organisation, team maturity and regulatory requirements — with concrete SLA, playbooks and direct English-language analyst communication.

Sleep soundly when the attack comes at night — launch MDR with Virtline’s 24/7 SOC analyst duty.


 ISO/IEC 27001:2023 Certification

Virtline certified by TÜV NORD

Virtline holds the PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029. The MDR service is covered by our information security management system and is subject to annual supervisory audits.

Talk to a Virtline expert

We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.