website.documents.preview·MDR / Managed SOC Buyer's Guide

website.documents.printTip

Confidential · For external distributionorizon.one

Buyer's Guide · 2026 Edition

Managed Detection & Response Buyer's Guide

A practical evaluation guide for organisations buying Managed Detection and Response (MDR) and managed SOC services in Europe — capabilities, coverage, pricing models and red flags, distilled from real-world buyer experience.

For CISOs, IT Directors & Procurement

Publication

April 2026

Audience

CISOs, IT Directors, Procurement

Version

1.0

Pages

01 · Overview

Executive Summary

Managed Detection and Response (MDR) is now the dominant model for security operations among mid-market and enterprise organisations in Europe. Building an in-house 24/7 SOC requires 8-12 analysts, three shift rotations, dedicated tooling and a permanent training budget. For most organisations under 5,000 employees, MDR is structurally cheaper, faster to deploy and more effective. This guide is the buyer-side companion to the procurement decision: capabilities, coverage requirements, pricing models, evaluation criteria and red flags.

24/7

Coverage

24/7/365 with no off-hours fallback

< 15m

Median MTTD

Time to detect a confirmed incident

< 1h

Median MTTR

Time to respond and contain

100%

EU analysts

Required for sovereignty + GDPR alignment

Key takeaways

MDR is fundamentally different from MSSP and SIEM-only services. The acronyms matter — confusing them in procurement leads to mismatched expectations and bad outcomes.
European buyers should require EU-resident SOC analysts and EU-only data residency. This simplifies GDPR Article 28 compliance and aligns with NIS2 and DORA expectations.
The most important MDR capability is response — not just detection. A vendor that surfaces alerts but cannot contain them is selling a different product.
Pricing models vary widely. The two most common are per-asset (per endpoint or per server) and per-employee. Both have failure modes — understand them before signing.
Vendor MTTD and MTTR claims are marketing until proven during a proof-of-concept. Insist on a paid POC with real incidents before committing.

Who should read this

CISOs and IT directors evaluating MDR vendors for the first time or refreshing existing contracts.
Procurement officers running MDR/SOC tenders.
Compliance officers driving NIS2 Article 21(2) incident handling and DORA Pillar 2 requirements.
Boards reviewing the build-vs-buy decision for the security operations function.

02 · MDR vs alternatives

MDR vs MSSP vs SIEM-only

The terms MDR, MSSP and SIEM are frequently confused — by vendors as much as by buyers. The differences are substantive and matter for procurement. The table below summarises what each delivers and what it does not.

Capability	MDR	MSSP	SIEM-only
24/7 monitoring	Yes (managed)	Yes (managed)	No (you operate)
Threat hunting	Proactive	Limited	No
Active response & containment	Yes	Limited (escalate to customer)	No
Tooling provided	Yes (vendor stack)	Customer or vendor	Customer (SIEM only)
Detection engineering	Continuous	Limited	You write the rules
Pricing model	Per asset / per employee	Per device / hour	Per ingestion / GB

Bottom line

If you do not have an in-house SOC team and you cannot operate a SIEM yourself, MDR is the only model that delivers actual outcomes. MSSP gives you alerts you have to triage. SIEM gives you a tool you have to operate. MDR gives you a service that detects, investigates and responds.

03 · 6 capabilities

The Six Capabilities to Evaluate

Vendors describe their capabilities differently but the underlying functions are the same. The six capabilities below are the minimum any MDR vendor must deliver. Anything missing is a disqualifier.

Continuous monitoring

24/7/365 monitoring of all in-scope sources — endpoints, network, cloud, identity, email — with no off-hours degradation. Verify staff coverage including weekends and public holidays.

Detection engineering

Continuously updated detection rules covering current TTPs. Rules should be mapped to MITRE ATT&CK and customisable to the customer's environment. Detection-as-code is a strong indicator of maturity.

Threat hunting

Proactive hunting for indicators of compromise that automated detection misses. Hunting cadence, methodology and reporting should be in the contract.

Investigation & triage

Human analysts investigating each alert before customer notification. False-positive rate and median time to triage should be measurable and reported monthly.

Active response

The vendor's ability to actually contain a confirmed incident — not just notify the customer. Containment options should be defined in the contract: kill process, isolate host, block IP, disable account, revoke session.

Reporting & metrics

Monthly metrics on alerts triaged, incidents confirmed, MTTD, MTTR, hunting findings and posture changes. Quarterly business reviews with actionable recommendations.

04 · MITRE coverage

MITRE ATT&CK Coverage

The MITRE ATT&CK framework is the industry standard for describing adversary behaviour. A serious MDR vendor maps its detection rules to ATT&CK and reports coverage by tactic. The bars below show typical coverage by tactic — anything below 70% on a critical tactic should raise questions.

Initial Access

92%

Phishing, exploit, valid accounts

Execution

88%

Command and scripting interpreters

Persistence

85%

Boot/logon autostart, scheduled tasks

Credential Access

78%

OS credential dumping, brute force

Lateral Movement

82%

Remote services, internal spear phishing

Exfiltration

70%

Exfiltration over web service, encrypted channels

Impact

88%

Data encryption (ransomware), inhibit recovery

Note that 100% coverage is impossible — and vendors who claim it are lying. The MITRE ATT&CK matrix has hundreds of techniques and dozens of sub-techniques. What matters is coverage of the techniques attackers actually use against your sector. Insist on coverage reports filtered by sector, not absolute counts.

05 · Pricing models

Pricing Models

MDR pricing is moving from per-device to per-employee and per-asset models. The donut below shows how a typical MDR budget breaks down. The two most common pricing models are described after — pick the one that matches your asset profile.

Service & analysts50%

Detection tooling20%

Threat intelligence12%

Hunting & engineering10%

Reporting & QBR8%

Per-asset (endpoint or server)

Most common model. Predictable and scales with your environment. Failure mode: cost explosion when you add a large number of cloud workloads or ephemeral containers.

Per-employee (subscription)

Increasingly popular for cloud-first organisations. Predictable independent of asset count. Failure mode: vendor incentives misaligned if your asset density per employee is unusually high.

Hybrid

Per-employee base + per-asset overage above a threshold. Most flexible. Failure mode: overage surprises if you do not monitor consumption.

06 · Red flags

Vendor Red Flags

Some vendor behaviours are immediate disqualifiers. The list below is the consensus from European MDR procurement teams. Any one of these is reason enough to remove a vendor from the shortlist regardless of price or marketing.

SOC analysts based outside the EU. For European customers this is a NIS2 third-party risk and a GDPR Chapter V transfer issue.
No paid proof-of-concept offered. Vendors that refuse a POC are hiding something.
"24/7" coverage that is actually "business hours + on-call escalation". Verify the staffing model.
Detection rules described in marketing terms only. Mature vendors can show their rule library and the MITRE mapping.
Active response limited to "alert and escalate to customer". That is not response — it is notification.
No customer references at your scale and sector. The vendor may be experienced — but not in environments like yours.
Contract terms that lock you in for three years with no exit clause. The vendor knows the relationship will sour and is protecting itself.
No metrics commitments in the SLA. MTTD and MTTR should be contractual, with credit clauses for missing them.
Threat intelligence claimed but never demonstrated. Ask for samples of intelligence reports — generic vendors regurgitate public feeds.
No clear Rules of Engagement for active response. Every MDR contract should specify what the vendor can and cannot do automatically vs. with customer approval.

07 · Why Oversight

Why Orizon Oversight

Oversight is Orizon's managed SOC and MDR offering. It is built around the European-buyer requirements in this document — EU-resident analysts, EU-only data residency, NIS2-aligned reporting, and active response that actually contains incidents instead of just notifying you about them.

EU-resident SOC

All Oversight analysts are EU-resident and operate from EU jurisdictions. No cross-border data exposure. NIS2 and GDPR third-party risk reduced to zero on this dimension.

Active response, contractual

Containment actions defined in the engagement Rules of Engagement and executed by analysts with no customer round-trip required. MTTR measured in minutes for known patterns.

NIS2 + DORA alignment

Monthly reports formatted for NIS2 Article 21 evidence and DORA Pillar 2 incident management. The supervisor reads the same report as the customer.

Detection-as-code

Rules versioned in git. Customer-specific tuning is auditable. The detection library is not a black box.

07 · Why Oversight

Next steps

Book a no-commitment Oversight scoping call to understand fit for your environment.
Request an Oversight POC — a real two-week trial with active monitoring of a defined scope.
Get a sample monthly Oversight report so you can compare reporting quality against other vendors.

Get in touch

Contact: [email protected] · orizon.one/oversight · EU sovereign infrastructure.