TechCare Canada's MDR service gives your business a 24/7 team of security analysts who deploy EDR/XDR sensors across your environment, proactively hunt for attackers, validate every alert, and take real containment action on confirmed threats — backed by a contractual response SLA. Pricing starts at CA$850/month for organizations under 25 users and scales by endpoint and response depth. Onboarding runs 2–6 weeks. If you want the plain-English background on what MDR is and how it differs from a SOC or MSSP first, read our What is MDR? guide; this page is for buying the service and seeing CA$ pricing.
What TechCare Canada's MDR service actually delivers
Managed Detection and Response (MDR) is a fully managed security service: we provide the technology, the 24/7 analyst team, the threat intelligence, and the response playbooks so your business does not have to build a security operations function in-house. Where a tool merely generates alerts, MDR delivers a decision and an action for every confirmed threat. That distinction — analyst-driven response, not just detection — is the entire value of the service.
Concretely, an MDR engagement with TechCare Canada includes seven capabilities working together, continuously:
1. EDR/XDR sensor deployment. We deploy an endpoint detection and response agent on every workstation, laptop, and server, and extend it into an XDR (Extended Detection and Response) layer that correlates endpoint signals with Microsoft 365, identity (Entra ID / Active Directory), firewall, and cloud telemetry. This is the raw signal our analysts work from.
2. 24/7/365 monitoring by security analysts. A staffed security operations team watches your environment every hour of every day, including statutory holidays and overnight windows when most Canadian attacks actually land. There is no "we will look at it Monday."
3. Proactive threat hunting. Senior analysts do not wait for the platform to fire an alert. They form hypotheses from live threat intelligence and the MITRE ATT&CK framework, then hunt through your telemetry for attackers who have slipped past automated detection.
4. Alert triage and validation. A modern endpoint platform can generate hundreds of signals a day, the vast majority benign. Our analysts validate each high-severity alert, eliminating the 95%+ false-positive noise that overwhelms internal teams, so you only hear about real threats.
5. Analyst-led containment. When a threat is confirmed, our analysts take pre-authorized action — isolating an endpoint from the network, locking a compromised account, killing a malicious process, blocking attacker infrastructure — within the contracted SLA window. This is the "response" in MDR.
6. Incident reporting and remediation guidance. Every confirmed incident produces a structured report: what happened, what was accessed, what we contained, and the validated remediation steps your IT contact should take next, mapped to MITRE ATT&CK.
7. Compliance and audit reporting. Monthly reports document coverage, alert volumes, incidents, and MTTD/MTTR performance — the evidence package you need for cyber insurance renewal, SOC 2, and PIPEDA / Quebec Law 25 breach documentation.
If any of these acronyms are unfamiliar, our standalone What is MDR? explainer breaks down the concepts without sales language. The rest of this page assumes you understand the model and want the service specifics, the stack, and the price.
24/7 detection: why the overnight window is where breaches happen
The single most important thing MDR buys you is continuous human coverage during the hours your business is dark. The Canadian Centre for Cyber Security (CCCS), operating under the Communications Security Establishment at cyber.gc.ca, has repeatedly noted that ransomware operators deliberately time detonation for evenings, weekends, and holidays to maximize dwell time before anyone responds. A breach that begins Friday at 11 p.m. has the entire weekend to encrypt file shares, exfiltrate data, and destroy backups if no one is watching until Monday.
TechCare Canada's MDR detection layer runs against a live stream of telemetry from your environment — typically 500,000 to 2,000,000 log events per day for a 50-user business. Automated correlation rules mapped to MITRE ATT&CK techniques and machine-learning anomaly detection surface candidate threats in real time; an analyst is on shift to triage every high-severity candidate the moment it appears. Detection without staffed response is theatre. A SIEM or EDR console lighting up at 3 a.m. with no one to act on it is exactly the false sense of security that gets organizations breached.
What "24/7 detection" specifically means in our service: a security analyst is on shift and accountable for your alert queue every minute of the year; high-severity alerts are triaged within the contracted MTTD window regardless of the hour; and the analyst can take containment action immediately under your pre-authorization profile without waiting for business hours. That is the difference between MDR and a monitoring product that simply emails you a notification you will read after the damage is done.
Proactive threat hunting, not just alert-watching
The feature that most clearly separates genuine MDR from rebranded antivirus or basic monitoring is proactive threat hunting. Automated detection is reactive by nature — it can only catch what its rules and models already know to look for. Sophisticated intrusions are specifically designed to evade those known signatures: living-off-the-land techniques that abuse legitimate Windows tools, slow credential harvesting, and patient lateral movement that never trips a single high-severity rule.
Threat hunting flips the model. Rather than waiting for an alert, our senior (Tier 3) analysts form a hypothesis — for example, "an attacker who gained initial access via a phishing email would attempt credential dumping with a tool like Mimikatz, then move laterally over SMB" — and proactively query your EDR/XDR telemetry for the faint indicators of that technique across the past hours or days. When a hunt surfaces something, it becomes an investigation; when it comes up clean, it still strengthens the detection rules.
For Canadian SMBs this matters because the most damaging incidents are rarely the noisy ones. They are the quiet, weeks-long intrusions where an attacker establishes persistence, studies the environment, locates the backups, and only then detonates ransomware or executes a wire-fraud scheme. Hunting is how those low-and-slow intrusions get caught before the payoff. TechCare Canada includes structured threat hunting on every MDR tier above Essential, with hunt frequency and depth increasing as you move up the tiers described in the pricing section below.
Response SLAs: what we commit to in writing
Marketing brochures are full of impressive-sounding response numbers. What matters is which of those numbers are contractually enforceable with a remedy when missed. TechCare Canada defines response performance in the service agreement, not the sales deck. The table below shows our committed SLA targets by alert severity.
| Severity | Example | MTTD target | MTTR target (triage + containment) |
|---|---|---|---|
| Critical | Active ransomware, confirmed data exfiltration | < 10 min | < 20 min |
| High | Anomalous M365 login, credential dumping | < 15 min | < 30 min |
| Medium | Suspicious process, policy violation | < 60 min | < 4 hours |
| Low / informational | Single failed login, benign anomaly | Next report cycle | Documented, batched |
Two definitions are critical when comparing any MDR provider's SLA, including ours. First, mean time to detect (MTTD) is the elapsed time from the malicious event occurring to an analyst confirming it warrants action — not the time for a tool to merely log it. Second, and most important, mean time to respond (MTTR) must include an actual containment action — endpoint isolation, account lockout, process termination — and not merely "we sent you an email." TechCare Canada's MTTR targets are measured to first containment action for Critical and High severities, under a pre-authorization profile we agree on during onboarding. When we miss a contracted SLA, service credits apply per the agreement. Ask any competing provider to put the same definitions and remedies in writing; many will not.
The EDR / XDR stack behind the service
MDR is only as good as the telemetry it runs on. TechCare Canada deploys a layered detection stack — endpoint at the core, extended outward to identity, email, network, and cloud — so attacks are visible no matter where they start. We are platform-flexible: if you already run a supported EDR, we operate it; if not, we deploy one as part of onboarding.
EDR (Endpoint Detection and Response): The foundation. Agents on every endpoint capture process execution, command lines, network connections, file and registry changes, and memory behaviour — the deep telemetry traditional antivirus never sees. Supported platforms include Microsoft Defender for Endpoint (P2 / E5), CrowdStrike Falcon, SentinelOne Singularity, and Sophos Intercept X. Every endpoint in scope must carry a sensor; a single unmanaged laptop is a blind spot an attacker will find.
XDR (Extended Detection and Response): The correlation layer. XDR ties endpoint signals together with Microsoft 365 audit logs, Entra ID / Active Directory sign-in events, firewall and VPN logs, DNS telemetry, and cloud workload logs (Azure, AWS, GCP). The point of XDR is cross-domain correlation: an isolated "unusual login" and an isolated "new endpoint process" may each look benign, but correlated they reveal an attacker who phished a credential and is now executing on a workstation. That cross-signal story is what XDR — and our analysts reading it — surface.
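The cross-signal story described above, as an added example that is not TechCare Canada's platform code: a small Python correlation that joins constructed Entra ID sign-in events with constructed EDR process events for the same user inside a time window, and ranks the correlated pair above either signal on its own. The user names, hosts, countries, baseline, image list and severity labels are all assumptions made for the example.

```python
"""Cross-domain correlation: unusual sign-in followed by an interesting process
on the same user's workstation. All data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed Entra ID sign-in events
SIGNINS = [
    {"user": "j.tremblay", "ts": "2026-03-06T23:41:00", "country": "CA", "result": "success"},
    {"user": "a.singh", "ts": "2026-03-07T02:10:00", "country": "NG", "result": "success"},
    {"user": "a.singh", "ts": "2026-03-07T02:12:00", "country": "NG", "result": "success"},
    {"user": "m.lee", "ts": "2026-03-07T02:30:00", "country": "CA", "result": "failure"},
]
# Constructed EDR process events
PROCESSES = [
    {"host": "WS-014", "user": "j.tremblay", "ts": "2026-03-06T23:45:00",
     "image": "outlook.exe", "parent": "explorer.exe"},
    {"host": "WS-031", "user": "a.singh", "ts": "2026-03-07T02:27:00",
     "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "WS-031", "user": "a.singh", "ts": "2026-03-07T09:05:00",
     "image": "teams.exe", "parent": "explorer.exe"},
]
# Per-user sign-in countries learned during the tuning phase (constructed)
BASELINE_COUNTRIES = {"j.tremblay": {"CA"}, "a.singh": {"CA"}, "m.lee": {"CA"}}
# Images that are routine on their own but matter right after an odd sign-in
INTERESTING_IMAGES = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}


def parse(ts):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(ts)


def unusual_signins(signins, baseline):
    """Successful sign-ins from a country outside the user's learned baseline."""
    return [s for s in signins
            if s["result"] == "success"
            and s["country"] not in baseline.get(s["user"], set())]


def correlate(signins, processes, baseline, window_minutes=60):
    """Return findings: 'high' when an unusual sign-in is followed within the
    window by an interesting process for the same user, 'medium' for an
    unusual sign-in with nothing correlated. Severity labels are illustrative."""
    window = timedelta(minutes=window_minutes)
    anomalies = {}
    for s in unusual_signins(signins, baseline):
        anomalies.setdefault(s["user"], []).append(s)

    findings, correlated_users = [], set()
    for p in processes:
        if p["image"].lower() not in INTERESTING_IMAGES:
            continue
        pt = parse(p["ts"])
        matches = [s for s in anomalies.get(p["user"], [])
                   if pt - window <= parse(s["ts"]) <= pt]
        if not matches:
            continue
        first = min(matches, key=lambda s: s["ts"])
        correlated_users.add(p["user"])
        findings.append({
            "severity": "high", "user": p["user"], "host": p["host"],
            "rationale": (f"sign-in from {first['country']} at {first['ts']} followed by "
                          f"{p['image']} (parent {p['parent']}) on {p['host']} at {p['ts']}"),
        })
    for user, items in anomalies.items():
        if user not in correlated_users:
            findings.append({
                "severity": "medium", "user": user, "host": None,
                "rationale": f"{len(items)} sign-in(s) outside baseline, no endpoint activity correlated",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNINS, PROCESSES, BASELINE_COUNTRIES):
        print(f["severity"].upper(), f["user"], f["host"], "-", f["rationale"])
```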
Threat intelligence enrichment: Alerts are enriched in real time against intelligence feeds (abuse.ch, VirusTotal, commercial feeds, and CCCS advisories) so analysts instantly know whether a destination IP, domain, or file hash is tied to a known ransomware operation or campaign currently active against Canadian targets. Enrichment is what turns a 20-minute manual lookup into a 20-second triage decision.
SOAR-assisted response: For well-understood, high-confidence detections, automated playbooks (SOAR — Security Orchestration, Automation, and Response) accelerate containment — for example, auto-isolating an endpoint the instant ransomware-encryption behaviour is confirmed — while a human analyst validates and owns the outcome. Automation speeds the response; it does not replace the analyst's judgment.
If your environment leans heavily on Microsoft 365, our Microsoft 365 for business hardening guide pairs naturally with the XDR layer, since the M365 audit and Entra ID signals are among the richest detection sources for the business-email-compromise attacks most common in the Canadian SMB threat landscape.
How a confirmed MDR incident is handled, step by step
- Telemetry ingestion: EDR agents, M365 and Entra ID connectors, and firewall log forwarders continuously stream events to our XDR platform. Detection runs in real time, 24/7.
- Detection or hunt trigger: A correlation rule, ML anomaly model, or proactive hunt surfaces a candidate threat and ranks it by severity and confidence. The candidate lands in the analyst queue immediately.
- Tier 1 triage (within MTTD target): An analyst reviews the alert, enriches it with threat intelligence, examines surrounding events, and decides: close as validated false positive, or escalate to Tier 2 for active response.
- Tier 2 scoping: A senior analyst reconstructs the attack chain — initial access vector, lateral movement, what data was reached, whether the attacker is still active — by querying XDR telemetry across the relevant time window.
- Containment (within MTTR target): Under your pre-authorization profile, the analyst executes containment: endpoint isolation, account lockout in AD / Entra ID, malicious IP and domain blocks at the firewall and email gateway, and active-session termination in Microsoft 365.
- Notification and hand-off: Your designated IT contact receives a plain-English incident summary with evidence, the containment taken, and a prioritized, validated remediation checklist — within the SLA window.
- Post-incident report: For significant incidents, a formal report within 48–72 hours documents the full timeline, MITRE ATT&CK technique mapping, actions taken, and recommendations to prevent recurrence — forming part of your PIPEDA / Law 25 breach documentation.
The pre-authorization profile referenced in step five is the most important thing we configure during onboarding. It defines, in advance, exactly which containment actions our analysts may take without first phoning you at 3 a.m. Isolating a user laptop is almost always safe to pre-authorize; isolating a production server that runs a live application may warrant a 15-minute approval window with an emergency contact. Getting these boundaries right before an incident — never during one — is what lets us hit aggressive MTTR targets without disrupting your business.
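The pipeline and pre-authorization profile above, together with the MTTD/MTTR definitions in the SLA section, as an added example that is not TechCare Canada's own tooling: a Python sketch that encodes a constructed pre-authorization profile, measures a constructed incident timeline the way this page defines the terms (MTTD to analyst confirmation, MTTR to the first containment action, not to the email), and checks the result against the SLA targets from the table. The action names, target kinds, contact placeholder and timestamps are assumptions.

```python
"""Pre-authorization profile and SLA measurement for one incident timeline.
Constructed data for illustration; targets are the ones in the SLA table."""
from datetime import datetime

# SLA targets from the table on this page, in minutes
SLA_MINUTES = {
    "critical": {"mttd": 10, "mttr": 20},
    "high": {"mttd": 15, "mttr": 30},
    "medium": {"mttd": 60, "mttr": 240},
}

# Constructed pre-authorization profile keyed by (action, target kind).
# "auto": analyst acts immediately; "approval": approval window with a named
# contact; anything not listed defaults to manual sign-off.
PREAUTH_PROFILE = {
    ("isolate_endpoint", "workstation"): {"mode": "auto"},
    ("isolate_endpoint", "server"): {"mode": "approval", "window_minutes": 15,
                                     "contact": "EMERGENCY-CONTACT-PLACEHOLDER"},
    ("lock_account", "user"): {"mode": "auto"},
    ("lock_account", "service"): {"mode": "auto"},
    ("block_indicator", "firewall"): {"mode": "auto"},
    ("terminate_sessions", "m365"): {"mode": "auto"},
}


def authorize(action, target_kind, profile=PREAUTH_PROFILE):
    """Return (act_now, note) for a proposed containment action."""
    policy = profile.get((action, target_kind), {"mode": "manual"})
    if policy["mode"] == "auto":
        return True, "pre-authorized"
    if policy["mode"] == "approval":
        return False, f"{policy['window_minutes']}-minute approval window via {policy['contact']}"
    return False, "not pre-authorized: explicit sign-off required"


# Constructed High-severity incident timeline (UTC). Containment entries name
# the action taken so MTTR can be measured to the first one.
INCIDENT = {
    "severity": "high",
    "events": [
        ("2026-03-07T02:27:00", "malicious_event"),
        ("2026-03-07T02:31:00", "alert_logged"),
        ("2026-03-07T02:38:00", "analyst_confirmed"),
        ("2026-03-07T02:44:00", "containment:isolate_endpoint:workstation"),
        ("2026-03-07T02:46:00", "containment:lock_account:user"),
        ("2026-03-07T03:05:00", "notification_sent"),
    ],
}


def measure(incident):
    """Minutes from the malicious event to: the tool logging it, analyst
    confirmation (MTTD), first containment action (MTTR), and notification."""
    marks, first_contain = {}, None
    for ts, kind in incident["events"]:
        when = datetime.fromisoformat(ts)
        if kind.startswith("containment:"):
            first_contain = first_contain or when
        else:
            marks[kind] = when
    origin = marks["malicious_event"]

    def minutes(t):
        return None if t is None else (t - origin).total_seconds() / 60

    return {
        "tool_logged_min": minutes(marks.get("alert_logged")),
        "mttd_min": minutes(marks.get("analyst_confirmed")),
        "mttr_min": minutes(first_contain),
        "notify_min": minutes(marks.get("notification_sent")),
    }


def sla_check(incident, sla=SLA_MINUTES):
    """Compare measured MTTD/MTTR against the contracted targets for the severity.
    An incident with no containment action can never meet MTTR."""
    m = measure(incident)
    target = sla[incident["severity"]]
    m["mttd_met"] = m["mttd_min"] is not None and m["mttd_min"] <= target["mttd"]
    m["mttr_met"] = m["mttr_min"] is not None and m["mttr_min"] <= target["mttr"]
    return m


if __name__ == "__main__":
    for action, kind in [("isolate_endpoint", "workstation"), ("isolate_endpoint", "server")]:
        print(action, kind, authorize(action, kind))
    print(sla_check(INCIDENT))
```

In the constructed timeline the notification lands 38 minutes after the malicious event, so a provider that counted "respond" as notification would report a miss, while containment at 17 minutes is inside the 30-minute High target.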
MDR pricing in Canada (2026, CA$)
TechCare Canada prices MDR transparently by user/endpoint count and response depth. All figures below are in Canadian dollars, before HST/GST, and represent the recurring monthly service fee. One-time onboarding (typically CA$1,500–$6,000 depending on environment size) and any optional incident-response retainer are quoted separately. EDR/XDR endpoint licensing is included in the monthly fee unless you are bringing your own platform, in which case we credit the licensing line.
| Tier | Endpoint / user range | What's included | Price (CAD/month) |
|---|---|---|---|
| MDR Essential | Up to 25 | 24/7 EDR monitoring + M365 detection + alert triage + analyst containment | CA$850 – CA$1,800 |
| MDR Pro | 25 – 75 | Essential + full XDR correlation + monthly threat hunting + network telemetry | CA$1,800 – CA$3,800 |
| MDR Enterprise | 75 – 250 | Pro + weekly threat hunting + cloud (Azure/AWS/GCP) + compliance reporting | CA$3,800 – CA$9,000 |
| Per-endpoint pricing | Any size | 24/7 MDR coverage on a per-endpoint basis (volume-tiered) | CA$12 – CA$28/endpoint |
| Incident response retainer | Any size (add-on) | Guaranteed IR hours, priority breach access, forensic post-incident report | CA$1,200 – CA$4,500 |
| One-time onboarding | Any size | Sensor deployment, log integration, tuning, pre-authorization setup | CA$1,500 – CA$6,000 once |
When you compare our quote against another provider's, normalize on five questions so you are comparing like with like: (1) Is EDR/XDR licensing included or billed separately by the platform vendor? (2) Is "response" defined as analyst containment or notification only? (3) How many incident-response hours are included before professional-services rates apply? (4) Is threat hunting included, and at what frequency? (5) Are compliance reports a deliverable or an upsell? These five variables routinely move an effective monthly cost by 30–60% versus a headline number. TechCare Canada answers all five explicitly in the proposal.
MDR vs EDR-only vs in-house: what you actually get for the money
| Factor | TechCare MDR | EDR-only (DIY) | In-house SOC |
|---|---|---|---|
| Annual cost (25–100 users) | CA$10K – CA$70K | CA$4K – CA$30K (tool only) | CA$500K – CA$900K |
| 24/7 human coverage | Yes — included | No — you watch it | Yes — if fully staffed |
| Proactive threat hunting | Yes (Pro+) | No | Depends on staff skill |
| Containment action | Analyst-led, SLA-bound | Manual / automated only | Analyst-led |
| Time until coverage is live | 2 – 6 weeks | 1 – 2 weeks (but unstaffed) | 9 – 18 months |
| Best fit | SMBs to ~250 staff, no security team | Orgs with internal analysts to run it | Enterprises 500+, regulated, with CISO |
The middle column is the trap most Canadian SMBs fall into: buying a best-in-class EDR platform, deploying it, and assuming they are protected. EDR is a superb tool, but a tool that nobody watches at 2 a.m. and that nobody tunes, hunts with, or responds through is a dashboard, not a defence. MDR is the difference between owning the instrument and having a musician. For a deeper breakdown of the whole managed-security category — SOC, SIEM, MSSP — see our managed security services page; MDR is the response-centric service within that family.
Onboarding: from contract to live 24/7 coverage in 2–6 weeks
MDR onboarding is a structured project, not a switch you flip. Our standard timeline runs two to six weeks depending on environment size and complexity, in four phases.
Week 1 — Discovery & deployment. We audit your environment to build a complete telemetry coverage map: every endpoint, server, cloud asset, SaaS app, identity provider, and network device. EDR/XDR sensors are deployed to all in-scope endpoints, log forwarders are configured, and Microsoft 365 / Entra ID audit logging is enabled and validated. You receive a signed coverage report listing what is monitored, what is out of scope, and any gaps to remediate before go-live.
Weeks 2–3 — Tuning & baseline. The XDR layer learns your environment's normal behaviour — login patterns, application usage, network baselines — and detection rules are tuned to suppress false positives from known-good activity. This is the phase weak providers skip; it is what determines whether you get 10 high-confidence alerts a day or 300 noisy ones. We also finalize your pre-authorization profile and emergency escalation contacts here.
Weeks 3–4 — Validation & go-live. We run validation tests (including benign simulated detections) to confirm the full detect-hunt-respond pipeline works end to end, then switch on full 24/7 monitoring. Your first weekly check-in confirms alert quality and escalation routing.
Weeks 5–6 — Optimization & first report. A 30-day review covers coverage quality, any gaps found during tuning, SLA performance against targets, and the format of your monthly compliance report. For organizations facing a SOC 2 audit or cyber-insurance renewal, this is where we align the evidence package to your requirements. Onboarding folds neatly into a broader IT engagement — see how it sits within our managed IT services framework if you want a single accountable provider for both IT and security.
Onboarding readiness checklist for Canadian businesses
You can accelerate onboarding and get more value from day one by having these prerequisites in place. We will help you close any gaps, but the more of this that exists before kickoff, the faster you reach effective coverage.
- MFA enforced on all remote access — VPN, RDP, and Microsoft 365 — before monitoring goes live
- An inventory of endpoints and servers so no device is left without an EDR sensor
- Microsoft 365 / Google Workspace audit logging enabled and ready to forward to the XDR layer
- Firewall and network device logs available via syslog or API connector
- A named emergency contact list — who we call at 2 a.m., and in what order
- Agreement on a pre-authorization profile — which containment actions we may take without calling first
- Cloud accounts (Azure / AWS / GCP) identified if they are in scope for monitoring
- Your cyber insurer's monitoring requirements documented, so reporting aligns to renewal
- Log retention expectations confirmed — we recommend 90 days hot, 12 months cold, per PIPEDA best practice
- A designated internal owner for the monthly security review and quarterly business review
Compliance: how MDR maps to PIPEDA, Law 25, OSFI, and cyber insurance
For most Canadian buyers, MDR is no longer just a risk-reduction decision — it is increasingly a compliance and insurability requirement driven by four overlapping frameworks.
PIPEDA requires safeguards "appropriate to the sensitivity" of the personal information you hold. The Office of the Privacy Commissioner has signalled through breach investigations that active monitoring — not just perimeter controls — is expected for organizations handling financial, health, or employee data. MDR is direct, documented evidence of active detection and response.
Quebec Law 25 mandates breach notification and incident documentation under the Commission d'accès à l'information. MDR produces the detection timestamp, scope analysis, and audit trail Law 25 requires — and without continuous monitoring, many organizations cannot even determine a breach's scope and timeline, which is itself a documentation failure. See our full Quebec Law 25 compliance guide for the complete obligation set.
OSFI Guideline B-13 requires federally regulated financial institutions to maintain continuous threat monitoring, incident detection, and documented response. MDR is a cost-effective way for OSFI-regulated entities to meet those B-13 monitoring obligations without standing up an in-house SOC.
Cyber insurance underwriting has tightened dramatically across the Canadian market — Intact, Aviva, Northbridge, Chubb, Zurich. Most underwriters now require evidence of EDR plus 24/7 detection-and-response capability for standard-rate coverage. Organizations without it face ransomware and BEC exclusions, higher retentions, or premium loadings of 20–50%. Our onboarding includes a cyber-insurance readiness report you can submit at renewal. For the broader prevention program these controls sit within, our small business cybersecurity guide covers the full picture. A growing number of Canadian organizations also pair MDR with on-site and remote remediation through partners such as IT Cares managed cybersecurity and IT support across Canada, giving them a single point of accountability for both detection and the hands-on fixes that follow an incident.
Common mistakes when buying MDR — and how to avoid them
The MDR market is crowded and vendors use identical terminology for materially different services. These are the mistakes we most often see Canadian buyers make.
Buying "MDR" that is really EDR with email alerts. Some low-cost offerings deploy an EDR sensor and forward its alerts to you — no analyst triage, no hunting, no containment. That is EDR-as-a-service, not MDR. Ask precisely what happens when a Critical alert fires at 2 a.m. Sunday: who triages it, and what can they do without you?
Accepting marketing SLAs instead of contractual ones. "Under 15-minute response" in a brochure is meaningless unless it is in the agreement with a defined remedy and a clear definition of "respond" (containment vs notification). Insist on both.
Leaving telemetry blind spots. MDR cannot defend what it cannot see. Personal devices without sensors, M365 without log forwarding, or unmonitored cloud workloads are exactly where attackers operate. Require a complete coverage map and a plan for every gap before go-live.
Skipping the pre-authorization conversation. If analysts find an endpoint exfiltrating data at 2 a.m., do they isolate it instantly or wait for a callback? Decide this during contracting, not during the incident.
Comparing price without comparing coverage depth. A CA$600/month "MDR" with no hunting and notification-only response is not a cheaper version of a CA$1,500 analyst-led, SLA-bound service — it is a different and weaker product. Evaluate against a coverage checklist, not the headline number.
Anonymized case study: an Ontario logistics firm
A logistics and warehousing company near Mississauga — 64 employees, roughly CA$28 million in annual revenue — moved to TechCare Canada MDR Pro after a cyber-insurance renewal demanded evidence of 24/7 detection and response. Their prior posture was an EDR platform they had purchased but no one actively monitored after hours, plus Microsoft 365 without advanced audit logging enabled.
Onboarding ran four weeks: we adopted their existing EDR (crediting the licensing line), extended XDR correlation into their M365 and Entra ID tenant, tuned detections against their baseline, and set a pre-authorization profile permitting endpoint isolation and external-account lockout without prior approval, with a 15-minute approval window for any server-level action.
In week six, a proactive threat hunt — not an automated alert — surfaced anomalous activity: a service account executing PowerShell with encoded commands consistent with a credential-harvesting tool, during the overnight window. The Tier 3 hunter escalated immediately. Tier 2 scoping confirmed the account had been compromised through a reused password and the attacker was beginning lateral movement toward a file server holding shipping and client data. Within 18 minutes of the hunt finding, analysts isolated the affected endpoint, locked the service account, blocked the attacker's command-and-control infrastructure at the firewall, and notified the firm's IT manager with a full evidence package and remediation checklist.
Automated detection alone had not fired on this intrusion — the technique was deliberately quiet. Without proactive hunting and 24/7 human coverage, the most likely outcome was ransomware detonation over the following weekend. Total MDR Pro cost for this firm: CA$2,400/month. Estimated value of the avoided incident, based on comparable Canadian logistics-sector ransomware events: CA$250,000–$600,000 in downtime, recovery, and breach-notification costs.
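The hunt in the case study, as an added example that is not part of the original page or TechCare Canada's tooling: a hypothesis query in Python over constructed EDR process events that looks for encoded PowerShell run by service accounts during the overnight window, decodes the argument so the analyst can read it, and skips a known-good account/parent pairing learned during the tuning phase. Account and host names, the parent-process allowlist, the service-account naming convention and the scoring are assumptions.

```python
"""Hypothesis hunt: encoded PowerShell from service accounts overnight.
All events below are constructed; the encoded sample decodes to a harmless string."""
import base64
import re
from datetime import datetime

# PowerShell takes -EncodedCommand as a base64 UTF-16LE string. The flag list
# here is a simplification: PowerShell also accepts other unambiguous prefixes.
ENC_FLAG_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Assumed naming convention for service accounts (svc_, sa-, or computer accounts)
SERVICE_ACCOUNT_RE = re.compile(r"(?i)^(?:svc[_-]|sa[_-]|.*\$$)")
# (account, parent image) pairs validated as known-good during baseline tuning
ALLOWLIST = {("svc_backup", "backupagent.exe")}

# Constructed encoded argument: a harmless command, encoded the way PowerShell expects
SAMPLE_B64 = base64.b64encode("Write-Output 'constructed hunt sample'".encode("utf-16-le")).decode()

# Constructed EDR process events
EVENTS = [
    {"ts": "2026-03-07T02:14:00", "host": "SRV-APP2", "user": "svc_erp", "parent": "wmiprvse.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -NoProfile -enc {SAMPLE_B64}"},
    {"ts": "2026-03-07T01:00:00", "host": "SRV-BKP1", "user": "svc_backup", "parent": "backupagent.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -enc {SAMPLE_B64}"},
    {"ts": "2026-03-06T14:05:00", "host": "WS-014", "user": "j.tremblay", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -Command Get-Date"},
    {"ts": "2026-03-06T23:30:00", "host": "WS-022", "user": "m.lee", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": f"powershell.exe -EncodedCommand {SAMPLE_B64}"},
]


def is_overnight(ts, start_hour=22, end_hour=6):
    """True when the event falls in the overnight window (local hours assumed)."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start_hour or hour < end_hour


def decode_payload(b64):
    """Decode an -EncodedCommand argument for the analyst; None if not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def hunt(events, allowlist=ALLOWLIST):
    """Score encoded-PowerShell events by how many hypothesis conditions they meet."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        match = ENC_FLAG_RE.search(e["cmdline"])
        if not match:
            continue
        if (e["user"].lower(), e["parent"].lower()) in allowlist:
            continue  # known-good pairing from the baseline phase
        reasons = ["encoded PowerShell"]
        if SERVICE_ACCOUNT_RE.match(e["user"]):
            reasons.append("service account")
        if is_overnight(e["ts"]):
            reasons.append("overnight window")
        findings.append({"host": e["host"], "user": e["user"], "ts": e["ts"],
                         "parent": e["parent"], "score": len(reasons),
                         "reasons": reasons, "decoded": decode_payload(match.group(1))})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["score"], f["user"], f["host"], f["parent"], f["reasons"], repr(f["decoded"]))
```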
Frequently asked questions about MDR services
What does an MDR service include in Canada?
A Canadian MDR service includes 24/7/365 monitoring by security analysts, an EDR or XDR sensor on every endpoint, proactive threat hunting, alert triage and validation, analyst-led containment of confirmed threats, a contractual response SLA, and monthly compliance reporting. The defining feature versus a tool-only subscription is that MDR delivers a human decision and a containment action for every confirmed incident — not just an alert in a queue.
How much does MDR cost in Canada?
MDR pricing in Canada (2026) typically runs CA$850–$1,800/month for under 25 users, CA$1,800–$3,800/month for 25–75 users with XDR and active containment, and CA$3,800–$9,000/month for 75–250 users with full hunting and compliance reporting. Per-endpoint MDR usually falls between CA$12 and CA$28 per endpoint per month depending on response depth and whether 24/7 human coverage is included.
What is the difference between MDR and EDR?
EDR is the software sensor that collects behavioural telemetry from your devices and can take automated actions. MDR is the 24/7 human service that operates the EDR/XDR platform on your behalf — analysts hunt for threats, validate alerts, investigate scope, and execute containment. EDR is a tool you would still have to staff and monitor; MDR is the analyst team that makes the tool useful around the clock. Our What is MDR? guide explains the distinction in full.
What response SLA should an MDR provider offer?
A credible Canadian MDR provider commits to MTTD under 15 minutes and MTTR — analyst triage plus initial containment — under 30 minutes for high-severity alerts, 24/7. These must be contractually defined with remedies (service credits) when missed, and the contract must specify whether "respond" means notification only or active containment such as endpoint isolation and account lockout. TechCare Canada measures MTTR to first containment action for Critical and High severities.
Do I need EDR or XDR before starting MDR?
No — an MDR engagement deploys the EDR/XDR sensor as part of onboarding. We either include endpoint licensing in the monthly fee or adopt and credit your existing platform. What you do need is MFA on remote access and the ability to forward Microsoft 365 and firewall logs so the XDR layer has complete telemetry to work from.
How long does MDR onboarding take?
MDR onboarding for a Canadian SMB typically takes 2–6 weeks: one to two weeks to deploy sensors and connect log sources, one to two weeks of tuning to suppress false positives, and a short validation period before full 24/7 monitoring goes live. Environments at 150+ endpoints or with multiple sites may take 6–8 weeks.
Does MDR satisfy cyber insurance and Law 25 requirements?
Yes. Most Canadian cyber insurers now require EDR plus 24/7 detection-and-response capability for standard-rate coverage, and MDR satisfies that control directly. For Quebec Law 25 and federal PIPEDA, MDR provides the detection timestamp, incident scope documentation, and audit trail needed for breach notification and the "appropriate safeguards" obligation. Onboarding includes a cyber-insurance readiness report for renewal.
What is proactive threat hunting in MDR?
Threat hunting is the proactive search for attackers who have evaded automated detection. Senior analysts form hypotheses from current threat intelligence and the MITRE ATT&CK framework, then query your EDR/XDR telemetry for indicators of those techniques — anomalous PowerShell, credential dumping, lateral movement, persistence. Hunting catches the quiet, low-and-slow intrusions that signature-based detection misses, and it is a defining feature that separates true MDR from basic alert monitoring.
