MDR — Managed Detection and Response — is a cybersecurity service in which an outside provider runs a 24/7 security operations centre (SOC) for you. Their analysts watch the alerts from detection tools (EDR/XDR) across your endpoints, email, and identity; triage each one to separate real attacks from noise; and actively contain threats — isolate a device, kill a process, lock an account — around the clock. Unlike a self-managed EDR licence (technology you must staff) or an older MSSP (which mostly forwards you alerts), MDR owns the outcome and stops the attack. For most Canadian SMBs the all-in cost is CA$15–$45 per device per month — a fraction of one in-house analyst's salary, with genuine 24/7 coverage.
What Is MDR? The Plain-Language Definition
Managed Detection and Response is a cybersecurity service that combines detection technology with a team of human security analysts who monitor your environment continuously and respond to threats on your behalf. The "managed" in MDR is the critical word: you are not buying a piece of software that you then have to operate yourself — you are buying an outcome, delivered by people whose full-time job is watching for and stopping attacks against your business, twenty-four hours a day, every day of the year.
The term emerged around 2016 when industry analysts at Gartner recognized a gap that conventional security products could not fill. By then, sophisticated detection tools like EDR had become widely available, but a hard truth had become obvious: a detection tool is only as good as the team watching its alerts. Most organizations — and almost all small and mid-sized businesses — had bought the tools and then discovered they had nobody to operate them around the clock. A high-confidence ransomware alert that fires at 2:14 a.m. on a Saturday is worthless if the only person who could act on it is asleep and will not see the dashboard until Monday. MDR was created to solve exactly that problem: it supplies the missing humans, the missing hours, and the missing response capability.
In concrete terms, an MDR engagement gives a Canadian business three things it almost certainly does not have in-house. First, detection tooling — usually an EDR agent on every laptop, desktop, and server, increasingly extended into your Microsoft 365 email and Entra ID identity layer for XDR-class visibility. Second, a 24/7/365 security operations centre staffed by trained analysts who watch the resulting telemetry continuously, triage each alert to separate genuine attacks from the constant background noise of false positives, and investigate anything suspicious. Third, and most importantly, active response — when the SOC confirms a threat, they take containment action (isolating the affected device, terminating the malicious process, disabling a compromised user account) within minutes, then hand you a clear incident report and remediation guidance.
For a business owner without a security background, the practical meaning is straightforward. MDR is the difference between an attacker who is detected and ejected within fifteen minutes of breaching one laptop, and an attacker who roams undetected through your network for the 197-day average dwell time documented in IBM's Cost of a Data Breach research before quietly exfiltrating your client database or detonating ransomware across every server you own. It converts the security tools you may already be paying for into an actual defence — staffed, watched, and acted upon.
Why MDR Exists: The Alert Problem No SMB Can Staff
To understand why MDR has become the fastest-growing category in cybersecurity, you have to understand the specific failure it was built to address — a failure that is almost universal among Canadian SMBs.
Over the past decade, detection technology became genuinely excellent. Modern EDR and XDR platforms catch fileless malware, living-off-the-land attacks using legitimate Windows tools, credential theft, and the early stages of ransomware with remarkable accuracy. But that accuracy comes at a price: volume. A single detection platform monitoring 40 endpoints generates a continuous stream of alerts — many of them benign, some ambiguous, a few genuinely dangerous. A real environment routinely produces dozens of medium-severity alerts per day. Each one must be examined by someone who can tell the difference between a developer running an unusual but legitimate PowerShell script and an attacker doing the same thing to deploy a payload. That judgment requires training, context, and time.
Now consider who is supposed to do that work in a typical 35-person accounting firm, dental practice, or engineering consultancy in Canada. The answer is usually one of two people: a generalist IT manager who is also responsible for the help desk, printers, the network, and a hundred other things, or an external MSP whose technicians are focused on keeping systems running rather than hunting threats. Neither is a trained security analyst, and — decisively — neither works at 3 a.m. Attackers know this. A large share of ransomware detonations are deliberately timed for nights, weekends, and holidays precisely because that is when detection alerts go unwatched. The Canadian Centre for Cyber Security (cyber.gc.ca) has repeatedly noted that ransomware operators target the predictable gaps in SMB monitoring coverage.
This is the core economic problem MDR solves. To staff a genuine in-house 24/7 SOC, a business needs a minimum of five to six full-time analysts to cover three shifts plus weekends, vacation, and sick leave — at CA$80,000–$110,000 each in Toronto or Vancouver, that is well over half a million dollars a year in salary alone, before tooling, training, and management. No SMB can justify that. MDR spreads the cost of a shared SOC across hundreds of client businesses, so each one pays a small per-device subscription and receives expert 24/7 coverage that would be financially impossible to build alone. That is the entire value proposition, and it is why MDR has displaced both the do-it-yourself EDR model and the older MSSP model for businesses that take security seriously.
How MDR Works: From Telemetry to Contained Threat
An MDR service operates as a continuous loop across five stages. Understanding this flow helps you evaluate providers intelligently and set realistic expectations about what the service does — and does not — do.
Stage 1 — Onboarding and deployment. The provider deploys lightweight detection agents across all your endpoints (laptops, desktops, servers) and connects to your cloud sources — typically Microsoft 365 email and Entra ID identity. Deployment is silent and remote, pushed through Microsoft Intune, your RMM, or Group Policy, and usually completes in one to three business days for a 50-device SMB. During an initial baselining period of one to two weeks, the platform learns what normal behaviour looks like in your specific environment, and the provider tunes out the false positives generated by your legitimate IT tools.
Stage 2 — Continuous monitoring and detection. Once live, the detection layer streams behavioural telemetry to the provider's cloud platform around the clock. Machine-learning models and threat-intelligence feeds — enriched with indicators of compromise seen across the provider's entire client base — flag suspicious activity in real time. Crucially, this telemetry now lands in front of human analysts on rotating shifts, not just in a dashboard nobody is watching.
Stage 3 — Triage and investigation. When an alert fires, a SOC analyst examines it within minutes. They determine whether it represents a real threat or a false positive, and if real, they investigate scope: which device, which user, what stage of the attack chain, whether other endpoints show related activity. Mature MDR providers map every detection to the MITRE ATT&CK framework so the analyst can immediately see what technique the attacker is using and what the appropriate response is. This human triage is the single most valuable part of the service — it converts a flood of raw alerts into a small number of confirmed, contextualized incidents.
Stage 4 — Active response and containment. On a confirmed threat, the SOC takes pre-authorized containment action immediately: isolating the affected device from the network (while keeping the management channel open), terminating the malicious process, quarantining files, or disabling a compromised account in Entra ID. This is the defining feature that separates true MDR from older monitoring services — the provider acts, rather than simply emailing you to say something is wrong. Leading providers commit to response SLAs measured in minutes for critical alerts. Containment stops a ransomware incident at one device instead of letting it spread across your entire network.
Stage 5 — Reporting, remediation, and proactive threat hunting. After containment, the SOC delivers an incident report documenting the timeline, the technique used, the actions taken, and recommended remediation — the same report you will need for a PIPEDA or Quebec Law 25 breach notification. Your IT team or MSP then completes recovery (reimaging, restoring from backup). Beyond reactive alerts, good MDR providers also conduct proactive threat hunting — searching historical telemetry for subtle indicators of compromise that no single alert caught — and deliver regular posture reports to your leadership and your cyber insurer.
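To make the five-stage loop concrete, here is an added example (my own illustration, not code from any MDR provider or platform named in this guide) that walks a handful of constructed EDR alerts through the loop: Stage 1 baseline tuning suppresses a known-benign tool, Stage 2–3 triage groups alerts by account and attaches the ATT&CK technique IDs the text mentions, Stage 4 decides the pre-authorised containment action (isolate host, disable account) and measures time-to-analyst-action against a 15-minute SLA, and Stage 5 produces the incident summary. The alert records, host names, account names and analyst acknowledgement times are all constructed for the example; the ATT&CK IDs are real technique identifiers, and treating T1003, T1486 and T1021.002 as "contain on sight" is an assumed policy, not a vendor default.

```python
"""Added example (not vendor code): a minimal MDR triage loop that walks
constructed EDR alerts through baseline suppression, ATT&CK-based severity,
cross-host correlation, containment decisions, an SLA check and a report."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    id: str
    ts: datetime
    host: str
    user: str
    technique: str   # MITRE ATT&CK technique ID attached by the detection layer
    process: str
    severity: str    # vendor-assigned: low / medium / high

@dataclass
class Incident:
    user: str
    hosts: list = field(default_factory=list)
    techniques: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    sla_breached: bool = False

# Stage 1 tuning: (host, process) pairs the customer's IT tools legitimately run (constructed).
BASELINE = {("FS01", "backupagent.exe"), ("IT-LAPTOP", "powershell.exe")}

# Techniques that justify pre-authorised containment on sight (real ATT&CK IDs, assumed policy).
CRITICAL_TECHNIQUES = {
    "T1003": "OS Credential Dumping",
    "T1486": "Data Encrypted for Impact",
    "T1021.002": "Lateral Movement: SMB/Windows Admin Shares",
}
SLA_MINUTES = 15   # committed time from alert to analyst action on critical alerts

def minutes_to_action(alert, ack):
    """Minutes between alert time and analyst acknowledgement, or None if never acknowledged."""
    acted = ack.get(alert.id)
    return None if acted is None else (acted - alert.ts).total_seconds() / 60

def triage(alerts, ack):
    """Stages 2-4: suppress baselined noise, correlate by account, decide containment."""
    incidents = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        if (a.host, a.process) in BASELINE:
            continue                                     # tuned-out false positive
        inc = incidents.setdefault(a.user, Incident(user=a.user))
        if a.host not in inc.hosts:
            inc.hosts.append(a.host)
        if a.technique not in inc.techniques:
            inc.techniques.append(a.technique)
        if a.technique in CRITICAL_TECHNIQUES or a.severity == "high":
            action = f"isolate {a.host} from the network (management channel kept open)"
            if action not in inc.actions:
                inc.actions.append(action)
            if a.technique == "T1003" and f"disable account {a.user}" not in inc.actions:
                inc.actions.append(f"disable account {a.user}")   # credentials assumed stolen
            t = minutes_to_action(a, ack)
            if t is None or t > SLA_MINUTES:
                inc.sla_breached = True
    # One account active on several hosts is suspicious even without a critical alert.
    for inc in incidents.values():
        if len(inc.hosts) > 1 and not inc.actions:
            inc.actions.append(f"disable account {inc.user}; investigate {', '.join(inc.hosts)}")
    return [i for i in incidents.values() if i.actions]   # confirmed incidents only

def report(inc):
    """Stage 5: the incident summary the customer (and, if needed, a regulator) receives."""
    techs = [f"{t} ({CRITICAL_TECHNIQUES.get(t, 'see ATT&CK')})" for t in inc.techniques]
    lines = [f"Account: {inc.user}", f"Hosts: {', '.join(inc.hosts)}",
             "Techniques: " + "; ".join(techs), "Actions: " + "; ".join(inc.actions),
             f"Response SLA met: {'no' if inc.sla_breached else 'yes'}"]
    return "\n".join(lines)

# Constructed sample alerts modelled on a Friday-evening intrusion (not real telemetry).
T0 = datetime(2026, 3, 6, 18, 40)
SAMPLE_ALERTS = [
    Alert("a1", T0, "FS01", "svc_backup", "T1059.001", "backupagent.exe", "medium"),
    Alert("a2", T0, "FS01", "jdoe", "T1003", "lsass_dump.exe", "high"),
    Alert("a3", T0 + timedelta(minutes=3), "FS01", "jdoe", "T1087", "net.exe", "medium"),
    Alert("a4", T0 + timedelta(minutes=15), "WS-07", "jdoe", "T1021.002", "cmd.exe", "medium"),
    Alert("a5", T0 + timedelta(hours=1), "LAPTOP-22", "asmith", "T1059.001", "powershell.exe", "medium"),
]
# Constructed analyst acknowledgement times: a2 acted on in 7 minutes, a4 only after 35.
SAMPLE_ACK = {"a2": T0 + timedelta(minutes=7), "a4": T0 + timedelta(minutes=50)}

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS, SAMPLE_ACK):
        print(report(inc), "\n")
```

Running it yields one confirmed incident for the `jdoe` account spanning two hosts, with the file server isolated and the account disabled on the credential-dumping alert, the workstation isolated on the lateral-movement alert, and the SLA flagged as breached because the second alert waited 35 minutes for an analyst. The single PowerShell alert on `asmith`'s laptop stays an unconfirmed investigation item, which is the "flood of raw alerts into a small number of confirmed incidents" effect Stage 3 describes.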
MDR vs EDR vs MSSP vs SOCaaS: What Each Actually Is
These four acronyms are used almost interchangeably in vendor marketing, which causes expensive confusion during procurement. They are not the same thing, and the differences determine whether your business is actually protected or merely owns tools that nobody operates. Here is a precise breakdown.
| Dimension | EDR | MSSP | SOCaaS | MDR |
|---|---|---|---|---|
| What it is | Detection technology (software) | Managed security devices & tools | Outsourced SOC staff & SIEM | Packaged service: tools + SOC + response |
| Who operates it | You / your IT team | Provider manages, you respond | Provider analysts, your tooling | Provider end to end |
| 24/7 human monitoring | No (tool only) | Often, but alert-focused | Yes | Yes — defining feature |
| Active threat response | Automated playbooks only | Rarely — forwards alerts to you | Varies by contract | Yes — provider contains threats |
| Tooling included | The EDR agent itself | Manages your existing tools | Usually your SIEM | Provider brings EDR/XDR |
| Typical CA$/device/month | $6–$20 (platform only) | Variable, often per-device + retainer | Priced by log volume | $15–$45 (all-in) |
| Best for | Firms with in-house security staff | Orgs wanting device management | Mid-market that owns a SIEM | SMBs with no security team — most Canadian SMBs |
The plain-English version: EDR is a tool, and it does nothing useful unless someone operates it. An MSSP manages your tools and tells you when something looks wrong, but expects you to investigate and respond — a model that fails badly for businesses with no security staff to do that. SOCaaS rents you analysts and a monitoring platform, usually built around your own SIEM and priced on log volume; it suits mid-market organizations that already own infrastructure. MDR is the packaged answer for SMBs: the provider brings the detection technology, staffs the 24/7 SOC, and actively responds to threats, all under one per-device subscription. The acronym soup hides one decisive question — when a real attack is confirmed at 3 a.m., who stops it? With EDR, MSSP, and some SOCaaS arrangements, the answer is often "you." With MDR, the answer is "the provider, within minutes."
MDR vs EDR: The Most Important Distinction to Get Right
Because EDR and MDR are so frequently conflated, it is worth dwelling on the difference — it is the single most consequential procurement decision a Canadian SMB makes in endpoint security.
EDR is technology you own; MDR is an outcome you buy. When you purchase an EDR licence, you receive a powerful detection engine that will faithfully generate alerts about suspicious activity on your endpoints. What it will not do is tell you which of those alerts matters, decide what to do about the one that does, or take that action at the speed an attack requires. Those tasks demand trained analysts working continuously — and the EDR licence includes zero analysts. The predictable result, seen repeatedly across Canadian SMBs, is a business that has paid for excellent detection and is nonetheless breached, because the alert that would have saved them sat unread in a console over a long weekend.
MDR closes that gap by wrapping the EDR platform (and usually extending it across email and identity for XDR-class coverage) with the 24/7 human SOC that the technology depends on to be effective. You can think of EDR as a sophisticated smoke detector and MDR as the monitored alarm service with a fire crew on standby: the detector is necessary, but on its own it only makes noise — somebody has to hear it and show up. For a business with a mature in-house security team and analysts on rotation, buying EDR alone and operating it yourself is reasonable. For everyone else — which is the overwhelming majority of Canadian SMBs — MDR is the correct procurement decision, because it is the only model that actually delivers protection rather than just the potential for it. If you want the deeper technical mechanics of the detection layer itself, the companion EDR Explained guide walks through the agent architecture and how behavioural detection works.
MDR vs MSSP: Why "Managed" Does Not Mean the Same Thing
MSSPs — Managed Security Services Providers — predate MDR by more than a decade, and many businesses assume the two are interchangeable because both contain the word "managed." They are fundamentally different in the one dimension that matters: who is responsible for stopping the attack.
The classic MSSP model grew up around managing security devices: firewalls, intrusion-detection appliances, antivirus consoles, and log collectors. The MSSP keeps those tools patched, configured, and running, and monitors the alerts they produce. When something suspicious appears, the traditional MSSP's job ends with notification — they raise a ticket or send an alert to your team, and the responsibility to investigate, decide, and respond shifts to you. For a large enterprise with its own security staff, that division of labour works. For an SMB with no security team, it is precisely the gap that gets businesses breached: the MSSP dutifully forwards an alert at 2 a.m. to an inbox nobody reads until morning, by which time ransomware has encrypted every server.
MDR is response-led by design. The provider does not merely tell you that something happened — it takes ownership of the threat and contains it, then reports what it did. This shift from "detect and notify" to "detect and respond" is the entire reason MDR exists as a distinct category. There is also a tooling difference: an MSSP typically manages whatever security products you already own, whereas an MDR provider brings its own modern detection stack (EDR/XDR) as part of the service, so you are not dependent on legacy tools the MSSP happens to support. Many capable providers now blend the two — running help-desk-style managed IT alongside true MDR response — but when you evaluate any "managed security" proposal, the question to ask bluntly is: when you confirm a real threat in my environment, do you contain it yourselves, or do you forward it to me? If the honest answer is the latter, you are buying an MSSP, not MDR, regardless of what the brochure says.
MDR vs SOCaaS: Overlapping but Not Identical
SOC-as-a-Service (SOCaaS) is the newest of these models and the one most often confused with MDR, because both deliver outsourced 24/7 security operations. The distinction is real but increasingly blurry, and worth understanding before you compare quotes.
SOCaaS, in its purest form, rents you security operations capacity — analysts, a monitoring platform (usually a SIEM that ingests logs from across your environment), and the processes to run them — typically scoped and priced around the volume of log data you generate. It is, in effect, an outsourced version of building your own SOC, and it suits organizations that already own a SIEM or have complex, varied log sources they want correlated. SOCaaS is often more customizable and broader in data scope, but it can also place more of the response burden back on the customer depending on how the contract is written, and log-volume pricing can become unpredictable as you grow.
MDR, by contrast, is a more opinionated, packaged service. The provider decides the detection stack (you get their EDR/XDR), prices it predictably per device or per user, and includes active threat response with defined SLAs as standard. MDR trades some flexibility for simplicity and a guaranteed outcome — which is exactly what a 30-person Canadian firm without a security team wants. As a rough heuristic: if your organization already owns a SIEM and wants experts to operate it across many data sources, SOCaaS may fit; if you want a provider to bring everything, watch your endpoints and Microsoft 365 around the clock, and stop attacks on your behalf for a predictable per-seat price, MDR is the better match. Because vendors increasingly market overlapping offerings under both labels, the only reliable way to compare is to read what response actions are contractually included and how pricing scales — never assume the acronym tells you.
When Does a Canadian SMB Actually Need MDR?
MDR is not equally necessary for every business, and a responsible guide should say so. Use the following thresholds — calibrated for the Canadian regulatory and threat environment — to judge where your business sits.
You almost certainly need MDR now if: you hold personal, financial, or health data about clients; you process payments or are subject to PCI-DSS; you are bound by PIPEDA's breach-notification duties or — for Quebec businesses or anyone handling Quebec residents' data — Quebec Law 25's 72-hour notification requirement; you are a federally regulated financial institution under OSFI B-13; your cyber insurer requires 24/7 monitoring and response as a condition of coverage; or you operate in professional services (legal, accounting, healthcare, financial advisory, engineering) — the sectors the Canadian Centre for Cyber Security flags as disproportionately targeted by ransomware. If any of these apply and you cannot staff genuine round-the-clock monitoring internally, MDR is the defensible standard, not a luxury.
MDR is strongly advisable if: you have between 10 and 250 endpoints, no dedicated in-house security analyst, and any regulated data or meaningful revenue dependence on your IT systems. This describes the vast majority of Canadian SMBs. At this size, you are large enough to be a worthwhile ransomware target but too small to staff a SOC — the exact profile MDR was designed for.
You can reasonably defer MDR if: you are a micro-business under roughly 10 devices, hold no regulated personal data, and process no payments. In that case, a well-configured baseline — Microsoft Defender for Business through Microsoft 365 Business Premium, MFA enforced on every account, automatic patching, and tested backups — is a sensible starting point, with MDR added as you grow, hire, or take on data obligations. Even here, the moment you start holding client data or take on a contract that requires security attestations, the calculus changes immediately toward MDR.
The decisive test is simple. Ask yourself: if an attacker breached a laptop in my business at 2 a.m. on a Saturday of a long weekend, who would notice, and how fast could they stop it? If your honest answer is "nobody until Tuesday," you need MDR, and the only real question is which provider.
MDR Decision Table: Which Model Fits Your Business
The following table maps common Canadian SMB profiles to the security operating model that fits, so you can locate your own situation quickly.
| Your profile | Regulated data? | In-house security staff? | Recommended model |
|---|---|---|---|
| Micro-business, <10 devices | No | No | Defender baseline + MFA; add MDR as you grow |
| Professional services, 10–60 devices | Yes (PIPEDA / Law 25) | No | MDR — SMB-optimized (e.g. Huntress + Defender) |
| Growing firm, 60–200 devices | Yes | 1 generalist IT manager | Full-platform MDR (e.g. Arctic Wolf, Sophos MDR) |
| Federally regulated FI (OSFI B-13) | Yes (high) | Small security function | MDR or SOCaaS with documented controls |
| Mid-market, owns a SIEM, 200+ devices | Yes | Yes — small team | SOCaaS to augment, or MDR to own response |
| Enterprise, mature SOC | Yes | Yes — full team | Self-managed EDR/XDR; MDR for after-hours augmentation |
The dominant pattern for Canadian SMBs: the second and third rows above describe the large majority of businesses reading this guide — 10 to 200 endpoints, real data obligations, and no dedicated security staff. For these firms the answer is consistently MDR, with SMB-optimized providers (typically Huntress paired with Microsoft Defender for Business) at the lower end and full-platform services (Arctic Wolf, Sophos MDR) for those wanting broader network and cloud coverage in one contract.
MDR Pricing in Canada 2026: What to Budget in CA$
MDR is almost always priced per device (or per user) per month, which makes budgeting straightforward and scaling predictable. The figures below are Canadian dollars before HST/GST, based on 2026 market rates; larger deployments and annual commitments negotiate lower per-device pricing. Critically, MDR pricing should be compared against the true cost of the alternative — staffing equivalent monitoring in-house — not against a bare EDR licence, because the licence buys you a tool while MDR buys you the team to operate it.
| Tier | Example providers | CA$/device/month | Notes |
|---|---|---|---|
| SMB-optimized MDR | Huntress (pairs with Defender for Business) | CA$5–$10 | Lowest entry cost; rides on your existing M365 licence; popular in Canadian MSP channel |
| Mid-tier managed EDR | Sophos MDR, Blackpoint Cyber | CA$15–$30 | Full detection stack + SOC; strong SMB UX; fast response focus |
| Full-platform MDR | Arctic Wolf, CrowdStrike Falcon Complete | CA$25–$45 | Includes network + cloud + log monitoring; strong Canadian presence; annual contract |
| In-house SOC (for comparison) | 5–6 analysts for 24/7 coverage | Not viable under ~300 devices | CA$500,000+/year in salary alone; the reason MDR exists |
Worked example — a 30-device Canadian firm. SMB-optimized MDR at CA$8/device/month costs about CA$2,880/year; full-platform MDR at CA$30/device costs about CA$10,800/year. Either figure is dwarfed by the cost of a single security analyst (CA$80,000–$110,000 plus overhead, and still only business-hours coverage), and is a rounding error against the CA$250,000–$400,000 a successful ransomware event typically costs a professional-services SMB in recovery, downtime, regulatory fines, and lost clients. The business case for MDR over both self-managed EDR and in-house staffing is not close for any SMB in the 10–250 device range. For a structured comparison of managed security packages and what they include, see the Managed Security Services page.
How to Choose an MDR Provider: Evaluation Checklist for Canadian Buyers
Evaluate any MDR proposal against the following criteria before signing. These questions are calibrated for the Canadian regulatory environment and the realities of SMBs without in-house security teams. Treat them as a checklist — a provider who cannot answer any one of them clearly should be a concern.
- Genuine 24/7/365 coverage: Is monitoring and response truly around the clock, including nights, weekends, and Canadian statutory holidays? Ask specifically how shifts are staffed — not whether a dashboard is "always on," but whether a human analyst is watching at 3 a.m. on Boxing Day.
- Active response, not just alerts: Does the provider take containment action themselves — isolate devices, kill processes, disable accounts — or do they forward alerts for you to handle? This is the line between true MDR and a repackaged MSSP. Get it in writing.
- Documented response SLA: What is the committed time from alert generation to analyst response and to containment? Acceptable: under 15 minutes to analyst action on critical alerts. Ask for evidence from a real (anonymized) incident, not a marketing number.
- Canadian data residency / Law 25 compliance: Where is your telemetry stored and processed? Can the provider supply a Data Processing Agreement that satisfies Quebec Law 25 and PIPEDA cross-border transfer requirements? Microsoft-based stacks can keep data in Canada Central (Toronto) and Canada East (Québec City) regions.
- Coverage scope: Does the service cover all your endpoints and operating systems (Windows, macOS, Linux servers), and does it extend into Microsoft 365 email and Entra ID identity? Endpoint-only MDR misses the email and identity attacks where most breaches now begin.
- MITRE ATT&CK-mapped detections: Are incidents mapped to specific ATT&CK technique IDs in the reports? This is a maturity indicator — it shows the SOC understands attacker behaviour rather than just relaying raw alerts.
- Incident reporting quality: Ask for a sample post-incident report. It should include a timeline, technique mapping, root-cause analysis, indicators of compromise, containment actions taken, and remediation guidance — detailed enough to submit to your cyber insurer and, if needed, to the OPC under PIPEDA or the CAI under Law 25.
- Proactive threat hunting: Does the service include human-led hunting through historical telemetry for threats no single alert caught, or is it purely reactive? Proactive hunting catches the slow, low-and-slow intrusions that evade automated detection.
- Pricing transparency and contract terms: Is response included in the per-device price, or billed separately during an incident (a costly surprise)? What is the minimum term, and can you export your telemetry if you switch providers? Avoid multi-year lock-ins with no data-export rights.
- Canadian SMB references: Ask for two or three references from Canadian businesses of similar size in your sector. A provider who has onboarded fifteen Toronto or Montréal professional-services firms understands your compliance and workflow realities far better than an enterprise-focused generalist.
- Coordination with your IT team or MSP: How does the MDR provider hand off to whoever does your recovery (reimaging, restore from backup) after they contain a threat? Clear coordination prevents an isolated device from sitting unusable for days. Many Canadian MSPs resell MDR precisely to keep this seamless.
MDR and Canadian Compliance: PIPEDA, Law 25, OSFI B-13, and Cyber Insurance
No Canadian regulation mandates MDR by name, but several frameworks require the capabilities MDR delivers — continuous monitoring, rapid detection, and the ability to scope and report an incident quickly. Regulators consistently interpret "appropriate security safeguards" to include active monitoring for organizations handling sensitive personal data, and a managed service is often the only realistic way an SMB can satisfy that expectation.
PIPEDA, administered by the Office of the Privacy Commissioner (priv.gc.ca), requires "security safeguards appropriate to the sensitivity of the information." For any organization handling financial, health, or identity data, the OPC's guidance points to real-time monitoring and incident-detection capabilities as appropriate technical measures — exactly what an MDR service provides, with the added benefit of an outside SOC that can document the incident timeline PIPEDA breach reporting demands.
Quebec Law 25 imposes the strictest obligations in Canada, including 72-hour breach notification to the Commission d'accès à l'information (CAI) and fines up to CA$25 million or 4% of worldwide turnover. Meeting a 72-hour clock is operationally impossible if you learn of a breach from a ransom note rather than from a monitored alert — MDR's 24/7 detection and rapid incident reconstruction are what make the deadline achievable. Pair your MDR program with the Law 25 compliance guide to address the full obligation stack, including privacy impact assessments.
OSFI Guideline B-13 (in force since November 2023) requires federally regulated financial institutions to maintain continuous endpoint monitoring and documented threat detection and containment controls proportional to their size and risk. For smaller FRFIs, a managed MDR service satisfies this requirement far more cost-effectively than building an in-house SOC.
Cyber insurance underwriting, 2026. Canadian cyber insurers — including Intact, Aviva, Chubb, and specialist markets — increasingly require not just EDR deployment but 24/7 monitoring and response as a precondition for coverage at standard rates. Application questionnaires now ask explicitly whether you have managed detection and response in place; answering no can mean denial, a 40–80% premium surcharge, or a reduced ransomware sub-limit. An MDR contract should be treated as a compliance obligation, not discretionary spend.
Five Mistakes Canadian SMBs Make with MDR
These are the most common failure modes seen across managed-security engagements with Canadian SMBs — documented patterns, not theoretical edge cases.
Mistake 1: Buying an EDR licence and assuming it is MDR. The most expensive misunderstanding in SMB security. A self-managed EDR licence generates alerts that nobody on staff is qualified or available to act on around the clock. If you cannot staff a 24/7 SOC internally — and you cannot — buy the managed service, not just the tool.
Mistake 2: Accepting an "MDR" that only forwards alerts. Some providers market MSSP-style alert-forwarding as MDR. If the contract does not commit the provider to actively contain threats themselves, with a response SLA, you are paying for notifications, not protection. Insist on response in writing.
Mistake 3: Partial coverage. Deploying the MDR agent on most devices but skipping "a few" — an executive's personal laptop, a server excluded during onboarding and never re-added — leaves the exact foothold attackers exploit. Coverage must be complete; devices that cannot be enrolled should be blocked from company resources via conditional access.
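The partial-coverage failure above, and the "Coverage scope" item in the evaluation checklist, both come down to one reconciliation: every device that touches company resources must have a live MDR agent. Here is an added example (my own, not from any provider or MDM vendor) that compares a constructed device inventory, of the kind an identity or MDM export would give you, against constructed agent check-in times from the MDR platform. It reports devices with no agent, devices whose agent has gone silent for more than 24 hours (the "excluded during onboarding and never re-added" server), agents reporting from devices that are not in the inventory at all, and the list a conditional-access block rule should target until each device is enrolled. The 24-hour staleness threshold is an assumption, as are all device and owner names.

```python
"""Added example (not vendor code): reconcile a device inventory against MDR agent
check-ins to find coverage gaps and produce the conditional-access block list."""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)   # assumed: an agent silent this long is not covering the device

def coverage_gaps(inventory, heartbeats, now):
    """inventory:  list of (device_name, owner) from the identity/MDM export
    heartbeats: {device_name: last_agent_check_in} from the MDR platform
    Returns covered/missing/stale/unknown lists, the block list and a coverage percentage."""
    covered, missing, stale = [], [], []
    for name, owner in inventory:
        seen = heartbeats.get(name)
        if seen is None:
            missing.append((name, owner))                      # never got the agent
        elif now - seen > STALE_AFTER:
            hours = int((now - seen).total_seconds() // 3600)
            stale.append((name, owner, hours))                 # agent installed but silent
        else:
            covered.append(name)
    known = {name for name, _ in inventory}
    unknown = sorted(n for n in heartbeats if n not in known)  # agent on a device nobody inventoried
    block = [n for n, _ in missing] + [n for n, _, _ in stale]
    pct = round(100 * len(covered) / len(inventory), 1) if inventory else 0.0
    return {"covered": covered, "missing": missing, "stale": stale,
            "unknown": unknown, "block": block, "coverage_pct": pct}

# Constructed sample data (not from any real environment).
NOW = datetime(2026, 3, 9, 9, 0)
SAMPLE_INVENTORY = [
    ("LT-001", "jdoe"), ("LT-002", "asmith"), ("LT-003", "mlee"),
    ("FS01", "it"), ("DB02", "it"),
    ("CEO-MBP", "ceo"),          # the executive's personal laptop: in Entra, never enrolled
]
SAMPLE_HEARTBEATS = {
    "LT-001": NOW - timedelta(minutes=5),
    "LT-002": NOW - timedelta(hours=2),
    "LT-003": NOW - timedelta(minutes=30),
    "FS01": NOW - timedelta(minutes=1),
    "DB02": NOW - timedelta(days=3),   # agent stopped reporting three days ago
    "TEST-VM": NOW - timedelta(hours=1),  # agent present on a machine nobody inventoried
}

if __name__ == "__main__":
    gaps = coverage_gaps(SAMPLE_INVENTORY, SAMPLE_HEARTBEATS, NOW)
    print(f"coverage: {gaps['coverage_pct']}%  block via conditional access: {gaps['block']}")
    for name, owner in gaps["missing"]:
        print(f"  no agent:    {name} ({owner})")
    for name, owner, hours in gaps["stale"]:
        print(f"  stale {hours}h: {name} ({owner})")
    for name in gaps["unknown"]:
        print(f"  uninventoried device with agent: {name}")
```

The point of running this on a schedule rather than once at onboarding is that coverage decays: the MDR platform's console will happily show the devices it knows about, and the ones it has never heard of, or stopped hearing from, are exactly the ones an attacker lands on. Feeding the `block` list to a conditional-access policy closes the gap until the device is enrolled.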
Mistake 4: Treating MDR as the whole security program. MDR is the detection-and-response layer; it does not replace MFA, patching, email security, or tested backups. The correct layering is prevention first (MFA everywhere, patching), then MDR for detection and response, with tested offline backups as the recovery safety net. See the MFA Deployment guide and the Business Data Backup and DR guide for the layers MDR depends on.
Mistake 5: Never testing the response workflow. Most SMBs that buy MDR never run a simulated incident to confirm the handoff works. Who does the SOC call when they isolate a device at 2 a.m.? Who authorizes returning it to the network? What is your client-notification protocol if data may be involved? Map these answers — with your MDR provider and your IT team — before an incident, not during one.
Case Study: A 40-Person Engineering Firm in Laval
The following is a composite case study based on a recurring pattern in managed-security engagements with Quebec professional-services firms. Identifying details are anonymized.
A 40-person civil engineering firm in Laval, Quebec, ran a major-brand EDR platform across its 48 endpoints — 40 staff laptops, 6 servers, and 2 specialized workstations — and considered itself well protected because it had "the same tool the big firms use." What it did not have was anyone watching the EDR console outside business hours. The firm held project data, client financial records, and personal information about Quebec residents, placing it squarely under PIPEDA and Quebec Law 25. Its cyber insurance renewal questionnaire now asked specifically whether it had 24/7 managed detection and response — a question it could only answer "no."
A security assessment found that the EDR platform had been quietly generating medium-severity alerts for weeks that nobody had triaged. A retroactive threat hunt through the platform's historical telemetry surfaced an alert — fired on a Friday evening eleven days earlier — showing a credential-dumping tool executed on a file server, followed by reconnaissance commands. The EDR had detected the activity correctly and even logged it in detail. The problem was entirely human: the alert landed in a console at 6:40 p.m. on a Friday, and the firm's part-time IT contractor did not return until Monday, by which point the alert was buried under newer notifications and never reviewed.
The firm engaged the IT Cares team to handle emergency containment and coordinate a same-day MDR onboarding across the Greater Montréal area and remotely. The compromised server was isolated and rebuilt from a clean backup. A Huntress Managed EDR service, layered on the firm's Microsoft Defender for Business deployment, was rolled out silently to all 48 devices within hours, and the Huntress SOC began active 24/7 monitoring the same day — immediately flagging two additional endpoints carrying residual persistence artefacts from the same intrusion that the manual review had missed.
Final scope: one server rebuilt, three devices cleaned, eleven days of attacker presence — but the forensic review found no evidence of data exfiltration, suggesting the access had been established as a beachhead for a later ransomware attempt that the firm's transition to MDR pre-empted. The incident was reported to the CAI within Quebec Law 25's 72-hour window using the incident timeline the EDR telemetry reconstruction provided, and to the OPC under PIPEDA. Direct cost: roughly CA$31,000 in incident response and remediation, plus about CA$4,600/year for ongoing MDR at SMB-optimized rates. The counterfactual — a successful ransomware detonation across a fully compromised network — would conservatively have cost CA$250,000–$400,000 in recovery, downtime, regulatory exposure, and lost client trust. The cyber insurance surcharge was reversed at renewal once the MDR deployment was documented. The single decisive change was not better technology; the firm already had excellent detection. It was adding the humans who watch it around the clock.
Frequently Asked Questions about MDR
What is MDR in simple terms?
MDR — Managed Detection and Response — is a cybersecurity service where an outside provider runs a 24/7 security operations centre for you. Their analysts watch the alerts from detection tools (EDR/XDR) across your laptops, servers, email, and identity; triage every alert to separate real threats from false positives; and actively contain threats — isolating a device, killing a process, locking an account — around the clock. MDR gives a small Canadian business the detection and response capability of a full enterprise security team without hiring that team in-house.
What is the difference between MDR and EDR?
EDR is the technology — software agents on each device that detect threats by behaviour and can isolate or remediate endpoints. MDR is the human-delivered service that operates EDR (and often XDR across email and identity) on your behalf with 24/7 SOC analysts. EDR generates alerts; MDR is the team that reads, validates, and acts on them at 3 a.m. on a holiday. Most Canadian SMBs without dedicated security staff need MDR, because an EDR licence alone produces more alerts than a part-time IT manager can safely triage.
What is the difference between MDR and MSSP?
An MSSP manages and monitors security devices — firewalls, antivirus, log collectors — and typically forwards alerts to your team to investigate and resolve. The MSSP tells you something happened; you respond. MDR is response-led: the provider detects threats and actively contains and remediates them on your behalf, with a guaranteed response time. In short, an MSSP manages tools and raises alerts; MDR owns the outcome and stops the attack. For an SMB with no internal security team, the MSSP model usually leaves a dangerous gap that MDR closes.
What is the difference between MDR and SOCaaS?
SOCaaS (SOC-as-a-Service) provides outsourced security operations — analysts, a SIEM, and monitoring — usually priced around your log volume and built on your own tooling. MDR is a more packaged, outcome-focused service that bundles the detection technology (EDR/XDR), the 24/7 analysts, threat hunting, and active response into one per-device subscription with defined SLAs. SOCaaS suits organizations that already own a SIEM and want staff to run it; MDR suits SMBs that want a provider to bring the whole stack and own threat response end to end. Always compare what response actions are actually included, since the categories overlap.
How much does MDR cost in Canada in 2026?
MDR typically costs CA$15–$45 per device per month all-in for a Canadian SMB, including the detection platform plus 24/7 SOC coverage. SMB-optimized providers that pair with Microsoft Defender for Business — such as Huntress — sit at the low end, roughly CA$5–$10 per endpoint. Full-platform services like Arctic Wolf land higher, around CA$25–$45. For a 30-device firm, budget roughly CA$3,000–$11,000 per year — a fraction of the CA$80,000–$110,000 salary of a single in-house analyst who could only cover business hours.
Does a small business in Canada actually need MDR?
If your business holds personal, financial, or health data, processes payments, or is bound by PIPEDA or Quebec Law 25, MDR is now the defensible standard. The Canadian Centre for Cyber Security identifies ransomware as the most disruptive threat to Canadian organizations, and attackers deliberately target SMBs that own detection tools but have nobody watching them overnight. If you cannot staff genuine 24/7 monitoring internally — which almost no business under 200 staff can — MDR is the most cost-effective way to obtain it. Micro-businesses under 10 devices with no regulated data can start with Microsoft Defender plus MFA and add MDR as they grow.
Does MDR replace my IT provider or MSP?
No. MDR is a specialized security service, not general IT support. Your MSP or internal IT team still handles help desk, device setup, patching, backups, and day-to-day operations; MDR adds a dedicated 24/7 security layer focused only on detecting and stopping attacks. The two work together — when the MDR SOC isolates a compromised laptop at 2 a.m., your IT provider reimages it, restores data, and returns it to service. Many Canadian MSPs in fact resell MDR (commonly Huntress or Sophos MDR) inside their managed plans, so the two functions stay coordinated.
What should I look for when choosing an MDR provider?
Confirm genuine 24/7/365 coverage including Canadian statutory holidays, a documented response SLA (under 15 minutes to analyst action on critical alerts), and that the provider takes active containment — not just alert forwarding. Verify Canadian data residency or a Law 25-compliant Data Processing Agreement, coverage of all your operating systems, detections mapped to MITRE ATT&CK, and incident reports detailed enough for PIPEDA or Law 25 breach notification. Ask for references from comparable Canadian SMBs in your sector, and clarify whether active response is included in the base price or billed separately during an incident.
Get a Free MDR Assessment for Your Business
Tell us about your device count, current security stack, and any compliance obligations. We will recommend the right MDR model and provider tier for your environment — with CA$ pricing and a deployment timeline. No commitment required.
Related guides
- EDR Explained — the detection technology MDR operates, and how behavioural detection works
- Managed Security Services — what a full managed SOC service includes beyond MDR alone
- Managed Endpoint Protection Services — vendor comparison and per-device pricing for the endpoint layer
- Small Business Cybersecurity Hub — the complete control stack from MFA to incident response
- MFA Deployment for Canadian SMBs — the preventive layer MDR depends on to be effective
- Law 25 Compliance Guide — meeting Quebec's 72-hour breach notification and PIA requirements
