
Market Guide for Managed Detection and Response Services
Published: 11 June 2018 ID: G00334680

Analyst(s): Toby Bussa, Kelly Kavanagh, Sid Deshpande, Craig Lawson, Pete Shoard

Managed detection and response services allow organizations to add 24/7 dedicated threat monitoring, detection and response capabilities via a turnkey approach. Security and risk management leaders can use this research to determine whether MDR services are appropriate for their environments.

Key Findings
■ MDR services are filling the need of organizations of all sizes that lack internal security
resources and expertise, and want to expand their investments beyond preventative security
technologies to address their detection, response and 24/7 monitoring gaps.
■ Managed EDR is one of the most visible offerings within the market, available from MDR
providers, MSSPs and the EDR technology vendors leveraging their own solutions.
■ Response capabilities are evolving toward faster reactions once a threat is detected. The ability
to disrupt and contain threats is becoming a standard offering. However, incident response
retainers are still needed when an incident reaches a threshold that requires significant support.
■ Many MSSPs are adding MDR-type services to their portfolios to compete against MDR service
providers. This trend will continue over the next 12 months.

Recommendations
IT security and risk management leaders responsible for security monitoring and operations:

■ Use MDR services to add threat detection, lightweight incident response, and 24/7 monitoring
capabilities when they don't exist or are immature within an organization. Incident response
retainers will still be required when significant support for large incidents and recovery is
required.
■ Use MDR services offering a turnkey technology approach so that your organization can focus
on the outcomes delivered by a provider.
■ Scrutinize how providers deliver services to ensure the technology stack fits well with existing
security technology investments and the entire IT environment, from on-premises to cloud.
■ Embrace threat disruption and containment as an incident response feature of MDR service
providers, particularly where you do not have 24/7 operations to respond to threats that require
immediate attention.

Strategic Planning Assumption
■ By 2020, 15% of organizations will be using MDR services, up from less than 5% today.

Market Definition
This document was revised on 11 July and 11 June 2018. The document you are viewing is the
corrected version. For more information, see the Corrections page on gartner.com.

Managed detection and response (MDR) providers deliver 24/7 threat monitoring, detection and
lightweight response services to customers leveraging a combination of technologies deployed at
the host and network layers, advanced analytics, threat intelligence, and human expertise in
incident investigation and response. MDR providers undertake incident validation, and can offer
remote response services, such as threat containment, and support in bringing a customer's
environment back to some form of "known good."

Market Description
MDR providers deliver services for buyers looking to implement or improve their threat detection,
response and continuous-monitoring capabilities. Many MDR providers' services leverage
technologies at the host and network layers that generate and collect security event and contextual
data that support both the detection of threats and incident investigation (such as forensic data).
Additionally, there is a focus on threat analytic detection techniques, threat intelligence and incident
response activities, all of which can be expensive, difficult to obtain and hard to sustain for many
organizations (midsize enterprises [MSEs] as well as larger enterprises). For large-enterprise-
oriented MDR providers, the focus may be on leveraging the customer's existing technologies.
However, this is only if the enterprise can provide the necessary data, context and functionality to
detect, investigate and respond to threats, as well as augment security expertise and cover gaps in
customer's security technologies.

MDR services are characterized by the following attributes, many of which are distinct from
managed security services providers (see Figure 1 and Note 2):

■ A focus on threat detection, geared toward attacks that have bypassed existing security
controls. Use cases such as vendor-agnostic security technology management and compliance
monitoring and reporting are not a focus of MDR services and are rarely addressed.

Page 2 of 16 Gartner, Inc. | G00334680


■ The delivery of services using the provider's curated technology stack, such as network traffic
analysis, endpoint activity monitoring and deception technologies, deployed on a customer's
premises and managed by the provider. These technologies allow the MDR providers to monitor
"south of the perimeter" as opposed to focusing on monitoring at internet ingress/egress points.
Few MDR providers rely solely on logs generated by a customer's existing security tools to
monitor and detect threats, and where logs are collected, they may be used more as secondary
data sources for additional context.
■ Security event and data analytics systems that use threat intelligence and advanced data
analytics that are fed curated events from the provider's technology stack (and, in some cases,
customer-owned technologies as well).
■ 24/7 monitoring, analysis and customer alerting of validated security events with incident triage
performed by a person (not relying just on automation), as well as more direct communication
with the provider's analysts and less emphasis on using a portal as the primary interface with
the customer.
■ The provider takes responsibility for determining what and how threats are detected. Customers
may have little opportunity to customize threat detection use cases relative to their environment.
For example, the MDR providers might be looking for specific tactics, techniques and
procedures (TTPs) that indicate a threat is active in a customer's environment, but if the
customer wants some rules specific to their environment, that level of customization may not be
supported.
■ Incident validation and some remote incident response activities are included in the service (or
available as a premium add-on, in some instances), without the need for an incident response-
specific retainer. Such activities may include malware analysis, identifying indicators of
compromise (IOCs) and threat containment. Incident response retainers are reserved for
significant circumstances where a major incident may have occurred. In most cases, recovery of
an environment to a known, good state (reimage, rebuild, restore from backup and so on) falls
on the client to manage (or coordinate via other means).
■ An emphasis on a fast, turnkey deployment of services. This is due to the use of the provider's
curated technology stack, which may be faster to deploy compared to the traditional MSS
approach requiring the customer to identify critical event sources and implement log forwarding
to a central collection appliance.

Figure 1. MSS and MDR Characteristics

Source: Gartner (June 2018)

Market Direction
MDR Is a Dynamic Market
The MDR market is growing, as Gartner observes continued interest in the market. Approximately
25% of all inquiries in 2017 related to acquiring security event monitoring services were specifically
about MDR. The market today is characterized by acquisitions by firms looking to enter the MDR
market, and general dynamism as new ideas and approaches are introduced by providers. MSSPs
are reacting to customer demand and the MDR provider competition by adding or expanding
managed EDR and threat hunting-as-a-service offerings. However, some claim they have MDR
offerings, with minimal evidence to support those claims.

Key observations of the market's dynamism over the last 12 months include:

■ Demand from midsize enterprises has been particularly strong, as MDR services are viewed as
a better fit than procuring security event monitoring services from an MSSP. Buyers' lack of
investment in threat detection technologies, processes and people continues to drive demand.
Gartner clients with little to no investments in threat detection and response technologies report
that outsourcing security event monitoring to an MSSP has led to unmet expectations and
negative experiences. Clients often question why they have little to show for the money spent.

■ There is market segmentation between MDR as a turnkey service for midsize and smaller
enterprises, and MDR to augment existing threat detection and response capabilities in larger
enterprises. In conversations with MDR providers, we find that many try to align to one of these
segments, though fewer claim to be competing in both. The exceptions are when they are able
to segment how the service is delivered, usually via the technologies deployed (for example,
managed EDR only versus use of a full network and host technology stack), or the target
customer size is so wide that they end up competing in both segments.

"Response" Is a Defining Element of MDR Services, and Capabilities Are Going Further
Many MSSPs offer security event monitoring and threat detection and alerting services, where the
customer's security or IT team provides incident triage, analysis and associated response activities,
such as containing and mitigating the threat. Gartner clients state that they want more
comprehensive threat detection and response services than are typically provided by many MSSPs.
MDR services include varying degrees of "lightweight," remote incident response services as part of
the core services. MDR providers favor dedicated response experts in their security operations
centers (SOCs). These experts validate potential incidents, assemble the appropriate context,
investigate as much as is feasible about the scope and severity given the information and tools
available, provide actionable advice and context about the threat, and increasingly the ability to
remotely disrupt and contain threats.

These capabilities are very appealing to midsize and smaller enterprises, as they lack 24/7
operations to respond when threats are detected outside of business hours. MSEs indicate a
greater acceptance of containment actions where and when threats represent business-level
impact. Larger enterprises that have 24/7 IT operations and a security operations team to handle
response activities currently tend to be less interested in containment being done by the provider.
However, they are interested in having the technical capability to initiate the containment
themselves, such as through a button in a portal that will initiate containment through an EDR agent.

Disruption and containment of threats can take various forms, and MDR providers are trying
different options. There is no one winning approach, although isolation of a host via an EDR tool and
blocking traffic on a firewall appear more frequently. Example methods include:

■ Changing firewall rules via APIs, watchlists and rules updates


■ Isolating a process or a host from the network using an endpoint agent
■ Locking and suspending user accounts
■ Integrating with a customer's network access control (NAC) tool
■ Blocking network activity via DNS requests and TCP resets

More MSSPs Now Offer MDR-Type Services

Over the last 12 months, many more MSSPs have added MDR-type offerings that supplement their
existing services, primarily in the form of managed EDR and threat-hunting services (or a
combination). However, there are some MSSPs with credible offerings that include their own
proprietary host and network technologies, supported by their own threat intelligence and advanced
analytics capabilities (see the MSS Portfolio section in "Magic Quadrant for Managed Security
Services, Worldwide"). These offerings tend to be purchased by larger enterprise buyers with
specific MSS requirements that cannot be met by stand-alone MDR providers (such as technology
management, vulnerability management and compliance reporting) and want more "advanced
threat detection," along with traditional managed security services. Depending on their risk
tolerance and culture, an organization may choose to adopt an approach that uses MSS for certain
capabilities, and augments the MSSP with MDR services. However, this approach is the exception,
rather than norm.

Adoption of the term "MDR" by MSSPs should be met with healthy skepticism by buyers, as
Gartner has observed increasing use of the term in the last 12 months. In some situations, the use
of the term is legitimately warranted. In other cases, there is little evidence that a service is really
aligned to the characteristics defined in this note. Those exploring MSSPs for these services should
assess the MSSPs' technology stacks (or supported technologies) and the availability of threat-
hunting skill sets.

Market Analysis
Since Gartner defined MDR services in 2016, the number of providers claiming to be MDR has
increased dramatically. A survey of the Representative Providers section shows the breadth of
providers available across different regions and home markets. North America has a large
population of providers, followed by Europe, in particular the Nordics region. Asia/Pacific and the
rest of the world have few regional providers visible in the market today.

The current state of the MDR market can be summarized as follows:

■ It is a dynamic market, with new providers entering and trying to differentiate themselves
against existing providers, which in turn are adjusting their branding and offerings.
■ Acquisitions are occurring as firms without MDR offerings seek to enter the market (for
example, Booz Allen Hamilton acquiring Morphick and ADT acquiring DATASHIELD).
■ MDR is seeing investments from venture capital and private equity, indicating support of MDR
as a growth market (see Note 3).
■ Endpoint protection platform (EPP) and EDR vendors are increasingly adding services to
provide 24/7 threat detection (either in real time or via threat-hunting capabilities) to address
customer demand.
■ MSSPs actively attempt to compete in the MDR space, as evidenced by the new offerings
being added, as well as by the maturation of more established offerings.
■ Proactive capabilities are starting to enter the picture for some MDR providers that support
MSEs and are looking to extend their services to help address other "security hygiene" gaps
(such as vulnerability management).

MDR Providers Generally Target Two Types of Buyers
MDR services generally target two types of buyers as described earlier — MSEs and larger
enterprises — both of which increasingly require 24/7 coverage. Providers focus on one of these
types of buyers, but as expected, several support a range of buyer sizes and maturity, primarily by
segmenting their services (for enterprises, for example) and packaging those services into specific
offerings (such as for MSEs).

Over the next 12 months, Gartner expects to see MDR providers continue to segment their offerings
to these distinct buyers. MDR providers focused on MSE and less mature organizations will drive
packaged offerings that include the necessary technology backed by the provider's experts and
processes. Larger enterprises and more mature enterprises will look to adopt MDR services when
there are options available that allow the provider to address the specific situation of each customer.
One example is the ability to leverage existing security technology investment where appropriate (if
the enterprise has already invested in EDR or network forensic technologies, whether it's for a short
duration as the enterprise gains experience with the solution, or as a long-term relationship). The
provider can then segment its offerings to fill gaps in the customer's threat detection and response
capabilities (such as using managed EDR only).

The Technology Stacks Employed by the MDR Providers Are Starting to Mature, but
Still Have Gaps
The following characteristics of the technology stacks employed by MDR providers are being
observed in the market:

■ EDR agents have become the common technology employed for MDR — especially those
offering containment capabilities. Most providers are aligned with a single EDR vendor, but we
increasingly see MDR providers support two to three vendors. A number of EDR vendors are
using their own proprietary technology. However, these are a work in progress for several
vendors, and many don't yet support the response capabilities required to contain a threat (see
"Market Guide for Endpoint Detection and Response Solutions").
■ Network-monitoring capabilities using on-premises deployed sensors (physical or virtual) are
being extended to include other vectors, such as DNS traffic and NetFlow data.
■ Email monitoring is available from few providers, but it is appearing on more providers'
roadmaps to shift threat detection capabilities earlier in the attack life cycle — for example, to
the delivery phase — rather than focusing solely on the command and control (C2) phase (see
"Addressing the Cyber Kill Chain").
■ Deception technologies are offered by a few providers to address such challenges as
accelerating service implementation and concerns about deploying EDR agents onto endpoints.
■ Technologies to monitor industrial control systems (ICS), supervisory control and data
acquisition (SCADA) and other operational technology (OT) environments are available in the
market, and offerings are increasing based on MDR provider roadmaps. Europe, in particular,
has several examples of providers with OT security monitoring offerings.

■ Monitoring of cloud-delivered services, such as SaaS and IaaS in public cloud services, is still
nascent outside of providers specifically focused on monitoring cloud environments, either
agnostically or as part of a wider set of cloud management services. Adoption of direct
monitoring of SaaS and IaaS environments has been slow, although Microsoft Office 365 and
Amazon Web Services (AWS) CloudTrail are becoming more common. For SaaS there is a
reliance on a customer procuring a cloud access security broker (CASB) solution (see "Magic
Quadrant for Cloud Access Security Brokers"). However, MDR providers are starting to
establish partnerships with CASB vendors to expand their monitoring capabilities (if they don't
have their own CASB solution already).
■ Log management is not widely available from MDR providers, since the focus is on analyzing
events and data from their own technology stacks, and not on compliance monitoring and
reporting capabilities. This means some end users may see MDR as a misalignment to their
main buying drivers. MDR buyers with this requirement may have to leverage their own log
management tool when a preferred MDR provider is unable to meet that requirement (see "Use
Central Log Management for Security Event Monitoring Use Cases").

Reliance on More Advanced Analytics
Another critical component observed with MDR services is reliance on more advanced analytics in
event and data analysis platforms. MDR providers have entered this market with the ability to
leverage commodity big data analytics platforms, such as Hadoop and Elastic, along with a growing
pool of data science talent. This big data analytics approach takes the curated data out of the MDR
provider's technology stack and enables the provider to do more-precise, real-time threat detection.
However, buyers should realize that not all threat detection has to, or even could, be done with
advanced analytics like machine learning. A range of analytics is required to do great threat
detection, including whitelists, correlation rules, simple statistics and machine learning approaches.
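The paragraph above argues that good detection layers several kinds of analytics rather than relying on machine learning alone. The following Python script is an added example written for this page, not code from the Gartner guide or from any MDR provider. It runs three of the named tiers over constructed sample telemetry: an allowlist (whitelist) that suppresses known-good process activity, a correlation rule that pairs repeated authentication failures with a subsequent success for the same user and source, and a simple statistical threshold (mean plus three standard deviations against a constructed weekly baseline) for per-host outbound data volume. The event schema, the allowlist entries, the `WATCHED_PROCESSES` set and the baseline figures are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Event:
    """Minimal normalized event; field set is an assumption for this example."""
    ts: datetime
    host: str
    kind: str            # "auth_fail", "auth_ok", "process" or "netflow"
    user: str = ""
    process: str = ""
    src: str = ""
    bytes_out: int = 0


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry for one day (not real data).
SAMPLE_EVENTS = [
    Event(_t("2018-06-01T09:00:00"), "ws-01", "process", user="svc_backup", process="backup.exe"),
    Event(_t("2018-06-01T09:05:00"), "ws-01", "process", user="alice", process="psexec.exe"),
    Event(_t("2018-06-01T09:10:00"), "ws-02", "process", user="bob", process="psexec.exe"),
    Event(_t("2018-06-01T10:00:00"), "dc-01", "auth_fail", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T10:00:30"), "dc-01", "auth_fail", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T10:01:00"), "dc-01", "auth_fail", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T10:01:30"), "dc-01", "auth_fail", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T10:02:00"), "dc-01", "auth_fail", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T10:02:20"), "dc-01", "auth_ok", user="admin", src="10.0.0.55"),
    Event(_t("2018-06-01T11:00:00"), "dc-01", "auth_fail", user="carol", src="10.0.0.7"),
    Event(_t("2018-06-01T11:30:00"), "dc-01", "auth_ok", user="carol", src="10.0.0.7"),
    Event(_t("2018-06-01T23:00:00"), "ws-02", "netflow", bytes_out=9_500_000_000),
    Event(_t("2018-06-01T23:00:00"), "ws-01", "netflow", bytes_out=120_000_000),
]

# Tier 1 (allowlist): (host, process) pairs an analyst has confirmed as expected. Assumed values.
KNOWN_GOOD_PROCESSES = {("ws-01", "backup.exe"), ("ws-01", "psexec.exe")}
# Remote-administration tools surfaced for triage when they run outside the allowlist. Assumed.
WATCHED_PROCESSES = {"psexec.exe"}

# Constructed per-host baseline: daily outbound bytes over the previous seven days.
OUTBOUND_BASELINE = {
    "ws-01": [100e6, 110e6, 95e6, 130e6, 105e6, 115e6, 120e6],
    "ws-02": [90e6, 100e6, 85e6, 95e6, 110e6, 105e6, 100e6],
}


def allowlist_filter(events):
    """Tier 1: drop process events that match a known-good (host, process) pair."""
    kept, suppressed = [], 0
    for e in events:
        if e.kind == "process" and (e.host, e.process) in KNOWN_GOOD_PROCESSES:
            suppressed += 1
            continue
        kept.append(e)
    return kept, suppressed


def watchlist_findings(events):
    """Surface watched processes that survived the allowlist."""
    return [{"rule": "watched_process", "host": e.host, "user": e.user, "process": e.process}
            for e in events if e.kind == "process" and e.process in WATCHED_PROCESSES]


def correlate_auth(events, threshold=5, window=timedelta(minutes=5)):
    """Tier 2: >= threshold failures for one (user, src) inside the window, then a success."""
    findings = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.user, e.src)
        if e.kind == "auth_fail":
            fails[key].append(e.ts)
        elif e.kind == "auth_ok":
            recent = [t for t in fails[key] if e.ts - t <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "bruteforce_then_success", "host": e.host,
                                 "user": e.user, "src": e.src, "failures": len(recent)})
            fails[key].clear()  # a success resets the failure run for this key
    return findings


def outbound_anomalies(events, baseline, sigmas=3.0):
    """Tier 3: flag hosts whose outbound volume exceeds mean + sigmas * stdev of their baseline."""
    findings = []
    for e in events:
        if e.kind != "netflow" or e.host not in baseline:
            continue
        hist = baseline[e.host]
        mu, sigma = mean(hist), pstdev(hist)
        if e.bytes_out > mu + sigmas * sigma:
            findings.append({"rule": "outbound_volume_anomaly", "host": e.host,
                             "bytes_out": e.bytes_out, "baseline_mean": round(mu)})
    return findings


def run_pipeline(events, baseline=OUTBOUND_BASELINE):
    """Apply the allowlist first, then run the rule-based and statistical tiers on what remains."""
    kept, suppressed = allowlist_filter(events)
    findings = watchlist_findings(kept) + correlate_auth(kept) + outbound_anomalies(kept, baseline)
    return {"suppressed": suppressed, "findings": findings}


if __name__ == "__main__":
    for f in run_pipeline(SAMPLE_EVENTS)["findings"]:
        print(f)
```

On the constructed data the allowlist suppresses two events, the correlation rule fires on the five failures followed by a success for `admin`, the single failure for `carol` stays below threshold, and only `ws-02` trips the volume threshold. Each tier is cheap and explainable, which is the point of the paragraph: a provider's machine learning should sit on top of this kind of layered baseline, not replace it.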

The ability to collect large volumes of data also helps the MDR providers' incident investigation and
response activities. Investment in log and data capture and analysis capabilities enables MDR
providers to invest in smaller teams of experienced analysts focused on incident investigation and
response. It also allows many providers to perform automated and manual threat hunting through
their customers' logs and data, looking for IOCs.

A few MDR providers take the approach of leveraging commercial security information and event
management (SIEM) solutions for security analytics and threat detection that are deployed on the
customer's premises. Most MDR providers rely on a central, multitenant platform for analysis. This
does not necessarily imply that a lack of advanced analytics and machine learning is an impediment
to doing more precise threat detection (especially as many commercial SIEM solutions have
advanced analytic capabilities). However, buyers should ask potential providers what tools and
methods they employ, and how they differentiate their services from those of their competitors.

Pricing Models Are Primarily Based on the Size of the Buyer
When pricing is based on the size of the buyer's organization, the common metric is either number
of employees or the number of IT assets being monitored. Many MDR providers use organization
size as a core component of their pricing, not the volume or velocity of logs processed, or number
of devices generating logs. Final pricing is based on a variety of factors. For example, variables
affecting pricing may include the technology stack components employed; such pricing is a
combination of organization size and the number of network appliances and EDR agents deployed.
Some providers are more closely aligned with MSSP pricing models, with services priced on the
volume or velocity of events analyzed. Finally, some providers are employing approaches based
on the number of incidents generated by a customer over a set period of time, usually monthly.

Representative Vendors
The vendors listed in this Market Guide are not an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Market Introduction
The MDR market has a variety of service providers around the globe. Representative providers
listed in this section are referenced by the region where their corporate headquarters are located.
However, many have a strong presence in multiple regions, ranging from a sales presence through
to having regional headquarters and in-region SOCs. Buyers interested in specific providers should
confirm their geographic presence in the buyer's region, especially as Gartner has witnessed many
providers expanding, or planning to expand, their footprint outside of their home regions.

Table 1. Representative Providers Headquartered in North America

| Provider | Corporate Headquarters Location | Product, Service or Solution Name |
|---|---|---|
| ADT Cybersecurity | Salt Lake City, Utah | ADT Cybersecurity |
| Alert Logic | Houston, Texas | ActiveWatch Managed Detection and Response Services |
| Arctic Wolf Networks | Sunnyvale, California | AWN CyberSOC |
| Booz Allen Hamilton | McLean, Virginia | Booz Allen Managed Threat Service |
| Cisco | San Jose, California | Cisco Active Threat Analytics |
| Critical Informatics | Seattle, Washington | Managed Detection and Response |
| eSentire | Cambridge, Ontario | Managed Detection and Response |
| Expel | Herndon, Virginia | Expel |
| FireEye | Milpitas, California | FireEye Managed Defense |
| Ingalls Information Security | Alexandria, Louisiana | Managed Detection and Response |
| IntelliGO Networks | Toronto, Ontario | IntelliGO Managed Detection and Response Platform |
| IronNet Cybersecurity | Fulton, Maryland | Cyber Operations Center |
| Leidos | Foxborough, Massachusetts | Leidos Managed Detection and Response |
| Masergy | Plano, Texas | Masergy Unified Enterprise Security |
| Paladion | Reston, Virginia | Managed Detection and Response Service |
| Proficio | Carlsbad, California | Managed Detection and Response |
| Rapid7 | Boston, Massachusetts | Rapid7 Managed Detection and Response |
| Raytheon Foreground Security | Waltham, Massachusetts | Managed Detection & Response |
| Red Canary | Denver, Colorado | Red Canary |
| Rook Security | Carmel, Indiana | Managed Detection and Response |
| UnitedLex | Overland Park, Kansas | Managed Detection and Response |

Source: Gartner (June 2018)

Table 2. Representative Providers Headquartered in Europe

| Provider | Corporate Headquarters Location | Product, Service or Solution Name |
|---|---|---|
| CSIS | Copenhagen, Denmark | Security Analytics Centre |
| Countercept | Basingstoke, U.K. | Countercept |
| EY | London, U.K. | EY Advisory: Cybersecurity |
| Ezenta | Herlev, Denmark | Ezenta Managed Detection and Response |
| F-Secure | Helsinki, Finland | F-Secure Rapid Detection & Response Service |
| Kudelski Security | Cheseaux-sur-Lausanne, Switzerland, and Phoenix, Arizona | Kudelski Security Managed Endpoint Detection and Response Service and Managed Attacker Deception |
| Mnemonic | Oslo, Norway | Argus Managed Defence |
| SecureLink | Malmö, Sweden, and Sliedrecht, Netherlands | SecureDetect and SecureRespond |

Source: Gartner (June 2018)

Table 3. Representative Technology Vendors Offering Managed EDR Services

| Vendor | Corporate Headquarters Location | Product, Service or Solution Name |
|---|---|---|
| Binary Defense | Hudson, Ohio | Binary Defense Vision |
| Carbon Black | Waltham, Massachusetts | Cb ThreatSight |
| CrowdStrike | Sunnyvale, California | Falcon OverWatch |
| Cybereason | Boston, Massachusetts | Active Monitoring |
| Digital Guardian | Waltham, Massachusetts | Advanced Threat Protection |

Source: Gartner (June 2018)

Market Recommendations
■ Organizations that have not yet invested, or are underinvested, in detection and response
technologies and internal capabilities should consider MDR services. MSE buyers should look
for providers with comprehensive technology stacks, while larger enterprises should look for
providers that have flexible technology options.

■ Do not assume that all MDR providers are the same. Choose a provider that is oriented toward
your organization's size, security maturity level, specific requirements, and existing threat
detection and response capabilities. The variability across offerings, delivery models, vertical
expertise and pricing can make direct comparisons challenging. Having a strong set of
requirements at the beginning will ease the analysis and selection process.
■ Threat-oriented use cases beyond detecting and responding to external attackers, such as
insider threats, privilege abuse and web-application level attacks, are not usually addressed by
MDR service providers. Organizations with gaps in these use cases and requirements must
augment an MDR service with other providers, or look for a single provider that may offer a
more comprehensive set of services. These include consultancies, system integrators or IT
outsourcers that also offer managed security services.
■ If internal response capabilities are nascent or immature, they should be treated just as
important as threat detection capabilities when evaluating MDR providers. Time to detect a
threat is great, but if the time to respond is still too challenging for an organization, then
weighting response capabilities for a provider is critical. If an organization does not have 24/7
operations available to help with response, then focus on MDR providers that offer the ability to
disrupt or contain a threat to buy time for the customer to initiate mitigation and recovery
activities.
■ Enterprises implementing an SOC should leverage MDR services as a way to accelerate threat
detection while their SOC is being implemented and as it matures. This can mean an SOC is
operating at a greater maturity level in several months, rather than several years. If the
relationship is successful with the MDR provider, don't kick them out if you think you should be
able to run everything yourself. Retaining the MDR provider as a long-term partner may be the
best approach once the SOC is fully operational and self-sustaining.
■ Use proofs of concept (POCs) to your advantage to validate claims and fit for purpose with your
organization's requirements. Most MDR providers lack the vetting and decades of competition
that MSSPs have faced. Therefore, the customer must perform sufficient due diligence on the
MDR providers before signing a contract (see "How to Work With an MSSP to Improve
Security" for more advice when a POC is not feasible).
■ If you have data residency and strong privacy or other compliance requirements, validate that
the MDR providers can comply with them. Focus on MDR providers within your geographic
region, or those using a data collection architecture in which your data remains on-premises,
and only metadata or event data is sent back to a central SOC.

Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.

"Shift Cybersecurity Investment to Detection and Response"

"Magic Quadrant for Managed Security Services, Worldwide"

"How to Work With an MSSP to Improve Security"

"Foundational Elements to Get Right When Selecting an MSSP"

"How to Plan and Execute Modern Security Incident Response"

"Designing an Adaptive Security Architecture for Protection From Advanced Attacks"

"Five Styles of Advanced Threat Defense"

Note 1 Representative Vendor Selection
Gartner included a wide range of providers in this report to ensure coverage from a geographic,
vertical and provider-capability perspective. Gartner estimates that there are now over 75
providers visible in this market claiming to offer varying degrees of MDR services. The providers
listed here are those that are visible with Gartner clients based on inquiries, have differentiators
that are representative of the dynamic nature of the MDR market, and represent future capabilities
and offerings that may drive the direction of the market.

Note 2 MDR vs. MSS
Table 4 summarizes the differences at a high level across the MDR and MSS providers' landscape.

Table 4. Differences Between MDR and MSS

| Characteristic | MDR | MSS |
|---|---|---|
| Deployment time scales | Simple deployment and setup, service delivery usually in days or weeks. | Complex deployment, significant infrastructure changes and setup required, service delivery usually within months. |
| Security event log and context sources | Proprietary technology stack provided by the provider and deployed at the customer's premises, which is included in the service price. | Event-source-agnostic. Data sent to the provider is determined by the customer. |
| Remote device management | Only for their own technology stacks. | Yes. Vendor-agnostic for most common security controls — e.g., firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs) or web gateways — or tools deployed with MDR-type services. |
| Compliance reporting | Very rarely. | Yes. |
| Interface to service | Rely on more direct communication (voice, email) to analysts, rather than portals. | Portal and email act as the primary interface, with secondary access to analysts provided via chat functions and phone. |
| Incident response support | Lightweight, remote incident response support typically included in basic services. On-site incident response provided by retainer. | Both remote and on-site provided by a separate retainer. |
| Incident containment | Provided using the provider's technology stack or customer-owned technologies, leveraging scripts and APIs to programmatically make changes. | When remote, full management of security controls is managed for a customer and MDR-type services are offered — e.g., managed endpoint detection and response (EDR). |
| Provide service-level agreements (SLA) for incident detection and response | Rarely. | Yes. |

Source: Gartner (June 2018)

Note 3 Investment in the MDR Market
Examples of the investment observed in the MDR market over the last 12 months include:

■ A reported investment of over $100 million in eSentire by Warburg Pincus was announced in
August 2017. See eSentire, "eSentire Announces Growth Equity Investment From Warburg
Pincus" and Fortune, "Term Sheet, Monday, August 21."
■ Arctic Wolf Networks raised an additional $16 million of funding in January 2018, increasing
their investment to over $43 million. See Business Wire, "Arctic Wolf Secures $16M in New
Funding to Accelerate Growth in Rapidly Expanding Security Operations Center-as-a-Service
Market" and SDxCentral, "Security Startup Arctic Wolf Raises $43.2M for SOC Services."
■ Expel announced Series B funding of $20 million in April 2018, increasing their investment total
to $27.5 million. See Business Wire, "Cybersecurity Company Expel Announces $20 Million in
Series B Funding."

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and
Objectivity."
