Threat detection: the differences between EDR and MDR | Redscan
Contact Us

Contact Us

Please get in touch using the form below

1000 characters left
View our privacy policy

With so many acronyms in cyber security, it isn’t always easy to distinguish between the many product and service offerings available.


This can create significant confusion for IT and security personnel that need to make quick purchase decisions to address holes in their security coverage.

Two of the more common acronyms that are likely be encountered by organisations looking to improve threat detection and quickly shut down threats are EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response). This blog seeks to clarify the differences between the two and help buyers make the right security investments.


What is EDR?


Endpoint Detection and Response (EDR) is a term used to describe cyber security technologies that help organisations detect threats that target host devices such as laptops, servers and desktops. EDR combines elements of next-gen antivirus with additional functionality to deliver real-time anomaly detection, support threat hunting and help automate incident response processes.

EDR solutions work by collecting endpoint data and using behavioural analytics to examine it for evidence of suspicious activity. When an anomaly is detected, an alert is generated for human investigation. Endpoint telemetry can be used to perform kill chain analysis, contain and quarantine infected devices, create custom threat watchlists and block malicious IPs. This provides security teams with a crucial layer of visibility to identify and respond to intrusions.

Learn about the difference between EDR and EPP


What is MDR?


Managed Detection and Response (MDR) is a term used to describe a service that combines human expertise, threat intelligence and a range of network and endpoint detection technologies to help organisations detect and respond to threats.

Managed Detection and Response services, delivered by specialist MDR providers, are designed to help organisations that lack extensive internal expertise and resources to achieve an enterprise-grade cyber security capability at a fraction of the cost of building the same capabilities in-house.

MDR acts as a virtual extension of an organisation’s in-house team to hunt for and respond to cyber threats around-the-clock. Going well beyond the scope of a traditional managed security service, MDR providers proactively hunt for, investigate and provide the support needed to swiftly remediate threats 24/7.


Does MDR include EDR?


EDR technologies form a crucial part of the MDR technology stack, enabling MDR security teams to leverage endpoint telemetry to achieve deeper threat visibility and coverage. Some providers even offer MDR services specifically dedicated to endpoint detection, which are often marketed as Managed EDR.

However, in most cases, EDR just one of several tools included as part of an MDR service. To achieve comprehensive visibility, MDR providers also typically include logging and network monitoring solutions like SIEM, intrusion detection, network traffic analysis and vulnerability management tools. In delivering an MDR service, an MDR provider will deploy, configure and monitor all technologies included as part of the service.

Unlike legacy managed security services, however, MDR services are not defined by their underlying technologies – these services instead offer a turnkey approach built around defined outcomes and goals to address specific security use cases.


The challenges of in-house endpoint monitoring


As the number of sophisticated cyber threats continues to grow, the perimeter security controls that have traditionally been relied upon are now insufficient. This has made it vital to swiftly detect and respond to threats that are able to bypass the security perimeter.

With an increasing number of cyber threats now specifically targeting endpoints, EDR technologies have become essential in helping organisations to identify and disrupt threats at the earliest stages of attack. The problem for many organisations, however, is that they lack the skills and resources needed to get the most out of them.

The cost of buying and integrating the necessary technology is already extensive, but organisations also need to hire and train dedicated staff to manage them.

Many organisations rush into expensive technology investments without considering the resource burden. The potential that solutions like EDR offer is significant, but no organisation can expect to unlock this potential without a dedicated team to proactively configure, manage and monitor them around-the-clock.

Overstretched IT teams without specialist security training often struggle to implement technologies effectively to maximise their value, and can quickly find themselves suffering from alert fatigue, leading to important information being ignored and rendering the technology redundant.

These challenges have led many organisations to seek out managed security services to help bridge the resource gap.


The rise of MDR


Managed Detection and Response has emerged in recent years in response to growing concerns in the market that traditional managed security services (MSS) are proving insufficient to protect businesses from modern cyber threats.

Many MSSPs have been criticised for ‘passing threats over the wall’, offering only basic monitoring and alerting whilst failing to provide the level of context and guidance organisations need to identify genuine security incidents and effectively respond to and remediate them.

MDR goes well beyond the scope of a traditional managed security service, adopting a more proactive, outcome-driven approach. Elements typically included as part of MDR include security orchestration, continuous network and endpoint monitoring, threat hunting and integrated response measures such as remote threat containment and disruption.

Some advanced MDR services may also offer extended cloud service coverage. This could include detection and response in AWS, Azure and GCP, or common SaaS application suites like Office 365 and G Suite. Some providers are also expanding capabilities across ICS and SCADA systems in operational technology (OT) environments.

The turnkey, outcome-focused approach of MDR has proved an effective antidote to legacy MSSP limitations, and this has made it one of the fastest growing sectors in the industry. Gartner predicts that, by 2024, a quarter of organisations will be using MDR services, up from less than 5% today. In that same timeframe, 40% of midsize enterprises will use MDR as their only managed security service.


Why choose Redscan as your MDR provider?


ThreatDetect™, Redscan’s flagship and award-winning Managed Detection and Response service, provides the extensive capabilities your organisation needs to hunt for and eradicate threat actors across your on-premise, cloud and hybrid environments.

Functioning as an extension of your IT team, ThreatDetect combines world-class security expertise, leading network and endpoint detection technologies, and aggregated security intelligence to help hunt for threats and shut down breaches before they can damage and disrupt your business.


Learn more about ThreatDetect MDR


Read more:

Redscan a double finalist at the TEISS Awards 2020

Ethical Hacking Roundtable 2020

What is Business Email Compromise (BEC)?