Managed IT security might look like a pretty complicated landscape, and it is. Sometimes, it is difficult for a customer to understand what a cybersecurity service provider offers. Yet managed security simplifies the life and business of customers, lets them focus on doing business, and makes them much better protected against the cyber threats thriving in today’s world. However, to get to this safe place, customers must first comb through the available service offerings. After that, they will be able to make the choice that best meets their urgent and potential needs in this area. Quite logically, the best first step in this cybersecurity journey is to study and understand the main acronyms of the managed cybersecurity world. So, let us see what they mean and compare the MSSP vs MDR vs Managed SIEM vs SOC-as-a-Service service models.

They come with smaller or more essential differences, so here is a short guide to the types of managed cybersecurity solutions and services. At first sight, the differentiation of MSSP vs MDR vs Managed SIEM vs SOC-as-a-Service might seem difficult to see. But, in reality, the differences, though essential, are not critical.

Moreover, more and more managed security service providers today offer several of the types of services described below. For instance, we offer different models of managed security partnership as well, because we see that the boundaries between them are blurring more and more every year.

If you need a quick comparison of MSSP vs MDR vs Managed SIEM vs SOC-as-a-Service, then you can look at it this way: MSSP is a cybersecurity company providing security monitoring of the customers’ IT infrastructure, while MDR is a more advanced (and expensive) form of MSSP providing more cybersecurity forensic capabilities. Managed SIEM is the provision of a SIEM in a hosted variant to a customer who is not willing to buy this costly solution and install it onsite. At the same time, a SOC, or Security Operation Center, is a crucial component of an MSSP or MDR service provider, comprising a cybersecurity team, tools (SIEM in the first place), and processes.

Managed Detection and Response, or MDR, is a managed cybersecurity service that helps to detect and eliminate different threats quickly. These can be intrusions, viruses, other malware, and malicious activities in the network. MDR usually takes into account the company’s structure, positions, and roles, relies on its proprietary technology stack, and involves an assigned team of forensic analysts as well as an in-house security team. It dramatically reduces the time to detect and eliminate incidents. In many cases, the reduction is from months to literally hours, which makes MDR an effective cybersecurity solution. MDRs are all about the response, which is not simply automated but is human or AI-led. Note that these functionalities, especially those involving humans, will add to the bill.

Additionally, you can sometimes come across SOC-as-a-Service offerings. In most cases, that will be the same MDR service, possibly with limited detection functionality. This is because the SOC-as-a-Service model usually provides for outstaffing of Tier 1, Tier 2, and Tier 3 SOC analysts to augment the customer’s SOC team. So, make sure it will meet your needs.

Essentially, MSSPs offer a security solution that relies on automation technologies. It lets a customer fully outsource cybersecurity to a security service provider. Traditionally, the customer does not need an in-house cybersecurity team, but its technology stack will participate. This makes an MSSP offering cheaper than an MDR’s and assumes that the support team will be the customer’s internal one.

Note that MSSPs are pretty flexible in their relations with a customer: they adapt to its IT environment and monitor security events in it, sending alerts on detected anomalies. However, MSSPs, as a rule, do not investigate them or respond to threats. These functions can be made available with a special retainer.

MSSP vs MDR: Are They Really so Different?

MSSP is the most common name for cybersecurity service providers. In the end, behind each of the acronyms mentioned in this article hides one or another type of managed security service provider. But one should distinguish them. So, the answer to the title question would be ambiguous: yes, and no. Let’s go into more detail.

Historically, MSSPs precede MDRs. However, the current trend is that the line between MSSPs and MDRs blurs year by year. Some MSSPs partner with pure MDR providers or expand their portfolios to add incident detection and response capabilities. For instance, Trilight Security MSSP offers packages with MDR functionality, such as Professional and Enterprise. Vice versa, some MDRs offer MSSP functionality to expand to a new customer base.

Remember that some MSSPs, especially those working with SMBs, also provide essential cybersecurity services. These are email encryption, antimalware, firewall management, backup & restore, and identity & access management (IAM). In this regard, it seems justified to say that MDRs tend toward large enterprises. MSSPs, though working with such customers as well, are a better choice for SMBs. But…

...this is not entirely true...

The primary customers of MDRs are large enterprises with in-house security teams and their own cybersecurity technology stack. These customers usually want to improve their threat detection and response capabilities. But, somewhat surprisingly, MDRs are also a good fit for SMBs with NO or almost no cybersecurity team and infrastructure. The MDR brings these assets. An MSSP, as you should remember, relies on the customer’s technological stack and offers no incident response functionality as a standard offer. As a rather rough approximation, one can claim that MDRs are fit for entities with minor to no or big to perfect cybersecurity capability. MSSPs lie somewhere in between.

MSSP vs MDR: Differentiators

From the above, it is clear that MSSP will be a good option for customers not using sensitive data. Also, a customer should be ready to assume responsibilities. It will be responsible for handling detected anomalies, doing (or not doing) incident responses and investigations, and eliminating false positives.

It is clear that customers will demand MDR services under the pressure of regulatory requirements. Most likely, those will be banks, insurance companies, healthcare service providers, food & beverages manufacturers, etc. Those with no fully operational SOC or lacking IT security staff will sooner or later come to either eliminating these insufficiencies or hiring an MDR service provider. Traditionally, MSSP services do not cover the compliance demands of such customers. However, MDRs will also be a good choice for SMBs that have cybersecurity tasks but no cybersecurity capacities.

Gartner pointed out in 2017 that the overlap between MSS and MDR is increasing and adding to the confusion of buyers. Ever since, this process has only accelerated. Still, we can and will differentiate MDRs and MSSPs by technological and process distinctions.

MDRs vs MSSPs by Gartner:

• Security event log and context sources: an MDR will rely on its own technological stack, while an MSSP will work with the data sent by the customer.
• MDRs will provide remote device management with their own service platform. Traditionally, MSSPs cover intrusion detection or prevention systems, web gateways, firewalls, and more, getting logs and analyzing them irrespective of vendors.
• Service provider interaction for MDRs will be direct with SOC analysts via voice or email, while an MSSP mainly interacts with customers via portals and emails.

Incident response support is one of the primary differentiators.

• MDRs offer remote and basic incident response as a part of a typical service package. Investigation or assistance in the elimination of an incident will be covered by a separate retainer. On the other hand, MSSPs offer both remote and on-site support, with the active participation of security experts, by a separate retainer.
• During incident containment, MDRs will work with their own technology stack plus some of the customer-owned technologies. In contrast, common MSSPs will work mostly with the customer’s available technological stack.
• MSSPs will usually provide SLAs for incident detection and response, while MDRs provide them quite rarely.
• Compliance reporting is rarely a subject area of MDRs. They usually specialize in better threat detection, incident response and security monitoring capabilities. MSSPs usually cover requirements for reporting in different industries.

If you want to check the difference between the MSSP and MDR approaches to managed security on a real-world example, then scroll down to the end of the article. There you will see the table where we differentiate our levels of managed security. If you are using a mobile device, see our pricing page.

Let us reiterate. The major difference between MDRs and MSSPs lies in the manner and scope of incident response. On the one hand, typical MSSPs will detect and alert, leaving the in-house security team responsible for handling. On the other hand, MDRs will typically provide at least some core remote support with incident handling. Also, MDRs populate their SOCs with security analysts rather than operators, so that incident responses become more personalized and intellectual.

Again, note that the boundaries between MSSPs and MDRs are blurring year by year, making the comparison of MSSP vs MDR vs Managed SIEM vs SOC-as-a-Service somewhat less obvious.

So, the answer to the question of what the difference between MDR and MSSP is can be put like this. MSSPs are predecessors to MDRs. They are less expensive and offer considerably less forensic capability. And though, as we stated above, the boundaries between MSSPs and MDRs overlap more and more, the answer to the question of whether an MDR is an MSSP will be negative, and the explanation is simple. MSSPs alert when threats are detected, and MDRs respond to them.

Managed SIEM

Additionally, alongside classical MSS and MDR, there also exists a relatively simpler (and cheaper) version of managed security, namely Managed SIEM, or Security Information and Event Management. Usually, it refers to the provision of a SIEM solution, on-site or cloud, for a customer that needs to strengthen its security monitoring capacity. Also, the Managed SIEM service can include administration and support of the SIEM solution and even collection and analysis of events in the customer’s IT environment. This is where the Managed SIEM service starts overlapping with MSS. Despite its relative “simplicity”, a Managed SIEM service helps meet many regulatory requirements.

Security Monitoring Package: MSS, MDR, MDR

Service Levels: Basic 8/5, Online 24/7, Professional 24/7, Enterprise 24/7

Monthly Rate per User*: From €8**

Vulnerability Analysis

  • Scanning for IT infrastructure vulnerabilities

Security Monitoring

  • Collection, analysis, correlation of events
  • Checking for updated IoC base

Threat Analysis

  • Initial prioritization of threats
  • Informing about security incidents

Threat Management

  • Expert-based analysis of vulnerability report and suggesting action points
  • Analysis of incidents, communication with customer’s security team (24×7)

Incident Response

  • Minimization of incident losses

Dedicated Security Team

  • Online tracking, investigation of incidents with customer’s team (24×7)
  • Dedicated Expert Threat Management

Trilight Security