24×7 SOC monitoring
Your computers are not waiting for someone to notice an alert in the morning. The SOC watches endpoint activity continuously and can contain suspicious behavior before it spreads.
Managed Detection & Response
24×7 monitoring. Human review. Real response.
Most SMBs can't staff a 24×7 SOC, but attackers still work nights and weekends. Obsidian Ridge delivers MDR on the platform we operate end-to-end: monitoring, human triage, containment, and CISSP-led response from $15 per agent per month.
TL;DR
What you get, what it costs, and when it pays for itself
We deploy and operate managed detection and response on every endpoint and identity tenant in your organization. The 24×7 SOC watches for the patterns that precede a breach, isolates threats within minutes, and escalates confirmed incidents to an Obsidian Ridge practitioner who coordinates response. Pricing starts at $15 per agent per month with no minimum and no contract. Average payback: stopping a single ransomware incident covers two years of service.
What's included
Everything that goes into managed detection
Human alert review
You only hear about alerts that deserve attention. Analysts review isolation events, filter noise, and escalate confirmed threat activity with context.
Identity threat detection
Account break-ins are treated like security incidents, not IT annoyances. Microsoft 365, Entra ID, and Google Workspace are monitored for impossible travel, MFA fatigue, suspicious app consent, and other takeover patterns.
Incident response coordination
If something happens, you are not left translating tool alerts into next steps. We coordinate containment, investigation, leadership updates, and the debrief that turns the incident into a prevention plan.
Endpoint, server, and cloud coverage
Coverage follows the systems your business actually uses. The endpoint agent can be deployed across Windows, macOS, Linux, and supported cloud workloads with repeatable rollout steps.
Audit-ready reporting
You get usable proof, not screenshots dumped in a folder. Monthly summaries and quarterly reviews translate detection activity into evidence for SOC 2, ISO 27001, HIPAA, and cyber-insurance renewals.
Compare honestly
MDR vs. EDR-only vs. running your own SOC
| Question | Managed Detection & Response | EDR license only | Build a full SIEM team |
|---|---|---|---|
| 24×7 monitoring with human review | Yes — every alert triaged by an analyst | Software alerts; you triage | Yes, but you operate it |
| Time to first response | Minutes | Whenever someone notices | Depends on your team |
| Total cost (50-endpoint org, year 1) | ~$9K — no infrastructure to run | ~$3K license + ~$80K analyst time | $60K+ in tools and staff |
| Compliance-ready evidence | Built in | You assemble it | You configure it |
| Best fit | 5–500 employees, no internal SOC | Tech-mature teams, dedicated security staff | Regulated, 1000+ employees, dedicated team |
Most small and mid-market organizations land on MDR because EDR-only leaves the alert queue with someone who can't reasonably be on-call at 2 am, and a full internal SOC costs more than a year of your security budget. MDR splits the difference.
How MDR works
From antivirus to managed detection — the short version
A 60-second walkthrough of how endpoint defense evolved from signature antivirus to managed detection and response, what a real ransomware kill chain looks like, and the controls that stop it before it spreads.
Pricing
Three concrete tiers, no middleman markup
Prices in USD · per agent or per user
Tier 01 · Foundation
Foundation
$15/ agent / mo
Month-to-month · no minimum
Always-on protection for every endpoint, watched 24/7 by a real SOC so a compromised workstation isn't left waiting for the next business day.
What's included
- Always-on protection on every endpoint.MDR / EDR: endpoint activity is watched 24/7 by a real security team, so a compromised workstation is not left waiting for the next business day.
- Human review before alerts reach you.SOC triage: analysts review suspicious activity first, filter noise, and escalate confirmed threats with context.
- Quarterly posture check-in.Posture review: we look at what changed, what improved, and what still needs attention before small gaps become expensive problems.
- Direct email support from a senior practitioner.Security advisory: a person to ask when something feels off, not a generic ticket queue.
- Install or remove agents at any time.Agent-based deployment: coverage can follow the devices you actually use without locking you into unused seats.
Replaces or complements
- Antivirus subscriptions that flag everything and stop nothing
- Generic IT-installed protection with no one reviewing alerts
- Monthly log review your team never finds time for
Cyber insurance baselineSOC 2 readinessHIPAA Security Rule
Tier 02 · Protected
Protected
$32/ user / mo
Annual term · billed monthly
Adds the email and Microsoft 365 / Google Workspace identity monitoring attackers actually target — plus the documentation your auditor or insurer will ask for.
Everything in Foundation, plus
- Email and cloud account monitoring.ITDR: Microsoft 365, Entra ID, and Google Workspace accounts are watched for break-in attempts and identity-based attacks.
- Security training for staff.security awareness training: short lessons and realistic phishing simulations help people recognize common attacks before they become incidents.
- Training records for audits and insurance.Compliance evidence: you have documentation ready when SOC 2, ISO 27001, HIPAA, client questionnaires, or insurers ask what staff received.
- Monthly security review and stakeholder report.Executive reporting: leaders see what was watched, what was investigated, and what needs a decision without learning another console.
- Senior practitioner included.Security advisory: the same email channel as Foundation, scoped for the wider Protected program.
Replaces or complements
- Standalone antivirus or endpoint subscriptions
- Separate phishing-training tools you bought and forgot to roll out
- One-off compliance gap assessments with no follow-through
Cyber insurance baselineSOC 2 readinessHIPAA · add-on
Tier 03 · Complete
Complete
from$55/ user / mo
Scoped · log sources priced separately
Full program plus audit-ready logs, 90-day retention, and quarterly drills. For teams that already feel the weight of compliance and want it handled.
Everything in Protected, plus
- Audit-ready security records.SIEM: logs from endpoints, identity, network, and cloud tools are collected so investigations and evidence requests are easier to answer.
- Searchable evidence for 90 days.Log retention: when someone asks what happened, we can investigate from stored security records instead of rebuilding the story after the fact.
- Quarterly practice drill.Tabletop exercise: we walk through what your team would do if a real incident hit, before the pressure is real.
- Senior practitioner — 4 hrs/mo reserved.Practitioner hours: security questions, policy decisions, vendor reviews, audit prep.
- Dedicated framework alignment support.Compliance readiness: we help turn detection and response work into clearer evidence for audits, renewals, and client reviews.
Replaces or complements
- Separate logging tools no one reads
- Advisory retainers with no monitoring behind them
- A patchwork of security tools that don't talk to each other
Cyber insurance baselineSOC 2 Type IIHIPAA · PCI-DSS
From $15 / agent / moStart with Foundation
Request pricingEndpoint posture
Want fewer preventable MDR alerts?
MDR is the detection and response layer. Managed ESPM is the upstream posture work: app control visibility, vulnerability prioritization, endpoint hardening checks, and remediation tracking before attackers get an easy opening.
Read the Managed ESPM page →Honest fit check
Who this is not for
Managed Detection & Response is the right fit for most small and mid-market businesses that want serious cybersecurity without building an internal team. It is not the right fit if:
- You want a ticket-only MSP that responds to your tickets but never tells you what to do.
- You're looking for a one-time PDF report you'll file and forget. Buy a consultant.
- You already have a fully-staffed internal SOC and you just need someone to procure tools. Buy a tool reseller.
- You expect cybersecurity to be a checkbox you do once. It's a practice, not a purchase.
If any of those describe you, we are not the right fit and we will tell you that on the triage call. No hard feelings.
What happens after you reach out
From first call to first alert handled — typically 14 days
Free 20-minute triage
A direct call with the practitioner. We confirm fit, scope, and whether you actually need MDR or something simpler. If it's not a fit, we tell you what is.
30-minute briefing & written proposal
Within one business day after the briefing, you get a fixed-fee proposal with scope, term, onboarding fee, and timeline. No surprise costs in the contract.
Onboarding (1-2 weeks)
Agent deployment, identity baseline, alert routing, and escalation paths. Most clients are fully operational within two weeks.
24×7 operation, ongoing
The SOC is watching from day one. You get a 30-day check-in, monthly reports, and a practitioner you can call when something feels off.
FAQ
Questions that come up before signing
What's the difference between EDR and MDR?
EDR is the software that detects threats on endpoints. MDR is EDR plus a 24×7 team that reviews and acts on what the software finds. Buying EDR alone means you own the alert queue. Buying MDR means we do.
Do you replace our existing antivirus?
Yes for most cases. The platform we deploy includes endpoint protection, ransomware canaries, and EDR — typically replacing legacy AV plus a separate MDR add-on. We confirm fit during the briefing.
How long does deployment take?
For most small and mid-market businesses: the agent rolls out within a day, alert routing is configured within the first week, and the first monthly report lands at day 30. No multi-month onboarding.
What if we already have Microsoft Defender?
Defender is a strong endpoint product. The gap most teams have is the human SOC behind it. Many organizations keep Defender and add managed detection on top — we coordinate the monitoring and response layer instead of forcing a replacement.
What does a real incident look like with you?
A typical sequence: SOC isolates the endpoint within minutes, an analyst confirms threat actor activity, your designated point of contact gets a call within an hour with a containment plan, and we coordinate remediation, communication, and the post-incident debrief. You get a written report within 5 business days.
Can we cancel?
Foundation tier is month-to-month with no contract — cancel anytime. Protected and Complete tiers are typically annual because identity and SIEM benefit from continuity, but the term is disclosed up-front in the proposal.
Related
Before the briefing, you might want to read
Next step
Stop watching your endpoints alone.
Briefings are free and we tell you when you don't need us. 30 minutes, real answers, no follow-up sales sequence.