24×7 SOC monitoring
Every endpoint is watched continuously. When something acts like an attacker, it is isolated within minutes — not at 9am the next business day.
Managed Detection & Response
24×7 monitoring. Human review. Real response.
Most small and mid-market businesses can't justify a 24×7 internal Security Operations Center — but they still get attacked at 2 am on a Sunday. Managed Detection & Response (MDR) closes that gap. We deliver it on the Huntress platform, backed by a real practitioner, starting at $15 per agent per month.
TL;DR
What you get, what it costs, and when it pays for itself
We deploy and operate the Huntress platform on every endpoint and identity tenant in your organization. A 24×7 Security Operations Center watches for the patterns that precede a breach, isolates threats within minutes, and routes confirmed incidents to a human practitioner who coordinates response. Pricing starts at $15 per agent per month with no minimum and no contract. Average payback: stopping a single ransomware incident covers two years of service.
What's included
Everything that goes into managed detection
Human alert review
Every isolation event is reviewed by a real analyst before it lands in your inbox. False positives stay out of your way; real threats get owned.
Identity threat detection
Microsoft 365, Entra ID, and Google Workspace tenants watched for the patterns that show up before account takeover — impossible-travel logins, MFA fatigue, suspicious app consents.
Incident response coordination
When something happens, we coordinate the response. Containment, investigation, communication with leadership, and the post-incident debrief that prevents the next one.
Endpoint, server, and cloud coverage
Windows, macOS, Linux, and the major cloud workloads. The agent is light, signed, and the deployment is repeatable across your fleet.
Audit-ready reporting
Monthly written summaries in business-readable language. Quarterly reviews with metrics. Every report is reportable for SOC 2, ISO 27001, HIPAA, and cyber-insurance renewals.
Compare honestly
MDR vs. EDR-only vs. running your own SOC
| Question | Managed Detection & Response | EDR license only | Build a full SIEM team |
|---|---|---|---|
| 24×7 monitoring with human review | Yes — every alert triaged by an analyst | Software alerts; you triage | Yes, but you operate it |
| Time to first response | Minutes | Whenever someone notices | Depends on your team |
| Total cost (50-endpoint org, year 1) | ~$9K — no infrastructure to run | ~$3K license + ~$80K analyst time | $60K+ in tools and staff |
| Compliance-ready evidence | Built in | You assemble it | You configure it |
| Best fit | 5–500 employees, no internal SOC | Tech-mature teams, dedicated security staff | Regulated, 1000+ employees, dedicated team |
Most small and mid-market organizations land on MDR because EDR-only leaves the alert queue with someone who can't reasonably be on-call at 2 am, and a full internal SOC costs more than a year of your security budget. MDR splits the difference.
Pricing
Three concrete tiers, no middleman markup
Foundation
$15 /agent / month
Month-to-month. No minimum. EDR-only.
- Managed EDR on every endpoint, monitored 24×7 by the Huntress SOC
- Alert triage and human review of every isolation event
- Quarterly posture check-in
- Install / uninstall agents at any time
Most common
Protected
$32 /user / month
Annual. EDR + ITDR + SAT bundle.
- Everything in Foundation
- Managed ITDR for Microsoft 365 / Entra ID and Google Workspace identity threats
- Managed Security Awareness Training with phishing simulations
- Compliance-reportable training records (SOC 2 / ISO 27001 / HIPAA)
- Monthly security review and stakeholder report
Complete
From $55 /user / month
Scoped. EDR + ITDR + SAT + Managed SIEM.
- Everything in Protected
- Managed SIEM with log aggregation across endpoint, identity, network, and cloud
- 90-day searchable log retention for audit response
- Quarterly tabletop exercise
- Dedicated framework alignment support
Honest fit check
Who this is not for
Managed Detection & Response is the right fit for most small and mid-market businesses that want serious cybersecurity without building an internal team. It is not the right fit if:
- You want a ticket-only MSP that responds to your tickets but never tells you what to do.
- You're looking for a one-time PDF report you'll file and forget. Buy a consultant.
- You already have a fully-staffed internal SOC and you just need someone to procure tools. Buy a tool reseller.
- You expect cybersecurity to be a checkbox you do once. It's a practice, not a purchase.
If any of those describe you, we are not the right fit and we will tell you that on the triage call. No hard feelings.
What happens after you reach out
From first call to first alert handled — typically 14 days
Free 20-minute triage
A direct call with the practitioner. We confirm fit, scope, and whether you actually need MDR or something simpler. If it's not a fit, we tell you what is.
30-minute briefing & written proposal
Within one business day after the briefing, you get a fixed-fee proposal with scope, term, onboarding fee, and timeline. No surprise costs in the contract.
Onboarding (1-2 weeks)
Agent deployment, identity baseline, alert routing, and escalation paths. Most clients are fully operational within two weeks.
24×7 operation, ongoing
The SOC is watching from day one. You get a 30-day check-in, monthly reports, and a practitioner you can call when something feels off.
FAQ
Questions that come up before signing
What's the difference between EDR and MDR?
EDR is the software that detects threats on endpoints. MDR is EDR plus a 24×7 team that reviews and acts on what the software finds. Buying EDR alone means you own the alert queue. Buying MDR means we do.
Do you replace our existing antivirus?
Yes for most cases. The Huntress platform we deploy includes endpoint protection, ransomware canaries, and EDR — typically replacing legacy AV plus a separate MDR add-on. We confirm fit during the briefing.
How long does deployment take?
For most small and mid-market businesses: the agent rolls out within a day, alert routing is configured within the first week, and the first monthly report lands at day 30. No multi-month onboarding.
What if we already have Microsoft Defender?
Defender is a strong endpoint product. The gap most teams have is the human SOC behind it. Many of our clients keep Defender and add managed detection on top — we coordinate, you don't replace.
What does a real incident look like with you?
A typical sequence: SOC isolates the endpoint within minutes, an analyst confirms threat actor activity, your designated point of contact gets a call within an hour with a containment plan, and we coordinate remediation, communication, and the post-incident debrief. You get a written report within 5 business days.
Can we cancel?
Foundation tier is month-to-month with no contract — cancel anytime. Protected and Complete tiers are typically annual because identity and SIEM benefit from continuity, but the term is disclosed up-front in the proposal.
Related
Before the briefing, you might want to read
Next step
Stop watching your endpoints alone.
Briefings are free and we tell you when you don't need us. 30 minutes, real answers, no follow-up sales sequence.