Watchouts for Investing in the Managed Detection & Response (MDR) Market

Watchouts for Investing in the Managed Detection & Response (MDR) Market

Marissa Licursi & Yiwei Jiang • October 23, 2024
Marissa Licursi & Yiwei Jiang • October 23, 2024

Share

Broad Trends

There has been an emergence of new cybersecurity threats in both number and severity—the average number of attacks across attack types (e.g., ransomware) over the last two years has increased significantly across verticals. This surge can be attributed to an increase in human endpoints, the expansion of remote work, increased reliance on cloud services, and the adoption of sophisticated tools by cybercriminals. In addition, ransomware attacks have skyrocketed over the past five years, with a 2023 whitepaper claiming that reported events have grown at a CAGR of 71%.

 

These challenges will only persist, resulting in an increased emphasis on investment within the managed detection and response (MDR) market to address and mitigate cyber threats. In addition, customer and regulatory requirements on security continue to tighten. At the same time, maintaining in-house talents becomes increasingly challenging, resulting in an increased need to leverage outsourced services. 

Connection to Managed Detection & Response (MDR)

Historically, endpoints (PCs, mobile phones, etc.) are the most fragile point of an organization’s security system. To address these weaknesses, companies have invested in specific tools such as EDR (Endpoint Detection and Response) and SIEM (Security Information & Event Management) to proactively identify and detect threats.

   

  • EDR solutions are designed to detect and correlate advanced endpoint threats and continuously monitor endpoints to detect malicious behavior.   
  • SIEM tools gather data from multiple sources (across endpoints, network, etc.), analyze the large volume of log data collected, and correlate alerts to isolate true risks from false positives.


EDR and SIEM can also complement each other—many companies adopt a layered approach where log information from EDR tools is fed into SIEM tools, allowing the SIEM to analyze security alerts across an entire organization.

 

MDR extends the capabilities of EDR and SIEM by maximizing the utility of these tools in maintaining an organization’s security posture, a task that is difficult and costly for organizations to do in-house.

 

MDR provides a 24/7/365 service run by security experts who monitor an organization’s endpoints, networks, and cloud environments and respond to security threats. Additionally, MDR goes deeper than other cybersecurity technology solutions by augmenting technology with advanced human expertise. 



MDR is a massive, high-growth market as cybersecurity transitions from pure tech solutions to proactive risk management. The opportunity size is massive and underpenetrated, with the demand for MDR growing due in part to a number of drivers:

Image of Marissa Licursi

Marissa Licursi

Senior Manager

Image of Yiwei

Yiwei Jiang

Manager

Image of Marissa Licursi

Marissa Licursi

Senior Manager

Image of Samantha Pinkes

Yiwei Jiang

Manager

Broad Trends

There has been an emergence of new cybersecurity threats in both number and severity—the average number of attacks across attack types (e.g., ransomware) over the last two years has increased significantly across verticals. This surge can be attributed to an increase in human endpoints, the expansion of remote work, increased reliance on cloud services, and the adoption of sophisticated tools by cybercriminals. In addition, ransomware attacks have skyrocketed over the past five years, with a 2023 whitepaper claiming that reported events have grown at a CAGR of 71%. 


These challenges will only persist, resulting in an increased emphasis on investment within the managed detection and response (MDR) market to address and mitigate cyber threats. In addition, customer and regulatory requirements on security continue to tighten. At the same time, maintaining in-house talents becomes increasingly challenging, resulting in an increased need to leverage outsourced services. 

Connection to Managed Detection & Response (MDR)

Historically, endpoints (PCs, mobile phones, etc.) are the most fragile point of an organization’s security system. To address these weaknesses, companies have invested in specific tools such as EDR (Endpoint Detection and Response) and SIEM (Security Information & Event Management) to proactively identify and detect threats.   


  • EDR solutions are designed to detect and correlate advanced endpoint threats and continuously monitor endpoints to detect malicious behavior.   
  • SIEM tools gather data from multiple sources (across endpoints, network, etc.), analyze the large volume of log data collected, and correlate alerts to isolate true risks from false positives.


EDR and SIEM can also complement each other—many companies adopt a layered approach where log information from EDR tools is fed into SIEM tools, allowing the SIEM to analyze security alerts across an entire organization.

 

MDR extends the capabilities of EDR and SIEM by maximizing the utility of these tools in maintaining an organization’s security posture, a task that is difficult and costly for organizations to do in-house. 


MDR provides a 24/7/365 service run by security experts who monitor an organization’s endpoints, networks, and cloud environments and respond to security threats. Additionally, MDR goes deeper than other cybersecurity technology solutions by augmenting technology with advanced human expertise. 


MDR is a massive, high-growth market as cybersecurity transitions from pure tech solutions to proactive risk management. The opportunity size is massive and underpenetrated, with the demand for MDR growing due in part to a number of drivers:

Image showing the drivers of demand for MDR software.

Vendor Landscape

However, the landscape of vendors is extensive, and competition continues to intensify: 

Image of the landscape of MDR providers/participants.

Each vendor employs a unique approach to positioning themselves within the MDR landscape:


  • Tech-focused vendors want to deepen and expand core software capabilities. 
  • Service-focused vendors prioritize enhancing and managing existing software.

 

Further, vendors are consistently refining their offerings and expanding services and software. Software vendors are adding additional capabilities, especially adjacent ones such as ITDR whereas services-focused vendors and services vendors are adding solutions such as PenTesting. Arctic Wolf, for example, started as a service-oriented solution but has since expanded to include a SOAR software offering.

 

However, the difficulty for customers and investors alike is understanding how differentiated a given MDR player is from another, understanding:  


  • Blurry lines between MDR, XDR, and EDR. In some cases, MDR overlaps with MSSPs as well. 
  • Difficulty in understanding whether the so-called breadth of capabilities is perception vs. reality (exacerbated by the number of MDR vendors that ‘claim’ to be true MDR solutions, when in reality, their capability sets fall short of fully meeting the standards of a true MDR offering.  
  • Whether they are truly a service versus a technology product: some MDRs have proprietary tech offerings (e.g., Rapid7, Arctic Wolf), vs. some are pure service providers.   
  • Nature of service-oriented space: CISOs view MDRs as providing the same services/achieving the same goal, with the decision ultimately coming down to which vendors provide more “peace in mind” (which may be subjective). 


How Can Vendors Differentiate?

While there are several attributes shared with MDR providers, such as robust detection and response technology/services, 24/7/365 support, and leading SOC analysts, we see that vendors across the MDR landscape are differentiating in a variety of ways to attract investment.

Differentiators

Assessing an investment in an MDR vendor demands cautious scrutiny, particularly regarding the vendor's distinctive qualities that extend beyond fulfilling the “table stakes” discussed earlier. 


Today, we are seeing an extremely intense vendor landscape, and it has become very challenging to carve out a niche and stand apart from alternative MDR solutions. More successful vendors, however, have found ways to differentiate themselves by strategically concentrating on one or more of the following areas:

Expertise on Core Security Platform: 

  • MDR vendors often differentiate by specializing in specific security platforms (e.g., DeepWatch on Splunk, BlueVoyant/Quorum Cyber/Difenda/Ontinue on Microsoft)

Vertical Expertise: 

  • MDR vendors can also differentiate via demonstrating expertise in certain verticals. 
  • Since attacks and threats frequently target specific sectors, solutions are being oriented to address industry-specific challenges. 
  • For example, vendors like Adarma and Bridewell focus on high-risk verticals (e.g., critical infrastructure, FinServ). 

While not as pronounced of a differentiator as core security platform and vertical expertise, service level, and automation can also drive differences:

  • Service-Level: Reflected in responsiveness, experience of SOC analysts, customization, and willingness to understand customers’ unique needs. 
  • Degree of Automation (e.g., automated ticket response): While perhaps not a primary concern for customers, it significantly enhances the operational efficiency of MDR.

There are numerous examples of companies that have differentiated themselves and carved out a specific market for themselves.

Investment Considerations

A heavily fragmented vendor landscape, coupled with a need to differentiate from a mass of vendors beyond “table stakes” attributes, presents challenges to current MDR players. As such, investors are deeply focused on understanding how vendors differentiate across different dimensions, and how the collection of a vendor’s differentiators impacts purchase decisions and elevates (or lessens) a vendor’s positioning in the broader landscape.   


Once MDR vendors with significant differentiation have been identified and further evaluated, there are additional factors for investors to consider. Differentiating on service quality is a tall order but some MDR vendors have succeeded in doing so—usually pairing with other differentiators as well. Furthermore, MDR vendors by nature are services-oriented businesses and one key consideration is whether a given vendor can maintain quality service as it scales:

 

  • What expansion plans exist around ensuring a dedicated team of security experts (SMEs, threat analysts, etc.) are allocated to clients? 
  • To what extent has a given vendor proven the ability to scale while maintaining service level, particularly when expanding across geographies? 
  • What other value-add services make sense for a given vendor to include, and would “sit well” with existing capabilities? 
  • Example services: incident response (IR), automation/workflow development (i.e., automated workflows to reduce manual time required to execute common security tasks. 
  • Has the given vendor built meaningful relationships with customers in a way that can be leveraged for cross-selling other security recurring services (e.g., MXDR, ITDR)?


MDR vendors with deep expertise on a specific security platform are positive from a differentiation standpoint; while, at the same time, introducing potential concentration risk. Therefore, the stability and potential of security tech platforms need to be thoroughly evaluated in diligence:   


  • What does the growth in licenses/products of a given security platform (e.g., Microsoft, Splunk) look like? 
  • Which platforms are expected to see fastest growth and what are key underlying growth drivers (e.g., module/product expansion, rise in volume of net-new licenses)? 
  • Is there a disintermediation risk from the security platform (e.g., security platforms start offering service and/or release more tailored products such as dashboard and playbooks, diluting MDR vendors’ differentiation)?


Since attacks and threats are often industry specific, MDR vendors are increasingly specializing and tailoring MDR solutions to meet the requirements and specifications of certain verticals. However, in doing so, key diligence questions to evaluate include:  


  • Which verticals are a given vendor specialized in (and to what extent are those verticals attractive)? 
  • E.g., high liquidity market, high risk market correlated with higher perceived mission criticality, etc. 
  • Is there enough runway/at-bat opportunity in the given verticals (e.g., from non-adopters, displacement of industry-agnostic players)?

 

Stax is equipped to handle the escalating cybersecurity landscape, particularly in the realm of Managed Detection and Response (MDR). Drawing on our extensive experience in advising firms and investors across various sectors, Stax has guided clients to successful investment strategies and value creation opportunities within the MDR market. To hear more about our services and expertise, visit www.stax.com or contact us here.    

Read More

Featured by MicroGrid: How President Trump’s China Tariffs Could Undermine Distributed Energy Gains

Featured by MicroGrid: How President Trump’s China Tariffs Could Undermine Distributed Energy Gains in the U.S.

April 23, 2025
Phil Dunne was featured by MicroGrid to share his thoughts on the Trump administration's tariffs on China and how they could impact the US energy and EV markets. Read the full feature here.
Stax Recognized by Consulting Magazine for Mentorship and Enrichment Program

Stax Recognized by Consulting Magazine for Mentorship and Enrichment Program

April 22, 2025
Stax was recently honored by Consulting Magazine at the Rising Star Awards in Chicago for its innovative approach to talent development. Read about the award ceremony here.
Darren Buskirk Featured on Management Consulted's Podcast

Darren Buskirk Featured on Management Consulted's Podcast

April 22, 2025
Discover what makes Stax a standout in the consulting world as Managing Director Darren Buskirk shares insights on firm culture, career growth, and private equity work. Learn more here.
How Destination Management Drives Value from Strategy to Execution

How Destination Management Companies (DMCs) Drive Value from Event Strategy to Execution

By David Lindsay April 21, 2025
As demand for in-person corporate events rebounds, David Lindsay explores how DMCs are positioned to scale through advisory services, expansion, and adjacent event types. Learn more.
Stax Provides Sell-side Support to Koozie Group on its Acquisition by Garyline​

Stax Provides Sell-side Support to Koozie Group on its Acquisition by Garyline​

April 17, 2025
Stax congratulates Koozie Group, a leading US-based manufacturer, decorator, and supplier of promotional products, on its recent acquisition by Garyline. Learn more about the deal here.
How Leading Teams Are Growing Through Disruption

How Leading Teams Are Growing Through Disruption

By Peter Rodrigues-Renon April 16, 2025
Management teams have operated in a generally benign environment. Now, as tariffs cause global disruptions, Peter Rodrigues-Renon shares how teams can still create value. Read more.
Show More