Why this matters

XDR has become a marketing word. Half the vendors selling "XDR" mean a platform you operate yourself. The other half mean a service where someone else operates it for you. These are different products: they cost different amounts, demand different things from your team, and solve different problems.

If you are evaluating "XDR" without knowing which one you are looking at, you will buy the wrong layer. This article covers the second category: managed XDR. What is included, what is not, and how to pick a provider that actually closes the gap an SMB security team feels at 3am on a Sunday.

What managed XDR actually is

A managed XDR service has two parts. The first part is the platform: software that pulls telemetry from across your environment and correlates it into prioritised alerts. The second part is the service: a team of analysts running detection and response on your behalf using that platform.

Sold separately, the two cost very different amounts. An XDR platform on its own is typically £15 to £40 per endpoint per month. A 24/7 analyst team is the much larger line item. Managed XDR bundles them, usually under a single SLA that covers both.

The simplest test: if the contract describes only software features and tenant configuration, you are looking at a platform. If it describes what an analyst will do when an alert fires, you are looking at a service.

What is inside the platform layer

A typical XDR platform pulls from at least four telemetry sources:

  • Endpoint signals from EDR (Endpoint Detection and Response) tools such as Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne.
  • Identity signals from Microsoft Entra ID, Okta, or Google Workspace.
  • Email signals from Microsoft Defender for Office 365, Mimecast, or Proofpoint.
  • Cloud signals from Azure, AWS, or Google Cloud control planes.

A SIEM (Security Information and Event Management) platform like Microsoft Sentinel or Splunk overlaps with this, but it is general-purpose log collection, storage, and search: it takes whatever logs you send it, and you write or tune most of the detections yourself. XDR is opinionated: it ingests a defined set of signals and runs prebuilt detections across them. Many mature setups run both.

What the platform produces is a stream of alerts, ranked by confidence. On its own the platform does not contain a threat; it tells you something is wrong, and a person (or an automation someone has explicitly authorised) still has to act on it.
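To make "correlates it into prioritised alerts" concrete, here is an added toy example (not code from this article or from any vendor's product) of the cross-source correlation the platform layer performs. It joins constructed sample events from the four source families on the user, runs a handful of prebuilt chain rules over each user's timeline, ranks the resulting alerts by confidence, and suppresses weaker alerts that a stronger one already explains. The event fields, rule names, time window and confidence weights are this example's own assumptions, not any product's schema.

```python
# Added example (not the article's or any vendor's code): a toy version of the
# cross-source correlation an XDR platform runs. Events are constructed; fields,
# rule names and weights are this example's own assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str  # endpoint | identity | email | cloud
    kind: str    # normalised event type inside that family
    user: str    # the entity the four sources are joined on
    host: str = ""
    detail: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    steps: tuple        # ordered (source, kind) pairs that must all occur
    window: timedelta   # every step must land within this span of the first
    confidence: float   # prebuilt weight: more agreeing sources, higher score


T0 = datetime(2026, 3, 8, 2, 0)  # constructed: one Sunday night, UTC
EVENTS = [
    Event(T0, "email", "phish_click", "alice"),
    Event(T0 + timedelta(minutes=4), "identity", "risky_signin", "alice", detail="new country"),
    Event(T0 + timedelta(minutes=11), "endpoint", "office_spawned_shell", "alice",
          host="LAPTOP-01", detail="WINWORD.EXE -> powershell.exe -enc ..."),
    Event(T0 + timedelta(minutes=19), "cloud", "role_assignment_added", "alice",
          detail="Owner on subscription"),
    # Single-source noise on another host: genuine signal, weak on its own.
    Event(T0 + timedelta(minutes=30), "endpoint", "office_spawned_shell", "bob",
          host="LAPTOP-07", detail="EXCEL.EXE -> cmd.exe /c dir"),
    # Same first two steps as alice, but two hours apart: outside the window.
    Event(T0 + timedelta(hours=3), "email", "phish_click", "dave"),
    Event(T0 + timedelta(hours=5), "identity", "risky_signin", "dave"),
]

RULES = [  # the multi-step rule is the cross-source one
    Rule("phish_to_cloud_privilege",
         (("email", "phish_click"), ("identity", "risky_signin"),
          ("endpoint", "office_spawned_shell"), ("cloud", "role_assignment_added")),
         timedelta(hours=1), 0.95),
    Rule("office_spawned_shell", (("endpoint", "office_spawned_shell"),), timedelta(0), 0.45),
    Rule("risky_signin", (("identity", "risky_signin"),), timedelta(0), 0.30),
    Rule("phish_click", (("email", "phish_click"),), timedelta(0), 0.20),
]


def match_chain(timeline, rule):
    """Earliest events in one user's time-ordered timeline matching rule.steps in order, inside rule.window."""
    for i, first in enumerate(timeline):
        if (first.source, first.kind) != rule.steps[0]:
            continue
        chain, pos = [first], i + 1
        for step in rule.steps[1:]:
            hit = next((j for j in range(pos, len(timeline))
                        if (timeline[j].source, timeline[j].kind) == step
                        and timeline[j].ts - first.ts <= rule.window), None)
            if hit is None:
                break
            chain.append(timeline[hit])
            pos = hit + 1
        if len(chain) == len(rule.steps):
            return chain
    return None


def correlate(events, rules=RULES):
    """Join on user, run every rule per timeline, rank by confidence, drop alerts a stronger one explains."""
    candidates = []
    for user, group in groupby(sorted(events, key=lambda e: (e.user, e.ts)), key=lambda e: e.user):
        timeline = list(group)
        for rule in rules:
            chain = match_chain(timeline, rule)
            if chain:
                candidates.append({
                    "rule": rule.name, "confidence": rule.confidence, "user": user,
                    "sources": [e.source for e in chain],
                    "hosts": sorted({e.host for e in chain if e.host}),
                    "first_seen": chain[0].ts, "last_seen": chain[-1].ts,
                    "_ids": {id(e) for e in chain},
                })
    candidates.sort(key=lambda a: (-a["confidence"], -len(a["sources"]), a["first_seen"]))
    alerts, explained = [], set()
    for alert in candidates:
        ids = alert.pop("_ids")
        if ids <= explained:  # every event already sits in a stronger alert
            continue
        explained |= ids
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f'{a["confidence"]:.2f} {a["rule"]:<24} {a["user"]:<6} {"+".join(a["sources"])}')
```

Running it yields four alerts: one high-confidence chain for alice spanning all four sources, a single-source endpoint alert for bob, and two low-confidence single-source alerts for dave, whose phish click and risky sign-in are two hours apart and so never join into a chain. Note that alice's three single-source hits are suppressed because the chain already explains them; that collapse of many raw signals into one ranked alert is the work the platform layer does, and everything after it (deciding whether the alert is real and what to do about the laptop and the account at 3am) is the service layer.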

What is inside the service layer

This is where the real value sits. A managed XDR service typically includes:

  • 24/7 alert triage by tier 1 analysts.
  • Investigation of suspicious alerts by tier 2 analysts.
  • Contractual response actions: isolating endpoints, revoking sessions, blocking accounts, killing processes.
  • Tuning and detection engineering as your environment changes.
  • Regular reporting on incidents, posture, and detection coverage.
  • Onboarding support to get the platform integrated with your tenant.

What it usually does not include: deep forensic investigation, regulatory reporting support, recovery work after an incident, or strategic roadmap consulting. Those typically sit in a separate incident response retainer or a security advisory contract.

Two delivery models: vendor-stack vs your-stack

Managed XDR providers come in two shapes.

Vendor-stack model. The provider runs their own proprietary XDR platform and operates it for you. Examples: CrowdStrike Falcon Complete, Sophos MDR, Arctic Wolf. The advantage is a tightly integrated service. The trade-off is platform lock-in. Switching providers usually means switching the entire detection stack.

Your-stack model. The provider operates on top of a platform you already own, most commonly Microsoft Defender XDR or Microsoft Sentinel. The advantage is no lock-in: you keep your platform if you change providers. The trade-off is a more involved operating model. The provider needs delegated access to your tenant, so the split of responsibilities (who tunes what, who holds write access to which settings, and how that access is revoked at exit) has to be written down rather than assumed.

For SMBs already invested in Microsoft 365, the your-stack model usually makes more sense. You are paying Microsoft for the licences anyway. Adding a service layer on top costs less than starting again with a separate proprietary platform.

What managed XDR is not

A few common misreadings:

  • Not the same as MDR, but very close. MDR (Managed Detection and Response) is a broader category that includes managed XDR but also services running on SIEMs or EDR-only stacks. In practice, the labels overlap. Read the contract.
  • Not the same as a managed SOC. A managed SOC service is the people and process layer. Managed XDR includes the SOC layer plus a defined platform. If a "managed SOC" contract does not mention the platform, you are buying analyst time on top of whatever you already have.
  • Not a replacement for incident response. A managed XDR service contains threats. It does not run forensics, regulatory reporting, or full recovery. Most contracts include the first hour of an incident and stop there.
  • Not a SIEM replacement. XDR and SIEM solve overlapping problems with different shapes. Many regulated SMBs end up running both.

What to ask before signing

Build your shortlist around five questions:

  1. What are your analysts contractually allowed to do at 3am without calling me? This separates real response from "we will tell you about it".
  2. Which platform is this running on, and who owns it? Vendor-stack and your-stack models behave differently when you eventually want to switch.
  3. What is included beyond detection and response? Tuning, threat hunting, reporting cadence, and onboarding scope vary widely.
  4. What are your real detection and response times? Marketing MTTD and MTTR figures do not count. Ask for the median and the 95th percentile from the last 12 months, and ask where the clock starts: at the alert, or at the first human look.
  5. What happens after the first hour of an incident? Find out where the managed XDR contract ends and an incident response retainer begins.

For SMBs running on Microsoft 365 specifically, three options worth comparing are Sophos MDR (vendor-stack), CrowdStrike Falcon Complete (vendor-stack), and CyberQuell's managed XDR for Microsoft 365, which runs on top of your existing Microsoft tenant. Score each on response authority and contract scope, not feature counts.

Realistic costs in 2026

Honest ranges for SMB managed XDR contracts in 2026:

  • 25 to 100 endpoints: £25,000 to £45,000 per year. Core 24/7 detection, response on endpoint and identity, monthly reporting.
  • 100 to 250 endpoints: £45,000 to £75,000 per year. Full detection across endpoint, identity, email, and cloud; faster response SLAs; named analyst.
  • 250 to 750 endpoints: £75,000 to £100,000+ per year. Above plus threat hunting, custom detections, and regulatory reporting support.

What pushes cost up: more endpoints, faster response SLAs, broader response authority, custom detections, threat hunting. What a cheap quote usually leaves out: response actions, identity coverage, after-hours containment, and tuning.

Our take

Managed XDR sounds like a tool. Treat it like a service. The platform is the cheap, commoditised part. The thing that decides whether your business is better protected after signing is what the analysts behind it are allowed and trained to do.

The vendor that wins your evaluation should not be the one with the slickest dashboard. It should be the one whose contract spells out, in writing, what their analyst is allowed to do when a confirmed compromise lands on one of your laptops at 3am on a Sunday. The platform features are the wrapping. The response authority is the gift.

Where to go from here

If you are mid-evaluation, build a shortlist of three providers across the two delivery models. At least one should be a your-stack provider that runs on what you already own. Score each on response authority, scope of included service, and exit cost. Ignore the dashboard demo until you have read the contract.

If you are earlier, start by mapping what you already have. List your endpoints, identity, email, and cloud signals. Anywhere a signal is produced but nobody watches it, you have a candidate alert source for managed XDR. Buying a service before you know what it should ingest is how SMBs end up paying for coverage they do not get.