One vendor says you need MDR. A second says you need managed SIEM. A third is pitching MXDR over the same slides with different colours. All three promise 24/7 detection, expert analysts, “complete security operations.” None of them explain how the three services actually differ, and none of them volunteer which combination your organisation actually needs.
Falconer Security delivers managed Microsoft Sentinel (SIEM), MDR, and MXDR to organisations running Microsoft 365 and Azure. This guide breaks down what each service really covers, where they overlap in practice, and how to pick the right model without overbuying or under-covering.
The three service models, defined
You cannot compare these services without clear definitions, because the security industry uses the same three acronyms to mean three different things depending on the sales deck. Below is what each service actually delivers when implemented properly, stripped of the marketing.
Managed SIEM
Think of managed SIEM as an outsourced platform-operations service. A provider deploys, configures, tunes, and runs your Security Information and Event Management platform on your behalf. Log ingestion, detection rule engineering, cost optimisation, platform maintenance. You get a working SIEM without hiring the two-to-three specialists it would take to run one in-house. For most Microsoft-aligned buyers that means a provider is operating your Microsoft Sentinel instance: connecting data sources, writing KQL detection rules, tuning alert thresholds, optimising ingestion costs, and keeping compliance reporting honest.
Key distinction: managed SIEM is about the platform. The provider makes sure your SIEM collects the right data, generates accurate alerts, and stays cost-efficient. Some providers include basic alert monitoring, but the core value is platform operations, not threat response.
MDR (Managed Detection and Response)
MDR is the opposite framing. Where managed SIEM sells platform discipline, MDR sells outcomes: the provider’s SOC analysts monitor your environment 24/7, investigate alerts, hunt for threats, and respond to confirmed incidents. The human-led versus automated MDR distinction really matters here; they are not the same product under the hood. On our assessments the human-led variant almost always outperforms the tool-led variant on anything subtle. MDR providers usually bring their own detection technology stack. For Microsoft environments that typically means analysts working across Defender for Endpoint, Defender for Identity, and Defender for Office 365 to detect and respond across endpoints, identities, and email.
If you want a deeper concept-level comparison of MDR versus SIEM, read the MDR vs SIEM guide.
MXDR (Managed Extended Detection and Response)
MXDR is the attempt to close the gap the other two services leave between them. One provider manages your SIEM platform, operates XDR tools across several security domains, and delivers 24/7 detection, investigation, and response as a single service. In Microsoft’s ecosystem that usually means operating Sentinel alongside the full Defender XDR suite (Endpoint, Identity, Office 365, Cloud Apps) as one joined-up operations platform. Microsoft itself offers this through Defender Experts for XDR, and certified partners deliver MXDR through verified programs.
Key distinction: MXDR removes the seam between platform management and threat operations. Instead of buying managed SIEM from one vendor and MDR from another, you get both under a single service with unified visibility.
Managed SIEM vs MDR vs MXDR: comparison
| Capability | Managed SIEM | MDR | MXDR |
|---|---|---|---|
| SIEM platform management | Yes (core focus) | No (uses own tools) | Yes (integrated) |
| 24/7 threat monitoring | Limited or add-on | Yes (core focus) | Yes (core focus) |
| Detection engineering | Yes (rule creation & tuning) | Vendor-managed rules | Yes (custom + vendor rules) |
| Threat hunting | Rare | Yes | Yes |
| Incident response | Alerting only | Active containment | Active containment |
| Log retention & compliance | Yes (full log archive) | Limited to tool telemetry | Yes (SIEM + XDR data) |
| Cost optimization | Yes (ingestion tuning) | Not applicable | Yes (ingestion tuning) |
| Coverage scope | All log sources | Endpoints, identity, email | All log sources + endpoints, identity, email, cloud |
| Typical starting cost | $3,000-8,000/month | $5,000-15,000/month | $8,000-25,000/month |
What each service misses
Every service model leaves something uncovered. Knowing which gap you’re buying into is usually more useful than memorising what each service includes.
Managed SIEM gaps
The wrong way to think about managed SIEM: “we now have 24/7 coverage.” You don’t. You have a well-tuned detection platform. Whether anyone is watching the alerts it generates is a completely separate question. Most managed SIEM providers are focused on platform health: are the connectors working, are the rules firing correctly, is ingestion cost-optimised? The things they usually do not do include live human investigation of every alert, proactive threat hunting beyond scheduled queries, active containment (isolating devices, blocking users, revoking sessions), and response coordination during an actual attack. If your organisation already runs an internal security team capable of alert triage and response, managed SIEM is the perfect fit for the expertise gap. If you don’t have that team, managed SIEM leaves your alerts technically visible and practically uninvestigated.
MDR gaps
MDR providers monitor and respond, but almost always within their own technology stack. They deploy their preferred EDR agent. They work in their own detection platform. Their coverage stops where the tools they control stop. Things that typically fall outside: custom log sources like firewalls, SaaS applications, and cloud infrastructure logs; SIEM platform management and ingestion optimisation; compliance log retention beyond endpoint telemetry; detection rules for business-specific threats such as unusual financial transactions or anomalous access patterns; Sentinel cost tuning of any kind.
For anyone running Sentinel alongside MDR, this creates the classic double-vendor problem: you pay for managed threat monitoring through MDR, and your SIEM still needs separate management. Two contracts. Two consoles. Two partial views of the same environment, with overlap in the wrong places.
MXDR gaps
MXDR’s trade-off is different: broad coverage at a cost. Four things to watch for when buying. The price tag runs above either managed SIEM or MDR individually. You’re signing up for a single provider’s operating philosophy and technology preferences, which is fine until it isn’t. Customisation is usually lighter than a best-of-breed architecture, and your MXDR provider may not support every niche log source you care about. Quality varies wildly because “MXDR” has no universal definition; two providers with the same label can be offering quite different services.
How these services work in a Microsoft environment
The Microsoft security stack changes the calculus. The tools are deeply integrated, which creates both a tailwind and some specific failure modes.
The Microsoft security stack
Most organisations running Microsoft 365 and Azure will have some subset of the following available to them.
- Microsoft Sentinel: Cloud-native SIEM for log aggregation, detection rules, and incident management
- Defender for Endpoint: EDR for device protection, threat detection, and automated response
- Defender for Identity: Identity threat detection monitoring Active Directory and Entra ID
- Defender for Office 365: Email and collaboration security (anti-phishing, safe attachments, safe links)
- Defender for Cloud Apps: Cloud access security broker (CASB) for SaaS monitoring
- Defender XDR: Unified portal correlating signals across all Defender products
Between them, these tools generate security telemetry across the whole Microsoft estate. The question is not whether you have data. The question is whether anyone is actually operationalising that data into detection and response.
Where each service fits
Managed SIEM (Sentinel-focused): a provider runs your Sentinel instance. Connecting sources, writing custom KQL detection rules, optimising ingestion costs, maintaining compliance retention. Your internal team or a separate MDR provider handles the alert investigation and response work.
MDR (Defender-focused): a provider runs the Defender XDR suite. Endpoint alerts, identity threats, email-based attacks. They operate inside Microsoft’s native tools but generally do not touch your Sentinel instance or custom log sources.
MXDR (Sentinel + Defender unified): one provider operates both Sentinel and the full Defender suite as a single security operations platform. Detection rules span both. SIEM data correlates with XDR telemetry. Incident response is unified. That is the model Falconer Security’s managed security services deliver.
Decision framework: which service do you need?
Three variables decide the answer: your internal security capability, your compliance obligations, and your budget. The combination tells you where to land.
Managed SIEM tends to be the right call when you have internal security analysts who can actually investigate and respond, when you need compliance log retention and reporting (NIS2, ISO 27001, SOC 2), when your primary gap is SIEM engineering expertise rather than operational capacity, and when cost control of Sentinel ingestion is a real concern before adding monitoring services on top.
MDR is the better fit when you have no internal security team at all and need 24/7 coverage immediately. Also when your primary threat concern is endpoint and identity, when Defender’s native coverage genuinely matches your environment without a lot of custom log sources, and when the top priority is speed to operational security rather than architectural completeness.
MXDR is where buyers land when both halves matter: platform management and 24/7 operations. That tends to apply when Sentinel runs alongside the Defender XDR suite, when compliance needs broad retention plus active monitoring, when consolidating vendor management is a business priority, and when the environment contains custom log sources (firewalls, SaaS apps, cloud infrastructure) that sit outside Microsoft’s native tools.
NIS2 consideration: the NIS2 Directive requires organisations in essential and important sectors to implement risk management measures including incident handling, business continuity, and supply chain security monitoring. Managed SIEM alone may satisfy the logging side. NIS2’s incident response obligations typically require the operational capability of MDR or MXDR, which is worth factoring in before you sign.
The real-world progression
Very few organisations start with MXDR. The typical path is a staged one, moving through these services as security maturity and budget grow together. Stage one is usually managed SIEM: deploy Microsoft Sentinel with a managed provider running configuration, detection rules, and cost optimisation, while IT handles high-priority alerts internally. Cost lands around $3,000-8,000 a month depending on data volume.
Stage two adds MDR on top. Twenty-four-by-seven monitoring and response for the Defender XDR suite, with the MDR provider covering endpoint, identity, and email threats while the managed SIEM provider keeps broader log visibility. Combined cost sits around $8,000-20,000 a month. Stage three consolidates: a single provider running both Sentinel and Defender as one integrated platform. Visibility gap between SIEM and XDR closes. Vendor management overhead drops. Cost runs $8,000-25,000 a month for the unified service and, in our experience, often comes in under the combined stage-two number.
According to the ISC2 2025 Cybersecurity Workforce Study, 33% of organisations cite budget constraints as the primary driver of security staffing shortages. That is precisely why the staged approach works: it lets an organisation build security operations incrementally instead of committing to a full MXDR engagement on day one.
Common mistakes when choosing a service
Buying MDR without SIEM visibility
MDR watches your endpoints and identities. Without SIEM, you lose sight of firewall logs, cloud infrastructure events, SaaS application activity, and custom application logs. Attackers increasingly target the gaps between tools, and this is one of the biggest. The Verizon 2025 DBIR found that 30% of breaches involved third-party access, double the previous year. Third-party access patterns show up in SIEM logs (VPN connections, service account activity, API calls), not in endpoint telemetry alone.
Assuming managed SIEM includes monitoring
Here’s a scenario we see on almost every first assessment. An organisation deploys Sentinel with a managed provider, assumes 24/7 security coverage is now in place, and discovers during an incident that nobody was watching the alerts. They had 24/7 data collection. They did not have 24/7 detection. Those are different products. Read the statement of work carefully.
Choosing based on label, not scope
Two providers can both call their service “MXDR” and deliver almost nothing in common. One might monitor only endpoints with a single EDR tool. Another might integrate SIEM, EDR, identity, email, cloud, and network telemetry under unified operations. Ask the concrete questions instead of the category question. Which specific data sources do you monitor? Do you manage our SIEM platform, or only consume its alerts? Which response actions can you take directly without calling us first (isolate devices, block users, revoke sessions)? How many detection rules do you maintain, and how often are they updated? What is your mean time to detect and mean time to respond?
Ignoring Sentinel cost management
Microsoft Sentinel bills per GB of data ingested. Without active cost optimisation, Sentinel spend can quietly eat the entire security operations budget. Any service model that includes Sentinel (managed SIEM or MXDR) should include ingestion optimisation as a core deliverable. Not a line item. Not a later phase. A core deliverable from day one.
Falconer Security typically cuts Sentinel ingestion costs by 30-40% through data source optimisation, transformation rules, and tiered storage strategies, and does it without reducing detection coverage.
Frequently asked questions
What is the difference between managed SIEM and MDR?
Managed SIEM is a platform-operations service. A provider deploys, configures, and maintains your SIEM (for most buyers that is Microsoft Sentinel), including detection rules and cost optimisation. MDR is a security-operations service. A provider’s SOC analysts monitor your environment 24/7, investigate threats, and respond to incidents. Managed SIEM makes sure you have the right detection platform. MDR makes sure someone is watching and acting on what that platform detects.
Is MXDR the same as MDR?
No. MDR typically focuses on endpoint and identity threat detection using the provider’s own tools. MXDR extends that by integrating SIEM platform management with multi-domain detection and response covering endpoints, identities, email, cloud infrastructure, and custom log sources under a single managed service. A useful shorthand: MXDR is MDR plus managed SIEM delivered as one unified service.
Do I need managed SIEM if I already have MDR?
It depends on your compliance and visibility requirements. MDR covers endpoint and identity threats but typically does not provide log retention for compliance, visibility into custom log sources (firewalls, SaaS apps), or Sentinel cost optimisation. If you need broad log visibility or have to meet NIS2, ISO 27001, or SOC 2 logging requirements, you need managed SIEM alongside MDR, or an MXDR service that bundles both.
What does MXDR cost compared to MDR?
MDR typically costs $5,000-15,000 per month depending on endpoint count and service tier. MXDR ranges from $8,000-25,000 per month because it bundles SIEM platform management with detection and response. MXDR often comes in below the combined cost of buying managed SIEM and MDR separately, because it eliminates duplicate tooling and vendor-management overhead.
Does NIS2 require MDR or managed SIEM?
NIS2 does not prescribe specific technologies. It requires organisations to implement appropriate cybersecurity risk management measures including incident detection, handling, and reporting. Managed SIEM can satisfy the logging and detection side. NIS2’s incident response and reporting obligations (Article 23 requires reporting significant incidents within 24 hours) typically require the operational response capabilities that MDR or MXDR provide. Most organisations in scope of NIS2 end up needing both detection (SIEM) and response (MDR) capabilities.