What Is MDR? A Canadian SMB Guide (2026) | Fusion Computing


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

At 9am on a Monday, the security dashboard is green. Firewall logs look clean. The EDR agent on every laptop reports healthy. Multi-factor authentication is on. Email filtering is catching the obvious phishing. Backups completed overnight. From the chair you’re sitting in, everything’s fine.

At 3am on Tuesday, the same dashboard is also green. What’s different is that nobody’s looking at it. An EDR alert fires when a service account starts enumerating file shares from a laptop it’s never touched before. The alert sits in a queue. At 9am Tuesday, the morning IT person scrolls past it, assuming it was tuning noise. By Wednesday, the data’s already staged for exfiltration.

I’ve seen some variation of that scene in nearly every Canadian SMB discovery call I’ve taken in 2026. IBM’s 2025 Cost of a Data Breach Report puts the average time to identify and contain a breach at 241 days, the lowest figure in nine years. That’s still eight months of undetected intrusion, and it’s happening to companies that already own the tools. The gap isn’t the tools. The gap is the 24/7 team watching them. That’s what Managed Detection and Response (MDR) is. This guide covers what MDR actually is, how it differs from EDR, XDR, SIEM, and MSSP, why 2026 changed the math for Canadian SMBs, and how to evaluate an MDR provider without overpaying for the acronym.

Key Takeaways

  • MDR is an operating model, not a product. A vendor-run security operations center monitors the tools a business already owns, around the clock, and takes documented response action on confirmed threats.
  • IBM’s 2025 Cost of a Data Breach Report puts the average breach identify-and-contain time at 241 days. Best-in-class MDR providers cut that to under 20 minutes median (Expel 14 min, SentinelOne ~18 min).
  • Gartner projects 60 percent of organizations will be using MDR by 2026, up from 30 percent in 2023. Canadian SMB growth is being driven by cyber insurance renewal requirements, not enterprise demand.
  • A 25 to 100 endpoint Canadian SMB should expect MDR pricing of $2,500 to $5,000 per month fully loaded, versus roughly $1 million per year for true in-house 24/7 SOC coverage.
  • MDR, EDR, and XDR are not competitors. EDR and XDR are what gets watched. MDR is who watches. Most Canadian SMBs need both.


Why security tools fail at 3am: the watching gap

Security tools fail at 3am because nobody is looking at them. Firewalls, EDR agents, and MFA generate alerts continuously, but those alerts only become a response when a human triages them. IBM’s 2025 Cost of a Data Breach Report shows the average breach still takes 241 days to identify and contain, the lowest figure in nine years but still eight months of undetected intrusion.

The typical Canadian SMB in 2026 has a real security stack. Next-generation firewall at the perimeter. Endpoint Detection and Response (EDR) on every managed laptop and server. Microsoft 365 hardened with conditional access and MFA. Immutable backups tested quarterly. An annual penetration test to satisfy the cyber insurance questionnaire. This isn’t the 2015 posture of “we have antivirus and hope for the best.” The stack itself is often fine.

What the stack can’t do on its own is act. Each layer generates telemetry: login events, file-access patterns, process trees, email metadata, network flows. The telemetry only becomes a response when a human reads it, decides whether it matters, and takes action. Between 6pm Friday and 9am Monday, most SMBs have nobody in that seat. Attackers have known this for years. Ransomware operators schedule payloads for statutory holidays because the math works in their favour.

IBM’s 2025 number quantifies what that absence looks like in practice. Mean time to identify and contain a breach was 241 days across the 600 breached organizations IBM studied. Breaches initiated with stolen credentials took even longer, at 246 days. The improvement over the 2021 peak (287 days) is real. Tooling’s genuinely gotten better. But the absolute number is still catastrophic. For a Canadian SMB, eight months of undetected intrusion isn’t an incident. It’s a business continuity event.

The dashboard isn’t lying when it says green. It’s reporting on the tools’ health, not on whether anyone’s reading the alerts. There’s a word for tools producing alerts that nobody reads. The word is logs.

Why 24/7 SOC coverage doesn’t pencil out for SMBs

True 24/7 security operations center coverage requires roughly five full-time analysts per seat, because three shifts plus PTO coverage plus burnout rotation do not fit into one or two people. At Canadian salary rates, one security analyst runs $300,000 fully loaded, which puts real around-the-clock coverage at over $1 million per year. For any business under 500 employees, the math simply does not work.

The obvious response to the watching gap is to hire somebody. Every cybersecurity consultant who’s ever sat in a Canadian SMB boardroom has heard the follow-up question: “What if we hired a security analyst?” The answer is that one person isn’t 24/7.

A single full-time employee covers roughly 40 hours of the 168 hours in a week. Round-the-clock SOC coverage needs three shifts, plus coverage for vacation, sick days, training, and burnout turnover. The conventional staffing ratio in security operations is closer to five FTEs per seat, sometimes four if the provider accepts gaps. On top of the shift analysts, a functioning SOC needs a SOC manager, at least one detection engineer to tune rules, and usually a threat hunter who works outside the alert queue. The minimum viable team is six to eight people.

At Canadian salary rates in 2026, a mid-level security analyst fully loaded (salary, benefits, training budget, certifications, tooling seats) runs roughly $300,000 per year. Senior analysts and detection engineers run higher. Six to eight of them is between $1.8 million and $2.5 million in annual run-rate before anyone’s bought a SIEM license. For an organization with 50 employees and perhaps $10 million in annual revenue, this isn’t a build decision. It’s a fantasy.

The more interesting observation is that the tools aren’t the bottleneck. The EDR a Canadian SMB bought in 2024 is correctly identifying lateral movement. The SIEM’s correlating the events. The firewall’s logging the outbound connections. The alerts being generated are largely the right ones. What’s missing is someone on shift to act on them. That’s why the IBM 241-day number plateaus rather than collapses. Tools can only compress the part of the breach lifecycle that they govern. The human response window stays stubbornly wide.

Put differently: the industry has solved the sensor problem and hasn’t solved the watching problem. Buying another sensor doesn’t help. Hiring one analyst doesn’t help. The problem is the shape of the workload, not the shape of the budget.

[Figure: 24/7 SOC Cost: In-House vs MDR. Annual run-rate for a Canadian SMB across endpoint counts. X axis: endpoints under coverage (10 to 250). Y axis: annual cost ($0 to $2M). Series: in-house 24/7 SOC, ~$1.8M to $2.2M/yr flat; MDR subscription, $4K to $90K/yr, linear with endpoints.]
In-house 24/7 SOC is flat near $2M per year at any SMB size. MDR ramps linearly with endpoints. Source: BLS and IDC analyst compensation, Cynet MDR pricing surveys (2026).


What managed detection and response actually is

Managed detection and response (MDR) is a cybersecurity operating model where a third-party security operations center monitors a client’s existing security tools around the clock, investigates alerts, and takes documented response action on confirmed threats. MDR is not a new product or tool. It is the human team layered on top of the tools a business already owns, sold as a subscription service.

The confusion in this category is almost entirely linguistic. Most of the “what is MDR” content online treats MDR as if it were another product category alongside antivirus, EDR, and firewall. It isn’t. MDR is who watches, not what’s installed. That single reframe makes the rest of the security-tool conversation easier to navigate.

“MDR services provide customers with remotely delivered security operations center functions that allow organizations to perform rapid detection, analysis, investigation and response through threat disruption and containment.”

Gartner, Market Guide for Managed Detection and Response (2025)

In practical terms, when a business buys MDR, they’re buying a subscription to a pooled SOC. The SOC monitors the telemetry their existing tools produce (EDR, XDR, SIEM, cloud audit logs, identity signals), triages the alerts using a combination of automation and analyst review, and takes response actions under authority the client has pre-documented. The pooling is what makes the math work. One SOC covers many clients, so each client pays a fraction of the true 24/7 team cost they could never justify building themselves.

Typical scope inside an MDR subscription includes 24/7 monitoring of covered telemetry, alert triage, threat hunting, incident response, forensic artifacts (timeline, indicators of compromise, containment report), and detection tuning. What’s NOT typically inside MDR scope: patching, user awareness training, identity and access management, backup testing, vulnerability scanning, compliance assessments. The boundary varies between providers and is the single most important thing to confirm in writing before signing. “MDR” on one provider’s brochure is a different service than “MDR” on another’s.

MDR vs EDR vs XDR vs SIEM: who watches what

EDR, XDR, SIEM, and MDR are not four alternatives to the same problem. EDR and XDR are what produce security telemetry (endpoint-only or cross-domain). SIEM is where logs are stored and correlated. MDR is the service model that watches all of them and responds. Most Canadian SMBs need at least one telemetry layer, optional SIEM, and MDR over the top.

The comparison question that reliably derails procurement conversations is “MDR vs EDR.” It’s a category error. EDR is a tool. MDR is a service that can run EDR on the client’s behalf. A business can have EDR without MDR (their own team watches the EDR console). A business can have MDR without EDR (the MDR provider watches other telemetry, typically SIEM or cloud logs). Most mid-market security postures end up with both.

Endpoint Detection and Response (EDR) is software that lives on endpoints (laptops, servers, mobile devices). It captures process execution, file operations, network connections, and behavioral signals, and supports response actions like isolating the endpoint from the network. EDR produces telemetry and enables response. It doesn’t watch itself.

Extended Detection and Response (XDR) takes the same pattern and extends it across endpoint plus email, identity, cloud workloads, and sometimes network. The product category emerged because endpoint-only visibility misses cloud-native and identity-based attacks. XDR is broader telemetry. It still needs somebody to watch it.

Security Information and Event Management (SIEM) is the log layer. A SIEM ingests logs from everything in the environment, correlates them with detection rules, stores them for compliance retention, and generates alerts when rules fire. SIEM’s excellent for compliance reporting and for long-range hunting across historical data. It’s also the most expensive tool to run without a team, because detection rules require engineers to write, tune, and decommission as the environment changes.

Managed Security Service Provider (MSSP) is the legacy label for outsourced security, often alert-forwarding focused (“we saw this alert, you handle it”) rather than active response. Most 2026 vendors using the MSSP label have effectively become MDRs or are positioning to. The difference between modern MSSP and MDR is the depth of response authority, not the acronym on the brochure.

Managed Detection and Response (MDR) is the service layer on top. An MDR provider can manage EDR, XDR, SIEM, or some combination, on behalf of the client. The tool choice below is orthogonal to the MDR decision. A Canadian SMB choosing between SentinelOne (EDR), Microsoft Defender XDR, and a self-hosted SIEM is making a telemetry decision. Layering MDR over the top is a separate decision and largely independent of which tool wins the telemetry bake-off.

| Layer | What it is | What you buy | Who watches |
| --- | --- | --- | --- |
| EDR | Endpoint telemetry and local response | Software per endpoint | You (unless MDR covers it) |
| XDR | Cross-domain telemetry | Software platform | You (unless MDR covers it) |
| SIEM | Log aggregation and correlation | Software plus storage | You (unless MDR covers it) |
| MDR | 24/7 SOC, triage, and response | Service subscription | Provider |
| MSSP | Legacy outsourced security | Service subscription | Provider (often alert-forward only) |

[Figure: Detection-to-Response Time: The Asymmetric Gap. Industry average (IBM 2025): 241 days, mean time to identify and contain a breach. Median attacker breakout (CrowdStrike 2025): 29 min, initial compromise to lateral movement. MDR MTTR, high-severity SLA (Sophos): 60 min, 90% of high-severity cases contained within SLA. Best-in-class MDR median (Expel): 14 min, median MTTR across all severity classes.]
The industry average is about 24,000 times slower than best-in-class MDR. Source: IBM Cost of a Data Breach 2025, CrowdStrike Global Threat Report 2025, vendor SLAs.

For a comparison with the legacy MSSP model specifically, see what an MSSP is and how the category is converging toward MDR in 2026.

How MDR works: the 5-step workflow

MDR works as a five-step cycle: collect telemetry from existing security tools, detect anomalies using correlation and threat intelligence, triage alerts through human analyst review, respond with documented containment actions, and report forensic artifacts back to the client. The cycle runs continuously, with the output of step five feeding tuning back into step two.

Return to the 3am scene from earlier. An EDR agent flags unusual service-account activity on a laptop in the finance department. Here’s how that alert moves through a working MDR service.

Step 1. Collect. The EDR alert is one data point. The MDR provider’s pipeline also has the client’s identity logs (Entra ID sign-in events), email metadata (Defender for Office 365 or comparable), and network flows. Within seconds, the alert is enriched with the service account’s recent login history, the laptop’s known-good behavioral baseline, and any email-based precursors in the last 72 hours.

Step 2. Detect. Correlation rules flag the alert as high-severity because three signals align: service account used interactively (unusual), laptop never previously accessed this file share (unusual), and process tree includes PowerShell invoking encoded commands (high-risk pattern). Threat intelligence matches the encoded command to a known ransomware staging technique. This isn’t a tuning noise alert. It’s active intrusion.

Step 3. Triage. An analyst on shift reviews the enriched alert within minutes. Gartner reviews of leading MDR providers consistently show human analysts close 90 percent or more of alerts inside the SOC without escalation, which is what makes the 24/7 coverage feasible. This alert isn’t one of them. The analyst confirms active intrusion and moves to response.

Step 4. Respond. Under pre-documented response authority signed off by the client during onboarding, the MDR provider isolates the laptop from the network, disables the service account in Entra ID, blocks the specific process hash across all endpoints, and begins reverse lookups on any outbound connections the laptop established in the last hour. The attacker’s staging activity stops within the triage window, not after 9am Tuesday.

Step 5. Report. The client’s named contact gets an incident notification with the timeline, the actions taken, and the evidence. Over the following 24 to 72 hours, the MDR provider produces a full forensic artifact: indicators of compromise, containment summary, root-cause analysis, recommended remediation. Detection rules are tuned to flag the same pattern faster next time. That artifact feeds directly into cyber insurance claims, PIPEDA breach assessments, and internal reporting.

Automation accelerates steps 1, 2, and parts of 3. It compresses routine triage and surfaces the high-severity signals. IBM’s 2025 Cost of a Data Breach Report found organizations using high levels of security AI and automation reduced their breach lifecycle by 108 days compared to those without, a substantial lift. The lift is conditional: automation still needs a human at the other end to close the loop on anything material. The five-step workflow is what gets that human into the loop fast enough to matter.
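The collect, detect and respond steps above, sketched as an added Python example (not Fusion's or any vendor's code): it correlates the three signals from the 3am scene per host and account, then splits the proposed containment actions into those covered by pre-documented authority and those needing escalation. Event field names, the baseline sets, the 15-minute window, the action names and the low/medium grading for fewer than three signals are assumptions; all telemetry is constructed.

```python
from datetime import datetime, timedelta

# Constructed baseline learned during tuning (assumed values).
SERVICE_ACCOUNTS = {"svc-backup"}
KNOWN_SHARE_ACCESS = {("FIN-LT-07", r"\\fs01\public")}  # (host, share) pairs
# Constructed response authority from onboarding (assumed action names).
PRE_AUTHORIZED = {"isolate_host", "disable_account", "block_hash"}
# Three aligned signals is "high" per the text; grading fewer is an assumption.
SEVERITY = {1: "low", 2: "medium", 3: "high"}

# Constructed telemetry for the 3am scene; field names are hypothetical.
EVENTS = [
    {"src": "identity", "ts": "2026-03-03T03:02:11", "host": "FIN-LT-07",
     "account": "svc-backup", "logon_type": "interactive"},
    {"src": "edr", "ts": "2026-03-03T03:03:40", "host": "FIN-LT-07",
     "account": "svc-backup", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc PLACEHOLDER_NOT_A_PAYLOAD",
     "sha256": "constructed-hash-placeholder"},
    {"src": "fileshare", "ts": "2026-03-03T03:05:02", "host": "FIN-LT-07",
     "account": "svc-backup", "share": r"\\fs01\finance"},
    # Benign or weak activity that must not reach high severity.
    {"src": "edr", "ts": "2026-03-03T03:06:00", "host": "OPS-LT-02",
     "account": "jsmith", "process": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
     "sha256": "constructed-hash-benign"},
    {"src": "fileshare", "ts": "2026-03-03T03:07:30", "host": "FIN-LT-07",
     "account": "mchen", "share": r"\\fs01\public"},
    {"src": "fileshare", "ts": "2026-03-03T03:12:00", "host": "OPS-LT-02",
     "account": "jsmith", "share": r"\\fs01\hr"},
]


def is_encoded_powershell(event):
    """True if a PowerShell command line uses -EncodedCommand or an abbreviation."""
    if event.get("process", "").lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    for token in event.get("cmdline", "").split()[1:]:
        name = token.lstrip("-/").lower()
        if token[0] in "-/" and name and (
                "encodedcommand".startswith(name) or name == "ec"):
            return True
    return False


def signals_for(event):
    """Map one enriched event to the named signals it raises."""
    sigs = set()
    if (event["src"] == "identity" and event["account"] in SERVICE_ACCOUNTS
            and event["logon_type"] == "interactive"):
        sigs.add("service_account_interactive")
    if (event["src"] == "fileshare"
            and (event["host"], event["share"]) not in KNOWN_SHARE_ACCESS):
        sigs.add("first_time_share_access")
    if event["src"] == "edr" and is_encoded_powershell(event):
        sigs.add("encoded_powershell")
    return sigs


def correlate(events, window=timedelta(minutes=15)):
    """Group signals per (host, account) within `window` and grade severity."""
    open_groups, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sigs = signals_for(ev)
        if not sigs:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["account"])
        grp = open_groups.get(key)
        if grp is None or ts - grp["first_seen"] > window:
            grp = {"host": ev["host"], "account": ev["account"],
                   "first_seen": ts, "signals": set(), "hashes": set()}
            open_groups[key] = grp
            alerts.append(grp)
        grp["signals"] |= sigs
        if "encoded_powershell" in sigs and "sha256" in ev:
            grp["hashes"].add(ev["sha256"])
    for alert in alerts:
        alert["severity"] = SEVERITY[len(alert["signals"])]
    return alerts


def plan_response(alert, authority=PRE_AUTHORIZED):
    """Containment proposed for analyst confirmation, split by written authority."""
    if alert["severity"] != "high":
        return {"execute": [], "escalate": []}
    wanted = [("isolate_host", alert["host"]), ("disable_account", alert["account"])]
    wanted += [("block_hash", h) for h in sorted(alert["hashes"])]
    return {"execute": [a for a in wanted if a[0] in authority],
            "escalate": [a for a in wanted if a[0] not in authority]}


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["severity"], alert["host"], alert["account"], plan_response(alert))
```

Passing a narrower `authority` set to `plan_response` moves actions from `execute` to `escalate`, which is the wake-someone-up delay that written response authority is meant to avoid.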


Why 2026 made MDR non-optional for Canadian SMBs

Three forces converged in 2026 to make MDR functionally mandatory for Canadian SMBs: cyber insurance renewals now require documented monitored response as evidence, not just EDR purchase; PIPEDA breach-notification timing is incompatible with the 241-day average dwell time; and attacker breakout time has fallen to a median of 29 minutes, versus days for human-only response. Any one of the three is a forcing function.

For most of the past decade, MDR was a best-practice purchase. Prudent. Recommended. Not required. In 2026 that shifted. Three separate forces, each independent, each pointing the same direction, moved MDR from nice-to-have to default.

Cyber insurance is now the biggest MDR buyer

Canadian cyber insurance underwriters spent 2023 through 2025 repricing the category after the ransomware-era loss ratios. By 2026, renewal questionnaires aren’t questionnaires anymore. They’re evidence-based audits. Insurers ask for logs, screenshots of SIEM configurations, backup test results, documented incident response procedures, and artifacts showing monitored response in action. “We have EDR deployed” is no longer an answer. The relevant artifact is the MDR provider’s monthly report showing investigations run and containment actions taken. Businesses that can’t produce that artifact are seeing either declined coverage or premium increases that make self-insurance math more attractive.

PIPEDA timing doesn’t survive 241-day dwell

Canada’s federal privacy law requires breach notification to the Office of the Privacy Commissioner and to affected individuals “as soon as feasible” after a real risk of significant harm is determined. The clock starts when the breach is discovered. The problem is that the exposure window is the full dwell time. Boards and insurers are increasingly asking Canadian SMBs how they’d meet PIPEDA timing obligations if discovery happened eight months after compromise. There isn’t a good answer without active monitoring. For organizations on Bill C-27 pathways or handling regulated data under provincial statutes (Quebec’s Law 25, BC’s PIPA), the notification exposure multiplies. MDR is the cheapest way to compress the discovery window into something that survives regulatory scrutiny.

Attacker breakout time is now 29 minutes

CrowdStrike’s 2025 Global Threat Report put the median attacker breakout time, meaning the time from initial compromise to lateral movement inside the target environment, at 29 minutes. The fastest recorded intrusions moved laterally in under seven minutes. A human-only response measured in hours or days is outside that window by two to three orders of magnitude. The only response models that operate on attacker timelines are ones with an analyst already watching at the moment the alert fires. That’s the MDR model, and it’s why SLA commitments have compressed below 20 minutes median for best-in-class providers.

“By 2026, 60 percent of organizations will be using MDR services for 24/7 threat monitoring, detection, and containment, up from 30 percent in 2023. By 2028, 50 percent of findings from managed detection and response providers will be focused on, or include detail on, threat exposures, up from 20 percent today.”

Gartner, Market Guide for Managed Detection and Response (2025)

[Figure: MDR Adoption Doubled in Three Years. Share of organizations using MDR services: 30% in 2023 (Gartner baseline), 60% in 2026 (Gartner projection), a change of +30 points.]
MDR adoption doubled in three years, driven by cyber insurance renewal requirements and shrinking attacker breakout times. Source: Gartner Market Guide for Managed Detection and Response (2025).

The adoption curve is not driven by fashion. It is driven by the three forcing functions above, stacked. Any one of them would move adoption. All three moving at once is what turned the curve from linear to steep.

For the Canadian SMB-specific compliance view, see PIPEDA compliance requirements and the cyber insurance coverage checklist that summarizes what underwriters are asking for in 2026.


How to evaluate an MDR provider: an 8-point checklist

Evaluate an MDR provider on eight criteria: documented response-time SLA, human-in-loop analyst coverage, integration with your existing stack, Canadian data residency, included forensic artifacts, written response authority, reporting cadence, and off-boarding terms. Pricing for a 25 to 100 endpoint Canadian SMB ranges from $2,500 to $5,000 per month fully loaded, with per-endpoint rates varying 10x between tiers.

“MDR” on the brochure isn’t a standard specification. Two providers selling products called MDR can differ by a factor of five in scope, response authority, and price. The checklist below is the minimum due diligence before signing. It works against Fusion, and it works against every other provider a Canadian SMB is likely to evaluate.

1. Documented response-time SLA. Ask for the SLA in writing, by severity class. Targets worth paying for: under 60 minutes for high severity, under 15 minutes for critical. Sophos publishes a 60-minute SLA commitment for 90 percent of high-severity cases. Acronis publishes 15-minute targets for critical incidents. Expel reports a median MTTR of 14 minutes across all severities. Without a contractual SLA, “fast response” is marketing copy.

2. Human-in-loop analyst coverage, not just automation. Confirm alerts are triaged by human analysts before escalating to the client. Ask what percentage of alerts close inside the SOC without touching the client’s team. Providers with real 24/7 coverage close 85 to 95 percent of alerts in-SOC. If the number is lower, the client is doing the MDR’s job.

3. Integration with your existing stack. Before signing, confirm the MDR can ingest telemetry from what’s already deployed: Microsoft 365 and Defender, SentinelOne, Fortinet, Cisco, CrowdStrike. Providers that insist on rip-and-replace are selling tooling, not MDR. Providers that integrate natively are selling the service.

4. Canadian data residency. For PIPEDA-regulated data and for most Quebec Law 25 obligations, where alerts and forensic artifacts are stored matters. Ask where the provider’s SOC operates, where the log storage physically lives, and who has access. US-hosted MDR is acceptable for some data classes and a liability for others.

5. Forensic artifacts included. Every incident response should produce a timeline, indicators of compromise, root-cause summary, containment report, and recommended remediation. These artifacts are what the client hands to counsel, to insurers, and to the OPC. Confirm they’re included in the subscription, not billed separately as incident response retainers.

6. Written response authority. The fastest MDRs have pre-documented authority for specific actions: isolate a host, disable an account, block an IP, quarantine a file. Without that authority, the SOC has to wake someone up to ask permission, which breaks the response time SLA. Get it in the onboarding document.

7. Reporting cadence and tuning loop. Monthly reports should show alerts by severity, investigations closed, response actions taken, and detection rule changes. A static rule set after 90 days is a tell. The environment evolves; detection should too.

8. Off-boarding terms. Data portability, detection-rule ownership, notice period, and the handover package. Cyber insurance renewals sometimes force a provider change, and off-boarding that takes six months is its own risk.

Pricing bands in 2026 vary roughly 10x for what gets labelled MDR. Per-endpoint rates run $5 to $15 per month in budget bundles (typically delivered by MSPs using Huntress or similar platforms), $15 to $35 per month in the mid-market tier, and $35 to $50+ per month at the enterprise end. For a 25 to 100 endpoint SMB, expect fully loaded subscriptions between $2,500 and $5,000 per month. The checklist above is where the price differences actually live.

[Figure: MDR Pricing Varies 10x for the Same Acronym. Per-endpoint monthly price ranges by vendor tier, 2026 Canadian market (USD equivalent). Budget, MSP-delivered (Huntress, MSP partner pricing): $5 to $15. Mid-market (Sophos, Arctic Wolf, typical SMB bundles): $15 to $35. Enterprise (CrowdStrike Falcon Complete, eSentire, Mandiant): $35 to $75+.]
Per-endpoint MDR pricing varies roughly 10x for the same acronym. Scope, SLA, and response authority explain most of the gap. Source: Cynet and MDRProviders 2026 pricing surveys, Huntress MSP partner pricing.

How Fusion’s MDR stack works

Fusion Computing’s MDR stack pairs Huntress (24/7 SOC and managed EDR, rated 9.4 out of 10 on PeerSpot) with SentinelOne on endpoint, Fortinet on network, and Microsoft Defender across M365 and identity. The service is CISSP-led, stores forensic artifacts in Canadian data centers, and integrates into Fusion’s managed IT service tiers rather than being sold as an upsell.

I run Fusion’s MDR practice against the same 8-point checklist. Huntress provides the 24/7 SOC backbone and managed EDR layer; their partner-first model and 9.4-out-of-10 PeerSpot rating across predominantly SMB deployments was the single biggest factor in my picking them. SentinelOne handles deep endpoint telemetry and local response actions. Fortinet gives network-layer visibility across the perimeter. Microsoft Defender covers M365, identity, and cloud signals natively, which matters because most Canadian SMB intrusions I’ve seen in 2026 start with identity, not endpoint.

The response authority is pre-documented during onboarding: Huntress can isolate endpoints, disable compromised accounts, and block specific process hashes without waking anyone up. Forensic artifacts live in Canadian-hosted storage. Monthly reports feed directly into cyber insurance renewal evidence. The service is integrated into Fusion’s managed IT service tiers so clients get monitoring and response as part of the engagement, not as a line-item negotiation. The full service description, including pricing ranges and included scope, lives on the managed cybersecurity services page.

Fusion Computing helps Canadian businesses deploy and run managed detection and response across Toronto and the GTA, Hamilton, and Metro Vancouver.


Frequently Asked Questions

What is the difference between MDR and EDR?

EDR is endpoint-detection software that produces telemetry and supports local response actions. MDR is a 24/7 service run by a third-party SOC that watches EDR output and takes response action on confirmed threats. Most Canadian SMBs need both: EDR as the telemetry layer, MDR as the watching layer.

Is MDR the same as managed SIEM?

No. SIEM is a log-aggregation and correlation layer. Managed SIEM is a service that operates the SIEM on the client’s behalf. MDR is broader: it operates whatever telemetry layer the client has (EDR, XDR, SIEM) with active threat hunting and documented response authority. Many organizations run both MDR and managed SIEM, because each serves a different function.

Do businesses still need antivirus if they have MDR?

Yes. MDR sits on top of endpoint tooling (modern endpoint protection or EDR), not instead of it. The tools produce the telemetry and block known-bad signatures; MDR watches and responds to the behavioral signals the tools surface. Removing endpoint protection to save money on MDR leaves the MDR blind.

How much does MDR cost for a Canadian 50-person business?

Typically $2,500 to $5,000 per month fully loaded, or roughly $30,000 to $60,000 per year. Per-endpoint pricing ranges from $5 to $50 per month depending on tier, with most SMB bundles in the $15 to $35 per endpoint per month range. Scope and SLA differences drive most of the variance.

What happens when MDR detects a threat at 3am?

The SOC triages the alert within minutes, contains the threat (typically by isolating the affected endpoint or disabling the compromised account under pre-documented authority), notifies the client’s on-call contact, and documents the incident with forensic artifacts. The response completes inside the attacker’s 29-minute breakout window rather than waiting until 9am.

How long does MDR deployment take?

Typical deployment is one to three weeks for endpoint agents and initial telemetry ingestion. Full detection-rule tuning takes 30 to 60 days as the SOC learns the client’s environment baseline. Most providers offer a graduated service-level ramp during tuning, with full contractual SLA engaging after tuning completes.

Can MDR replace existing cybersecurity tools?

No. MDR augments existing tools by adding human analysis and response. It does not replace firewalls, backups, identity controls, endpoint protection, or user training. Providers that frame MDR as a replacement for the underlying tools are usually selling a bundled tooling contract, not MDR.

Does MDR help with cyber insurance renewal?

Yes. Most 2026 Canadian cyber insurance underwriters require documented EDR or XDR plus monitored response as a renewal condition. MDR provides both the monitored response and the monthly reporting evidence that underwriters demand. The MDR provider’s monthly report becomes a core artifact in the renewal submission.
