MDR vs SOC vs SIEM vs EDR vs XDR: Which Do You Actually Need?
SIEM and EDR are technology platforms. XDR is next-generation EDR. SOC is a team. MDR is an outsourced service. Most UK mid-market organisations buy a platform (EDR) plus a service (Managed SOC or MDR), priced from £900 per month. The right combination depends on whether you need broad estate coverage (SOC), endpoint-first defence (MDR), or both.
Five overlapping acronyms covering the same broad outcome: detect and respond to threats. The differences matter when you are buying. SIEM and EDR are platforms. XDR is a next-generation platform. SOC is a team. MDR is an outsourced service. Most UK mid-market organisations need a specific combination, not all five.
What each one actually is
Five categories. Three are software, one is a team, one is a service. The boundaries blur in vendor marketing. Here is the technically precise version. For the canonical industry definitions, see NCSC's board toolkit and the Gartner MDR market guide.
SIEM
Security Information and Event Management
A platform that collects, aggregates, and analyses log data from across your IT environment. It generates alerts when correlation rules identify suspicious patterns. Examples: Microsoft Sentinel, Splunk, Elastic, IBM QRadar.
What it does
Centralises logs, correlates events, generates alerts.
What it does not
Investigate alerts, respond to incidents, contain threats. That requires humans.
EDR
Endpoint Detection and Response
Agent-based software installed on endpoints (laptops, servers) that detects malicious behaviour and enables response actions like isolation. Examples: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne Singularity.
What it does
Detects endpoint-level threats, supports response actions on the endpoint itself.
What it does not
Monitor network or cloud telemetry. Triage its own alerts at scale.
XDR
Extended Detection and Response
A unified platform that extends EDR to ingest endpoint, identity, email, cloud, and sometimes network telemetry into one detection layer. Examples: Microsoft Defender XDR, CrowdStrike Falcon XDR, Palo Alto Cortex XDR.
What it does
Correlates threats across multiple data planes (endpoint + identity + email + cloud).
What it does not
Replace 24/7 human triage. Operate itself.
SOC
Security Operations Centre
A team of security analysts using SIEM, EDR, threat intelligence, and SOAR to monitor and respond to threats across an organisation, 24/7. Can be in-house or outsourced (managed SOC).
What it does
Continuous monitoring, alert triage, threat hunting, incident response, compliance reporting.
What it does not
Replace prevention controls (firewalls, MFA, patch management).
MDR
Managed Detection and Response
An outsourced service combining detection technology (usually EDR or XDR) with 24/7 human analyst response. Narrower scope than a full managed SOC, faster to deploy, lower entry cost.
What it does
Endpoint and identity threat detection, automated and human-led containment, post-incident reporting.
What it does not
Typically match the depth of network log analysis, SaaS audit log monitoring, or custom compliance reporting that a full managed SOC delivers.
The full comparison matrix
Eight dimensions across all five categories. Use this as a procurement reference.
| Dimension | SIEM | EDR | XDR | SOC | MDR |
|---|---|---|---|---|---|
| Type | Technology platform | Software product | Software platform | Team + capability | Outsourced service |
| Scope | All log sources | Endpoints only | Endpoint + identity + cloud + email | Entire IT estate | Endpoint + identity (typically) |
| Humans included | No | No | No | Yes | Yes |
| 24/7 monitoring | Tool runs 24/7, you triage | Tool runs 24/7, you triage | Tool runs 24/7, you triage | Yes, by analysts | Yes, by analysts |
| Active response | No (alert only) | Yes (endpoint isolation) | Yes (cross-plane response) | Yes (full incident response) | Yes (endpoint + identity actions) |
| Typical UK entry cost | £15,000 to £50,000+/year (licence) | £8 to £30 per endpoint/month | £15 to £50 per endpoint/month | From £900 to £12,000/month | From £900/month |
| Compliance evidence | Raw log retention only | Endpoint event logs | Cross-plane event logs | Full audit-ready reporting | Endpoint and identity audit trail |
| Best for | Organisations with in-house SOC | Endpoint-focused defence | Mature security programmes | Full estate coverage | Endpoint-first outsourcing |
Which do you actually need?
Six common starting scenarios. Find yours, see the recommended combination.
I have nothing today and need to start somewhere
Lowest-cost entry into managed detection. Endpoints are the most common attack surface. MDR delivers human response on top of EDR alerts without requiring a full SIEM deployment.
I have CrowdStrike, Defender, or SentinelOne already
Keep your existing EDR licence; add a managed service layer for 24/7 triage and response. No platform replacement, faster deployment, lower total cost.
I need compliance evidence (ISO 27001, NIS2, DORA, PCI DSS)
Compliance frameworks expect audit-ready log retention, monitoring records, and incident reporting that span the whole estate. A managed SOC produces this evidence; MDR alone usually does not.
I have an in-house IT team but no security specialists
A co-managed SOC gives your IT team visibility through a shared platform; a fully managed SOC takes the security operations burden off them completely. Both options include compliance reporting.
I am SaaS-heavy with significant cloud workloads
EDR alone does not see SaaS audit logs, Entra ID sign-in anomalies, or cloud configuration drift. A managed SOC ingesting Microsoft 365, AWS, Azure, GCP, and identity provider logs covers this gap.
I run a mature security programme and want unified detection
XDR is a platform, not a separate service category. Precursor operates XDR-capable platforms (Microsoft Defender XDR, SentinelOne Singularity) within our Managed SOC and MDR services rather than selling XDR standalone.
Your scenario isn't listed here?
A 30-minute scoping call surfaces the right combination for your estate, compliance position, and budget. Written recommendation within 24 hours.
In-house SOC vs Managed SOC
The most common comparison once you have decided you need a SOC: build it internally or buy it as a service. For UK mid-market organisations the economics rarely work in-house.
| Dimension | In-House SOC | Managed SOC |
|---|---|---|
| Setup cost | £150,000+ for SIEM, tooling, hardware | £0 (included in service) |
| Annual run cost | £500,000+ (5 analysts + tooling + management) | From £10,800/year (£900/month) |
| Headcount required | 5 analysts minimum for 24/7 cover | 0 internal hires |
| Time to operational | 6 to 12 months | 2 to 3 weeks |
| Coverage hours | Limited by team availability | 24/7/365 from physical UK SOC |
| Compliance evidence | Build your own audit trail and reporting | ISO 27001 A.8.16, NIS2 Art 21, DORA Art 17 included |
| Best for | Large enterprises with strategic SOC programmes (£500k+ annual security budget) | Mid-market organisations (50 to 2,500 users) needing enterprise-grade detection without enterprise headcount |
Internal SOC capability makes economic sense above approximately £500,000 of annual security spend. Below that threshold, outsourcing delivers stronger detection coverage per pound spent, faster time to operational, and built-in resilience against analyst turnover.
What UK organisations actually buy
Three combinations cover ~80% of UK mid-market security stacks in 2026. Sized by organisation profile.
Defender + Managed SOC on Sentinel
50–500 users, Microsoft 365, Defender for Business or Defender for Endpoint already licensed.
- EDR: Microsoft Defender for Endpoint
- SIEM: Microsoft Sentinel
- SOC layer: Outsourced Managed SOC
- Cost: £900–£3,500/month
Most cost-effective stack for Microsoft-shop organisations. Sentinel pay-as-you-go pricing scales linearly with log volume.
CrowdStrike + Managed SOC + Threat Hunting
500–2,500 users, FCA/DORA/ISO 27001 obligations, multi-cloud estate.
- EDR: CrowdStrike Falcon (or SentinelOne)
- SIEM: Microsoft Sentinel or Elastic
- SOC layer: Managed SOC + threat hunting
- Cost: £4,000–£8,000/month
Standard for regulated UK firms. Delivers DORA Article 17, ISO 27001 Annex A.8.16, and NIS2 monitoring evidence.
XDR + Co-managed SOC
2,500+ users, internal security team, complex multi-cloud, strategic 24/7 SOC.
- XDR platform: CrowdStrike Falcon XDR or Microsoft Defender XDR
- SIEM: Splunk, Sentinel, or Elastic at scale
- SOC layer: Co-managed (internal + outsourced 24/7)
- Cost: £8,000–£25,000+/month
Internal team handles strategic security; outsourced SOC covers 24/7 detection and response. Common in financial services and central government.
How Precursor maps to these categories
We sell three things: managed SOC, MDR, and managed EDR. The platforms (SIEM, EDR, XDR) sit inside those services.
SIEM: We operate Microsoft Sentinel and Elastic as SIEM platforms within our Managed SOC service. We do not sell SIEM as a standalone product.
EDR: We deploy and operate EDR on your behalf, or operate your existing CrowdStrike, Microsoft Defender, or SentinelOne licence.
XDR: XDR functions are delivered within our Managed SOC and MDR services using XDR-capable platforms (Defender XDR, SentinelOne Singularity). Not sold standalone.
Managed SOC: Full Security Operations Centre operated from our physical facility in Newcastle. 24/7 UK-based analysts, ISO 27001 A.8.16 compliance evidence, full estate coverage.
MDR: Endpoint and identity-focused detection and response with 24/7 analyst coverage. Faster to deploy than a full SOC, lower entry cost.
Still not sure which you need?
A 30-minute scoping call surfaces exactly which combination fits your estate, compliance obligations, and budget. No obligation, no pressure, written recommendation in 24 hours.
Common questions
The exact questions UK buyers ask when comparing managed security services.
A SOC (Security Operations Centre) is the broader capability: a team of analysts using SIEM, EDR, and threat intelligence to monitor and respond to threats across your entire estate. MDR (Managed Detection and Response) is a specific outsourced service that typically focuses on endpoint and identity-layer threat detection, often delivered via a managed EDR platform with 24/7 analyst response. A SOC ingests logs from everywhere; MDR focuses on endpoint telemetry with response action included. In practice, most managed SOC services include MDR functions and most MDR services include broader log monitoring, so the line has blurred since 2022.
An MSSP (Managed Security Service Provider) sells a broad portfolio: firewall management, vulnerability scanning, patch management, anti-malware, and sometimes SOC services. MDR is a focused outcome-based service: continuous detection and active response to threats. Traditional MSSPs alert you to issues; MDR providers contain and respond. If a managed service provider tells you a critical alert is happening, that is MSSP behaviour. If they tell you they have already isolated the affected endpoint and revoked the compromised user session, that is MDR behaviour.
SIEM (Security Information and Event Management) is a technology platform. It collects, aggregates, and analyses log data from across your environment, then generates alerts based on correlation rules. MDR is a service: human analysts who triage those alerts, investigate, and take response action. You can have a SIEM with no MDR (you are responsible for triage) or MDR with no SIEM (the provider runs everything on their platform). The most common UK mid-market setup uses Microsoft Sentinel as the SIEM and a managed SOC or MDR provider as the response layer.
EDR (Endpoint Detection and Response) is a software product installed on endpoints to detect malicious behaviour and enable response actions. MDR is the service layer on top of EDR (or sometimes SIEM): humans operating the platform 24/7, triaging the alerts the EDR generates, and taking response action. Buying EDR without MDR gives you visibility but no operational coverage. Most UK organisations buying EDR for the first time also need either an in-house SOC or an outsourced MDR provider to operate it.
XDR (Extended Detection and Response) is the next-generation EDR: a unified platform that ingests endpoint, identity, email, cloud workload, and network telemetry into a single detection layer. MDR is the human service that operates a detection platform (EDR, SIEM, or XDR) 24/7 on your behalf. Increasingly the two converge: 'managed XDR' is MDR delivered on an XDR platform rather than EDR. CrowdStrike Falcon Complete, SentinelOne Singularity Complete, and Microsoft Defender XDR + managed services are examples of this convergence.
Not usually. A managed SOC typically includes MDR functions: 24/7 monitoring, threat hunting, endpoint detection, and incident response. MDR is a subset of what a full SOC delivers. The decision is not 'both' but 'which scope': if your primary risk is endpoint compromise (ransomware, malware, insider abuse), MDR is sufficient. If your risk extends to network anomalies, cloud configuration drift, identity attacks, and SaaS account compromise, a managed SOC's broader log ingestion is necessary.
SOAR (Security Orchestration, Automation, and Response) is the workflow layer that sits between detection (SIEM/EDR/XDR) and response. It automates the playbooks an analyst would run manually: isolating an endpoint when a high-severity alert fires, disabling a user account on confirmed compromise, raising tickets, escalating to on-call. SOAR is usually invisible to the buyer of a managed SOC or MDR service: the provider runs it internally to make their analysts faster. You rarely buy SOAR standalone unless you are building your own in-house SOC.
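To make the SIEM and SOAR layers described above concrete (the SIEM definition earlier on this page and the SOAR answer just above), here is an added example that is not Precursor's code and not any vendor's product logic. It runs a small correlation rule of the kind a SIEM evaluates (repeated sign-in failures from one user and source IP inside a time window, escalated when a success follows) over a constructed batch of sign-in events, then hands each alert to a playbook that maps severity to response actions. The event data, the rule thresholds, the action names (isolate_endpoint, disable_account, open_ticket, page_on_call) and the dry-run executor are all assumptions made for the example; a real SOAR would call the EDR, identity provider and ticketing APIs where the executor only records what it would do.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in events for the example (not real telemetry):
# (timestamp, user, source IP, host, outcome)
SAMPLE_EVENTS = [
    ("2026-01-10T09:00:05", "alice", "203.0.113.7", "LAPTOP-01", "failure"),
    ("2026-01-10T09:00:09", "alice", "203.0.113.7", "LAPTOP-01", "failure"),
    ("2026-01-10T09:00:14", "alice", "203.0.113.7", "LAPTOP-01", "failure"),
    ("2026-01-10T09:00:20", "alice", "203.0.113.7", "LAPTOP-01", "failure"),
    ("2026-01-10T09:00:26", "alice", "203.0.113.7", "LAPTOP-01", "failure"),
    ("2026-01-10T09:00:31", "alice", "203.0.113.7", "LAPTOP-01", "success"),
    ("2026-01-10T09:02:00", "bob", "198.51.100.4", "LAPTOP-02", "failure"),
    ("2026-01-10T09:02:05", "bob", "198.51.100.4", "LAPTOP-02", "success"),
    ("2026-01-10T09:05:00", "carol", "192.0.2.9", "LAPTOP-03", "failure"),
    ("2026-01-10T09:05:03", "carol", "192.0.2.9", "LAPTOP-03", "failure"),
    ("2026-01-10T09:05:06", "carol", "192.0.2.9", "LAPTOP-03", "failure"),
    ("2026-01-10T09:05:09", "carol", "192.0.2.9", "LAPTOP-03", "failure"),
    ("2026-01-10T09:05:12", "carol", "192.0.2.9", "LAPTOP-03", "failure"),
]


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    source_ip: str
    host: str
    evidence_count: int


def correlate_sign_ins(events, threshold=5, window=timedelta(minutes=5)):
    """SIEM-style correlation rule over sign-in events.

    medium: `threshold` failures from one (user, source IP) inside `window`
    high:   a success from the same pair while the failure count is still at or
            above the threshold (failures followed by a success, worth a human look)
    """
    alerts = []
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps in window
    for ts_text, user, ip, host, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        key = (user, ip)
        # Slide the window: forget failures older than `window`.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if outcome == "failure":
            recent_failures[key].append(ts)
            if len(recent_failures[key]) == threshold:
                alerts.append(Alert("repeated_sign_in_failures", "medium",
                                    user, ip, host, threshold))
        elif outcome == "success":
            if len(recent_failures[key]) >= threshold:
                alerts.append(Alert("success_after_failures", "high",
                                    user, ip, host, len(recent_failures[key]) + 1))
            recent_failures[key] = []  # a success resets the counter either way
    return alerts


# SOAR-style playbook: which response actions run for which severity.
# Action names are hypothetical labels for this example.
PLAYBOOK = {
    "high": ["isolate_endpoint", "disable_account", "open_ticket", "page_on_call"],
    "medium": ["open_ticket"],
}


def run_playbook(alert, execute):
    """Run the playbook for one alert. `execute(action, alert)` performs the action
    (a real SOAR would call the EDR, identity provider or ticketing API here) and
    returns True on success. Returns the list of (action, succeeded) pairs."""
    actions = PLAYBOOK.get(alert.severity, ["open_ticket"])
    return [(action, execute(action, alert)) for action in actions]


def dry_run_executor(log):
    """Executor that only records what a real one would do (assumed for the example)."""
    def execute(action, alert):
        log.append(f"{action}: user={alert.user} host={alert.host} ip={alert.source_ip}")
        return True
    return execute


def triage(events):
    """Detection to response end to end; returns (alerts, action log)."""
    log = []
    alerts = correlate_sign_ins(events)
    for alert in alerts:
        run_playbook(alert, dry_run_executor(log))
    return alerts, log


if __name__ == "__main__":
    found, actions = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.rule} user={a.user} ip={a.source_ip} host={a.host}")
    for line in actions:
        print(line)
```

On the constructed batch the rule fires three times: a medium alert when alice reaches five failures, a high alert when her sign-in then succeeds, and a medium alert for carol's five failures; bob's single failure followed by a success never reaches the threshold. The playbook then turns the high alert into four actions and each medium alert into a ticket. Note what the example does not do: none of this decides whether alice's success was legitimate. That judgement is the human triage the page describes, which is exactly why a SIEM or SOAR on its own is not a SOC.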
The standard UK mid-market stack in 2026 is: EDR product (Microsoft Defender for Endpoint, CrowdStrike Falcon, or SentinelOne) + managed SOC operating on Microsoft Sentinel or Elastic SIEM, with MDR-style response built into the SOC service. This delivers endpoint coverage, broader log monitoring, and 24/7 human response from a single provider. Pricing typically runs £900 to £5,000 per month depending on endpoint count and log volume.
Precursor delivers managed SOC (broader coverage, all log sources, ISO 27001 / NIS2 / DORA compliance evidence), MDR (endpoint and identity-focused, faster deployment), and managed EDR (operates your existing CrowdStrike, Defender, or SentinelOne licence). We operate Microsoft Sentinel and Elastic as SIEM platforms within these services. We do not sell XDR as a standalone product; XDR functions are delivered as part of our SOC and MDR services using the platforms we operate.