Managed Detection & Response (MDR)

We start from an assume-breach, threat-driven model. Using our Threat Intelligence Platform (TIP), we map relevant threat actors → TTPs → tools → controls → data sources → detection coverage for your environment.

On top of native detections (e.g. Defender, Entra, M365, Azure), we run 300+ TTP-driven detections with strong focus on:

• lateral movement and credential abuse
• stealthy persistence and abuse of built-in tooling
• command-and-control and data-exfiltration patterns

Because we keep 12 months of hot, directly searchable telemetry, our SOC and IR teams can reconstruct the full kill chain, not just the initial alert that happened to fire.

Yes. Our SOC is staffed 24/7, not just “on-call”.

• During nights and weekends, analysts continue to monitor, triage and respond within agreed SLAs.
• Confirmed or highly likely incidents are contained remotely by default (endpoint isolation, account disable, token revocation, IP/domain blocking, etc.), following a pre-agreed response mandate per asset type.
• For high-severity cases, our IR team can be engaged immediately; on-site presence is available under our paid IR Retainer tiers.

We built our own ingest optimiser specifically for this problem. In practice, we typically:

• reduce ingest volume by 50–80%,
• while keeping the fields and event types needed for detection, forensics and hunting.

We do this by:

• de-duplicating noisy and repetitive events,
• stripping irrelevant or low-value fields,
• applying threat-led filtering: keep what matters for your attack paths, drop what doesn’t.

On top of that, we continuously monitor ingest patterns and adjust pipelines as your environment and threats evolve, so you keep 12 months of hot telemetry without runaway SIEM ingestion costs.

Ingest and retention assumptions are explicit in our commercial model, so you don’t get unpleasant surprises after go-live.

Most customers already have significant investments in Microsoft security. We don’t show up and tell you to rip that out. In practice we usually unlock more telemetry than before, not less:

• We keep Microsoft Defender, Entra ID / Azure AD, on-prem Active Directory and M365 as core sensors.
• Together we decide what role Sentinel should keep: stay as-is, be slimmed down, or be phased out once our data lake and pipelines take over the heavy lifting.

The goal is always the same:

• keep the value of your Microsoft investment,
• avoid paying twice for the same telemetry, and
• get deeper detection, hunting and IR than “Sentinel-only” MDR typically provides.

Included in the MDR fee:

• MDR operations & 24/7 monitoring within the agreed scope.
• Ingest up to the commercially agreed volume.
• TTP-based detection logic & response playbooks (our full global library, tuned to your environment).
• Standard reporting & insights: dashboards, portal/app access and weekly/monthly/quarterly MDR summaries.
• Baseline Incident Response Retainer (Tier 3) for remote containment and best-effort IR support.
• Governance & collaboration: the standard onboarding model, operational check-ins, tactical reviews and strategic sessions as agreed.
• Ad-hoc advice & sounding board: day-to-day questions, design choices and “what do you think of this?” discussions are part of the service, not separate projects.

Potential extras (always scoped and agreed in advance):

• Security Program Gap Assessment (SPGA): aligning prevention, detection and response controls with your threat landscape and risk appetite, and translating this into a future-proof roadmap.
• Extended scope: additional locations, OT/ICS environments or extra data sources beyond the initial agreement.
• Higher ingest / longer hot retention: if you want more telemetry or more than 12 months hot data.
• Paid IR Retainer tiers (Tier 1/2): stricter SLAs, larger prepaid hour blocks and guaranteed on-site response in the EU.
• Breach & Attack Simulation (BAS): validating security controls and MDR coverage in production.
• Bespoke projects: for example complex custom integrations, deep audit/compliance reporting or additional assessments.

European supervisors now expect continuous monitoring, forensic-ready logging and fast, structured incident reporting, not just a stack of tools and a policy binder. Our MDR is engineered to help you meet those expectations in practice, with evidence you can stand behind in conversations with regulators, auditors and counsel.

Concretely, we help you with:

• Log retention & forensic readiness: We keep 12 months of hot, directly searchable telemetry across your critical identities, endpoints, cloud and networks — so you can reconstruct what happened without ad-hoc log hunting, and support investigations, audits and insurance discussions with hard data instead of assumptions.
• Incident reporting timelines: Our IR-led MDR and DFIR lab help you gather and structure the information needed for initial notifications within 24 hours, structured updates around 72 hours, and a substantiated final report within 1 month — for both NIS2-class incidents and the equivalent staged reporting cycles under DORA.
• Risk-based controls & roadmaps: Through our Security Program Gap Assessment (SPGA) and Breach & Attack Simulation (BAS) we map your threat landscape, attack paths and control gaps, link them to DORA and NIS2 requirements, and translate this into a practical, threat-aligned improvement roadmap.
• Data protection & European sovereignty: Hunt & Hackett is a private Dutch company operating under EU law, NIS2 and GDPR. Our SOC, processes and MDR platform are designed with EU data residency as the default and a clear path towards more sovereign, Europe-anchored security — while remaining fully compatible with major platforms like Microsoft, AWS and GCP.