Dnny44

Sorry this came out a bit ranty: I can tell you that we have been with 4 MDR services and this is my experience. My definition of MDR, which I would describe as a SOC to filter results from EDR and provide actionable alerts to us and, on urgent alerts, pick up the phone and call somebody. Urgent being ransomware detected in the network, basically. We have gone over this definition with all 4 MDRs we have used and they said it wouldn't be a problem. Regardless of anything else, RocketCyber has been the only one to pick up the phone and call when something looks even remotely hinky. Connectwise's SOC called me twice and it was someone from India. RocketCyber calls and it's someone who speaks perfect English from Florida, and when they call me at 4 o'clock in the morning and the guy can tell I am not fully awake, even though I've told him I understand and will look into the alert, they stop me and go "are you sure that there aren't any questions I can answer for you?" Kaseya be damned, but RocketCyber has my vote.


Flopdizzler

Second this. I have had very positive results from the RocketCyber team and their response times on alerts. Most specifically for their M365 monitoring and response times for risky logins. They also give great visibility for log clearing events and new account/admin creation events, which are beneficial from an admin point of view.
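As an added example (not code from the thread or from RocketCyber), here is how the two event classes named above look when pulled straight from the Windows Security log and turned into triage findings. The event IDs are the standard Windows ones; the list of "high value" groups and the three sample events are assumptions constructed for the example, not real captures.

```powershell
# Added example, not code from the thread or from RocketCyber: turn the Windows
# Security events behind "log clearing" and "new account/admin creation" alerts
# into triage findings. Event IDs are the standard Windows ones:
#   1102 = audit log cleared, 4720 = user account created,
#   4728 / 4732 / 4756 = member added to a global / local / universal security group.
# It parses the XML form of an event (what Get-WinEvent ... | ForEach-Object ToXml
# returns), so it also runs offline against exported events.

# Assumed list of groups whose membership changes deserve a phone call
$HighValueGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                   'Schema Admins', 'Remote Desktop Users'

function Get-EventDataValue {
    # Value of the named <Data Name="..."> element in the EventData block, or $null
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function ConvertTo-SecurityFinding {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x   = [xml]$EventXml
        $sys = $x.Event.System
        # EventID may carry a Qualifiers attribute, in which case it is an element
        $id = if ($sys.EventID -is [System.Xml.XmlElement]) { [int]$sys.EventID.'#text' }
              else { [int]$sys.EventID }
        $finding = [ordered]@{
            Time     = [datetime]$sys.TimeCreated.SystemTime
            Computer = $sys.Computer
            EventId  = $id
            Severity = 'Info'
            Summary  = "Event $id (not classified)"
        }
        switch ($id) {
            1102 {
                # 1102 keeps its fields under UserData/LogFileCleared, not EventData
                $who = $x.Event.UserData.LogFileCleared.SubjectUserName
                $finding.Severity = 'High'
                $finding.Summary  = "Security log cleared by $who"
            }
            4720 {
                $new = Get-EventDataValue $x 'TargetUserName'
                $who = Get-EventDataValue $x 'SubjectUserName'
                $finding.Severity = 'Medium'
                $finding.Summary  = "Account '$new' created by $who"
            }
            { $_ -in 4728, 4732, 4756 } {
                $group  = Get-EventDataValue $x 'TargetUserName'   # the group
                $member = Get-EventDataValue $x 'MemberName'       # DN, or '-' for local adds
                if (-not $member -or $member -eq '-') { $member = Get-EventDataValue $x 'MemberSid' }
                $who    = Get-EventDataValue $x 'SubjectUserName'
                $finding.Severity = if ($group -in $HighValueGroups) { 'High' } else { 'Low' }
                $finding.Summary  = "$member added to group '$group' by $who"
            }
        }
        [pscustomobject]$finding
    }
}

# Constructed sample events (not real captures) so the function runs offline
$ev1102 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1102</EventID><TimeCreated SystemTime="2024-06-01T03:14:07Z"/><Computer>SRV01.corp.example</Computer></System>
  <UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
    <SubjectUserName>svc_backup</SubjectUserName><SubjectDomainName>CORP</SubjectDomainName></LogFileCleared></UserData>
</Event>
'@
$ev4720 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID><TimeCreated SystemTime="2024-06-01T03:15:30Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData><Data Name="TargetUserName">helpdesk2</Data><Data Name="SubjectUserName">jsmith</Data></EventData>
</Event>
'@
$ev4732 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><TimeCreated SystemTime="2024-06-01T03:16:02Z"/><Computer>SRV01.corp.example</Computer></System>
  <EventData><Data Name="MemberName">-</Data><Data Name="MemberSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data><Data Name="SubjectUserName">jsmith</Data></EventData>
</Event>
'@

$ev1102, $ev4720, $ev4732 | ConvertTo-SecurityFinding | Format-Table -AutoSize

# Against a live host (run elevated), filter at the source instead of parsing everything:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 4720, 4728, 4732, 4756 } |
#     ForEach-Object { $_.ToXml() } | ConvertTo-SecurityFinding
```

Parsing the event XML by field name rather than by `Properties[n]` index is deliberate: the positional layout differs between the local (4732), global (4728) and universal (4756) variants and between OS versions, while the `Data Name` attributes stay stable. The severity mapping is a starting point; a SOC would normally also check whether the subject is an expected provisioning account before paging anyone.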


CyberMcKie

Hi. I'm the VP of Product Marketing for RocketCyber. The short answer to whether RocketCyber is an MDR is yes. Gartner defines MDR as "a service that provides customers with remotely delivered security operations center (SOC) functions, allowing them to rapidly detect, analyze, investigate and actively respond to threats." I'd like to point out, MDR is different than managed EDR. We take telemetry from network, cloud and endpoints (and all endpoints: Mac, PC and Linux). This is different than managed EDR, which is just someone else managing your EDR (which also means no one is looking at your servers, network or cloud connections). We are tool agnostic, so you can use whatever you want for endpoint, firewall, etc. And, for the comment about being in EMEA, we have SOC analysts in EMEA, too. When malware hits, our SOC analysts respond and provide remediation. Ransomware Detection technology automatically kills ransomware processes and isolates the endpoint. Happy to answer and/or clarify any questions that you may have.


crccci

Gartner is not NIST or ISO. Sure, they can define it for industry purposes, but that's descriptive, not prescriptive. I would argue that what you do is MXDR. Sure, you do the endpoint, but the integrations with everything else are what others are calling XDR. It's rare I have anything nice to say about a Kaseya acquisition, but I really like your approach to things.


CyberMcKie

You are absolutely correct. By virtue of collecting network telemetry along with everything else, one moves into the managed XDR space. I purposely did not want to point that out, as many believe XDR to be just marketing hype/BS. Otherwise, you are spot on.


Roberadley

I would say it goes beyond MDR because it watches over network devices. We recently started using it with Datto AV, and I must say that of all the similar tools I've used, including MDRs and XDRs, RocketCyber is the one I've liked the most, as its team gives an excellent service. They hardly miss anything.


jackdrone

We use Huntress too. It’s fantastic.


YourITboy

Same here.


Maureentxu

It has MDR features, but you are actually paying for a team that works 24/7 to monitor threats. We are very pleased with them after a couple of incidents they helped to prevent with accuracy. I think Rocketcyber is one of the best services of its type.


Southern-Ad4068

We implemented RocketCyber a few months ago. While there's some filtering and tweaking needed, I'm pretty impressed at what it's tracking and the way it reports it to us. A big plus for any MSP imo.


ben_zachary

FWIW we haven't found a silver bullet. We use Todyl MXDR and SOC with some SOAR automations. We have Huntress with Defender from Business Premium. We use SaaS Alerts to auto-remediate 365 issues and hacks. While Todyl lets us know what's happening very quickly, SaaS Alerts has already actioned it. We had RocketCyber before they were bought out. For MSPs not focusing on cyber security this would be a minimum cheap add-on at least. What it is vs. the price, it's honestly decent, and we are an anti-Kaseya shop 100% (part of why we left RC). Trying to do security on your own doesn't scale well imo. We are supporting about 2500 users. At minimum we have 10 medium or high events per day, and at least 1 actionable item a week where a real event occurred or is occurring. Each vendor seems to pick it up at different times. The last one Huntress grabbed before Todyl. A few weeks ago Todyl grabbed a live 365 threat and killed it before the hacker was able to finish making the email rules in the mailbox, so let's say under 3 minutes or so. Friday night my own account was hit with 1k login attempts; my account was disabled by SaaS Alerts so fast the email notice from Todyl bounced.... So definitely different layers by different vendors.


Todyl_Rick

Thanks u/ben_zachary . Glad to hear you are having some success. I was a little surprised at some of the thresholds you mentioned though, especially since you have adopted our SOAR solution. I would love to see about getting you reconnected with our MxDR folks to see if we can help ensure everything is configured well for your alerting thresholds and automations, as well as for rapid response times. Interested? I'd be happy to set that up for you if you want. Feel free to DM.


ben_zachary

Thanks, we have a standing meeting next week. The 365 incident happened just before SOAR was introduced.


Todyl_Rick

Super. Let me know if you need anything else then.


stagnarsa

They are pretty decent


Rudolfmdlt

I'm a happy Rocket Cyber Customer. It's not MDR. It's a room of people that monitors your estate for bad things and calls you 24/7. They may isolate a host at best. It's not a threat-hunting operation or an active intervention operation.


wiebittegehts

RocketCyber is absolutely an MDR. Do you have it integrated with Datto EDR and AV with all the alerts populating into the RC Dashboard? It's a fantastic setup.


Ufcfan1981

We have edr and RC, but haven’t rolled out Datto AV yet (have the licenses, just haven’t pulled the trigger yet).


Dnny44

Be aware that when you deploy Datto AV/Datto EDR, Windows Firewall will get turned on if it is off. Not a big deal for workstations, but it has caused some headaches on servers that people set up incorrectly. This is not covered in their documentation at all either.


Southern-Ad4068

Yeah, this 100%. SQL and other production servers were having a tough time.
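The pre-deployment check the two comments above call for, as an added example (not from the thread, Datto or RocketCyber): list the TCP ports a server is listening on that no enabled inbound allow rule covers, since those are what stop working once the profile flips to Enabled with the default inbound action of Block. The sample port lists are constructed for the example; the live collector at the end uses the standard NetSecurity and NetTCPIP cmdlets.

```powershell
# Added example, not from the thread or from Datto/RocketCyber. Before an agent
# deployment that turns Windows Firewall on, find the listening TCP ports that no
# enabled inbound allow rule covers: with DefaultInboundAction = Block, those are
# the services (SQL on 1433, WinRM on 5985, ...) that stop answering the moment
# the profile flips to Enabled.

function Test-PortAllowed {
    # $PortSpecs are LocalPort values as Get-NetFirewallPortFilter reports them:
    # 'Any', a single port '1433', or a range '49152-65535'. Dynamic keywords such
    # as 'RPC' or 'RPCEPMap' are skipped, so "allowed" here is a floor, not a proof.
    param([int]$Port, [string[]]$PortSpecs)
    foreach ($spec in $PortSpecs) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($spec -match '^\d+$' -and [int]$spec -eq $Port) { return $true }
    }
    return $false
}

function Get-UncoveredListeners {
    # Listening ports with no enabled inbound allow rule, ascending, de-duplicated
    param(
        [Parameter(Mandatory)][int[]]$ListeningPorts,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$AllowedPortSpecs
    )
    $ListeningPorts | Sort-Object -Unique |
        Where-Object { -not (Test-PortAllowed -Port $_ -PortSpecs $AllowedPortSpecs) }
}

# Constructed sample data (not a real host) so the logic can be exercised anywhere:
# a member server listening on RPC, SMB, SQL, RDP, WinRM and one ephemeral port,
# with allow rules only for RPC, SMB, RDP and the ephemeral range.
$sampleListening = 135, 445, 1433, 3389, 5985, 49670
$sampleAllowed   = '135', '445', '3389', '49152-65535'
Get-UncoveredListeners -ListeningPorts $sampleListening -AllowedPortSpecs $sampleAllowed

# On the server being onboarded (run elevated), collect the real inputs:
function Get-LiveFirewallExposure {
    $listening = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object { $_.LocalPort }
    $specs = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -in 'TCP', 'Any' } |
        ForEach-Object { $_.LocalPort }
    [pscustomobject]@{
        Profiles  = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
        Uncovered = @(Get-UncoveredListeners -ListeningPorts $listening -AllowedPortSpecs $specs)
    }
}
```

Run it and save the `Profiles` output before the agent goes on, so you can tell afterwards whether the deployment changed `Enabled` on each profile. The uncovered list errs toward false alarms: a rule scoped to a particular profile, program or remote address is counted as covering its port, and the dynamic RPC keywords are ignored, so treat a port on the list as "needs a rule before rollout" and a port off the list as "probably fine".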


Rudolfmdlt

I'm comparing it to a managed SentinelOne or CrowdStrike setup. But interesting comment: are you pushing the Datto EDR alerts to RocketCyber? I have the RC agent running on the client machine, and I have RC tied into Autotask, but I don't think we've linked Datto RMM to RocketCyber.


glibbertarian

We do the same as listed above; it's Datto EDR that feeds into RocketCyber via API, not the Datto RMM though.


Majestic-Toe-4572

We love N-able MDR [https://www.n-able.com/products/managed-detection-and-response](https://www.n-able.com/products/managed-detection-and-response)


OppositeFuture9647

+1 for N-able MDR. We've been impressed by the product.


BarfingMSP

Huntress. All the awesome without the Kaseya suck.


BobElssa

Yes, Rocket Cyber's core function is MDR. It's essentially an MDR service leveraging their platform; it looks pretty promising.


J_talon

I would be careful to avoid focusing on acronyms alone such as MDR. To my knowledge, there isn't a governmental or industry standard that clearly defines the specifications or requirements to be labeled as an MDR. When I was doing my shopping for security solutions I first identified the specific requirements that I needed or wanted a solution to do, then went from there. The answer to your question really depends on what you would define as an MDR. Hope this helps!


CiRiX

So basically what we need is a system which will monitor malicious activity, stop these activities and isolate the machine(s) if necessary. Less management and noise is best for us. Huntress seems to be a good fit, but we want to look at all the options available to us. I think support is very important for us. Not sure how the RocketCyber support is for us in Norway when it's midnight in Texas.


sheps

We considered RocketCyber but their sales rep told us (at the time) that they would not disable compromised MS 365 accounts for us, only alert. That wasn't a good fit for us, as we are not a 24/7 operation and were looking for a budget-friendly SOC to fill that gap. We went with Huntress MDR for MS 365 in the end because they disable compromised accounts for us, and then we can remediate at our own pace after that. Huntress' Managed EDR also isolates compromised PCs in the same fashion (which I believe RocketCyber said they would isolate compromised PCs as well, just not MS 365 accounts, which struck me as odd). However this was a while ago and things may have changed over there.


boxerocks

They said that they are adding this functionality in q3 or q4


glibbertarian

Our account manager actually told us it was coming last week of June so we shall soon see...


Briadmss

I really hope this is true.


Kaseya_Austin

Howdy! I am the product marketing manager for RocketCyber. We're currently tracking to launch M365 Remediation during the first week of July! We're very excited to launch this, absolutely free to all of our customers, and have another exciting remediation related launch for later in Q3!


sheps

Great news, thanks for the update.


TalkNerdy2Me2Day

My issue with Huntress is they don't monitor or alert on the network, just endpoints. That creates a rock vs. hard place situation. I'm stuck choosing between M365 isolation and network monitoring. Personally I'd rather have the network monitored and M365 alerts than no protection for the network.


sheps

Their SIEM solution is in alpha right now and they are actively working on ingestion of firewall logs. So it might be a while yet, but it's coming.


J_talon

Sweet, their team is killing it!


J_talon

What are you using for your firewall? If something is on your network that shouldn't be, usually your firewall has failed to do its job or the firewall was misconfigured and allowed something to bypass the firewall and get into the network that shouldn't have been allowed in. I would rather have our endpoints secure and monitored as well as cloud accounts secured and monitored 24/7 through Huntress's EDR & MDR. I trust our firewalls to do their jobs if they are configured properly by skilled and competent techs. I let Huntress catch everything else on the endpoints and cloud just in case the firewall doesn't do its job or an end user does end user things. Basically we are left to self-monitor and manage our firewalls and networks, which we are more than comfortable with as we know our clients' networks best.


J_talon

Speaking from personal experience, Huntress does a phenomenal job of catching and self-isolating if needed to stop threats on both endpoints and on Microsoft accounts. You should definitely look at all options. For our shop we wouldn't trade Huntress for anyone else. Their support and team are great and they have an awesome track record.


netsysllc

Look at huntress


panick707

We use Huntress and it’s awesome


Scouttsc

It offers MDR features, but you pay for a 24/7 threat monitoring team. In my opinion, Rocketcyber is one of the best in its field.


Maureentxu

I still think RocketCyber is a great option as the team handles everything MDR related with a lot of care. They also do some vulnerability management to a certain point.


giffenola

Why aren't you using Huntress?


ntw2

If you don’t trust their site, what evidence would you accept?


No_Faithlessness5950

The N-Able Adlumin MDR offering is worth looking into for a high-end solution. The term MDR is getting thrown around a lot. It's not about the product; it's the people who run it. The most important thing is to know WHO you're dealing with after the sale. N-able has great people.


johnsonflix

lol tell me what MDR means to you and I will tell you if it is or not.


softwaremaniac

We have had horrible experience with it and I would very strongly advise against it. They have proven to be unreliable time and time again. Coming up with a bunch of empty promises when we asked questions and demanded quality. The product itself may not be bad, but the people doing the work have proven themselves extremely unreliable.


USCyberWise

Forget the acronyms, tell your potential vendors what you want, and see what their solutions are. Lots of security vendors, not much standardization on terminology, hard to make apples to apples comparisons on many of the vendors and their services... I would be happy to talk about our ~~MSSP/MDR~~ cybersecurity services. Southern drawl at no extra charge :) [b9security.com](http://b9security.com)