MDR vs Managed Antivirus: What's the Difference and Why Does It Matter?

The cybersecurity market has a naming problem. "Managed" has been appended to so many products — managed antivirus, managed firewall, managed detection and response, managed SOC, managed XDR — that the term no longer reliably indicates what a product does or what capability it actually delivers. For small business owners trying to understand what protection they need, this creates genuine confusion.

This guide cuts through the terminology to explain what each category of product actually does, where the meaningful differences lie, and how to evaluate what you're being sold.

What Managed Antivirus Does

Traditional antivirus software works by comparing files and processes on a device against a database of known malicious signatures. When something matches a known signature, it's blocked or quarantined. "Managed" antivirus means that the antivirus software is deployed, updated, and monitored centrally — usually by an IT provider — rather than relying on individual users to keep it current.

This is a meaningful capability. Unmanaged antivirus that's out of date or disabled is significantly less effective than a centrally managed deployment where updates are enforced and alerts are reviewed. For basic protection against commodity malware, managed antivirus is a genuine control.

However, traditional antivirus has well-documented limitations:

What Endpoint Detection and Response (EDR) Does

EDR is the successor to traditional antivirus for endpoint protection. Instead of — or in addition to — signature matching, EDR tools monitor the behaviour of processes and files on a device continuously, looking for patterns of activity that indicate malicious intent regardless of whether the specific malware has been seen before.

An EDR tool that observes a Word document spawning a PowerShell process that then makes an outbound connection to an unknown external server will flag this as suspicious — not because it matches a known malware signature, but because this is not normal behaviour for a word processor. This behavioural approach catches a much wider range of threats than signature-based detection alone.

EDR also provides response capability: the ability to isolate a compromised endpoint from the network, terminate malicious processes, collect forensic artefacts, and roll back malicious changes in some cases.
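To make the behavioural-versus-signature distinction above concrete, here is a small added example (not code from the original article or from any vendor's product) of the kind of logic an EDR sensor applies. It runs a parent-child process rule over a constructed stream of endpoint telemetry events: a document application spawning a scripting host whose process then opens an outbound connection to a destination that is not on an allowlist. The event shape, the allowlist, the process names and the "known bad" hash set are all assumptions made for the illustration; the same events are also checked against a signature list to show that the chain is caught by behaviour alone.

```python
"""Behaviour-based detection over constructed endpoint telemetry.

Added illustration only: the event format, process names, hashes and
allowlist below are constructed for the example, not taken from any
real EDR product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed categories for the rule (hypothetical lists, not a vendor's).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
KNOWN_GOOD_DESTS = {"update.example-corp.internal"}  # constructed allowlist
# Constructed "signature database": placeholder hashes, none match below.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_HASH_OF_KNOWN_MALWARE_SAMPLE"}


@dataclass
class Event:
    ts: int
    kind: str                      # "process" (start) or "connect" (outbound)
    pid: int
    ppid: Optional[int] = None     # parent pid, for process events
    image: Optional[str] = None    # executable name, for process events
    sha256: Optional[str] = None   # file hash, for process events
    dest: Optional[str] = None     # destination, for connect events


# Constructed sample telemetry: one suspicious chain, two benign ones.
SAMPLE_EVENTS: List[Event] = [
    Event(1, "process", 100, 1, "explorer.exe", "PLACEHOLDER_HASH_EXPLORER"),
    Event(2, "process", 200, 100, "winword.exe", "PLACEHOLDER_HASH_WINWORD"),
    Event(3, "process", 300, 200, "powershell.exe", "PLACEHOLDER_HASH_POWERSHELL"),
    Event(4, "connect", 300, dest="203.0.113.45"),          # unknown external host
    Event(5, "process", 400, 100, "winword.exe", "PLACEHOLDER_HASH_WINWORD"),
    Event(6, "process", 500, 400, "splwow64.exe", "PLACEHOLDER_HASH_SPLWOW"),  # print helper
    Event(7, "process", 600, 100, "powershell.exe", "PLACEHOLDER_HASH_POWERSHELL"),
    Event(8, "connect", 600, dest="update.example-corp.internal"),  # allowlisted
]


def build_process_table(events: List[Event]) -> Dict[int, Event]:
    """Index process-start events by pid so ancestry can be walked."""
    return {e.pid: e for e in events if e.kind == "process"}


def ancestry(pid: int, procs: Dict[int, Event]) -> List[str]:
    """Return image names from the process itself up to the root we know of."""
    chain: List[str] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against pid reuse loops
        seen.add(cur.pid)
        chain.append(cur.image or "?")
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain


def signature_hits(events: List[Event]) -> List[int]:
    """Signature model: flag only processes whose file hash is already known bad."""
    return [e.pid for e in events if e.kind == "process" and e.sha256 in KNOWN_BAD_SHA256]


def detect_office_shell_beacon(events: List[Event]) -> List[dict]:
    """Behavioural rule: scripting host descended from an office app makes an
    outbound connection to a destination that is not allowlisted."""
    procs = build_process_table(events)
    findings = []
    for e in events:
        if e.kind != "connect":
            continue
        proc = procs.get(e.pid)
        if proc is None or proc.image not in SCRIPT_HOSTS:
            continue
        if e.dest in KNOWN_GOOD_DESTS:
            continue
        chain = ancestry(e.pid, procs)
        if any(img in OFFICE_APPS for img in chain[1:]):   # an ancestor is an office app
            findings.append({"ts": e.ts, "pid": e.pid, "dest": e.dest, "chain": chain})
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE_EVENTS))          # []
    for f in detect_office_shell_beacon(SAMPLE_EVENTS):
        print(f"behavioural hit pid={f['pid']} dest={f['dest']} chain={' <- '.join(f['chain'])}")
```

The signature check returns nothing because none of the constructed hashes are in the "known bad" set, while the behavioural rule still flags pid 300: the chain explorer.exe -> winword.exe -> powershell.exe -> external connection is abnormal for a word processor regardless of what the script or payload is. The benign Word child (a print helper) and the administrator's PowerShell session talking to an allowlisted host are not flagged, which is the false-positive discipline a real rule needs.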

What Managed Detection and Response (MDR) Does

MDR adds the human layer to EDR and broader telemetry. It combines technology — typically EDR on endpoints, network traffic analysis, cloud service monitoring, and threat intelligence feeds — with a team of analysts who review alerts, investigate incidents, and take response actions.

The key distinction between MDR and managed antivirus is the analyst: MDR delivers human judgement, applied continuously, to the outputs of detection technology. An MDR service can tell you not just that an alert fired, but what it means, whether it's a genuine threat, what the attacker's likely objective is, and what you should do about it.

A Security Operations Centre providing MDR capability goes further still: it adds proactive threat hunting, vulnerability management, threat intelligence analysis, and the depth of contextual knowledge that comes from an analyst assigned specifically to your environment.

The Questions That Reveal What You're Actually Buying

When evaluating a managed security product, these questions will reveal whether you're buying genuine MDR/SOC capability or a managed antivirus with better marketing:

What Small Businesses Should Actually Buy

The answer depends on your threat model and your compliance requirements. For organisations that handle personal data, operate in regulated sectors, bid for contracts that require security evidence, or simply cannot afford the cost of a breach response — the case for genuine MDR capability is straightforward.

The traditional argument that MDR is only for enterprises has been undermined by the pre-configured sensor model that makes 24/7 analyst monitoring economically viable for organisations with 25 or more assets. The per-asset, per-day cost of a genuine MDR service is now comparable to — and in many cases lower than — the cost of the collection of point tools it replaces.

Genuine MDR. Not Managed Antivirus.

SOC in a Box is built on SOC365 — our own detection and response platform. Same correlation engine, same threat intelligence, same analyst team as our enterprise clients. Not a white-labelled antivirus product with a portal. Ask us the hard questions on your scoping call.
