Does MDR fix security issues or just detect them?

When you’re evaluating managed detection and response (MDR) providers, one of the most critical questions to ask is: Will you actually fix security issues, or just tell me about them? This distinction separates true MDR from basic monitoring services that leave your team scrambling to respond after getting notified about threats.

The answer isn’t always straightforward because MDR providers offer different levels of remediation capabilities. Some focus primarily on detection and alert you to threats for your team to handle. Others provide guided remediation with step-by-step instructions. The most comprehensive services take direct action to contain and eliminate threats on your behalf—automatically, in seconds, without requiring your team to lift a finger.

Understanding the remediation spectrum helps you choose an MDR provider who matches your organization’s needs, resources, and risk tolerance. Let’s break down exactly what MDR can do when it comes to actually fixing security issues.

Does MDR remediate threats?

The short answer: it depends on the MDR provider and service model you choose. Most modern MDR services offer some level of remediation capability, but the scope varies significantly between providers.

At one end of the spectrum, basic MDR services detect threats and notify your team, providing recommendations for remediation but leaving execution entirely to you. In the middle, guided remediation services provide detailed, step-by-step instructions and support while your team executes the response actions. At the other end, fully managed MDR services take direct action to contain and remediate threats on your behalf.

Auto remediation is a cybersecurity capability that automatically executes predefined response actions to address security incidents, vulnerabilities, and compliance violations without manual intervention. This capability combines advanced detection technologies with programmatic response workflows to neutralize threats at machine speed.

The business impact of these different approaches is significant. According to IBM research, the average time to identify and contain a data breach is 277 days, with the average cost per incident reaching $4.45 million. Automated remediation addresses this critical gap by enabling organizations to respond to threats within minutes rather than hours or days.

Most MDR services offer remediation capabilities along a spectrum of automation and human involvement:

Detection-only MDR: Identifies threats and sends alerts to your team for action. Your security staff handles all response and remediation steps.

Guided remediation MDR: Detects threats, investigates them, and provides detailed remediation playbooks and recommendations. Your team executes the actions with expert support from the MDR provider.

Managed remediation MDR: Takes approved containment actions automatically (like isolating infected endpoints) while providing recommendations for additional remediation steps you should take.

Fully automated MDR: Executes comprehensive response actions—containment, eradication, and initial recovery—automatically based on predefined parameters you establish during onboarding.

MDR response vs. detection only

What’s the difference between detection and response? This distinction is crucial because it determines whether your MDR provider is a true partner in security operations or just an expensive alerting system.

Detection means identifying a threat that exists in your environment. Detection capabilities include monitoring security tools for suspicious activity, correlating events across multiple systems, filtering false positives from real threats, and alerting security teams when malicious activity is confirmed.

Response means taking action to stop the threat and prevent damage. Response capabilities include isolating compromised systems from the network, terminating malicious processes, blocking attacker infrastructure, disabling compromised accounts, removing malware, and preventing lateral movement.

The “R” in MDR stands for response—but not all response capabilities are created equal. Historically, the cybersecurity industry distinguished between “little r” and “big R” providers. Little r MDR providers would identify threats and suggest response actions customers should implement themselves. In contrast, big R providers would execute response actions directly within customer environments.

This distinction matters operationally. Detection-only services might identify a ransomware infection and notify you, but by the time your team logs in, reviews the alert, and begins response procedures, the ransomware could have encrypted critical files. A response-enabled MDR service would immediately isolate the infected endpoint, terminate the encryption process, and contain the threat within minutes—often before you even see the alert.

According to external MDR experts, MDR provides actionable advice for containing and mitigating threats. The goal is to eliminate threats and recover from attacks. Most importantly, guided response ensures organizations can act proactively during a security event.

What actions can MDR take?

When MDR providers offer response and remediation capabilities, what specific actions can they actually take in your environment? Understanding these capabilities helps you evaluate which MDR service model fits your needs.

Containment actions

Containment represents the first critical response step—stopping threats from spreading while investigation continues. MDR providers can execute various containment actions:

Host isolation: Isolate hosts from your network and sever all communication with other business applications. This prevents compromised endpoints from being used for lateral movement or data exfiltration.

Network blocking: Block malicious IP addresses and domains at your firewall or network security tools, preventing communication with command-and-control servers or malicious infrastructure.

Process termination: Terminate malicious processes across endpoints before they cause further damage. For example, killing a ransomware encryption process before it can encrypt critical files.

Account disabling: Disable compromised user accounts to prevent attackers from using stolen credentials to access your systems and data.

Eradication support

After containing threats, eradication removes the attacker’s presence from your environment. These steps can be performed manually or through auto remediation.

Malware removal: Permanently delete confirmed malicious threat artifacts—no trace left behind. This includes removing malicious files, scripts, and executables.

Hash blocking: Block potentially malicious processes and files based on their hash values to prevent known malware from executing anywhere in your environment.

Registry cleanup: Remove malicious persistence entries from the Windows Registry that attackers use to maintain access even after reboots.

Credential reset: When Expel’s platform detects potentially compromised credentials, our highly skilled SOC team can now automatically reset the credentials in seconds, nullifying the threat and giving teams time to investigate and build resilience.

Session termination: In addition to resetting credentials, all active sessions for compromised accounts are terminated, ensuring threat actors are cut off from further access to your environment.

Recovery guidance

Even with automated containment and eradication, some recovery steps require your involvement. Quality MDR providers deliver recovery guidance including:

  • Detailed findings reports explaining what happened and what was done to fix it
  • Recommendations for restoring affected systems from backups
  • Guidance on verifying threats have been completely removed
  • Suggestions for preventing similar incidents in the future

Resilience recommendations: We can’t control when attackers will show up. If they don’t, that’s a good thing. But we feel it’s still our responsibility to provide value. Resilience recommendations are how we do that. You’ll get recommendations based on your environment and past trends to help you fix the root cause of recurring events or prevent them from happening in the first place.

MDR remediation capabilities

Understanding what remediation capabilities your MDR provider offers helps you set realistic expectations and choose the right service level for your organization.

Automated response

The most advanced MDR services offer automated response capabilities that execute immediately upon threat confirmation. Auto remediation enables Expel to automate specific response capabilities within your systems so attacks can be rapidly contained without requiring intervention from you.

However, there’s a crucial distinction in how quality providers implement automation. Our analysts create and assign all remediation actions in Workbench, but the actions themselves are carried out within your specific vendor technologies. We automate the remediation action itself, but not the decision to remediate.

This approach maintains human expertise for threat assessment while leveraging automation for rapid execution. When a security analyst confirms a threat and determines the appropriate response, automated workflows execute those actions in seconds across your security tools.

Manual intervention

Not all threats are straightforward enough for automated response. Complex incidents often require manual intervention where MDR analysts work with your team to:

  • Investigate unusual activity that doesn’t fit standard threat patterns
  • Coordinate response for incidents affecting critical business systems
  • Develop custom remediation approaches for sophisticated attacks
  • Provide forensic analysis to understand full attack scope

Automated systems excel in specific areas while requiring human guidance in others. Auto remediation systems demonstrate exceptional capability in executing predefined response actions quickly and consistently. However, they cannot independently assess the broader implications of security incidents or make strategic decisions about investigation priorities.

Customer approval workflows

Even with automated capabilities, you maintain control over what actions MDR providers can take. Our response is tailored to your environment. You decide what, when, and how actions get taken based on your tech stack, risk tolerance, policies, processes, and comfort level.

During onboarding, you configure which remediation actions can happen automatically and which require your explicit approval before execution. For example:

Typically auto-approved: Isolating non-critical endpoints, blocking known malware hashes, killing malicious processes on workstations.

Typically requires approval: Disabling executive accounts, taking production servers offline, making network-wide configuration changes.
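The onboarding configuration described above can be expressed as a small policy table that an automation layer consults for every analyst-confirmed action. This is an added example, not Expel’s or Workbench’s code; the asset kinds, action verbs and sample names are constructed, and the rules simply mirror the auto-approved and approval-required examples in the text. It also enforces the page’s principle that the action is automated but the decision to remediate is not: an action that no analyst has confirmed is refused outright.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO = "auto_execute"        # pre-approved during onboarding
    APPROVAL = "needs_approval"  # queued until the customer signs off


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str       # constructed: "workstation" | "server" | "account" | "network"
    critical: bool  # e.g. production server, executive account


@dataclass(frozen=True)
class Action:
    verb: str       # constructed: "isolate" | "kill_process" | "block_hash" | "disable_account" | "reconfigure"
    target: Asset
    analyst_confirmed: bool = False  # the human decision to remediate


# Constructed policy mirroring the examples in the text: isolating
# non-critical endpoints, blocking known-bad hashes and killing processes on
# workstations run automatically; executive accounts, production servers and
# network-wide changes wait for approval. Unknown verbs default to approval.
POLICY = {
    "isolate":         lambda a: not a.critical and a.kind in ("workstation", "server"),
    "kill_process":    lambda a: a.kind == "workstation",
    "block_hash":      lambda a: True,
    "disable_account": lambda a: a.kind == "account" and not a.critical,
    "reconfigure":     lambda a: False,
}


def decide(action: Action) -> Decision:
    """Automate the action, never the decision: unconfirmed actions are refused."""
    if not action.analyst_confirmed:
        raise ValueError(f"{action.verb} on {action.target.name} is not analyst-confirmed")
    rule = POLICY.get(action.verb, lambda a: False)
    return Decision.AUTO if rule(action.target) else Decision.APPROVAL


def triage(actions):
    """Split a confirmed incident's actions into auto-run and approval-queue lists."""
    decisions = [(a, decide(a)) for a in actions]
    auto = [a for a, d in decisions if d is Decision.AUTO]
    queued = [a for a, d in decisions if d is Decision.APPROVAL]
    return auto, queued
```

In a real deployment the auto list would be handed to the EDR or identity integration and the queued list surfaced to the customer for sign-off; the policy table is where the risk tolerance agreed at onboarding actually lives.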

Isolation procedures

Endpoint isolation represents one of the most common and effective remediation actions. When MDR detects a compromised endpoint, isolation prevents the attacker from using that system as a foothold for lateral movement.

The isolation process works through integration with your endpoint detection and response (EDR) platform. In one ransomware case, using CrowdStrike’s APIs, our analysts went from the alert hitting the queue to containing the host and stopping the ransomware in 5.5 minutes. When the stakes are high, there’s no time to waste in remediating.

Remediation playbooks

For threats requiring multi-step remediation or customer involvement, MDR providers deliver detailed remediation playbooks. These step-by-step guides explain:

  • What needs to be done and why
  • The order of operations for remediation steps
  • Commands or configurations to apply
  • Verification steps to confirm successful remediation
  • Follow-up actions to prevent recurrence

At Expel, you’ll get specific actions for each incident. You’ll also get a detailed findings report, written in plain English, so anyone can understand what happened and what was done to fix it.

Can MDR block threats?

Absolutely—blocking threats is a core capability of response-enabled MDR services. The question is what types of threats can be blocked and how quickly.

Proactive blocking

MDR providers can proactively block known threats before they cause damage:

Malicious infrastructure: Block IP addresses, domains, and URLs associated with command-and-control servers, phishing sites, or malware distribution networks.

Known malware: Block potentially malicious processes and files based on their hash values. When analysts identify malicious files during investigations, those hashes get added to block lists across your entire environment.

Compromised credentials: Prevent compromised identities from authenticating at all. This stops attackers from using stolen passwords even when they hold the correct credentials.

Reactive blocking

When threats are actively executing, MDR can implement immediate blocks:

Active processes: Killing malicious processes stops ongoing attacks like ransomware encryption or data exfiltration in progress.

Network traffic: Blocking outbound connections prevents compromised systems from communicating with attacker infrastructure or exfiltrating stolen data.

API access: Deactivate specific cloud access keys suspected of compromise to prevent unauthorized access to cloud resources.

Email threats: Hunt down and purge confirmed malicious emails from inboxes to prevent users from clicking malicious links or opening weaponized attachments.

Speed of response

The blocking happens at machine speed when automated. For a real-world example, consider ransomware detection. The Expel security operations center (SOC) discovers a malicious process actively encrypting files on an endpoint, consistent with indicators of a ransomware attack. With your pre-approval, Expel’s SOC team will automatically terminate the process the instant it’s validated, neutralizing the threat and preventing further file encryption.

According to external MDR providers, guided response and managed remediation restore endpoints to a known good status in the event of a threat, ensuring systems return to their pre-attack state through removal of malware, cleaning of registries, and elimination of persistence mechanisms.

Integration requirements

Blocking capabilities depend on integration with your security tools. Expel supports automated security remediation for customers who have CrowdStrike, Microsoft Defender for Endpoint, SentinelOne Singularity Complete, VMware Carbon Black Cloud, VMware Carbon Black EDR, Palo Alto Cortex XDR Pro, Elastic Endpoint Security, Cybereason, and others.

For identity-based blocking, integrations include options like Microsoft Entra Identity, Azure Cloud Direct, Duo Cloud, GitHub, Google Workspace, and Okta for automated account disabling and credential resets.

Key takeaways

MDR absolutely can fix security issues, not just detect them—but the extent of remediation capabilities varies significantly between providers and service models. The most comprehensive MDR services offer automated responses that contain and eliminate threats within seconds of detection, guided remediation with detailed playbooks for complex incidents, and continuous recommendations to improve your security posture and prevent future incidents.

You maintain control over which actions MDR can take automatically and which require your approval. During onboarding, you configure these parameters based on your risk tolerance, compliance requirements, and operational needs. Common automated actions include endpoint isolation, process termination, malware blocking, and account disabling, while significant actions like taking production systems offline typically require customer authorization.

The remediation spectrum ranges from detection-only services alerting you to threats, through guided remediation providing expert instructions, to fully managed services executing response actions on your behalf. Your choice should align with your internal resources—organizations with limited security staff benefit most from automated remediation, while those with mature security teams might prefer guided remediation that keeps their analysts in control.

When evaluating MDR providers, ask specific questions about remediation capabilities. What actions can they take automatically? How quickly can they respond? What requires customer approval? Do they just recommend fixes or actually implement them? The answers determine whether you’re getting true managed detection and response or just managed detection with response homework.