The Forrester Wave™: Managed Detection And Response Services In Europe, Q3 2025 is live. It’s our second evaluation of the managed detection and response (MDR) space focused on the European market. It looks a bit different from our 2023 Wave as European customers place a greater emphasis on sovereignty, localization, speed, automation and resilience. While some MDR providers have adapted their frameworks and service delivery models to embed these, others offer only superficial adjustments. Buyers should cut through the marketing by asking vendors to demonstrate data processing, storage and access controls.

This research used 26 different criteria to evaluate 11 vendors: Accenture, CrowdStrike, ESET, EY, eSentire, Kudelski Security, NCC Group, Obrela, Orange Cyberdefense, Sophos, and WithSecure.

What You Should Look For

Beyond standard needs like faster detection and response, European CISOs also lean on their MDR providers to tackle tripartite pressures: complex regulation, economic volatility, and agile threat actors. The market has moved beyond one where extended detection and response was once considered a differentiator. European security leaders today now also expect their MDR providers to enable operational resilience, as they lack the internal capability to deal with today’s region-specific advanced persistent threats, and coordinating cross border response efforts. As you compile a shortlist or consider a renewal:

  • Ensure your provider can meet ALL your sovereignty needs. Having data centers in the EU is hardly sufficient in today’s regulatory and geopolitical climate. Firms in regulated industries — such as healthcare, finance, and the public sector — with strict sovereignty and localization requirements need to be especially vigilant. Avoid regulatory exposure by choosing an MDR provider that can demonstrate where data is processed, data pathways and access mechanisms, analyst locations and language capabilities, and how cross border containment actions are carried out.
  • Carefully evaluate vendors’ claims of AI as the panacea for all MDR problems. MDR vendors have positioned AI as the panacea for all that ails security, and while their use of AI does shorten incident timelines, there are nuances to be considered when evaluating an MDR vendor’s AI capabilities. Use our evaluation to determine what exactly a provider does with AI and how that’s relevant (or not) to your organization’s needs. Favor vendors that can demonstrate how AI enables containment actions and configuration updates with appropriate human oversight.
  • See and test how detection, response, and forensics are integrated. Choose providers that are able to weave endpoint coverage data, threat intelligence, and other telemetry into a useful tapestry of insights that inform your security strategy and reduce delays in containment and response. Test a provider’s ability to meet these objectives by asking them to walk you through a real incident, demonstrating how telemetry was collected, how quickly containment was executed, and whether forensics required a separate handoff.

Forrester security and risk clients who have questions about the European MDR market can schedule a guidance session with me here.