In a move that was widely telegraphed and expected, Microsoft officially launched its own set of managed detection and response (MDR) services, with more to come in the future. In this blog, we break down what security leaders need to know about Microsoft’s MDR launch, the impact on the cybersecurity market, and what will change as a result.

Per press reports, Microsoft was in the running to buy Mandiant, but Alphabet snagged the vendor. Missing out on Mandiant cost Microsoft the “head start” an acquisition gives, which leaves it to take a slower and steadier approach to building its services capabilities. Around the same time the Mandiant news broke, Microsoft hired Kelly Bissell, who most recently led Accenture’s cybersecurity services practice — a strong signal that Microsoft wants to keep cybersecurity services in its bull’s-eye.

What Matters For CISOs

As we’ve discussed multiple times, Microsoft’s path to market begins with IT and relies on bundling. In addition to bundling security capabilities in Azure, it can now couple those with security services. Security leaders fighting with IT to avoid a rip-and-replace move to Microsoft bundles should keep in mind that this announcement is another piece of ammunition for the IT team. They will likely take advantage of this opportunity by:

  • Weaponizing their ability to reduce the number of security vendors that security teams rely on. CISOs raised the issue of too many vendors and too many tools in recent years, and Microsoft will now use that to justify the advantages of going even deeper into its platforms. While it has led with this strategy the past few years, now it can add yet another piece: services.
  • Solving the competence gap via services. A rip and replace requires training current practitioners on the new technologies they will need to use. But bundling products and services together reduces some of the need for training since the product is run for you as part of the service.
  • Offering steep discounts for bundling. As-a-service models provide enough margin that partners only offering services can’t compete with the discounts. Microsoft’s bundling and discounting strategy will present many CISOs and IT teams with an offer they can’t refuse.
  • Delivering the service makes the technologies better. The Security Services Flywheel shows that owning the intellectual property on which a service is delivered gives vendors an advantage. By working — directly — with the users of your service-delivered products, you receive feedback that is much harder to collect consistently and clearly from product users. Every new customer that buys the bundle of tech plus product creates a new opportunity for your services team to engage, which leads to better feedback from the day-to-day users of your technology. This practitioner-sourced feedback loop partly led us to create AX (analyst experience).


CISOs who want to push back against too much Microsoft should look to their other trusted security product and service vendors — especially if they need to justify point solutions — and ask for help creating business cases, total economic impact statements, and outcome-focused case studies from customers in the same segment.

What It Means For The Market

In 2002, Joel Spolsky wrote “Strategy Letter V” about commoditizing your complements, and the essay still perfectly captures and predicts Microsoft’s strategy. Security services vendors should take a long look at other Microsoft partners as a preview of what will come next. When it launched, Defender was an innocuous antivirus alternative. In 2022, it’s a fully capable, leading enterprise endpoint detection and response tool that now serves as the basis for Microsoft’s own services delivery teams and partner ecosystem. At the same time, Sentinel and Defender for Endpoint allowed services partners to reap rewards in recent years when running those technologies for customers.

Big is a strategy. Microsoft is a platform company, and platform lock-in allows Microsoft to hold its security, IT, and reseller partners hostage. After all, those partners can’t simply choose not to work with Microsoft products when the customers they serve live in the tech vendor’s ecosystem. This leaves partners dependent on — and concerned about — what comes next. There are several areas where those partners will find that enabling Microsoft, rather than competing with the company, is an effective strategy, including:

  • Navigating licensing complexity. Trying to identify what you get when buying one of the E3/E5 license variants is akin to practicing advanced mathematics or the occult — or both at the same time. Security leaders will find partners can help them navigate what they bought, what they need, and what to snag as an add-on.
  • Needing more “touch.” Microsoft is a platform company that’s not well known for its customer support. The platform comes first, not the service. For companies that want a higher touch and a more collaborative vendor, partners can step in and fill that void. Microsoft might be who you buy it from and how the service is delivered, but partners make it work.
  • Dealing with complexity. Yes, platform vendors like Microsoft make it easier via cloud and as-a-service approaches and help reduce the number of vendors you work with. But once you activate these services, they enter your world of departments, business units, politics, processes, and competing priorities. Microsoft will deliver a standardized service; it falls to you — or one of your services partners — to customize and adapt that service to fit your organization, tweaking it until it works best for you.
  • Addressing the small and medium-size business (SMB) market. Part of “big as a strategy” is recognizing that Microsoft will focus services resources the same way it does sales, customer support, and product resources: on the big customers. The SMB market will likely remain underserved by Microsoft. This leaves an opportunity for competing service providers.

The Cybersecurity Market Will Pit Industry Heavyweights Against Each Other

Microsoft will need to cultivate and integrate a whole new set of partners as it expands security services like incident response. Microsoft can throw its weight around in technology and IT, but it’s also going to come up against another set of companies unafraid to throw their power around: the insurance industry and cyber insurance providers. Many competitors — like the aforementioned Mandiant and its new owner Google Cloud — are more than two years ahead of Microsoft in these areas.

Making a mark in this segment will require Microsoft to juggle its relationships with insurers, law firms, and communications agencies to work effectively with litigation-aware clients. The Redmond, Washington-headquartered vendor’s ability to meet the demands of the dominant players in this new incident response ecosystem, where it’s unable to exert control, is worth following.