Managed security services (MSSs) are defined as the remote monitoring or management of IT security functions, delivered from remote security operations centers via shared services rather than by on-site personnel. They therefore do not include staff augmentation, consulting, or development and integration services. MSSs include monitored or managed firewalls and intrusion prevention/detection systems; managed multifunction firewalls; centralized vulnerability management technology; managed email or network traffic compliance gateways; and security analysis and reporting of events captured from infrastructure logs. These services also include reporting associated with monitored/managed devices and incident response; managed network, server, database or application vulnerability scanning; distributed denial of service protection; monitoring/management of customer-deployed security information and event management technologies; and monitoring/management of advanced threat defense technologies.

Managed security services (MSSs) – Gartner magic quadrants

Gartner describes managed security services (MSSs) as providing:

  • Remote 24/7 monitoring of security events and security-related data sources
  • IT security technology governance and management
  • Security operating capabilities through shared services from remote security operations centers (SOCs), not through on-site personnel or remote services delivered to a single customer on a one-to-one basis

Descriptions of some of the best MSS tools follow:


Secureworks

In addition to infrastructure management, risk assessment and control, threat analysis, controlled detection and response, incident response (via retainer), and advisory services, Secureworks offers a variety of security event tracking and response services. A center of excellence in Romania supports the SOCs. MSS delivery is through Secureworks’ proprietary Counter Threat Platform (CTP), which provides data collection and management, analysis, and a portal. Secureworks also has premises-based physical and virtual equipment that enables aggregation and transmission of logs and tracks network security. The Secureworks Customer Portal gives clients access to services. For customers seeking EDR services, Secureworks offers fully managed services using the Red Cloak agent, or monitored EDR for Carbon Black and CrowdStrike. For customers using the Red Cloak agent, an additional innovative threat hunting program is available at an hourly rate or through Specialized Endpoint Threat Identification Elite with Active Threat Hunting. An add-on module for malware detection is offered in collaboration with Lastline. The research and engineering department of the Secureworks Counter Threat Unit (CTU) offers security analysis to support a range of MSS solutions, as well as stand-alone security intelligence services. Pricing for MSS depends on the number and type of causes of incidents in the control or management field. Secureworks has recently introduced additional service bundle pricing models, such as its MDR service bundle, which is priced by the number of employees in the buyer’s company.


Trustwave

Trustwave offers conventional managed security tools such as 24/7 security event detection and vulnerability management. In addition, for endpoints, Trustwave Managed Detection and Response (MDR) provides managed Carbon Black and Cybereason EDR, as well as Darktrace for network monitoring and response. Managed threat hunting is also an option within the MDR service set. Trustwave has made efforts to align the MDR program with its more developed business areas, both in terms of functionality and in providing value for money to customers. The MDR service can address response actions via EDR, which can be handled remotely by a certified digital forensics and incident response handler in less than four hours. Trustwave provides consulting services via its SpiderLabs Automated Forensics and Incident Management Team for on-site incident response through the retainer. The SpiderLabs team within Trustwave also has an in-house threat analysis platform that the organization leverages for threat detection; however, it does not market this to consumers as a stand-alone feed. Trustwave has several proprietary products that it can manage for customers (such as WAF, UTM, IDS), and it also provides control and management of several third-party technologies.

Symantec (Broadcom)

Symantec, headquartered in Mountain View, California, is a security technology organization that also provides a range of security event monitoring services and solutions as part of its Cyber Protection Services market. Symantec has offices across the globe, at the regional and country level. It runs a regional network of SOCs with national coverage 24/7. Symantec takes a globally standardized approach to how its SOCs operate, including their processes and procedures. The core capabilities of Symantec’s Information Protection Services address security event monitoring and response. They also provide threat intelligence, incident response, and maintenance services. Symantec also uses its own technologies to offer Managed EDR, Managed Network Forensics and Controlled Cloud Defense. Also available, through product collaborations and Symantec’s own products, are a controlled intrusion detection and prevention (IDP) service and a security management program for OT and IoT applications. Symantec’s delivery platform has been migrated from an on-site data center to AWS and includes its log collection and management portal, analytics and customer portal.


Verizon

Verizon offers a variety of MSS and Defense Advisory services leveraging a national SOC network. It also has a SOC in Luxembourg dedicated to customers with specific data sovereignty requirements. Verizon’s Unified Security Platform (USP) offers users single-portal connectivity to all platforms and services. Verizon’s MSS platform includes log management capabilities that allow clients to search stored logs for 90 days. Verizon’s MSS delivery platform incorporates open-source, patented, and commercial tools, including Splunk Security Data Analytics, Local Event Collector (LEC) and Verizon’s patented correlation engine. MSS pricing is based on the volume of log data ingested daily, with distinct pricing for advanced detection. For services based on endpoint detection and response products, pricing is per endpoint; for network analytics, it is by the number of flows ingested. Verizon also offers additional services such as a retainer for incident response, Autonomous Threat Hunting (via the acquisition of Niddel), and the Verizon Risk Report (VRR).


IBM

IBM, headquartered in Armonk, New York, is both a security technology vendor and a service provider, offering a variety of managed security and related services across a 24/7 regional SOC network. IBM’s MSS offerings focus on tracking security events by leveraging its QRadar SIEM platform, which provides centralized customer base monitoring. Customer-accessible QRadar form factors include mutual multitenant (the default), on-site, SaaS SIEM, or a combination of both. It can also support other SIEM platforms (e.g., Splunk or ArcSight) as desired. As part of the Unified IBM X-Force Incident Response and Intelligence Services (IRIS), IBM’s complementary MSSs provide vulnerability assessment and vulnerability management through the IBM X-Force Red team, as well as incident response retainers, incident management and threat intelligence services. IBM recently introduced its X-Force Threat Management (XFTM) service, an integrated threat monitoring, detection and response service that leverages SIEM (mainly QRadar, but others are supported as needed), SOAR (via IBM Resilient) and EDR tools from third parties. Data residency requirements may be addressed using the form factors mentioned.