
What is the difference between MDR, SOC, EDR, and SIEM, and which one does cyber insurance actually want?

Detection & Response

Read the complete guide: How do you make your IT cyber-insurance defensible? A 2026 guide for commercial businesses.

What is MDR vs SOC vs EDR vs SIEM?

EDR records what happens on endpoints. SIEM aggregates logs across the whole environment. SOC is the staffed team of humans who investigate alerts. MDR is a productized service that bundles EDR (or equivalent telemetry) with a 24/7 SOC delivered as a managed offering. Cyber insurance carriers in 2026 ask whether you have 24/7 monitored detection and response, which is the MDR-shaped answer rather than the "we have EDR deployed" answer.

EDR
  What it is: Software agent on each endpoint that records process, file, and network activity and detects suspicious behavior
  What it answers: "What happened on this laptop / server?"
  Carrier expectation: Required, with coverage on every endpoint

SIEM
  What it is: Centralized log aggregation and correlation across endpoints, identity, firewalls, cloud, applications
  What it answers: "What happened across the whole environment, and is it correlated?"
  Carrier expectation: Required for higher-tier policies; common questions about retention duration

SOC
  What it is: Team of humans (analysts, engineers) who investigate alerts, hunt threats, and respond
  What it answers: "Did a human look at the alert and act?"
  Carrier expectation: Required to be 24/7 staffed; alert-only platforms are increasingly inadequate

MDR
  What it is: Productized managed service combining EDR (or XDR), SIEM-style correlation, and a 24/7 staffed SOC
  What it answers: "Is detection and response actually delivered as a service?"
  Carrier expectation: Most efficient way to satisfy the 24/7 monitored detection and response requirement

What does cyber insurance actually want to see?

The carrier requirement is shifting from "deployed" to "monitored" to "responded." The 2025 NAIC Cybersecurity Insurance Report and downstream carrier applications focus less on which products you bought and more on whether the products are operationally effective: are alerts triaged within minutes, are incidents responded to 24/7, is there evidence of investigation outcomes (NAIC, 2025 Cybersecurity Insurance Report). Coalition's 2025 claims reporting reinforces the same direction: outcomes track with monitoring quality more than tool selection (Coalition, 2025 Cyber Claims Report).

That shift is a response to attacker dwell time. The 2025 Verizon DBIR documented ransomware in 44% of breaches reviewed, with small and medium businesses experiencing ransomware in 88% of breach cases (Verizon, 2025 DBIR Executive Summary). The same DBIR found that 22% of breaches involved compromised credentials and that 88% of attacks against basic web applications used stolen credentials. Carriers now treat undetected dwell time as the primary loss driver. A monitored stack with a 24/7 SOC compresses dwell time from days to minutes; an alert-only stack does not.

Where does antivirus fit (and why it does not count)?

Legacy antivirus uses signatures to block known-bad files. EDR uses behavioral analytics to detect attacker tradecraft, including techniques mapped against the MITRE ATT&CK framework, regardless of whether the file is known. The mapping matters because attackers have largely abandoned malware-on-disk in favor of living-off-the-land techniques (legitimate Windows tools used maliciously) that signature-based antivirus cannot detect (MITRE ATT&CK).
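To make the signature-versus-behavior distinction concrete, here is an added example that is not code from the page or from any antivirus or EDR vendor. It runs two detectors over the same constructed endpoint telemetry: a signature check that can only act on a hash it has already seen, and a behavioral rule that looks at the parent/child process relationship instead of the file. The event schema, host names, hashes and rule names are all constructed for this example; the ATT&CK ids T1059 and T1204.002 are real technique identifiers, but mapping these particular rules to them is the example's own choice.

```python
"""Signature matching next to behavioral detection over constructed endpoint events.

Added illustration only: not code from the page or from any antivirus or EDR
product.  The event schema, hashes, host names and rule names are constructed;
the ATT&CK technique ids are real but the rule-to-technique mapping is this
example's own.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed blocklist: the only thing a signature engine can act on.
KNOWN_BAD_HASHES = {"sha256:deadbeef00"}  # placeholder hash of a previously seen malicious file

# Document-handling applications that rarely have a legitimate reason to start
# a command interpreter, and the interpreters to watch for.  Constructed lists;
# tune them to the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as an EDR agent would emit it (constructed schema)."""
    host: str
    image: str          # executable file name
    sha256: str         # hash of the executable on disk
    parent_image: str   # executable that started this one
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    technique: str      # ATT&CK technique id the rule is mapped to
    detail: str


def signature_scan(events: list[ProcessEvent]) -> list[Finding]:
    """Legacy antivirus model: flag a file only if its hash is already known bad."""
    return [
        Finding(e.host, "signature_known_bad", "T1204.002", f"{e.image} matched blocklist")
        for e in events
        if e.sha256 in KNOWN_BAD_HASHES
    ]


def behavioral_scan(events: list[ProcessEvent]) -> list[Finding]:
    """EDR model: flag tradecraft from the process relationship, whatever the file is.

    Rule: a command interpreter started by a document-handling application.
    The interpreter is a signed operating-system binary, so its hash is never
    on a blocklist; only the parent/child behaviour gives it away (ATT&CK T1059).
    """
    return [
        Finding(e.host, "office_spawns_interpreter", "T1059",
                f"{e.parent_image} -> {e.image}: {e.cmdline}")
        for e in events
        if e.image.lower() in INTERPRETERS and e.parent_image.lower() in OFFICE_PARENTS
    ]


# Constructed telemetry: one living-off-the-land chain on WS-07, an ordinary
# interpreter launch on WS-12, and a known-bad file on WS-19.
SAMPLE_EVENTS = [
    ProcessEvent("WS-07", "winword.exe", "sha256:2c3d4e5f60", "explorer.exe", "winword.exe /n invoice.docx"),
    ProcessEvent("WS-07", "powershell.exe", "sha256:0a1b2c3d4e", "winword.exe", "powershell.exe -NoProfile -Command <redacted>"),
    ProcessEvent("WS-12", "cmd.exe", "sha256:1b2c3d4e5f", "explorer.exe", "cmd.exe /c dir"),
    ProcessEvent("WS-19", "setup.exe", "sha256:deadbeef00", "explorer.exe", "setup.exe"),
]


def hosts_flagged(findings: list[Finding]) -> set[str]:
    """Convenience view: which hosts a detector would have raised an alert for."""
    return {f.host for f in findings}


if __name__ == "__main__":
    print("signature :", hosts_flagged(signature_scan(SAMPLE_EVENTS)))   # {'WS-19'}
    print("behavioral:", hosts_flagged(behavioral_scan(SAMPLE_EVENTS)))  # {'WS-07'}
```

The two detectors flag disjoint hosts: the signature check catches the known-bad file on WS-19 and nothing else, while the behavioral rule catches the WS-07 chain even though every executable involved is a trusted system binary. That disjointness is the point of the paragraph above, and it is also why the behavioral rule is scoped to a parent/child pair rather than to an interpreter alone, which would otherwise flag the ordinary WS-12 launch as well.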

For underwriting purposes, antivirus alone is no longer treated as a meaningful detection control. The renewal questionnaire question "do you have endpoint protection" is increasingly worded as "do you have EDR or XDR with 24/7 monitoring." A "yes" that quietly means "yes we have antivirus" is the kind of attestation that fails forensic review. Public Gartner-tracked discussions of MDR services consistently emphasize the gap between alert-generation platforms and human-staffed response, which is the same distinction underwriters now ask about (Gartner, Managed Detection and Response Services Glossary).

How does the stack work together?

The defensible architecture for a 10-25 person commercial business is layered, not duplicated:

  1. EDR on every endpoint. Records and detects on the endpoint itself. Sends telemetry up.
  2. SIEM aggregates. Correlates EDR telemetry with identity events (Microsoft Entra sign-ins), firewall logs, cloud admin events, and application logs.
  3. SOC analysts investigate. 24/7 humans review alerts, eliminate false positives, and escalate genuine incidents.
  4. MDR responds. The same provider that delivered the SOC takes containment and remediation actions per a documented playbook.

That layered architecture is what carriers ask about as a single bundled question. An MSP-delivered MDR offering compresses the stack into one accountable service line, which is easier for an underwriter to evaluate than "we bought four products from four vendors and stitched them together."

Consider a concrete example. A finance team member at a 25-person engineering firm clicks a phishing link and enters credentials into a fake Microsoft 365 login page on a Tuesday afternoon. The attacker logs in from an unusual geography 14 minutes later. EDR on the user's laptop sees nothing, because the attacker is on their own machine. The Microsoft Entra sign-in event flows into the SIEM, which correlates the unusual geography with the legitimate user's normal sign-in pattern and raises an anomaly. The SOC analyst sees the alert, calls the user, confirms the phishing event, and the MDR provider revokes the active session, forces a password reset, and initiates a tenant-wide token revocation. Total elapsed time: 22 minutes. Without the SOC layer, the alert would have sat unacknowledged in a queue while the attacker exfiltrated mailbox data. The difference between "MDR" and "EDR with no humans" is precisely those 22 minutes.
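The scenario above, played through as an added example that is not code from the page, from Microsoft, or from any MDR provider. It walks the four layers from the list above in order: the endpoint layer has nothing to contribute, the SIEM layer correlates a sign-in against the user's own history, the SOC layer acknowledges the alert, and the MDR layer runs the containment playbook, with the elapsed time computed from the timestamps. Everything is constructed: the sign-in records loosely mirror Entra sign-in log fields but are not the real schema, "ZZ" is a placeholder country code standing in for "unusual geography", and the triage and step durations are assumptions chosen so that the timeline lands on the 22 minutes the text describes.

```python
"""Sign-in correlation against a per-user baseline, then a timed response playbook.

Added example only: not code from the page, from Microsoft, or from any MDR
provider.  All records are constructed; the field names loosely mirror an
Entra sign-in log but are not the real schema.  "ZZ" is a placeholder country
code standing in for "unusual geography".
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

USERS = ["jdoe@example.test", "asmith@example.test"]

# Constructed history: 30 days of successful sign-ins from the users' usual country.
BASELINE_LOG = "\n".join(
    json.dumps({"time": f"2026-03-{d:02d}T09:05:00Z", "user": u,
                "country": "US", "ip": "203.0.113.10", "result": "success"})
    for d in range(1, 31) for u in USERS
)

# Constructed events for the scenario: the sign-in with the phished credentials
# 14 minutes after the click, plus an ordinary sign-in by a colleague.
PHISH_CLICK_TIME = "2026-03-31T14:00:00Z"
NEW_EVENTS_LOG = "\n".join([
    json.dumps({"time": "2026-03-31T14:14:00Z", "user": "jdoe@example.test",
                "country": "ZZ", "ip": "198.51.100.7", "result": "success"}),
    json.dumps({"time": "2026-03-31T14:15:00Z", "user": "asmith@example.test",
                "country": "US", "ip": "203.0.113.11", "result": "success"}),
])

# Containment actions named in the scenario, run in order by the MDR provider.
PLAYBOOK = ["revoke_active_session", "force_password_reset", "revoke_tenant_tokens"]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(log: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def build_baseline(events: list[dict]) -> dict[str, set[str]]:
    """Countries each user has successfully signed in from during the history window."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    return baseline


def correlate(new_events: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """SIEM layer: raise an alert when a sign-in does not fit the user's own pattern.

    A user with no history at all is flagged at low severity rather than
    silently passed, so a brand-new account cannot bypass the check.
    """
    alerts = []
    for e in new_events:
        known = baseline.get(e["user"])
        if known is None:
            alerts.append({"user": e["user"], "time": e["time"],
                           "reason": "no_baseline", "severity": "low"})
        elif e["country"] not in known:
            alerts.append({"user": e["user"], "time": e["time"],
                           "reason": "unusual_geography", "severity": "high",
                           "observed": e["country"], "expected": sorted(known)})
    return alerts


def respond(alert: dict, click_time: str, staffed: bool,
            triage_minutes: int = 5, step_minutes: int = 1) -> dict:
    """SOC and MDR layers: a human confirms the alert, then the playbook runs.

    Returns an audit trail and the minutes from the phishing click to the last
    containment step, or None when nobody is staffed to acknowledge the alert.
    The durations are assumptions chosen to match the scenario's 22 minutes.
    """
    if not staffed:
        return {"trail": ["alert queued, never acknowledged"], "elapsed_minutes": None}
    t = parse_time(alert["time"]) + timedelta(minutes=triage_minutes)
    trail = [f"{t:%H:%M} analyst called user, phishing confirmed"]
    for step in PLAYBOOK:
        t += timedelta(minutes=step_minutes)
        trail.append(f"{t:%H:%M} {step}")
    elapsed = int((t - parse_time(click_time)).total_seconds() // 60)
    return {"trail": trail, "elapsed_minutes": elapsed}


def run_scenario(staffed: bool = True) -> dict:
    """End to end: baseline, correlation, then staffed or unstaffed response."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    alerts = correlate(parse_events(NEW_EVENTS_LOG), baseline)
    high = [a for a in alerts if a["severity"] == "high"]
    return {"alerts": alerts, "response": respond(high[0], PHISH_CLICK_TIME, staffed)}


if __name__ == "__main__":
    print(json.dumps(run_scenario(staffed=True), indent=2))   # elapsed_minutes: 22
    print(json.dumps(run_scenario(staffed=False), indent=2))  # elapsed_minutes: null
```

Two design points carry over to a real deployment. First, the correlation key is the user's own history rather than a global allowlist of countries, which is what lets the same rule stay quiet for the colleague's ordinary sign-in while firing on the phished account. Second, `elapsed_minutes` is `None` rather than a large number in the unstaffed case, because an alert nobody acknowledges has no response time at all; that is the "alert-only stack" the text contrasts with a monitored one.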

What does "managed" actually mean in MDR?

The most important word in MDR is "managed," and it is the most abused. A "managed" detection product is not the same as a managed service. The carrier-defensible test for "managed" is roughly:

If the offering is "we send you an email when our platform fires an alert," that is a notification service rather than a managed service. Underwriters and forensics teams have learned to ask the difference. CISA's #StopRansomware guidance reinforces the case for active monitoring and rapid response, not just deployment (CISA, #StopRansomware Guide).

For the broader MFA control that pairs with this detection-and-response stack, read What MFA does cyber insurance require in 2026? For the top denial mechanics where detection-and-response gaps are most visible after the fact, read Why do cyber insurance claims get denied?

Frequently asked questions

Is antivirus the same as EDR?

No. Antivirus blocks known malicious files based on signatures. Endpoint Detection and Response (EDR) records process activity, file changes, network connections, and user behavior on every endpoint and detects suspicious patterns based on behavior rather than signatures. Carriers in 2026 ask specifically about EDR coverage, not antivirus.

Do I need MDR if I have EDR?

Yes for cyber insurance defensibility purposes. EDR generates alerts, but only humans investigate them and respond. Managed Detection and Response (MDR) adds the 24/7 staffed Security Operations Center (SOC) that investigates EDR alerts, hunts threats across your environment, and responds. Most current carrier applications ask whether monitoring is staffed 24/7, not just whether software is deployed.

What does SIEM do that EDR does not?

SIEM (Security Information and Event Management) aggregates logs from across your environment (endpoints, identity providers, firewalls, cloud services, applications) into a central system that retains them and correlates events across sources. EDR sees one endpoint at a time. SIEM sees the whole environment over time. Both matter, and they answer different questions.

Get an MSP-delivered MDR stack in 30 days.

The Carrier-Ready Bundle combines EDR, SIEM, and a 24/7 SOC into one service line your underwriter can evaluate as a single answer. Schedule a free assessment.
