Detection & response

Dual-SIEM coverage with Wazuh for infrastructure and Microsoft Sentinel for cloud and endpoint. Sigma-tuned detections, compliance-mapped reporting, alert routing through n8n.

Generic managed services providers sell “cybersecurity protection” as a checkbox: an EDR agent on each endpoint, a phishing simulation every quarter, a generic compliance dashboard that everybody gets and nobody reads. That is a starting point, not a security practice. Detection and response at 4th Octet is run on the assumption that signature-based tooling will miss things, that compliance dashboards are a byproduct, not a goal, and that the difference between an incident and a breach is usually thirty minutes of decision-making by a competent engineer.

We do that work with a deliberately layered stack: open-source SIEM where engineering depth pays off, Microsoft-native SIEM where identity and email are the attack surface, and a tuning practice that treats the detection ruleset as living code, not vendor-stock content.

What you get

Detection and response as a continuous practice, not an annual audit:

  • Dual SIEM coverage: Wazuh for infrastructure, file-integrity monitoring, vulnerability detection, and CIS compliance; Microsoft Sentinel for M365, Entra ID, Defender, and cloud workload signals. The two tiers correlate; the same incident gets seen from both sides.
  • Suricata IDS at network egress points where it is operationally feasible, with rules tuned to the actual traffic profile of your environment instead of generic Emerging Threats sets that fire on noise.
  • Sigma rule library as the canonical detection format. Vendor-neutral, version-controlled in git, peer-reviewed before promotion. New CISA advisories or vendor-disclosed CVEs get converted into Sigma rules and deployed across both SIEMs through the same pipeline.
  • EDR through Microsoft Defender for Endpoint P2 as the Core baseline, with SentinelOne or ThreatLocker available as add-ons for environments that need the additional ring of behavioral containment.
  • Email security through Microsoft Defender for Office 365, layered with Ironscales for AI-assisted phishing detection and security awareness training that does not feel like a punishment.
  • Alert routing through n8n workflows that deduplicate noise, enrich alerts with context from the asset inventory and identity store, and route by severity into the right channel: HaloPSA for ticketed work, Teams for collaboration on active incidents, direct page to on-call for P1s.
  • Incident response playbooks documented and exercised before they are needed. We do tabletop exercises during onboarding so the first time we run the playbook together is not the first time it actually matters.
  • Compliance-mapped quarterly reporting that ties detections, response actions, and posture metrics back to PCI-DSS, HIPAA, NIST 800-53, CIS Controls v8, or SOC 2 Common Criteria depending on what your business is held to.
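The deduplicate, enrich and route-by-severity steps described for the alert pipeline above, written out as an added Python example (this is illustrative code, not 4th Octet's n8n workflow or anything from the page). The asset inventory, identity store, channel names, dedup window and sample alerts are all constructed for the example; a real deployment would read those from its inventory and IdP and push to HaloPSA, Teams or the paging system instead of returning a list.

```python
"""Added example: dedup -> enrich -> severity-based routing for SIEM alerts.

Not the page's or 4th Octet's code. Lookup tables, channel names and
sample alerts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-ins for the asset inventory and identity store.
ASSETS = {
    "fs01": {"owner": "finance", "criticality": "high"},
    "lab-vm3": {"owner": "eng", "criticality": "low"},
}
IDENTITIES = {
    "jdoe": {"role": "domain-admin", "mfa": True},
    "svc-backup": {"role": "service", "mfa": False},
}

# Severity-to-channel map (assumed names): P1 pages on-call with no
# business-hours filter; P2 goes to the incident channel; the rest are ticketed.
ROUTES = {
    "P1": "page-oncall",
    "P2": "teams-incident",
    "P3": "halopsa-ticket",
    "P4": "halopsa-ticket",
}
SEVERITY_ORDER = ["P4", "P3", "P2", "P1"]

# Repeats of the same (rule, host, user) inside this window are suppressed.
DEDUP_WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    severity: str
    ts: datetime
    context: dict = field(default_factory=dict)


def dedup_key(alert: Alert) -> tuple:
    """Identity of an alert for noise suppression: same rule, host and user."""
    return (alert.rule, alert.host, alert.user)


def escalate(severity: str) -> str:
    """Raise severity one step (P3 -> P2); P1 stays P1."""
    idx = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def enrich(alert: Alert) -> Alert:
    """Attach asset and identity context; escalate when either is sensitive."""
    asset = ASSETS.get(alert.host, {"owner": "unknown", "criticality": "unknown"})
    ident = IDENTITIES.get(alert.user, {"role": "unknown", "mfa": None})
    alert.context["asset"] = asset
    alert.context["identity"] = ident
    if asset["criticality"] == "high" or ident["role"] == "domain-admin":
        alert.severity = escalate(alert.severity)
    return alert


def route(alerts: list) -> tuple:
    """Return ([(channel, alert), ...], suppressed_count) in timestamp order."""
    last_seen = {}
    deliveries = []
    suppressed = 0
    for alert in sorted(alerts, key=lambda a: a.ts):
        key = dedup_key(alert)
        if key in last_seen and alert.ts - last_seen[key] < DEDUP_WINDOW:
            suppressed += 1          # duplicate inside the window: drop it
            continue
        last_seen[key] = alert.ts
        enrich(alert)
        channel = ROUTES.get(alert.severity, "halopsa-ticket")  # unknown -> triage ticket
        deliveries.append((channel, alert))
    return deliveries, suppressed


def sample_alerts() -> list:
    """Constructed sample batch: a repeating low-severity rule and one admin login."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    return [
        Alert("brute_force_ssh", "lab-vm3", "svc-backup", "P3", t0),
        Alert("brute_force_ssh", "lab-vm3", "svc-backup", "P3", t0 + timedelta(minutes=5)),
        Alert("new_admin_login", "fs01", "jdoe", "P2", t0 + timedelta(minutes=10)),
        Alert("brute_force_ssh", "lab-vm3", "svc-backup", "P3", t0 + timedelta(minutes=40)),
    ]


if __name__ == "__main__":
    delivered, dropped = route(sample_alerts())
    for channel, a in delivered:
        print(f"{a.ts:%H:%M} {a.severity} {a.rule} on {a.host} -> {channel}")
    print(f"suppressed duplicates: {dropped}")
```

The enrichment step is where the severity decision actually happens: the admin login arrives as P2 but lands on the pager because the identity store says the account is a domain admin, while the repeated SSH brute-force on a low-criticality lab host is ticketed once and then suppressed until the window expires.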

How we engage

The Core managed services package includes detection-and-response as a baseline: Wazuh agents, Sentinel pipeline, Defender for Endpoint P2 for endpoints covered under M365 Business Premium or higher, Ironscales for email and SAT, alert routing through our on-call. The Core monthly fee covers all of that.

Several add-ons extend the practice for organizations with deeper exposure:

  • Security+ Bundle: SentinelOne plus ThreatLocker for behavioral EDR and application allow-listing on a defined endpoint set.
  • E5 Security Upgrade: full Microsoft Defender P2 + Sentinel + Entra ID P2 stack, consolidating tools we would otherwise have to license separately.
  • Expanded vulnerability management: monthly Greenbone scans against your external perimeter, with compliance-mapped reporting and remediation tracking.
  • vCISO retainer: see our security and architecture advisory practice for the ongoing strategic version of this work.

Detection-and-response is also available as a standalone engagement for organizations that already have an MSP they like but want a dedicated security practice. Pricing on that path runs through /quote/ because scope varies materially by environment size and existing tooling.

The stack, named

Layer | Tool | Why this one
Infrastructure SIEM | Wazuh | Open-source, self-hosted, mature; deep FIM and vulnerability-detection capabilities; ships with compliance rule mappings
Cloud + identity SIEM | Microsoft Sentinel | Native integration with M365, Entra ID, Defender; KQL is the right query language for that data
Network IDS | Suricata | Open-source, mature, signature- and protocol-aware; we tune the rulesets rather than running stock ET
Detection format | Sigma | Vendor-neutral, version-controlled, peer-reviewed; converts to Splunk, Sentinel KQL, and Elastic DSL as needed
Endpoint baseline | Microsoft Defender P2 | Included via M365 Business Premium; integrates natively with Sentinel and Entra
Endpoint premium | SentinelOne | Behavioral detection where Defender P2 is not enough; offered as an add-on
Application control | ThreatLocker | Zero-trust app allow-listing where the compliance posture demands it
Email security | Microsoft Defender for O365 + Ironscales | Native ATP plus AI-assisted phishing detection layered on top
Awareness training | Ironscales | Phishing simulation and training as one product, with metrics that map to risk reduction
Vulnerability scanning | Greenbone Community Edition | Open-source, capable, no per-asset licensing
Alert orchestration | n8n | Deduplication, enrichment, severity-based routing

Where this fits

Detection and response is the practice where our self-hosted, dual-layered approach pays off the most clearly. Most providers in our market segment resell one SaaS SIEM and call it good. The dual-tier approach with Wazuh and Sentinel costs us more engineering hours to operate, but the coverage difference is meaningful: infrastructure signals that never reach a cloud-only SIEM, identity signals that never reach a self-hosted-only SIEM, and correlation between the two when both fire.

The detection-and-response practice is also where the observability and platform practice becomes load-bearing. Our SIEM tier is dashboarded in the same Grafana your operations team uses. The alerting pipeline is the same n8n pipeline that handles the rest of your environment. If you ever want to see how a detection actually fired and what happened next, the trail is visible to you, in your tenant, without us in the room.

If you want a real review of your current detection posture, start a conversation.

Frequently asked

Is this MDR (24/7 SOC-as-a-service) or MSP-led detection?
MSP-led detection with engineer-grade tuning, not a 24/7 SOC. Alerts route into our on-call rotation with severity-based escalation. For organizations that need true round-the-clock human eyes on a SOC console, we partner with vetted MDR providers and act as the integration layer. We are honest about what two-person on-call coverage looks like; we do not market it as a SOC.
We already have a SIEM (Splunk, Microsoft Sentinel, Sumo Logic). Will you work with it?
Yes. We can read from existing SIEMs, write detections in their query languages, and operate the tuning practice without forcing a migration. The Wazuh layer is our default for clients with no SIEM in place; it is not a requirement.
How fast do you respond to high-severity alerts?
P1 alerts (active intrusion indicators, confirmed credential compromise, ransomware indicators) page our on-call directly with no business-hours filter. Typical commitments are acknowledgement within 15 minutes and active engineer response within 30, with the specific numbers nailed down in your MSA. Lower severities follow business-hours routing with documented SLAs in the same MSA. The 24/7 detection pipeline runs whether or not we are awake; the question the SLA answers is how fast we engage after it fires.
Which compliance frameworks does the practice map to?
We map detections and reporting templates to PCI-DSS, HIPAA, NIST 800-53, CIS Controls v8, and SOC 2 Common Criteria. Wazuh ships with the underlying rule mappings; we extend them with client-specific rules where the standard mappings have gaps. For regulated clients we deliver framework-specific quarterly reports.

Let's talk

Want to dig into detection & response?

Your first call is with an engineer, not a salesperson. Short, candid, free.

  • We reply within one business day.
  • Principal engineer on the call, not a sales rep.
  • No pitch deck. Just questions and answers.
