Although cyber security companies have been trying to automate their managed detection and response (MDR) services to increase efficiency and reduce time-to-respond, there are downsides to taking control away from people completely.
Gartner’s new Market Guide for Managed Detection and Response – which names Quorum Cyber as an MDR service vendor and mentions its acquisition of Difenda – explains why human-led MDR is the future of cyber security.
The market analyst defines MDR services as “those that provide customers with remotely delivered security operations centre (SOC) functions”.
Gartner recommends that buyers:
- Leverage MDR services to gain 24/7, remotely delivered, human-led security operations – especially if the organisation lacks an internal SOC team. MDR is also valuable for accelerating or enhancing existing security operations capabilities.
- Evaluate MDR providers against business-driven requirements through requests for proposals (RFPs) and proofs of concept (POCs). Confirm that they meet critical needs such as data residency, and ensure they deliver actionable insights – not just raw technical alerts with no added context.
- Assess the provider’s containment and incident-reporting approach to ensure seamless integration with the organisation’s processes. Define what actions the provider can take, aligning with business objectives, compliance obligations, and regulatory requirements.
- Maximise MDR value by preparing incident response workflows in advance and integrating ticketing or case-management systems. This alignment enables a coordinated, outcome-focused response that supports business resilience.
According to Gartner, 20% of findings from MDR providers today focus on, or cover details of, threat exposures. It predicts this will rise to 50% by 2028. Quorum Cyber’s range of MDR services is already threat-led and includes both global threat hunting and, should a cyber incident occur, containment – by our experienced Incident Response team – as standard.
The value of human-led MDR in the age of AI and automation
Modern human-led MDR services are built around context-rich, human-validated outputs. Every alert or finding is investigated and assessed by skilled analysts in the Security Operations Centre (SOC) team who understand not just the technology, but the potential impact of each threat on the business. By understanding the organisation’s operations and its systems, and what is business-as-usual, human-led MDR services bring together the contextual information needed to improve and validate threat detection.
Behind the scenes, MDR providers invest heavily in detection engineering – developing custom analytics, content, and rulesets – and applying threat intelligence from both internal research and trusted third-party sources. The result is a service that continuously adapts to new attack patterns and evolving threat actors. Quorum Cyber leads the way with this threat-led approach and shares a wealth of actionable information through its Threat Intelligence Community Group.
In its Market Guide, Gartner explains how successful MDR providers differentiate themselves through high-fidelity detection, rapid investigation, and decisive response, all underpinned by clear, human-interpretable reporting. The goal isn’t just to surface alerts, but to help organisations understand what matters most and how each incident relates to their unique business risks.
Gartner explains that as the market evolves, new entrants are positioning themselves as “AI-driven MDR” solutions. While automation and AI certainly enhance efficiency and scalability, the report maintains that true MDR remains human-led – powered by analysts who engage daily with real-world customer data and apply professional expertise in threat monitoring and incident response.
Human interpretation and judgement remain unrivalled
Automation can accelerate workflows and eliminate repetitive tasks, but it cannot yet replicate human judgement – the creativity, intuition, and contextual understanding that security teams rely on to stay ahead of sophisticated adversaries. As Gartner notes, “There will never be an autonomous SOC.” Instead, emerging AI capabilities should be viewed as an enhancement, not a replacement, for human-led detection and response.
Organisations should understand exactly what parts of an MDR service are machine-driven versus analyst-led, ensuring they get meaningful insights rather than automated noise. As technology continues to advance, MDR providers that fail to evolve their detection and exposure management capabilities may quickly fall behind more adaptive, technology-enabled competitors.
Ultimately, the balance between machine intelligence and human intelligence will define the future of MDR. Automation and AI will extend the reach and efficiency of analysts – but it is human expertise that will continue to interpret complex threat landscapes, answer critical questions like “What does this mean for our risk posture?”, and guide effective, business-aligned responses.
The future of MDR isn’t autonomous – it’s augmented. Human insight, enhanced by intelligent automation, will remain the cornerstone of truly effective cyber defence.
Delve deeper into the Gartner report
Visit our landing page to download Gartner’s Market Guide for Managed Detection and Response.
Quorum Cyber recognised in Gartner® MDR Market Guide
Discover why the 2025 Gartner® Market Guide for Managed Detection and Response (MDR) includes Quorum Cyber as a Representative Vendor. Access your complimentary report.
















