Managed Defender SOC

24/7 Managed Defender SOC - detect, contain, recover.

We monitor and respond to real threats across endpoints, email, identity and cloud - with rapid containment and monthly hardening that drives risk down over time.

Who our Managed Defender SOC services are built for

  • CEO/COO: Reduce disruption from real incidents – with a service that treats containment like an operational priority.
  • CIO/IT Director: 24/7 monitoring and response without building a SOC – and with reporting that proves progress.
  • Security lead: Threat hunting, triage and response – matched to the Microsoft estate you actually run.

Most organisations don’t fail on tools. They fail on execution.

Most teams already own Microsoft security capabilities. The difference between “we have Defender” and “we’re protected” is execution: 24/7 monitoring, consistent triage, and fast containment when an incident is real.

That execution has three parts:

1. Always‑on detection + response (not dashboards).

We manage Microsoft 365 Defender as a service – monitoring, investigating, and responding to incidents generated across the platform, with clear escalation and a consistent operating model.

2. Containment that stops spread.

When risk is high, containment actions (like isolating affected endpoints or disabling compromised access) are used to prevent wider impact while investigation continues.

3. Joined‑up visibility across the Microsoft estate (the piece most organisations lack).

Single‑source alerts miss the chain. Microsoft 365 Defender correlates signals across endpoints, identity, email and cloud apps – and Microsoft Sentinel extends that visibility when you need wider log sources and deeper correlation.

What’s included

A managed security operations centre (SOC) service that spots threats early, investigates fast, and helps you recover with minimal disruption. We combine Microsoft’s unified security stack (Defender XDR + Sentinel) with Wanstor’s analysts, triage, threat hunting and incident response to contain incidents before they become business-stopping events.

SOC L1 - Endpoint MDR (Microsoft Defender for Endpoint)

Continuous endpoint monitoring with rapid, human-led triage of Defender for Endpoint alerts.

SOC L2 - Business Premium MDR (Microsoft Defender for Endpoint + M365)

Monitoring extended to Microsoft 365 (email, OneDrive, SharePoint, Teams) alongside endpoint coverage.

SOC L3 - Full XDR (Email + Identity + Cloud Apps)

Unified detection across endpoints, Microsoft 365, identities and cloud apps through Defender XDR.

SOC L4 - Sentinel SIEM + XDR (Enterprise)

24/7 monitoring of all Microsoft XDR components plus external log sources through Microsoft Sentinel.

Our SOC tiers explained

| Component | SOC L1 (EDR) | SOC L2 (EDR + Business Premium) | SOC L3 (XDR) | SOC L4 (Sentinel) |
|---|---|---|---|---|
| Pick this if | You want 24/7 endpoint protection using existing Microsoft Defender licences. | You need integrated visibility across devices and Microsoft 365 without building an internal SOC. | You have E5 licences and want end-to-end visibility across the Microsoft estate. | You need comprehensive coverage across Microsoft and non-Microsoft systems with advanced analytics. |
| Platforms covered | Microsoft Defender for Endpoint | + Microsoft Defender for Office 365 | + Identity & Cloud Apps | + Sentinel + 3rd-party logs |
| Inheritance | – | Includes L1 | Includes L2 | Includes L1-L3 |
| High severity response (24/7) | Endpoint | Endpoint + email | XDR sources | All + Sentinel |
| Medium severity response (BH, business hours) | Endpoint | Endpoint + email | XDR sources | All + Sentinel |
| Dependencies | Defender access | Defender access | Defender access | Azure + Sentinel |
| Onboarding caveat | Configured services only | Configured services only | Configured services only | Configured services only |
| Exclusions | Licences excluded | Licences excluded | Licences excluded | Sentinel usage excluded |
| Licensing requirement | Microsoft Defender for Endpoint P1 | Microsoft Defender for Business | Microsoft M365 E5/E5 Security | Microsoft M365 E5 + Sentinel |

Service components and what each covers:

  • Endpoint hygiene: endpoint health review
  • Email security review: email policy review
  • Identity baseline: identity baseline review
  • Cloud Apps (CASB): risk & policy review
  • Sentinel operations: analytics & tuning
  • Automated deep scan
  • User verification
  • Containment – isolate device
  • Containment – disable user
  • Reporting (Power BI): incident & MTTR

How we start

Choose the service tier that matches your Microsoft estate and licensing (SOC L1 EDR → SOC L2 EDR+ → SOC L3 XDR → SOC L4 Sentinel), then we onboard and run it continuously through monitoring, triage, and response.

1. Confirm scope + tier fit
We agree what you want protected (endpoints, servers, Microsoft 365, identity, cloud apps and/or Sentinel log sources) and confirm the right SOC tier based on your current licensing.

2. Set up access + prerequisites
We establish the required delegated access to your Microsoft 365 Defender portal (and Azure/Sentinel where applicable) so we can configure and manage the service correctly.

3. Onboard + configure monitoring
We onboard in-scope devices and configure Defender so alerts and incidents are handled through an agreed, consistent operating process.

4. Go‑live: triage + containment
High‑severity incidents are handled as Priority 1 with rapid triage and investigation; larger‑scale incidents are escalated immediately and follow P1 communication (hourly updates) until resolved. Medium‑severity incidents are logged and handled during business hours.

5. Improve continuously (monthly service rhythm)
Each month we review endpoint health (agent/engine status), address devices with missing or outdated protection, make recommendations to reduce your exposure score, review security recommendations, and tune Attack Surface Reduction (ASR) rules and exclusions as needed – with reporting to show trends and progress.

Want 24/7 Managed Defender SOC - without building your own security team? Book a discovery.