The Forrester Wave™: Managed Detection And Response Services In Europe, Q3 2025 is live. It is our second evaluation of the MDR space focused on the European market, and looks a bit different from our 2023 wave as European customers place a greater emphasis on sovereignty, localization, speed, automation and resilience. While some MDR providers have adapted their frameworks and service delivery models to embed these, others offer only superficial adjustments. Buyers should cut through the marketing by asking vendors to demonstrate data processing, storage and access controls.
This research used 26 different criteria to evaluate 11 vendors: CrowdStrike, eSentire, NCC Group, ESET, WithSecure, Orange Cyberdefense, EY, Sophos, Accenture, Kudelski Security and Obrela.
What You Should Look For
Beyond standard needs such as faster detection and response, European CISOs also lean on their MDR providers to tackle tripartite pressures: complex regulation, economic volatility and agile threat actors. The market has moved beyond the point where XDR was considered a differentiator. European security leaders now also expect their MDR providers to enable operational resilience, as they lack the internal capability to deal with today’s region-specific APTs and to coordinate cross-border response efforts. As you compile a shortlist or consider a renewal:
Ensure your provider can meet ALL your sovereignty needs. Having data centers in the EU is hardly sufficient in today’s regulatory and geopolitical climate. Firms in regulated industries such as healthcare, finance and the public sector with strict sovereignty and localization requirements need to be especially vigilant. Avoid regulatory exposure by choosing an MDR provider that can demonstrate where data is processed, data pathways and access mechanisms, analyst locations and language capabilities, and how cross-border containment actions are carried out.
Carefully evaluate vendor AI claims as the panacea for all MDR problems. MDR vendors have positioned AI as the panacea for all that ails security, and while their use of AI does shorten incident timelines, there are nuances to be considered when evaluating an MDR vendor’s AI capabilities. Use our evaluation to determine what exactly a provider does with AI and how that is relevant (or not) to your organization’s needs. Favor vendors that can demonstrate how AI enables containment actions and configuration updates with appropriate human oversight.
See and test how detection, response, and forensics are integrated. Choose providers that are able to weave endpoint coverage data, threat intelligence and other telemetry into a useful tapestry of insights that inform your security strategy and reduce delays in containment and response. Test a provider’s ability to meet these objectives by asking them to walk you through a real incident, demonstrating how telemetry was collected, how quickly containment was executed and whether forensics required a separate handoff.
Forrester security and risk clients who have questions about the European MDR market can schedule a guidance session with me here