Mandiant / Google Security Operations
The gold standard for incident response — now backed by Google-scale security analytics
- Service: MDR
- Response: Contain threats
Best for
Enterprises facing advanced persistent threats and nation-state adversaries
Usually replaces
IR retainer-only relationship with no proactive monitoring
Check first
Premium pricing makes it inaccessible for SMBs and most mid-market organizations
Coverage
Covers
- Detection rules authored by analysts conducting 1,000+ incident response engagements annually
- Google Security Operations (Chronicle) SIEM with petabyte-scale analytics and sub-second search
- M-Trends annual threat intelligence report informing detection priorities
Pros and limits
Works well
- Unmatched incident response pedigree — the team that investigated SolarWinds, Colonial Pipeline, and countless nation-state campaigns
- Detection rules are continuously updated based on real-world breach investigations, not just threat feeds
- Google Security Operations (Chronicle) provides petabyte-scale data retention and sub-second search
Watch out for
- Onboarding takes 30-60 days, significantly longer than competitors offering sub-7-day deployment
- The Google acquisition has created some complexity around product naming and service boundaries
- Full value requires Google Security Operations (Chronicle) as the SIEM, which may not suit all environments
Pricing
- Billing model: Custom
- Minimum contract: 12 months
- Proof of concept: Available
- Onboarding: 30-60 days
Enterprise custom pricing based on environment size, data ingestion volume, and service tier. Mandiant MDR is premium-positioned reflecting the depth of threat intelligence and IR expertise included.
Connects with
- SIEM: Google Security Operations (Chronicle)
- EDR / Endpoint: CrowdStrike Falcon, SentinelOne, Microsoft Defender
- Cloud: GCP, AWS, Azure
- Other: Palo Alto Networks, Okta, Forescout, Gigamon
Questions
What is the difference between Mandiant MDR and Google Security Operations?
Google Security Operations (formerly Chronicle) is the cloud-native SIEM platform that provides log ingestion, correlation, and analytics at Google scale. Mandiant MDR is the managed detection and response service where Mandiant analysts monitor, investigate, and respond to threats 24/7 using Google Security Operations as the analytics backbone. Organizations can use Google Security Operations as a self-managed SIEM or add Mandiant MDR for the fully managed experience.
Does Mandiant MDR require replacing your existing EDR?
No. Mandiant MDR supports multi-vendor environments and integrates with CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint. Mandiant analysts can investigate and take response actions through your existing EDR agent without requiring a platform swap.
How much does Mandiant MDR cost?
Mandiant MDR uses custom enterprise pricing based on environment size, data ingestion volume, and service tier. It is premium-positioned and typically costs $20K-$50K/month for mid-market and $50K-$200K/month for large enterprises. Contact Mandiant for a specific quote.