Name: Global Partner Webinar: MDR for MSFT
Uploaded: 2026-02-05T15:56:04.222Z
Duration: 40 min 8 s
Description: Global Partner Webinar: MDR for MSFT

Transcript for "Global Partner Webinar: MDR for MSFT": Welcome to Rapid7's latest Global Partner Webinar. Today, we're going to be talking about MDR for Microsoft. My name is Connor Goldstein, and I'm joined by my colleague, Ryan Brady. In this session, we will be focusing on providing you the information you need to confidently tell our MDR for Microsoft story in the market and in the channel. And the best way is to apply this market and or this offer in the the market and the channel. So very excited. Really quickly before we jump in, I'll just quickly introduce myself. Again, my name is Connor Goldstein. I'm on the product marketing team here at Rapid7, focused specifically on our Managed Detection and Response service. And I will let my colleague, Ryan Brady, quickly introduce himself. Hi, everyone. My name is Ryan Brady, Senior Product Manager of Managed Services, focusing on MDR for Microsoft, as well as our threat hunting capabilities. Super. Thanks, Ryan. So, in terms of what we're going to talk about today, as I mentioned, we're gonna provide a good healthy overview of MDR for Microsoft. What it is, what it isn't, ensure that you all have the clarity and the confidence you need to talk about it. We're gonna talk about some of the key capabilities that we are releasing in tandem with this MDR for Microsoft launch. I'm gonna talk through the value proposition and messaging and really see talk about how we connect this offer to the outcomes that our customers are seeking in today's market. And then we're gonna talk about resources and how we're gonna help you all as our channel partners grow this offer in the marketplace as well. So without further ado, really excited to announce MDR for Microsoft. We officially launched this on January 21. So just a couple of weeks ago, we had made an initial announcement to the market towards the end of last quarter, indicating our partnership with Microsoft in bringing this to market. So really excited about that. One really high level takeaway, just as we intro this we'll get further into it, is that MBR for Microsoft is delivered through Rapid7's existing managed detection response services. So the offers that many of you may already be familiar with and be selling to some of your customers, Not a lot here is changing, but what we are enabling you to do is to more effectively position those offers and those services for your customers who are Microsoft centric or Microsoft first. So really helping our customers and your customers build unified expert led detection and response outcomes. Really quick, just as a level set, and I know many of you will be well familiar with the Microsoft ecosystem, perhaps well more than I am, but why don't we just do a level set of what we mean when we talk about Microsoft in the context of MDR at Rapid7. So, first thing to note here is that the Rapid7 Insight Agent, which is deployed as part of Rapid7's MDR service, is deployed to over 11,000,000 Windows devices. And that represents a very, very significant portion of our customer base, but that's also reflective of the broader global customer base, both ours, yours, and and just generally across global and enterprise ecosystems. That is to say, Microsoft is the backbone of productivity and security for a lot of organizations. The next key takeaway here is that a lot of these organizations are procuring that technology, their Microsoft security tooling, either through an E3 over an E5 license. So again, many of you will be familiar with these licenses. There are other options that are relevant here as well, but these are the primary ones that we really talk about in the context of MDR for Microsoft. And at a really high level, what E3 is, is it offers customers Microsoft's productivity tooling. So the tools that we all are familiar with and love, Outlook and Word and PowerPoint, you know, some of the more basic security functionalities. And then E5 is really an upgrade on this. Right? So it brings up productivity tooling, but it also brings some of those advanced security capabilities that Microsoft is well known for. So we can think of like Microsoft Defender for Endpoint P2, and Microsoft Defender for Entra ID, or Identity, or Cloud. And there's a handful of other Defender tools in there as well. But all of these are included in the E5 license, so that's really where we'll start to talk about what this offer does for those types of customers. We've got an image off on the right here again, given a quick compare and contrast of E3 versus E5. I'll invite you all to check out Microsoft licensing websites on your own time. But that for us is what's really relevant here. And the next thing that's really relevant here is that these E3 and E5 tools, Microsoft Defender and the tools that come with it, are responsible for generating a lot of security event data. Right? Attackers are really prominently looking at the endpoint, at identity, at openings in customers' cloud instances. And all these represent opportunities for attackers to capitalize on. And so the Defender data that comes out of these tools is really important to operationalize and build effective security operations around, because otherwise these threat actors and these malicious actors have an opportunity to capitalize on those factors and of course, perform things that we do not want them to do. So our goal in essence here, and the goal of the launch of MDR for Microsoft, is to help these customers of e three and e five better operationalize that Microsoft Defender data and to provide expert SOC coverage of their Microsoft environments. So, in terms of the challenges that customers are facing, and some of these are Microsoft specific, many of them are not. The other thing that I would say about these is that they're not all new, right? Some of them have grown or become more prominent in the past couple of years, but I'm gonna talk through just six quick problems that customers are facing today, that I know folks on this call will hear about quite regularly and that we hear about from customers as well. So, first is the shortage of expertise and resources. So it's very difficult for a security operations team to have the resources allocated to hire new headcount, or to bring in the skill sets that are necessary to build an effective detection and response program. Second, and exacerbated by that lack of expertise, is the number of missed alerts and fatigue that are coming from high volume signals. So, I mentioned those Defender tools are generating a lot of security event data. It's very difficult for shorthanded teams to effectively respond to that alert data and to triage it, investigate it, and build response outcomes. Next is the growing pressure for security leaders to demonstrate security outcomes. So we know that security leaders are being asked to do more with less. Boards, executive teams, the C suite are all looking to CISOs to understand how their investments are building resilience, how they're building outcomes for the organization and for the security operations team. Next big challenge here that we're aiming to solve in 2026 is limited visibility and proactive risk management. So a lot of MDR services and security operations teams have difficulty understanding where the most prominent and most likely attack paths exist. And so there's a big gap for customers in identifying where those risks exist in their specific environment. And so at Rapid7, and we'll talk a little bit more about this, we do a lot to help customers better understand their attack surface so that they can start to root out threats before they actually happen. And then these last two are a little bit more specific to Microsoft, at least for the purposes of this presentation, but are reflective of security operations struggles across the board, is the underutilization of that E5 secondurity data. So customer may have purchased E5, but not really had the chance or not have the resources or the time to build a DNR program around that data. And so effectively, starts to become a little bit of shelfware, which is something that we're really aiming to help solve for customers. And then lastly, the unpredictable cost and operational complexity that can come with turning your security event data into an effective DNR program. And I say this particularly in the lens of SIEM technology, which, you know, a lot of third party SIM providers have usage based pricing models, which means that on a particularly busy month, either within your organization or outside of it, your data ingestion costs could balloon up and cause customers' budgets to really be unpredictable and hard to plan for. And so that's another big challenge that as customers are looking to build their security operations team and bring in or tune a SIEM technology, they need to be very cognizant of those costs. That's just some of the challenges that customers are facing in 2026 that we're going to help them alleviate. So what is MDR for Microsoft? The first thing that I really want to emphasize when we talk about MDR for Microsoft, and I mentioned this earlier on, is that it is a solution that is delivered through our existing MDR or Managed Threat Complete service. So again, many of you may be familiar with how our Managed Threat Complete service works, but I'll quickly talk through how this kind of architecture slide actually plays out for customers. So, first and foremost is the bottom third of the slide, where we see that there's Microsoft telemetry, there's Rapid7's native telemetry, and then there's third party telemetry. All of these data sources can be brought into the Rapid7 SIEM InsightIDR on an unlimited basis. And so what that means is a customer who is Microsoft first or Microsoft centric, they can bring their Microsoft Defender data to us. We can ingest it into our SIEM on an unlimited basis. No concerns about costs. And we can collect and correlate it alongside Rapid7's native telemetry, and if applicable to this specific customer, their third party telemetry. So what that really helps do is give customers and our detection and response service a really comprehensive view of the customer attack surface. So again, for Microsoft first or Microsoft centric, this is really great, but we're not missing out on those other sources of data. We're actually collecting and correlating all of them. And then in the middle layer of the slide, we can see from a technology perspective and from a SIEM perspective, what we're capable of offering customers. Again, this is reflective of our existing service. So it comes with thirteen months data retention standard. It comes with unlimited SOAR, which enables our response workflows for rapid containment. Enterprise VRM, I talked about, you know, proactivity and risk awareness earlier. Rapid7 is a leader in the exposure management space, and we fold some of that capability into the service here. So our SOC is more risk aware and able to preempt attacks in customer environments. Velociraptor DFIR for, you know, our best in class open source digital forensics tooling that is available and used by RSOC, but also available to customers to use for their own endpoint analysis. Our AI SOC capabilities for enhanced alert triage and for pre investigative context gathering. And then ransomware prevention for stronger endpoint protection in business continuity for protecting from those ransomware threats. And then on top of this, is all the Rapid7 MDR experience that we deliver to customers today through our Matters Threat Complete offering. So our 24 by seven SOC distributed across five international locations unlimited instant response, which means our team does not sleep until incidents are fully resolved in customer environments Expert Cybersecurity Advisor, which means that our customers get regular touch points with an expert technical guide to help them strategically grow their security program. Proactive Threat Hunting, which is rooted in what we see from customer environments, but also what we see from a Rapid7 research perspective and an emergent threat response perspective. So folding all of those capabilities in to go into customer environments and proactively threat hunt. Active response and remediation for stopping attacks in their tracks. And then Breach Protection Warranty for real skin in the game. So, you know, no real strings attached here, but offering customers that financial backstop in the worst case scenario. So, really, all the things that we deliver through our Managed Threat Complete service, we're now positioning them to to more effectively speak to a Microsoft first from Microsoft centric customer. The other thing that I wanna highlight here in terms of what MDAR for Microsoft is not, is that it's not a separate service, it's not a separate package, it's not a separate SKU, and it does not have dedicated pricing. And so what that means is, if you are already selling Rapid7 MDR and Manage Threat Complete today, you can still sell this the same way that you do. Right? There's no difference in how it's transacted. We're still selling entitlements to those third party tools in the same way, and there's no new pricing to learn or educate yourself on. So that's really great. The other thing I wanna call out in terms of what MDR for Microsoft is not, is that it is not management of Microsoft tooling on customers behalf. So the Rapid7 MDR service is delivered through our own proprietary technology on our own SIM technology. There's no tuning of Sentinel. There is no going into the Defender console from the Rapid7 perspective. All of it is managed from the Rapid7 toolset, which is a strong differentiator that we're really excited about. So with that all being said, I want to be conscious of time and pass it over to Ryan. Talk to us a little bit about how we're applying some really cool technical enhancements to this to help strengthen the story and bring this forward. Absolutely, Conor. Thank you so much. So, we're going to be going through first introducing our bi directional sync, which this is a core element of MDR from Microsoft. It's a sync between your Defender platform and Rapid7 SOC and SIEM. At Rapid7, we're trying to solve those customer problems that Conor so eloquently mentioned a few slides ago, but we strive to be true collaborative partners with our customers, increasing flexibility and reducing friction. We do this by building experiences that maximize investments apart from Rapid7 that make up customer security programs. In this case, we've started with Microsoft. Customers that have invested in Microsoft productivity, and more importantly, security tools, can stay in the Defender platform by enabling the bi directional sync. A major focus of ours is to reduce the complexity of needing to learn another platform, especially after investing in one already in training your staff. As MDR customers with Defender for Endpoint, you can enjoy having the visibility and transparency of our SOX actions without having to pivot outside of your Defender platform. So this will be enabled through partly through MDR, IDR SIM configuration, as you can see in the screenshot here on the slide, as well as some level of configuration in your Defender platform as well with supporting technical documentation is available in the near future. So going with it, it's not just the bidirectional syncing. As we ingest through a new method of Microsoft Defender sources, we want to bring the ability for additional evidence, empowering our analysts. This is evidence that allows analysts a fuller picture from the third party alert context. This also comes with a new additional evidence experience in our SIEM for our analysts, which enables more effective alert triage and investigations. Some of the things that will come from the MDE and the additional evidence from our MDE integration through the bidirectional syncing allows us to pull in process tree, impacted user agent info at time of alert, enrich your evidence in raw CIRCLE JSON format, providing that fuller picture, allowing our analysts to do their job effectively, as well as ensuring you have full visibility into our actions while staying conveniently in Defender platform. That is where we are. Cool. Thanks, Ryan. So I want to talk a little bit about what value is this driving for customers. And, you know, I think it really comes down to a couple of big things. The first and foremost is that we are driving preemptive MDR for our customers and helping do that within their Microsoft environment. And this is all circulating around the idea of helping them drive security operations excellence and resilience. And there's four key themes that we have put together here that ladder up into helping them do that. The first is helping customers preempt attacks before they start. So, by correlating their Microsoft Defender telemetry with real world vulnerability risk and Rapid7's native telemetry, our SOC surfaces the attack paths that matter most, and this helps cut dwell time, it shrinks blast radius, and it helps stop threats before they impact the business. The second is that we help customers respond with certainty. And it's not just alert handling. With our AI assisted expert led investigations, we can drive decisive containment and remediation. This is backed by the unlimited incident response that I mentioned earlier. And customers know and they get full confidence that threats will be fully eradicated and business continuity will be upheld. Third is that we help customers strengthen their resilience through true partnership. As I mentioned earlier, customers get a dedicated cybersecurity advisor and a global SOC that turn ongoing activity in their environment and across Defender technology into actual insight. And we help deliver recommendations, we help refine detections, we help harden their defenses so that over time they will build lasting security resilience. And then lastly, we help customers drive better outcomes from their Microsoft without overhead. So MDR for Microsoft helps them actually unlock more value from those investments that they have made in Microsoft Defender by helping them prioritize the real risk, by helping them drive decisive action, and helping deliver outcomes without added tooling. So now I'm just gonna talk through really quickly who MER for Microsoft is. And I think the really important thing to note here is there's a couple of different sweet spots and we'll see success in various areas. And in a couple of slides, we're also gonna talk about specifically how partners should be consuming this information, where they'll see the opportunities. But from a from a Rapid7 demographic and ICP targeting perspective, we're looking at a really global audience here. Right? As I mentioned earlier, Microsoft is the backbone of productivity and security globally. So it is quite a ubiquitous technology. But where we where we see success for Rapid7 is really in that kind of mid commercial to small enterprise space. And that is denoted here through, you know, the size of revenue and assets and team size that customers will have, as well as their security maturity. From an industry perspective, you know, in a lot of ways, we see organizations in like professional services and in manufacturing, in banking, and in retail and SLED, be very Microsoft forward. As opposed to maybe a SaaS company or a software company who might be more oriented in the Google ecosystem or the Mac ecosystem. In terms of triggers and goals, so the primary triggers that we're looking at here in order to identify a qualified buyer, The first is adoption or expansion of their Microsoft licensing. So, case in point is a customer who's on E3 today, maybe you as a partner have sold them that license, but now they're interested in E5 or you're helping them become interested in E5. That represents a ripe opportunity to attach an MDR for Microsoft offering. So we'll talk a little bit more about that in a moment. Second key trigger to call out here is escalating SIM costs. So we've talked quite a bit about how SIM, many SIMs have usage based pricing that can very quickly balloon budgets. So if a customer is starting to demonstrate friction with that model and it's becoming difficult for them to manage, that's another really big trigger here that they might be interested in MDR service that includes unlimited log injection for their Microsoft Defender tooling, as well as their other data as well. Third is for security teams overwhelmed by alert fatigue and lack of 20 fourseven coverage. So we talked about some of these challenges earlier on, so I won't go over the point too much, but for customers that we see enduring those challenges that we talked about earlier, those are really going to be the key triggers for MDR in general. And then for a Microsoft specific offer are those kind of two key points that I just mentioned a moment ago. In terms of buyer goals. So, as we know with security operations teams, buyer committees can get complicated fast. There's a lot to navigate in terms of CSO's office and CIO's office and the finance office. And and really nice here is that this offer, because of the ubiquitousness of Microsoft technology and and the role that those other teams do play in it, all have a stake in helping operationalize that Microsoft Defender security data. So from a CISO's perspective, if they've got E5 licensing in their hands and they need to find a way to build an effective detection and response program, Rapid7 represents the right opportunity for them to do that. And then, you know, the other buyer goal here that I would call out is seeking predictable MDR outcomes. So again, tying back to that challenge that we talked about earlier, being able to reduce noise, triage faster, and detect and respond incidents faster, all helps our CISO and security leaders translate their Microsoft Defender investments and the investments that their organization have made into preemptive MDR that is helping drive resilience and outcomes. So the next thing I want to touch on here is the comparison between MXCR, which is Managed Extended Detection and Response, and MDR from Microsoft. So for those familiar with Rapid7's MDR service prior to today, you'll know that we take a lot of pride in our ability to bring in third party security tooling and to provide stock monitoring of customers' environments and our third party tools, helping maximize those investments as well. And we do that through a model of third party security tool entitlements. So, say a customer comes to Rapid7 and purchases our highest subscription tier, Managed Threat Complete Ultimate, and that comes with a number of entitlements to bring their third party tools along with them. We can do that for tools across the board. So from CrowdStrike to SentinelOne to AWS GuardDuty to Okta Identity. What we're saying is different here is that instead of, you know, selling MTC Ultimate and selling entitlements to various third party tools, we're helping meet customers where they are in their Microsoft journey by saying that we know you're invested in Microsoft Defender. We have a very specialized MDR experience that would be appropriate for your environment and where you are in your security maturity journey. And the reason that this is really important to meet them where they are is buyers will have identified themselves as Microsoft first, right? So when they're just getting into the marketplace, they're coming to you as a partner to seek out a Microsoft specialized MDR service, Rapid7 comes directly into attention because there's a specialized service to meet them where they are. And so they start to view us as those specialists and you as partners will start to view us as those specialists who can deliver that MDR service that naturally attaches to your Microsoft first customers. Thirdly here is that sellers enter the conversation where the buyer already is. So again, by presenting MDR from Microsoft to your customers who are E3 or E5 centric, it allows you to better position an MDR service that's going to help meet them exactly where they are. And then lastly, mentioned this earlier, how we transact here doesn't affect how we position ourselves. So again, just because we are entitling Microsoft tools as opposed to other third party tools, the way that you transact that is exactly the same. So the moment you all have been waiting for, and that I've been eager to get to, which is what is the opportunity here for our partners? As there's three key themes here that I think are really important to highlight. The first is the ability for you as a Rapid7 partner to immediately add upsell value when you have a Microsoft centric customer. And I've mentioned this a couple times already. I think the most low hanging fruit obvious kind of example here is customer who is now on E3, either is considering or being required to move up to an E5, they're gonna get a whole lot new Defender data kind of thrown onto their plate to start to operationalize and have to build a security operations program around. And for you, as a partner, that's a really natural opportunity to say, 'Okay, you're moving up in your E5 license. We have an MDR service that can help you build the detection and response programs that we know you're responsible for delivering.' And I think what this really helps you all do as a partner and as a reseller, is not only, you know, make more money and have commercial success in doing that upsell, But it presents you as a strategic advisor to that customer. Right? It makes it clear that, you know, when they're on their Microsoft journey and they're moving through from E3 to E5 and to operational E5 and whatever comes next after that, that they see you and are working hand in hand with you to to make the most of those investments and and be there as strategic partners and advisors to them. The second here is reducing friction. So, for your customers, the service runs through the Defender tools that they're already using. So they don't need to necessarily get involved with or invest in setting up Microsoft Sentinel, which all things considered is a tremendous SIEM technology. It is extremely strong and powerful. The reality, and this ties back to why we're targeting that kind of mid commercial to small enterprise, is that it's not a realistic uptake for for a lot of security operations teams. And so what we're we're suggesting here is that we can help those customers who are moving on to Microsoft Defender and expanding their Defender footprint, operationalize it without some of the complexity and the cost that comes with with that, you know, adopting another SIEM technology. And then third, tied up to the idea of, you know, having upsell value and being a strategic advisor that's there for their Microsoft journey, is driving incremental revenue with your relationship there. So, really simple and straightforward attach motion from an E3 to E5 perspective. Likewise, for some of the triggers that I've already mentioned, in terms of SIM complexity or SIM friction around cost deployment, it's a really good opportunity for you as resellers to drive that incremental revenue. So, how can we qualify your customers? What are some of the discovery questions that we find are most useful to help do this? And, I'll talk through these quick. This is a great resource that is available to you all, that I'll talk about in the next few slides. But, you know, first and foremost, from a discovery perspective. Customer. How many active Microsoft e three e five licenses are you working with? How important generally is Microsoft to your to your security strategy? And what this will help you do is confirm the volume and their reliance on the technology. It will help you understand what the direction of travel is for their their Microsoft journey. It'll also help you identify if they're using other technology in their stack. And that's an opportunity and a kind of a sweet spot for Rapid7 MDR for Microsoft, because we still do bring in the capability of building a detection response program around their third party technology alongside their Microsoft technology. The second key question here for discovery is is how widely do you deploy Microsoft Defender across vectors? So across endpoint identity, office, which we think of as our our email vector, cloud and cloud apps. How actively are they being monitored today? In in a point, are you effectively building security operations with this with this data? Or is there is there a bridge a gap to bridge here with with a DNR program? So by helping take that telemetry and present Rapid7MVR from Microsoft as the solution to to help do that. Third discovery question to call out here is is what SIEM are you currently using? You know, don't have the exact percentage off the top of my head, but I think in most cases we'll hear Sentinel or not, as opposed to other third parties. And what this question is really intended to do is help get at how comfortable customers are with the pricing model, with the technology itself, deploying it, managing it, tuning it. Because again, as we've mentioned, that can be a very complex undertaking. And what this will do is help surface the pain that they're currently experiencing. And as we mentioned with Rapid7 and our SIEM technology, it matches really well with some of the common pain points with those SIEMs. And then lastly, in terms of discovery is, can you describe your organization in terms of size, industry, regulatory compliance requirements, and the main security points you're dealing with today? So again, you could suss out a lot from the answers to these questions, whether they're Microsoft or not. But what it can help you identify and get the muscle grown for is identifying segments of the market that are really ripe for Rapid7 MDR generally, but also those who are really focused on Microsoft. So really exciting. Thank you all. And I'll use this moment just to start to say poke your questions into the chat. We'll have folks live to help address those and ensure that you're getting all the answers that you need for anything Ryan or I may have missed. I'll say mostly that I may have missed. But really exciting here are some additional materials that are available to you all in the Rapid7 partner portal. So these are great for not only sharing with your customers and starting to engage in those conversations with customers, but also to educate yourself further on anything that I might've touched on today. And to ensure that you're feeling sharp, clear, and confident on the MDR for Microsoft story. If you have any questions about enablement or you need support, getting access, anything like that, you can chat with your account manager or you can email partnersrapid7 dot com. But again, plenty of resources available for you here in the partner portal. And then as always, want to ensure that before we go, we talk a moment to talk about the Rapid7 PACT Partner Program and all the resources that are available as part of that. Really exciting that our partner team does such a great job here And to support our partners, the Rapid7 Partner Portal has a plethora of tools and resources available to you to help you on your own packed program progression. So whether you are looking for sales and marketing tools, or you're looking to register deals, progress opportunities, check on renewals, the portal is your one stop shop for doing all of it. It also comes with access to formal partner academy training, certifications, and so on. So if you are not visiting the partner portal regularly today, I certainly encourage you all to do that because it's an excellent resource. You see some steps here to get started with that. You can go to partners.rapid7.com as a starting point. Again, won't go through all of these step by step here. I'm sure many of you are familiar, but if you are struggling to get access or get to any of the resources that we talked about, be sure to reach out to your channel account manager or check-in with partnersrapid7.com. And then lastly, so if you are looking to gain confidence, accelerate your profitability and really start to mature in your Rapid7 partner journey, there are a number of ways to help you do that. So you can get into our training certifications here. All the details on the slide that will give you access to new sales and services based revenue streams. You can get into sales and pre sales technical courses if you wanna get a better understanding of how Rapid7's offers work. And additionally, on that MDR from Microsoft, you can start to get a deeper understanding of the things we talked about today. And all the requirements below highlight how training and certifications feed into your your PAC partner tier status. So wealth wealth of resources available to you all here in terms of training and certs. And then last point on deal registration. We know that our ultimate goal here is to drive impact and business growth for everyone. As you identify opportunities for MDR for Microsoft or otherwise, do not forget to register your deals on the partner portal. It is quick, simple, easiest way to protect the deal and secure it for you and and your partner business, and is the easiest way to Gartner Gartner the the highest discounts available. Excuse me. So with that, I appreciate you all taking the time to join us today. Thank you to Ryan for joining and providing a great technical overview of some of the capabilities that we are delivering in tandem with MDR for Microsoft. You've got all the information here in order to access the things we talked about. And we will be sure to address your Q and A as soon as we possibly can. Thank you.