
CISOs Can Learn From Shakespeare

The MDR market direction is actually predictable.


“What’s past is prologue”—Shakespeare’s quote from “The Tempest”—means that history can shape the future. This quote foreshadows the state of the managed detection and response (MDR) market for 2025 based upon its evolution so far.

“How’s that?” you might ask. Well, even though the modern MDR market did not exist a decade ago, efforts in the cybersecurity industry over 10 years ago signaled an evolution toward detection-based strategies. FBI Director Robert Mueller critically warned in 2012, “There are only two types of companies—those that have been hacked and those that will be.” Similarly, NSA Director Keith Alexander proclaimed in 2012 that cyber espionage constituted the “greatest transfer of wealth in history.” These leaders revealed that hackers were already regularly intruding inside networks and causing havoc, and they called for change in the approach to cybersecurity.

The transition toward detection actually began well before 2012. In the early 2000s, intrusion detection systems (IDS) emerged, and the Department of Homeland Security first deployed the EINSTEIN IDS in 2004. By 2008, with the White House-promoted Comprehensive National Cybersecurity Initiative (CNCI), EINSTEIN was slated for governmentwide deployment. Hence, over a decade before today’s MDR market, detection strategies and technologies were already taking root.

One other anecdotal “what’s past is prologue” sign can be seen from the evolution of the NIST Cybersecurity Framework. Version 1.0, which was published in 2014, depicted a rather linear progression, whereas the more recent 2.0 version depicts a more continuous series of integrated steps.

The earlier version, at least visually, suggests an attack progression, with detection being a later-stage task. While the framework’s narrative dispels such a sequential approach, the comparative visuals clearly show an evolution in cybersecurity strategy in which detection is imperative at every stage of the strategy.

If a detection harbinger from more than a decade ago can be seen as predictive of the modern MDR market, another driver for the 2025 to 2026 MDR market will likely be the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). How? Similar to Mueller’s warning about the consequences of being unprepared against cyberattacks, the answer to the question lies in the underlying premise of CIRCIA: Preparedness in the modern fight requires attacked entities to report their serious incidents. Similarly, the 2023 Disclosure Rule from the Securities and Exchange Commission (SEC) requires publicly traded companies to report material cybersecurity incidents within four days. CIRCIA reporting requirements will affect a wider swath of companies. All told, detection will emerge as the critical feature in cybersecurity strategy because of the new reporting requirements.

CIRCIA directed the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security to issue regulations that compel reporting of cyberattack incidents across multiple industries. These new regulations must be published within 18 months of CISA’s notice of rulemaking, which was released April 4, 2024. Accordingly, by October 2025, a comprehensive set of reporting rules will roll out and will have a major impact upon a broader market than the current compliance landscape. Hence, what’s prologue in 2025 and beyond for the MDR market is already foreshadowed by the April rulemaking announcement.

In particular, CIRCIA only requires reporting for “substantial” cyber incidents. In general, the trigger for a CIRCIA report by a covered entity is that the cyberattack caused business or operational harm (although for supply chain or IT service provider incidents the reporting trigger is merely unauthorized access). Accordingly, to minimize CIRCIA reporting when it goes into effect, businesses will have an incentive to detect the attack and respond to remediate it before any harm is caused. Prompt detection and response is the very purpose of retaining an MDR service provider. Hence, CIRCIA and other aggressive incident reporting rules will be drivers of market growth in 2025 and beyond.

Just as the MDR market emerged to address the problems of large-scale attacks over a decade ago, the cybersecurity market will respond to legal requirements, with MDR vendors improving the speed of detection and response services and introducing other innovations that improve efficiency around CIRCIA compliance.

Finally, while demand for MDR solutions stands to grow in 2025, reticence around incident reporting cannot be downplayed, especially among chief information security officers (CISOs), who already experience high job stress from growing legal exposure. Legal innovations must accompany the tech improvements for the MDR sector to fully address CISO needs regarding cyberattack preparedness. An upcoming MDR market report will explore these concepts in greater detail.