Service deep-dive

Managed EDR. Real-time threat detection backed by a 24/7 SOC.

Bundled in every Peace Country Cyber tier starting at $95 per seat per month. Built on Huntress — used by thousands of small businesses across North America — and watched around the clock by their security operations centre on your behalf.

What managed EDR actually does

Traditional antivirus works by recognizing known-bad files. It has a giant catalogue of malware signatures and it scans every file that touches the disk. When the file matches a signature, the AV quarantines it. This model worked well in 2010. It is not enough in 2026.

Modern attacks do not look like files. They look like a legitimate Windows process running an unusual command. A scheduled task that creates itself at 2:14 AM. A Word document that spawns PowerShell which downloads a script which dumps credentials from memory and never writes anything to disk. There is no file for antivirus to scan. There is only behaviour.

Endpoint Detection and Response (EDR) is the answer to that. Instead of looking at files, it watches what every process on a computer is actually doing — what it spawns, what it talks to, what it reads, what it writes — and flags behaviour that matches known attack patterns. It records the full process tree, so when something goes wrong you can see the chain back to patient zero.

Managed EDR adds the missing piece: a human Security Operations Centre that watches the alerts so you do not have to. EDR without a SOC produces a wall of telemetry that nobody reads. EDR with a SOC produces escalations — only the things that actually need your attention, with the investigation already done.

What it catches that antivirus misses

A non-exhaustive list of the attacker behaviours managed EDR is built to detect. Every one of them has shown up at SMBs the size of your business, in industries like yours, in the past 24 months.

Fileless attacks

Modern attackers do not always drop a file. They run code in memory, abuse PowerShell, or hijack a legitimate Windows process. There is nothing for antivirus to scan — there is no file. EDR watches behaviour, not signatures, and flags the action itself.

LOLBin abuse

“Living off the land” binaries are tools already on your computer — PowerShell, certutil, regsvr32, MSHTA, BITSAdmin. Attackers chain them to avoid dropping anything new. The SOC has rules for hundreds of these patterns and one of them almost always trips.

Ransomware pre-staging

Human-operated ransomware rarely encrypts the moment it lands. It spends hours or days mapping the network, killing backup services, deleting shadow copies, disabling security tooling, and elevating privileges. EDR catches the staging (disabled services, suspicious account creation, mass enumeration) well before encryption begins, which is the window in which containment is still cheap.

Credential theft tooling

Mimikatz, LSASS dumping, DCSync, Kerberoasting: names you should not need to know, but exactly what attackers use to escalate from one compromised laptop to your file server. Antivirus often misses obfuscated or recompiled variants because it keys on the tool's file. EDR keys on what the tool does: a process reading LSASS memory, a directory replication request from a machine that is not a domain controller, an unusual burst of service-ticket requests. That behaviour does not change when the tool is renamed or repacked.
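The behaviours in the four sections above (an Office application spawning a shell, LOLBin command lines, shadow-copy deletion and service stops, an LSASS dump) reduce to rules over process-creation telemetry with the parent chain attached. What follows is an added example written for this page, not Huntress code and not the SOC's actual rule set: a small Python rule engine run over constructed Sysmon-style process-creation records. The field names, the regular expressions, the service-name list and the sample events are all assumptions for illustration.

```python
"""Added example: behavioural rules over process-creation telemetry.

Not Huntress code. Event fields, regexes, service names and the sample
events are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process-creation record (Sysmon event 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str      # executable file name only, lower-cased
    cmdline: str


def _r(pattern):
    return re.compile(pattern, re.IGNORECASE)


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# (rule name, images it applies to, command-line regex or None,
#  extra predicate over (proc, parent) or None). Illustrative, not exhaustive.
RULES = [
    ("Office application spawned a script host", SCRIPT_HOSTS, None,
     lambda p, parent: parent is not None and parent.image in OFFICE),
    ("Encoded PowerShell command line", {"powershell.exe", "pwsh.exe"},
     _r(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), None),
    ("certutil used as downloader or decoder", {"certutil.exe"},
     _r(r"-urlcache|-decode"), None),
    ("regsvr32 loading a remote scriptlet", {"regsvr32.exe"},
     _r(r"/i:https?://"), None),
    ("mshta running remote or inline script", {"mshta.exe"},
     _r(r"https?://|vbscript:|javascript:"), None),
    ("BITS used to fetch a payload", {"bitsadmin.exe"},
     _r(r"/transfer|/addfile"), None),
    ("Shadow copies deleted", {"vssadmin.exe", "wmic.exe"},
     _r(r"delete\s+shadows|shadowcopy\s+delete"), None),
    ("Backup or security service stopped", {"net.exe", "net1.exe", "sc.exe"},
     _r(r"\bstop\b.*(veeam|backup|mssql|defend|sense|sophos)"), None),
    ("Local account created", {"net.exe", "net1.exe"},
     _r(r"\buser\b.*\s/add\b"), None),
    ("Real-time protection disabled", {"powershell.exe", "pwsh.exe"},
     _r(r"Set-MpPreference.*-DisableRealtimeMonitoring"), None),
    ("LSASS memory dumped via comsvcs.dll", {"rundll32.exe"},
     _r(r"comsvcs\.dll.*minidump"), None),
]


def ancestry(procs, pid):
    """Walk parent links back to the root; return the image chain, root first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return list(reversed(chain))


def detect(events):
    """Return (rule_name, pid, ancestry) for every rule hit, in event order."""
    procs = {p.pid: p for p in events}
    hits = []
    for p in events:
        parent = procs.get(p.ppid)
        for name, images, pattern, extra in RULES:
            if p.image not in images:
                continue
            if pattern is not None and not pattern.search(p.cmdline):
                continue
            if extra is not None and not extra(p, parent):
                continue
            hits.append((name, p.pid, ancestry(procs, p.pid)))
    return hits


# Constructed sample: a macro document chain plus one benign scheduled script.
SAMPLE_EVENTS = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "outlook.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"'),
    Proc(300, 200, "winword.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\jdoe\\Downloads\\Invoice.docm"'),
    # base64 blob below is a constructed placeholder, not a real payload
    Proc(400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    Proc(500, 400, "rundll32.exe", "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Users\\Public\\ls.dmp full"),
    Proc(600, 400, "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    Proc(700, 600, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(800, 600, "net.exe", 'net stop "Veeam Backup Service" /y'),
    Proc(900, 1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    Proc(910, 900, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {' -> '.join(chain)}")
```

Two things worth noticing in the output: the scheduled inventory script (pid 910) produces no hit even though it is PowerShell with a bypassed execution policy, and every hit on the malicious chain carries the same ancestry back to the Word document, which is the "chain back to patient zero" the page describes. A real rule set is far larger and is tuned against the noise of a specific environment; this one exists to show the shape of the logic.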

Lateral movement

Once one machine is owned, the attacker pivots — RDP, PsExec, WMI, scheduled tasks, remote service installs. Each pivot leaves telemetry that looks normal on one endpoint and unmistakable when correlated across the fleet. The SOC sees the fleet.
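Per-endpoint telemetry becomes a lateral-movement alert only when it is correlated across hosts. As an added illustration for this page (not Huntress code; the event shape, thresholds, account names and sample log records are constructed), the Python below groups Windows 4624 network and RDP logons by account and source address and flags a fan-out to several hosts inside a short window, then ties each PsExec-style service install (event 7045 with service name PSEXESVC) back to the remote logon that preceded it on that host.

```python
"""Added example: cross-host correlation of remote logons and service installs.

Not Huntress code. Event fields, thresholds and the sample records are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str        # endpoint that reported the event
    event_id: int    # 4624 = successful logon, 7045 = service installed
    account: str
    source_ip: str   # for 4624: address the logon came from; empty otherwise
    detail: str      # 4624: logon type ("3" network, "10" RDP); 7045: service name


def fan_out(events, window=timedelta(minutes=15), threshold=3):
    """Flag (account, source_ip) pairs that logged on remotely to at least
    `threshold` distinct hosts within `window`. One alert per pair."""
    groups = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.detail in {"3", "10"}:
            groups[(e.account, e.source_ip)].append(e)
    alerts = []
    for (account, src), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            hosts = {x.host for x in evs[i:] if x.ts - first.ts <= window}
            if len(hosts) >= threshold:
                alerts.append((account, src, sorted(hosts)))
                break
    return alerts


def service_installs(events, lookback=timedelta(minutes=2)):
    """Pair each PSEXESVC install (7045) with the most recent remote logon by
    the same account on the same host, so the pivot's origin is attached."""
    logons = [e for e in events if e.event_id == 4624]
    out = []
    for e in events:
        if e.event_id != 7045 or not e.detail.upper().startswith("PSEXESVC"):
            continue
        origin = [l for l in logons
                  if l.host == e.host and l.account == e.account
                  and timedelta(0) <= e.ts - l.ts <= lookback]
        src = origin[-1].source_ip if origin else "unknown"
        out.append((e.host, e.account, src))
    return out


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: daytime admin activity, then a 2 AM pivot from one box.
SAMPLE_EVENTS = [
    Event(_t("2026-02-03T09:00:12"), "FS01", 4624, "CORP\\jdoe", "10.0.0.15", "3"),
    Event(_t("2026-02-03T09:30:40"), "APP01", 4624, "CORP\\itadmin", "10.0.0.9", "10"),
    Event(_t("2026-02-03T09:32:05"), "FS01", 4624, "CORP\\itadmin", "10.0.0.9", "10"),
    Event(_t("2026-02-04T02:10:03"), "FS01", 4624, "CORP\\svc_backup", "10.0.0.42", "3"),
    Event(_t("2026-02-04T02:10:09"), "FS01", 7045, "CORP\\svc_backup", "", "PSEXESVC"),
    Event(_t("2026-02-04T02:11:31"), "APP01", 4624, "CORP\\svc_backup", "10.0.0.42", "3"),
    Event(_t("2026-02-04T02:11:36"), "APP01", 7045, "CORP\\svc_backup", "", "PSEXESVC"),
    Event(_t("2026-02-04T02:13:20"), "HR-PC03", 4624, "CORP\\svc_backup", "10.0.0.42", "3"),
    Event(_t("2026-02-04T02:14:48"), "FIN-PC07", 4624, "CORP\\svc_backup", "10.0.0.42", "3"),
    Event(_t("2026-02-04T02:16:02"), "DC01", 4624, "CORP\\svc_backup", "10.0.0.42", "3"),
    Event(_t("2026-02-04T02:16:30"), "HR-PC03", 4624, "CORP\\hr.user", "10.0.0.77", "2"),
]


if __name__ == "__main__":
    for account, src, hosts in fan_out(SAMPLE_EVENTS):
        print(f"fan-out: {account} from {src} -> {', '.join(hosts)}")
    for host, account, src in service_installs(SAMPLE_EVENTS):
        print(f"PSEXESVC on {host} by {account}, origin {src}")
```

Seen from FS01 alone, the 02:10 logon by a backup service account is unremarkable; it is the same account touching five hosts in six minutes from one address, with service installs trailing each logon, that makes the pivot obvious. The threshold and window are tuning knobs: an environment with a legitimate management server that fans out on a schedule needs that source excluded or the window tightened.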

The SOC behind it

A Security Operations Centre is a room of trained analysts watching telemetry from thousands of small businesses. They see attack patterns play out across the fleet, which means a technique that is new to your business has very likely already been seen, and written a rule for, somewhere else first.

Triage every alert, 24/7

Huntress analysts are watching your tenant the same way overnight in May as they are at 2:00 PM in October. There is no “business hours” window where alerts queue up unread.

Investigate before they wake you

Most EDR alerts are noise — a developer running PowerShell, a sysadmin testing something, a software update that mimics suspicious behaviour. The SOC closes those without involving you. Real incidents are escalated to us, and to you, with the investigation already done.

Isolate hosts on confirmed compromise

When the SOC confirms a host is owned, they can sever its network access in seconds — quarantine the box, preserve forensics, prevent lateral movement — before the attacker has time to react.

Produce a clear after-action report

Every escalated incident comes with a written incident report: what happened, what was contained, what we recommend you do next. The report is something you can hand to your insurance broker or your board without translation.

Deployment

Lightweight agent on every endpoint and server. Push-deployed for managed Windows fleets via Intune or our RMM, manual install with a one-line PowerShell command otherwise. No reboot required.

Typical timeline
30-seat business: agents installed and verified in 1–2 business days. 5–10 seats often complete in an afternoon.
Supported platforms
Windows 10/11, Windows Server 2016 through 2025, macOS 12+, major Linux distributions. Servers and laptops both, no exceptions.
Performance footprint
Roughly 1% CPU steady-state, 80–150 MB RAM, no observable user impact. Users do not see pop-ups, alerts, or scan windows.
Existing antivirus
Huntress coexists with Microsoft Defender and most third-party AV. We typically run them in parallel during the first week, then retire whatever is being replaced once we are confident in coverage.
Microsoft 365 integration
Pairs with Conditional Access so that sign-ins flagged as risky are challenged or blocked. A confirmed host compromise can automatically revoke the user's M365 refresh tokens and sessions while the SOC works the incident. One caveat: access tokens already issued stay valid until they expire, typically within an hour, so the host isolation is what cuts the attacker off immediately and the session revocation closes the door behind it.

Pricing

Managed EDR is not sold standalone. It is bundled into every managed tier — because deploying EDR without M365 hardening, MFA enforcement, phishing simulation, and tested backup is a half-measure, and we are not in the half-measure business.

  • Cyber Essentials — $95/seat/mo. Managed EDR plus the security baseline, MFA, phishing simulation, M365 backup, and monthly reporting. Keep your existing IT provider.
  • Cyber Essentials + Managed IT — $175/seat/mo. Adds full IT helpdesk, patching, asset management, and quarterly business reviews. Most clients land here.
  • Cyber Premium — $275/seat/mo. Adds BCDR appliance, 90-minute SLA, vCISO, and tabletop exercises. For larger SMBs and regulated industries.
  • Per-server pricing matches per-seat. A Windows server is one “seat” in the EDR count. No surprise multipliers for protecting your file server.

Frequently asked questions

How is this different from Microsoft Defender?

Defender is the antivirus engine on every modern Windows box, and it is genuinely good at signature and heuristic detection of malicious files. Microsoft's own EDR, Defender for Endpoint, is a separate licence and still ships without anyone watching it. Managed EDR sits on top of the built-in Defender (or alongside it) and adds two things it does not give a small business: a 24/7 human SOC reviewing alerts, and behavioural detection tuned by analysts who watch thousands of small businesses get attacked every month. Defender catches the file. The SOC catches the attacker.

Do users notice anything?

No. There are no pop-ups, no slow-down on logins, no “scanning” banners. The first time most users find out the agent exists is when their laptop disappears from the network because the SOC isolated it during a real incident — and at that point they are very glad it was there.

What about Macs and servers?

Both are covered. Macs are increasingly targeted — particularly browser session theft and infostealer malware — and the agent runs natively on Apple Silicon and Intel. Windows servers, Linux servers, and Hyper-V hosts are also fully supported at the same per-endpoint price as a laptop.

Can we keep our current AV during deployment?

Yes, and we usually do. Huntress is designed to coexist with Defender, SentinelOne, CrowdStrike, Webroot, and most other AV. We run them in parallel during the cutover so there is never a gap in coverage. Once we confirm the new stack is healthy, the old AV gets uninstalled cleanly.

What happens if the SOC finds something at 3 AM?

Three things happen, in this order. First, if the threat is critical, the SOC isolates the affected host immediately to stop lateral movement. Second, we get paged and start working the incident — for Cyber Premium clients there is a 90-minute SLA on critical issues. Third, you get a call. By the time you hear about it, the immediate damage is contained and we already know what we are dealing with.

See managed EDR in the tier that fits.

Three tiers, published pricing, month-to-month after the first month. Or take the free Risk Report and we will tell you which tier likely fits.