Why is managed cyber defence critical to keeping your security promise?

The traditional security operations model was built for a different era. Today, owning security tools is easy, but being protected is harder. The gap becomes real when something goes wrong outside business hours, under pressure, and there is no one clearly accountable at the moment.

When an organisation invests in security monitoring, there is an implicit expectation: "Someone is watching. If something happens, it will be caught." This reflects the core promise of modern security operations — continuous oversight and timely response. In market terms, this promise is often associated with Managed Detection and Response (MDR): a service model designed not just to detect, but to take accountable action.

That expectation is reasonable. Yet, for many organisations, it’s not being consistently met. Not because of poor intent or lack of investment, but because the traditional model of security operations was designed for a different era. It cannot keep pace with complex, modern environments, emerging technologies, and evolving threats any longer, particularly when 24/7 security monitoring and rapid response capabilities are required.

The world has changed. Threat actors operate continuously, and response time now defines the difference between contained incidents and business disruption. At Zühlke, we believe it’s time for a different approach, one built for today and adaptable to the future as requirements evolve.

Here is a question worth asking: if it’s 3 am on a Sunday morning, and an alert fires in your environment, what happens next?

For many organisations, the honest answer is that it depends. It depends on how the alert is classified, on whether it crosses a severity threshold, and on the current staffing levels and shift patterns.

This is not a criticism of individual providers. It is simply a consequence of how the industry evolved. Security operations grew out of IT operations, which grew out of business-hours support and the implicit assumption that most alerts could wait. That assumption no longer holds.

The world has changed. The question is whether security operations have changed with it.

The fire department principle in cyber defence: assuming all threats are urgent

Consider how we think about fire protection. Most businesses do not build their own fire station, and they do not expect their facilities team to fight fires. Instead, they rely on specialists who do nothing else, professionals whose main job is to respond immediately when the alarm sounds, regardless of the time of the day.

We would never accept a fire service that triages calls by priority and promises to investigate "medium-severity smoke" within 8-24 hours. The very idea seems absurd, because we recognise how quickly a small incident can become a major one, where response time determines the outcome.

Yet, this is precisely how much of today’s cyber defence services still operate. Not because providers are negligent, but because the model evolved that way. Tiered response made sense when alerts were fewer, systems were simpler, and attackers were slower. Today, that model creates a gap between detection and action, and it is in that gap that breaches tend to happen. This is where MDR-style operating models are meant to help: closing the distance between “we saw something” and “we did something” immediately.

This is not a criticism of internal teams; many do excellent work. It is simply an acknowledgment that 24/7 security operations, just like fire response, demand dedicated capability and constant readiness. For many, that level of focus is difficult to sustain internally and is often best delivered by specialists.

What effective security operations look like in a managed cyber defence model

If the traditional model has limitations, then what does an effective alternative look like? Strong security operations are not defined by the number of tools in place, but by how quickly and consistently threats are turned into informed action. In practice, effective cyber defence comes down to a small number of characteristics that can be seen, tested, and trusted:

• Response to all alerts, not just critical ones. Attackers know which alerts are routinely deprioritised. Effective security treats every alert as potentially significant until proven otherwise.
• Speed measured in minutes, not hours. If an alert appears in the middle of the night, investigation should begin within minutes, not wait until the next business day.
• Transparency you can verify. Response times, actions taken, and outcomes should be visible in real time, not inferred from monthly summary reports.
• Deep understanding of your environment. Generic playbooks lead to generic results. Effective security requires genuine knowledge of your infrastructure and business context.
• Partnership, not just service delivery. Protection works best when there   is direct communication with people who know your systems, rather than tickets disappearing into a queue. 

We believe security is a promise, and it is one that should be kept.

We believe that when the alarm fires at 3 am, someone knowledgeable should be there and react. It means recognising that so-called "medium priority" alerts are often where serious attacks begin, and that no signal should sit un-investigated while attackers move on. It means applying the fire department principle to cyber defence, providing an immediate response, every time, by specialists.

If this reflects how you believe security should work, or where you want to take it next, let’s talk.