Shortlist fit
Lean IT or security teams that want an external team to monitor, investigate and help contain threats
Provider handles
Service can take or orchestrate containment actions within the approved scope.Check before buying
Choosing the MDR bundle, Concierge tier, add-ons, warranty eligibility and retention scopeAlso fits
- Mid-market organizations that want MDR plus posture reviews and audit support in one program
- Buyers that want a named advisory team, not just a rotating alert queue
- Organizations that can connect supported endpoint, identity, email, cloud and network sources
Can replace
- After-hours alert triage across supported telemetry sources
- Some host, identity, email and network containment workflows when Active Response is configured
- Entry-level SIEM monitoring and security posture review work for lean teams
Coverage
Provider covers
- 24/7 MDR across internal and external networks, endpoints and cloud environments
- Concierge Security Team as the customer's named point of contact for MDR operations
- Active Response integrations for host containment, user disablement, email deletion and blocking actions
Your team still owns
- Maintaining the endpoint, identity, email, cloud and network tools Arctic Wolf uses for telemetry and response
- Granting and testing Active Response permissions without overexposing privileged systems
- Remediation work outside configured Active Response, Managed Containment or incident-response scope
Tradeoffs
Works well
- Strong fit for lean teams that want MDR plus recurring security guidance
- Active Response gives buyers a clearer containment path than pure alert-and-advise services
- Broad public documentation makes integrations, permissions and response boundaries easier to verify
Watch out for
- Buyers need to verify exactly which bundle, Concierge tier and add-ons are included
- Active Response depends on supported tools, licenses, API permissions and customer configuration
- Public reviews and Reddit threads mention alert volume, pricing increases, communication gaps and mixed endpoint-security experiences
Reviews
Review synthesis
Reviews are generally strong for Arctic Wolf's 24/7 monitoring, Concierge Security Team, onboarding help, compliance reporting and broad visibility. The recurring cautions are cost, renewal increases, alert volume, dashboard or reporting limits, communication quality and uncertainty around newer Aurora endpoint products.Customers like
- Buyers value having a named team that learns the environment and helps interpret alerts
- Reviews often mention easier audit documentation, NIST support and security posture reviews
- Customers like that MDR can cover endpoint, cloud, network and SaaS telemetry rather than a single control
Watch out for
- Some buyers report noisy alerts, weak investigation detail or slow communication
- Reddit renewal threads raise concerns about price increases and perceived scope changes
- Aurora Endpoint Security feedback is mixed after the Cylance acquisition, so endpoint replacement should be tested separately
Pricing
- Price
- AWS Marketplace MDR Basic: $44K/year for up to 100 users
- Billing
- Per-user, Tiered, Custom
Questions to ask
- Which bundle and Concierge tier are in the quote, and what changes between Core, Plus and Total?
- Which Active Response actions can Arctic Wolf run in our EDR, identity, email, network and cloud tools?
- Are Aurora Endpoint Security, Managed Risk, Managed Security Awareness, warranty or Incident360 included or separate?
Integrations
- SIEM
- Arctic Wolf Aurora Platform
- Arctic Wolf Unified Portal
- EDR / Endpoint
- Aurora Endpoint Defense
- CrowdStrike Falcon
- Microsoft Defender for Endpoint
- SentinelOne Singularity Endpoint
- Carbon Black Cloud
- Cisco Secure Endpoint
- Sophos Central
- Tanium
- Cloud
- Microsoft 365
- Google Workspace
- Other
- Arctic Wolf Agent
- Arctic Wolf Sensors
- Microsoft Entra ID
- Okta
- Cisco Duo
- Mimecast
- Abnormal Security
- ITSM ticketing integrations
Editorial notes
Market position
Arctic Wolf is best read as MDR plus a broader security-operations platform, not just SOC alert forwarding. The named Concierge model and security touchpoints make it stronger for lean teams that want guided security operations, but MDR remains the core service label.
Response boundary
Arctic Wolf supports Managed Containment and Active Response across host, identity, email, network and URL surfaces. These actions depend on supported integrations, customer permissions, licensing and validation with the Concierge Security Team.
Bundle boundary
Arctic Wolf's public bundle terms separate Core, Plus and Total. Core centers on MDR, Plus adds Managed Risk, and Total adds Managed Security Awareness, JumpStart Retainer and warranty eligibility. Buyers should not assume every Arctic Wolf product is included in an MDR quote.
Endpoint change
Arctic Wolf closed its acquisition of BlackBerry's Cylance endpoint security assets in February 2025 and now offers Aurora Endpoint Security. Buyers should verify whether they are keeping an existing EDR integration or buying Aurora endpoint products.
Government boundary
Arctic Wolf supports some Microsoft GCC monitoring scenarios, but MDR supplemental terms say Arctic Wolf is not FedRAMP compliant. Government and CUI buyers should verify environment restrictions before treating it as a public-sector fit.