Armis Managed Threat Service

MSSP

Armis Managed Threat Service is an analyst-assisted threat hunting and alert-investigation service for organizations already using Armis Centrix. After an alert, Armis analysts enrich findings, review suspicious activity, tune policies and advise on investigation priorities, while the buyer still owns containment actions, remediation, connected controls and business approvals.

Service
MSSP
Handles
Investigate and advise
Price
G-Cloud examples from £134,400 per asset block*
  • Investigate and advise
  • California, United States
Visit website

Shortlist fit

Security teams already using Armis Centrix for unmanaged, IoT, OT or medical-device visibility

Provider handles

Service investigates and gives response guidance. Your team owns the action.

Check before buying

Approving or executing containment actions in NAC, firewall, endpoint, identity or ITSM tools

Also fits

  • Buyers that want analyst help turning Armis alerts into investigation priorities
  • Organizations with a SOC that can execute containment and remediation in their own tools
  • Healthcare, manufacturing, energy and public-sector teams with connected-asset exposure

Can replace

  • Some internal Armis threat hunting, alert review and policy-tuning work
  • Manual prioritization of Armis suspicious-activity findings
  • Some SOC enablement work around Armis dashboards, reports and investigation context

Coverage

Provider covers

  • Continuous threat hunting and suspicious-activity review using Armis Centrix data
  • Alert enrichment, policy tuning, dashboards, reports and weekly operational reviews
  • Investigation context for managed, unmanaged, IoT, OT, IoMT and mobile-connected assets

Your team still owns

  • Patching, remediation, recovery and business-owner decisions after Armis investigation support
  • Maintaining Armis sensors, integrations, asset context and criticality data
  • Owning the broader SIEM, SOAR, SOC workflow and escalation process outside Armis scope

Tradeoffs

Works well

  • Fits buyers that already use Armis and need help operationalizing connected-asset alerts
  • Covers unmanaged, OT, IoT and medical-device environments that endpoint MDR tools can miss
  • Public procurement material gives a directional service-specific pricing signal

Watch out for

  • Not a full managed SOC and not a general MDR service for non-Armis environments
  • Containment depends on buyer-owned controls, integrations and approval rules
  • Public customer reviews mostly describe Armis Centrix, not Managed Threat Service delivery

Reviews

Review synthesis

Public review evidence is clearer for Armis Centrix than for Managed Threat Service itself. Customers repeatedly describe useful asset visibility, OT or healthcare-device context, investigation search and support, while cautions center on pricing, setup effort, integration friction, alert noise and limited remediation depth.

Customers like

  • Reviews frequently mention visibility into unmanaged, OT, IoT and medical assets
  • Customers call out investigation search, risk context and support or training help
  • G2 reviews describe Armis as useful beside SIEM, endpoint and vulnerability workflows

Watch out for

  • Managed Threat Service-specific customer reviews were not found
  • G2 reviewers mention limited remediation, clunky integrations and add-on cost concerns
  • Reddit discussion is mostly platform evaluation, pricing and enforcement skepticism

Pricing

Price
G-Cloud examples from £134,400 per asset block
Billing
Tiered, Custom

Questions to ask

  1. Which findings will Armis analysts investigate versus only enrich and route back to our SOC?
  2. Which containment actions can be pre-approved through our integrated controls and who executes them?
  3. Does the quote include MTS Foundations, policy tuning, weekly reviews, onsite resources and the required Armis platform license?

Integrations

SIEM
  • Splunk
  • Microsoft Sentinel
  • Google Chronicle
  • Google Security Operations SOAR
  • Exabeam
  • LogRhythm
  • IBM QRadar
  • Sumo Logic
EDR / Endpoint
  • CrowdStrike
  • SentinelOne
  • Microsoft Defender for Endpoint
Cloud
  • AWS
  • Azure
  • GCP
Other
  • Armis Centrix
  • ServiceNow
  • Jira
  • BMC
  • Cisco ISE
  • Palo Alto Networks

Editorial notes

Why investigate and advise

The Managed Threat Service brief supports continuous threat hunting, human analysis, suspicious-activity review, policy tuning, weekly findings and support for active investigations. It does not prove that Armis analysts normally execute containment actions for the buyer.

Platform boundary

The service is tied to Armis Centrix. Public procurement material says Armis Asset Management and Security or Armis OT Security is required, so buyers should not treat MTS as a standalone managed SOC service.

Containment boundary

Armis Centrix can trigger actions through integrated NAC, firewall, endpoint, ticketing and SOAR tools. The public profile treats those as platform or buyer-control actions unless the contract states that Armis analysts execute them.

Ownership change

ServiceNow completed its acquisition of Armis on April 20, 2026. Armis Centrix remains available as a standalone solution, with more ServiceNow platform integration expected over time.

Questions

Is Armis Managed Threat Service an MDR service?
Not in the usual endpoint MDR sense. This profile treats it as a managed threat service for Armis Centrix because the public material centers on threat hunting, suspicious-activity review, alert enrichment, policy tuning and investigation support around Armis data.
Does Armis contain threats for the buyer?
Armis Centrix can trigger actions through integrated controls such as NAC, firewall, SOAR and ticketing systems. The Managed Threat Service material does not prove that Armis analysts normally execute those actions, so buyers should confirm response authority in the contract.
Is Armis Managed Threat Service pricing public?
Armis does not publish standard website pricing. UK G-Cloud material gives service-specific examples for Managed Threat Services asset blocks, but buyers should treat those as indicative procurement references and request a current quote.