Shortlist fit
Security teams already using Armis Centrix for unmanaged, IoT, OT or medical-device visibility
Provider handles
Service investigates and gives response guidance. Your team owns the action.Check before buying
Approving or executing containment actions in NAC, firewall, endpoint, identity or ITSM toolsAlso fits
- Buyers that want analyst help turning Armis alerts into investigation priorities
- Organizations with a SOC that can execute containment and remediation in their own tools
- Healthcare, manufacturing, energy and public-sector teams with connected-asset exposure
Can replace
- Some internal Armis threat hunting, alert review and policy-tuning work
- Manual prioritization of Armis suspicious-activity findings
- Some SOC enablement work around Armis dashboards, reports and investigation context
Coverage
Provider covers
- Continuous threat hunting and suspicious-activity review using Armis Centrix data
- Alert enrichment, policy tuning, dashboards, reports and weekly operational reviews
- Investigation context for managed, unmanaged, IoT, OT, IoMT and mobile-connected assets
Your team still owns
- Patching, remediation, recovery and business-owner decisions after Armis investigation support
- Maintaining Armis sensors, integrations, asset context and criticality data
- Owning the broader SIEM, SOAR, SOC workflow and escalation process outside Armis scope
Tradeoffs
Works well
- Fits buyers that already use Armis and need help operationalizing connected-asset alerts
- Covers unmanaged, OT, IoT and medical-device environments that endpoint MDR tools can miss
- Public procurement material gives a directional service-specific pricing signal
Watch out for
- Not a full managed SOC and not a general MDR service for non-Armis environments
- Containment depends on buyer-owned controls, integrations and approval rules
- Public customer reviews mostly describe Armis Centrix, not Managed Threat Service delivery
Reviews
Review synthesis
Public review evidence is clearer for Armis Centrix than for Managed Threat Service itself. Customers repeatedly describe useful asset visibility, OT or healthcare-device context, investigation search and support, while cautions center on pricing, setup effort, integration friction, alert noise and limited remediation depth.Customers like
- Reviews frequently mention visibility into unmanaged, OT, IoT and medical assets
- Customers call out investigation search, risk context and support or training help
- G2 reviews describe Armis as useful beside SIEM, endpoint and vulnerability workflows
Watch out for
- Managed Threat Service-specific customer reviews were not found
- G2 reviewers mention limited remediation, clunky integrations and add-on cost concerns
- Reddit discussion is mostly platform evaluation, pricing and enforcement skepticism
Pricing
- Price
- G-Cloud examples from £134,400 per asset block
- Billing
- Tiered, Custom
Questions to ask
- Which findings will Armis analysts investigate versus only enrich and route back to our SOC?
- Which containment actions can be pre-approved through our integrated controls and who executes them?
- Does the quote include MTS Foundations, policy tuning, weekly reviews, onsite resources and the required Armis platform license?
Integrations
- SIEM
- Splunk
- Microsoft Sentinel
- Google Chronicle
- Google Security Operations SOAR
- Exabeam
- LogRhythm
- IBM QRadar
- Sumo Logic
- EDR / Endpoint
- CrowdStrike
- SentinelOne
- Microsoft Defender for Endpoint
- Cloud
- Other
- Armis Centrix
- ServiceNow
- Jira
- BMC
- Cisco ISE
- Palo Alto Networks
Editorial notes
Why investigate and advise
The Managed Threat Service brief supports continuous threat hunting, human analysis, suspicious-activity review, policy tuning, weekly findings and support for active investigations. It does not prove that Armis analysts normally execute containment actions for the buyer.
Platform boundary
The service is tied to Armis Centrix. Public procurement material says Armis Asset Management and Security or Armis OT Security is required, so buyers should not treat MTS as a standalone managed SOC service.
Containment boundary
Armis Centrix can trigger actions through integrated NAC, firewall, endpoint, ticketing and SOAR tools. The public profile treats those as platform or buyer-control actions unless the contract states that Armis analysts execute them.
Ownership change
ServiceNow completed its acquisition of Armis on April 20, 2026. Armis Centrix remains available as a standalone solution, with more ServiceNow platform integration expected over time.