BT Managed Sentinel

BT Managed Sentinel is a managed Microsoft Sentinel and SIEM service for buyers that want BT's SOC to monitor, tune and investigate Sentinel incidents. After an alert, BT analysts triage and investigate in Sentinel and Microsoft 365 Defender context, then advise the buyer on action while the buyer still owns Microsoft licensing, log-source configuration and remediation.

Service: Managed Sentinel / Managed SIEM
Response: Investigate and advise

Best for

Microsoft-aligned enterprises or public-sector buyers that want Sentinel operated by an external SOC

Usually replaces

Some tier 1 Sentinel monitoring and incident triage

Response role

Service investigates and gives response guidance. Your team owns the action.

Check first

Maintaining Azure, Microsoft Sentinel and required Microsoft licences

Coverage

Covers

  • Microsoft Sentinel monitoring for events from cloud and physical networks
  • Microsoft 365 Defender incident synchronization into Sentinel
  • SOC analyst triage, investigation and advice by severity

Your team still owns

  • Configuring log-source devices and network connectivity so logs reach the service
  • Taking remediation and containment actions after BT advises on the incident
  • Paying for extended log retention, platform usage or professional services outside the base order

Tradeoffs

Works well

  • Clear fit for buyers that specifically want Microsoft Sentinel managed
  • Public G-Cloud listing exposes a starting price, support model and offboarding process
  • BT documents buyer prerequisites and log-source responsibilities more clearly than many managed SIEM pages

Watch out for

  • Not MDR or full SOC outsourcing by default
  • Buyer still owns remediation and containment unless another service covers it
  • Microsoft licensing, ingestion, retention and professional services can add cost beyond the public starting signal

Pricing

Price signal: Public G-Cloud price from £6,275 per instance
Billing model: Flat-fee, Custom

Ask before buying

  1. Which incidents receive analyst investigation versus alert forwarding, and what are the notification targets by severity?
  2. Which remediation or response actions, if any, can BT execute without a separate XDR or professional-services scope?
  3. How much of the final cost sits in Microsoft licensing, data ingestion, retention, onboarding and professional services?

Connects with

SIEM
  • Microsoft Sentinel
EDR / Endpoint
  • Microsoft 365 Defender
  • Microsoft Defender suite
Cloud
  • Azure
  • AWS
  • GCP
Other
  • CEF
  • Syslog
  • Microsoft 365 security incidents
  • Third-party data connectors

Notes

Why investigate-and-advise lane

BT's service definition says SOC analysts conduct incident investigation so they can advise the buyer on the course of action. That is more than monitoring, but public evidence does not show base-scope direct containment.

Microsoft-first boundary

The service fits buyers that want Microsoft Sentinel operated by an external SOC. Buyers without Azure, Sentinel or the required Microsoft licences should treat those prerequisites as part of the buying decision.

XDR boundary

BT sells Managed Sentinel and XDR language together in some materials. This profile keeps the label to Managed Sentinel because the core public service is Sentinel monitoring, triage, tuning and advice.

Pricing boundary

The public G-Cloud listing gives a useful starting signal, but it is not the full operating cost. Microsoft platform charges, log retention, onboarding, onsite support and professional services can change the real budget.

Questions

Is BT Managed Sentinel an MDR service?
No. This profile treats it as Managed Sentinel and Managed SIEM. BT uses XDR language in some materials, but the core public service is Microsoft Sentinel monitoring, tuning, investigation and buyer guidance.

What does BT do after a Sentinel alert?
BT SOC analysts triage, correlate and investigate in Microsoft Sentinel and Microsoft 365 Defender context, then advise the buyer on action. Buyers should confirm whether any direct response actions require a separate XDR or professional-services scope.

Is BT Managed Sentinel pricing public?
The UK G-Cloud listing shows pricing from £6,275 per instance. Buyers should still price Microsoft licensing, data ingestion, storage, onboarding, recurring service charges and professional services before comparing it with MDR or full SOC providers.