Shortlist fit
Microsoft-first security teams that want Sentinel and Defender operated with outside SOC help
Provider handles
Service shares SOC workflow with your team or MSP while you keep control.Check before buying
Buying and maintaining required Microsoft Sentinel, Log Analytics, Defender and Teams licensingAlso fits
- Mid-market and enterprise buyers that want to keep visibility and control while reducing daily alert workload
- Public-sector, education and healthcare buyers using Carahsoft or Microsoft-aligned procurement paths
- Teams that want response collaboration in Microsoft Teams instead of a separate ticket-only portal
Can replace
- Some tier 1 and tier 2 alert triage around Microsoft Sentinel and Defender
- Manual escalation and collaboration workflows for Microsoft security incidents
- Some detection engineering, threat hunting and security posture review work tied to Microsoft controls
Coverage
Provider covers
- ION platform for Microsoft Teams collaboration, dashboards, automation and Cyber Defender workbench support
- 24/7 follow-the-sun Cyber Defense Centers for investigation, containment and customer escalation
- Microsoft Sentinel and Defender-centered detection, enrichment, investigation and response workflow
Your team still owns
- Connecting and maintaining customer log sources, agents, tenants and workspaces
- Keeping escalation contacts, response rules and approval paths current
- Performing IT remediation or business-owner decisions outside approved playbooks
Tradeoffs
Works well
- Strong fit for buyers already committed to Microsoft Sentinel, Defender, Entra and Teams
- Public service documents explain customer responsibilities, required licenses, log-source handling and SLA targets
- Teams-based collaboration gives customers visibility into ownership and next actions during escalations
Watch out for
- Not a good fit for buyers that want a neutral MDR provider over a non-Microsoft primary stack
- Microsoft licensing, Sentinel ingestion and Log Analytics costs remain buyer-owned
- Custom log ingestion and difficult connector work can require consulting or billable maintenance
Reviews
Review synthesis
Gartner reviewers describe Ontinue ION MXDR as useful for Microsoft-centered operations, Teams-based interaction, automation and proactive recommendations. The main cautions are response consistency, quote clarity and the need to verify what Ontinue owns versus what the customer owns in Sentinel, Defender and IT remediation.Customers like
- Reviews highlight Teams-based event delivery and clear next-action ownership
- Customers call out automation that reduces routine incident handling
- Some reviewers describe proactive threat hunting and recommendations for SIEM and incident-response process improvement
Watch out for
- At least one visible critical theme mentions slow response or missed response elements
- Public non-Gartner review depth is limited
- Reddit discussion is mostly category-level managed SOC and Sentinel scope, not deep Ontinue customer evidence
Pricing
- Price
- Quote-based, licensed per Ontinue Unit
- Billing
- Custom
Questions to ask
- What is an Ontinue Unit for our environment, and how will Sentinel ingestion or Log Analytics costs change?
- Which response actions can ION Automate or Cyber Defenders take without waiting for our approval?
- Which Microsoft, third-party, IoT, phishing and vulnerability sources are included in the base MXDR scope?
Integrations
- SIEM
- Microsoft Sentinel
- Ontinue ION Platform
- EDR / Endpoint
- Microsoft Defender for Endpoint
- Microsoft Defender XDR
- Cloud
- Microsoft 365
- Microsoft Defender for Cloud
- Other
- Microsoft Teams
- Microsoft Entra ID
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Defender for Cloud Apps
- ASIM-supported IDS, proxy, DNS and firewall sources
Editorial notes
Why co-managed SOC
Ontinue does more than investigate and advise because its service documents support ION automation, Cyber Defender remediation, Cyber Advisors, detection engineering, threat hunting and a Teams-based collaboration workflow. It is still co-managed because customers operate their own Microsoft tenant, log sources, escalation matrix and response authority.
Containment boundary
Public sources support active response and containment through Microsoft controls, including Defender for Endpoint deployment requirements and predetermined response actions. Buyers should not assume every containment action is automatic, because the service also relies on rules of engagement and customer escalation paths.
Microsoft dependency
Ontinue is intentionally Microsoft-focused. That is useful for buyers standardizing on Sentinel, Defender, Entra and Teams, but it is a weaker fit for teams that want a vendor-neutral MDR layer over CrowdStrike, SentinelOne, Splunk or a non-Microsoft SIEM as the primary control plane.
Pricing boundary
The public service description says ION MXDR is licensed per Ontinue Unit and states that Microsoft costs are billed directly by Microsoft or the CSP. No public numeric Ontinue list price was found, so the public profile should avoid indicative dollar ranges.
Review evidence
Gartner Peer Insights has meaningful Ontinue ION MXDR review volume, but other public review surfaces and Reddit threads are thin or category-level. Public sentiment should mention Gartner themes and use Reddit only as a buying caveat about managed SOC and Microsoft Sentinel scope.