Managed cyber defence (MCD)

Do you have the ability to hunt for and rapidly contain sophisticated cyber threats across your IT estate?

Traditional investment of time and resource to sift through large volumes of log data often does little more than create additional alerts for already overloaded security operations teams.

To illuminate the real threats and harden critical systems, it is important that security teams leverage the right tools and technology to monitor their entire environment, while continuously applying specialised threat hunting techniques to detect and respond to attacks that have bypassed traditional controls.

Why now is the time to take action:

  • Attackers are increasingly finding ways to breach systems and move laterally within the network to evade detection. Network and log monitoring is not enough.
  • Legal requirement to respond within 72 hours or face significant fines under GDPR with clarity now on what constitutes an ‘event’.
  • Lack of skilled security staff with the ability to retrospectively assess ‘new’ threats quickly and see if they exist in the environment.
  • Commodity services acting as ‘alert factories’, burdening security operations. Consequently, analysts are missing contextual insight into specific threats targeting systems and courses of action.

How can we help?

Our MCD service provides 24/7 advanced cyber defence against both commodity threats and sophisticated, targeted attacks by focusing on the four key stages of prevention, detection, response and hunting. We provide sophisticated defences across the IT environment (including endpoint, network and cloud) to prevent breaches, reduce cyber risk, support compliance, and help meet the strict breach detection and reporting requirements from regulations such as GDPR and NIS.


Built on Palo Alto’s Cortex XDR ecosystem and powered by our integrated threat hunting and intelligence expertise, MCD gives you a range of benefits:

  • Reduce investigation and response times down to seconds or minutes – Our ability to monitor the endpoint, network and cloud (SaaS & IaaS platforms) in near real time allows us to significantly reduce the time it takes to detect and respond to threats.
  • Stop threats before they damage the targeted system – We include in-depth malware, ransomware and exploit prevention capabilities to block most threats in real time. This uses automated behavioural and threat analysis techniques, augmented by global threat intelligence, to block many known and unknown threats in the first seconds and minutes of an attack without requiring human intervention.
  • Sophisticated multilayered approach significantly reduces the risk of evasions and ‘silent failure’ – We combine a wide range of complementary prevention and detection mechanisms, together with expert threat hunters, augmented by advanced machine learning analytics. With this approach we can detect subtle behavioural anomalies in petabytes of data, while drastically reducing the risk that any single layer will fail silently and allow a sophisticated attacker to evade detection.
  • Access to the information needed for response and investigation activities – We record activity data in near real time from all monitored endpoints and store that data for at least 30 days (extendable depending on requirements). This allows you to rapidly access evidential and investigative data when notifying regulators or carrying out further analysis. 
  • Identify data at risk from external or insider threats – In-depth visibility of both endpoint and network activity, including file access tracking, to help identify data at risk from external or insider threats.
  • We won’t leave you to deal with the threat alone – We carry out pre-agreed containment actions to mitigate the malicious activity. Our global incident response team are always on standby for emergency support in a large-scale incident.
  • Direct engagement with our analysts – We aim to work as an extension of your team with direct lines of communication so you can easily raise questions or request investigative support and receive answers quickly.

What’s included?


  • Multilayered malware protection – Identifies and blocks both commodity and unknown/targeted malware before it has a chance to execute.
  • Blocking of malicious files and applications – Executable files and office macros attempting to run in your environment are analysed in a secure sandbox and identified threats are blocked.
  • Exploit prevention – Stops exploitation of known, zero-day and unpatched vulnerabilities and protects commonly attacked programs such as web browsers, office applications, email clients, and document readers.
  • Ransomware protection – Blocks new or unknown variants of ransomware based on behaviour before they have the chance to encrypt data and spread on the corporate network.


  • Near real time detection of threat activity – Detection, investigation and root cause analysis of sophisticated threat activity at all stages of the attack lifecycle.
  • Backed by world class threat intelligence – Combined with comprehensive behavioural monitoring of over 700 unique attacker tactics, techniques and procedures.
  • Mapped to MITRE ATT&CK techniques – Our rule base is constantly updated to detect new and emerging attacker behaviours, ‘fileless’ malware and evasion techniques.
  • Reduce investigation times down to seconds or minutes – Through automated analytics and context enrichment, we can significantly reduce the time between detection and response.


  • Block malicious activity with minimal business impact – Terminate and quarantine suspicious processes to prevent further damage, while still enabling collection of malware samples and forensic evidence.
  • Isolate attacker from the network – Isolating suspected or known compromised machines both on and off the corporate network to protect the rest of the estate.
  • Rapid capture of forensic evidence – Capture of malicious files and forensic evidence for further investigation, using dynamic sandbox analysis or manual reverse engineering by our dedicated threat intelligence team.


  • Ongoing, proactive hunting – Contextual tagging of unusual behaviours automatically creates leads for our threat hunting teams to investigate on an ongoing basis. This is complemented with targeted hunting on relevant factors such as environmental risks, changes to the threat landscape, or driven by intelligence on new attack campaigns and techniques.
  • Machine learning analytics – The critically important human context provided by our expert hunt team is augmented by advanced machine learning analytics, which can highlight subtle behavioural changes in petabytes of recorded data. Using time, entity and peer group models to baseline user, machine, process and network activity, we can quickly spot behavioural anomalies which are suggestive of highly evasive threats. This allows us to prioritise mitigation before a threat has the opportunity to turn into a breach.

Why PwC?

  • Intelligence gleaned from the front lines of incident response engagements in more than 40 countries.
  • Dedicated threat hunters searching proactively for threats and other suspicious activity.
  • Rated by Forrester as ‘Leader’ in Digital Forensics and Incident Response.
  • We have a unique understanding of board expectations as business risk advisors.
  • We are business risk advisors and a global leader for security consulting services, recognised by industry accreditations for our cyber security:
    - Certified by CREST, the industry body for technical cyber security.
    - One of just a few firms certified by the UK National Cyber Security Centre’s Cyber Incident Response (CIR) scheme.
    - Certified by the US National Security Agency.
  • Our MCD service provides rapid access to our incident response services.


Contact us

Colin Slater

Cyber Security Partner, PwC United Kingdom

Tel: +44 (0)7711 589065

Dave Rowell

MDR Technical Lead, PwC United Kingdom

Tel: +44 (0)7872 815 688