Managed security is experiencing a period of heightened tension. Companies are accumulating more and more tools —EDR, firewalls, identity, email, cloud— and yet the promise of “greater visibility” often turns out to be the opposite: more noise, more alerts, and more hours chasing false positives. In this context, WatchGuard Technologies has announced WatchGuard Open MDR, an expansion of its Managed Detection and Response (MDR) offering centered on a key idea: providing MSPs (Managed Service Providers) with a faster path to enterprise-grade security services, without requiring platform replacement or forcing standardization on heterogeneous environments.
The company presents Open MDR as an extension of its 24/7 MDR, incorporating detection and response also on third-party tools, in addition to WatchGuard’s own technologies. The stated goal is for MSPs to deliver a “full-stack” service to clients with mixed ecosystems —a common scenario in the real market— without turning each renewal or onboarding into a disruptive migration project.
Unify operation in a single “pane of glass” for hybrid environments
The announcement emphasizes a well-known challenge for the channel: the diversity of tools in clients —due to historical decisions, acquisitions, or sector-specific needs— complicates service standardization. WatchGuard asserts that Open MDR integrates native and third-party environments into a single operational view, enabling faster onboarding, reducing friction during renewals, and making service delivery more repeatable across portfolios with high variability.
Practically, Open MDR revolves around three promises addressing the daily pain points of a managed SOC:
- Less noise and more control, prioritizing relevant signals over “alert fatigue”.
- AI/ML-supported response to reduce noise, validate threats, and initiate containment actions in less than 6 minutes, with an aim of fewer than 1 false positive per month.
- Enterprise-level capabilities for MSPs of various sizes, without the cost of building an in-house SOC from scratch.
The company describes the outcome as “enterprise MDR results without enterprise complexity”: a marketing phrase, yes, but one that focuses on a sensitive point: the difference between “having tools” and “operating them as a security function”.
Expanded coverage: endpoint, identity, network, cloud, and productivity suites
WatchGuard details that Open MDR aims to deliver unified visibility across endpoints, identity, network, cloud, and productivity tools to “standardize” security delivery. The service relies on a 24/7 SOC that monitors, validates, and coordinates responses, with actions such as device isolation to prevent propagation and early containment before an incident escalates.
Regarding integrations, the company mentions cross-coverage over its own ecosystem —including Firebox, AuthPoint, and EPDR— and compatibility with widely used third-party tools: Microsoft Defender, CrowdStrike Falcon, Okta Workforce Identity, Microsoft 365, AWS, and Google, as well as third-party firewalls (e.g., via syslog). This openness seeks to address a recurring friction point: MSPs often inherit existing deployments, and “rip-and-replace” approaches can lead to account loss.
The role of the SOC: operating through the channel without breaking the client relationship
Another important aspect for the MSP market is the operational model. WatchGuard emphasizes that partners maintain client relationships while the company works “behind the scenes” as their SOC. To back this model, it adds Technical Account Managers (TAMs) focused on escalations, root cause analysis, and ongoing security guidance.
From a channel perspective, this approach is significant: MSPs need to deliver measurable results —reducing alerts, response times, improving posture— but often lack the resources for 24/7 operations with senior analysts. Open MDR aims to fill that operational gap by providing an additional layer, while also ensuring the client does not feel like they are “changing providers” every time their stack updates.
Strategic continuity: from Total MDR to ActZero and now “Open”
This move is part of a broader evolution in WatchGuard’s portfolio. In 2025, the company launched Total MDR, designed to unify endpoint, firewall, identity, network, and cloud security into a single portal. Earlier that year, it announced the acquisition of ActZero, an MDR provider specializing in rapid, automated response and AI-driven analysis, in a deal closed in December 2024.
Overall, the message is consistent: initially unifying capabilities within its own stack (Total MDR), then strengthening MDR muscle (ActZero), and now extending monitoring and response to already-deployed client tools (Open MDR).
What this means for the market: less migration, more interoperability… and new demands
For tech media, the key news is not just the launch of a new brand. It confirms a trend: MDRs are moving towards “open” models operable across mixed environments, because actual deployments are rarely homogeneous and full consolidation is slow. This trend also raises expectations for noise and response time metrics, as well as the quality of integrations: the value of an “open” MDR lies not in branding but in its ability to correlate signals and execute containment without cascading false positives.
WatchGuard states that Open MDR is now available worldwide through its MSP network. The overall goal is to turn managed security into a repeatable, profitable service, without forcing clients to replace half their stack to achieve it.
Frequently Asked Questions
What is WatchGuard Open MDR, and how does it differ from traditional MDR?
It is an MSP-oriented MDR extension that adds 24/7 monitoring and response capabilities for third-party tools, in addition to WatchGuard’s ecosystem, enabling operation over mixed environments without mandatory migrations.
Which third-party tools does Open MDR support?
WatchGuard mentions integrations with Microsoft Defender, CrowdStrike Falcon, Okta Workforce Identity, Microsoft 365, AWS, and Google, as well as signal collection from third-party firewalls (e.g., via syslog).
What does WatchGuard promise regarding response times and false positives?
The company claims its AI/ML reduces noise, verifies threats, and initiates response actions in under 6 minutes, targeting fewer than 1 false positive per month.
Which types of MSP clients is Open MDR best suited for?
Especially for portfolios with heterogeneous environments (existing tools already deployed) where “rip-and-replace” migrations could hinder onboarding, increase renewal costs, or threaten client relationships.
via: watchguard

