July 10, 2025

Active Response: How Field Effect MDR balances risk & business continuity

When attacks happen—whether at 2am or 2pm—a timely response is essential to avoiding major disruption. Every minute, even every second, makes a difference in how far an attacker advances their goals. But having staff to respond 24/7 is a luxury that’s not always available to businesses.

That’s where Field Effect MDR’s Active Response comes in.

Field Effect MDR will act on your behalf to:

  • Neutralize attacks with flexible response options
  • Thoroughly investigate behind the scenes to ensure the attack is contained
  • Share step-by-step remediation instructions so you can resolve the threat

So, you can have peace of mind knowing that no matter when an attack strikes, you’re secure.

Balancing risk and business continuity

While a rapid response is crucial to stopping threats, it also carries the potential to disrupt business operations. Locking down endpoints or locking accounts can halt an attack—but it can also lock out legitimate users and interrupt critical business workflows.

What qualifies as “acceptable risk” varies between companies, users, and devices. Some businesses prioritize full containment at any cost, while others wish to avoid downtime unless a threat is proven and severe. However, many security solutions apply the same response to every company, user, and device.

Field Effect MDR takes a different approach, so you don’t have to choose between mitigating cyber risk and preserving business continuity. With a range of flexible response policies, Field Effect MDR lets you tailor threat responses to match your specific risk tolerance. 

Active Response Policies

For example, you may choose from the following policies:

Off

This policy is ideal for mission-critical assets that must never be isolated—even in the presence of an active threat. By choosing this option, you’ll receive alerts only.

Limited

For high-value assets where minimizing disruption is critical, this option ensures actions are only taken once malicious activity is confirmed or there is a high degree of confidence—even if that means delaying a response to the initial signs of attack.

Balanced

Balanced is Field Effect’s default Active Response setting and ideal for most assets. This policy prioritizes both security and continuity, triggering action when strong indicators of compromise appear.

Aggressive

For high-sensitivity assets—such as executive accounts—where minimizing risk takes priority, action is taken proactively to contain any potentially malicious behavior, even if it means interrupting legitimate activity.

These policies can be applied organization-wide or down to the endpoint and user. This flexibility ensures you have full control without sacrificing productivity or protection.

What active response looks like in action

Suppose Field Effect MDR detects a login from a new location that’s unusual for both the user and the organization. Here’s how we’d respond based on your chosen policy:

  • Off: We issue an ARO (Action, Recommendation, and Observation). If further indicators of compromise are detected, we escalate using alternate channels, such as a phone call.
  • Limited: We issue an ARO. If additional high-confidence indicators of compromise are detected (such as a login from an unfamiliar device), we lock the account and revoke sessions to minimize the spread of the confirmed threat.
  • Balanced: We issue an ARO. If additional indicators of compromise are detected (such as impossible travel or a combination of multiple indicators), we lock the account and revoke active sessions of the accounts we believe would be compromised.
  • Aggressive: We issue an ARO, lock the account, and revoke active sessions for accounts that have shown suspicious indicators of compromise.
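
The decision logic described above, as an added illustration (not Field Effect's code or API): the same constructed indicator timeline is run through all four policies to show at which point containment happens under each. The indicator names, the `high_confidence` flag, and all function names are assumptions made for the example.

```python
from dataclasses import dataclass

ORG_DEFAULT = "balanced"  # the page names Balanced as the default policy

@dataclass(frozen=True)
class Indicator:
    name: str                      # constructed label, e.g. "new_location_login"
    high_confidence: bool = False  # assumed flag; the page defines no scoring

def resolve_policy(user, overrides=None, org_policy=ORG_DEFAULT):
    """Per-user assignment wins over the organization-wide policy."""
    return (overrides or {}).get(user, org_policy)

def respond(policy, indicators):
    """Return (actions, index of the indicator that triggered containment or None)."""
    actions, contained_at = [], None
    for i, ind in enumerate(indicators):
        if i == 0:
            actions.append("issue_aro")           # every policy alerts first
        if contained_at is not None:
            break                                 # account is already locked
        if policy == "off":
            if i == 1:
                actions.append("escalate_phone")  # alert-only: never isolates
            continue
        contain = (
            policy == "aggressive"                # act on the first sign
            or (policy == "balanced" and i >= 1)  # any further indicator
            or (policy == "limited" and i >= 1 and ind.high_confidence)
        )
        if contain:
            actions += ["lock_account", "revoke_sessions"]
            contained_at = i
    return actions, contained_at

# Constructed timeline for one account, in detection order.
TIMELINE = [
    Indicator("new_location_login"),
    Indicator("impossible_travel"),
    Indicator("unfamiliar_device_login", high_confidence=True),
]

def compare(timeline=TIMELINE):
    """Run the same timeline through all four policies."""
    return {p: respond(p, timeline) for p in ("off", "limited", "balanced", "aggressive")}

if __name__ == "__main__":
    for policy, (actions, at) in compare().items():
        print(f"{policy:<10} contained_at={at} actions={actions}")
```

With this timeline, containment lands on the first indicator under Aggressive, the second under Balanced, the third under Limited, and never under Off, which makes the speed-versus-disruption trade-off between the policies concrete.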

Learn more about AROs here.

What this means for your cybersecurity

Cybersecurity is not just about blocking threats—it's about responding with precision, speed, and flexibility. With Field Effect MDR, you can:

  • Act quickly to identify threats
  • Tailor the response to fit your needs
  • Have peace of mind knowing you’re protected 24/7

Whether you're protecting mission-critical infrastructure, executive accounts, or everyday endpoints, you can ensure your response levels match your unique risk tolerance and business requirements.

If you’d like to see Field Effect in action, book a demo here.