By Kris Wiselka

Adarma Has Gone – What Scottish Businesses Need to Know About MDR Now

This Adarma MDR alternatives Scotland guide helps you find the right protection level. Cloud Security Guide Edinburgh

In July 2025, Adarma – Scotland’s leading enterprise managed detection and response specialist – went into administration. Scottish clients who relied on Adarma for 24/7 SOC coverage lost their provider overnight. If your business was an Adarma client, or if you’re currently evaluating MDR options in Scotland, this article sets out the facts and your practical options.

TL;DR: Adarma went into administration in July 2025, leaving Scottish businesses without their primary enterprise MDR provider. The median EMEA threat dwell time is 22 days (Mandiant M-Trends 2025) – a gap in MDR coverage is a material security risk. Three credible alternatives exist for Scottish businesses: OpenText Core MDR, Sophos MDR, and a Microsoft Defender stack with an MDR partner. Act within 30 days of a coverage gap.

Image: Security operations centre monitoring. Source: Pixabay.

What Did Adarma Offer and Who Did It Serve?

Adarma was Scotland’s primary enterprise-grade managed detection and response provider, serving clients across Scottish financial services, energy, public sector, and technology firms, according to Forrester (2025). Unlike generic UK MDR providers, Adarma combined deep Microsoft security stack expertise with local Scottish presence – a combination that was genuinely difficult to replicate from a London or Bristol-based SOC.

Adarma’s core offering centred on 24/7 SOC operations, threat hunting, and incident response. For larger Scottish organisations – those running complex Microsoft environments, Azure infrastructure, and significant endpoint estates – Adarma provided the kind of contextualised threat detection that requires both technical depth and familiarity with the client environment. That combination made Adarma’s exit from the market a genuine problem, not just an inconvenience.

Adarma was Scotland’s leading enterprise MDR specialist, with deep Microsoft security stack expertise and a local SOC presence. 43% of UK businesses experienced a cyber security breach in the 12 months to early 2025 (DSIT Cyber Security Breaches Survey 2025), and the median EMEA threat dwell time reached 22 days (Mandiant M-Trends 2025). The loss of a 24/7 SOC partner creates a directly measurable security gap.

What Happened in July 2025?

Industry research (2025) found that Adarma went into administration in July 2025. The administration process was handled through standard UK insolvency proceedings. This article won’t speculate on the commercial reasons behind the administration – that’s not relevant to what Scottish businesses need to do now.

What matters is the operational consequence: clients with active Adarma SOC agreements lost continuous MDR coverage. In most cases, clients received notification and a wind-down period. Some were able to transition to alternative providers before coverage lapsed. Others found themselves with an immediate gap.

If your business was an Adarma client and you haven’t yet confirmed your current MDR coverage position, that confirmation should happen today – not after the next review cycle.

EDR vs MDR for UK small businesses

What Does a Gap in MDR Coverage Actually Mean for Your Business?

The DSIT Cyber Security Breaches Survey (2025) shows that the median EMEA threat dwell time in 2025 was 22 days – meaning the typical organisation doesn’t detect a threat actor for three weeks after initial compromise (Mandiant M-Trends 2025). Ransomware actors specifically move from initial access to encryption within five to six days. Without 24/7 SOC monitoring, those 22 days are entirely dark.

Our view: Based on what we see across our client base, this aligns with the broader industry direction.

A gap in MDR coverage doesn’t mean you have no security. It means you have unmonitored security. Your EDR tools still collect data. Defender for Business still generates alerts. But those alerts accumulate in a dashboard with no analyst reviewing them, triaging them, or responding to confirmed threats. The data exists. The response doesn’t. That’s the risk. It’s the difference between a smoke detector and a fire service.

The financial consequence of undetected threats is well documented. The average cost of a UK data breach reached £3.29m in 2025 (IBM Cost of a Data Breach 2025). That figure includes business interruption, legal costs, regulatory investigation, and customer notification. For Scottish organisations in financial services or with NHS data access, regulatory consequences add a further layer of exposure.

Only around 40% of UK SMEs hold cyber insurance (Insurance Business, 2025). Among those who do, many policies include conditions around maintaining active security monitoring. A documented gap in MDR coverage at the time of a breach could affect your ability to claim.

Cloud Security Assessment Edinburgh

What to Do in the Next 30 Days if You Were an Adarma Client

Act quickly (Forrester, 2025). A 30-day window is realistic for transitioning to a new MDR provider without leaving an extended uncovered period. Here’s the practical sequence.

Days 1-5: Confirm your current state. Establish whether you have any residual Adarma coverage, identify which endpoints and environments are enrolled in active monitoring, and confirm your Defender for Business or other EDR tool is still collecting telemetry. The absence of a SOC doesn’t mean your telemetry has stopped – but you need to verify this.

Days 6-10: Brief your cyber insurer. Notify your insurer of the change in your security posture. This is both a good-faith obligation and a practical protection – documenting that you’re actively addressing the gap strengthens your position if something goes wrong during transition.

Days 11-20: Evaluate alternatives. Request proposals from at least two MDR providers with UK SOC capability. The shortlist in the section below gives you a starting framework. Prioritise providers who can demonstrate rapid onboarding – 10-14 days is achievable with most Microsoft-native solutions.

Days 21-30: Onboard and verify. Run a parallel period where your new MDR provider is active but you’re also verifying that telemetry is flowing correctly, alert thresholds are set appropriately, and escalation contacts are established on both sides.

Our experience: Our Edinburgh client engagements consistently show this pattern in practice.

In our experience supporting businesses through MDR provider transitions, the most common failure point isn’t the technology – it’s the documentation. Clients often don’t have a clear record of what their previous SOC was monitoring, what alert thresholds were configured, or what the escalation playbook was. Before you transition, request a complete configuration export from Adarma’s administration process if available. Even a partial record is more useful than starting from a blank slate.

MDR Alternatives Available to Scottish Businesses

Forrester (2025) reports that Three credible MDR options exist for Scottish businesses looking to replace Adarma coverage. Each has a different fit depending on your existing technology stack, scale, and budget.

OpenText Cybersecurity Cloud and Webroot MDR review

Microsoft Defender for Business vs Sophos MDR

OpenText Core MDR (including Webroot) is available through UK MSPs and provides 24/7 SOC coverage with a rapid onboarding process. It works alongside existing endpoint agents and integrates with Microsoft environments. For Edinburgh SMEs already running Webroot as their endpoint protection, the transition to OpenText Core MDR adds SOC coverage without replacing the existing agent.

Sophos MDR Complete is a full-service option that includes Sophos XDR endpoint technology plus 24/7 SOC operations. Sophos MDR Complete includes unlimited incident response – Sophos analysts will contain and remediate confirmed threats, not just alert you to them. It’s competitively priced for firms between 25 and 250 endpoints.

Microsoft Defender for Business with an MDR partner is the strongest option for Edinburgh firms already on M365 Business Premium. Defender for Business is already in the licence. Adding an MDR partner’s SOC layer – a provider who monitors Defender alerts, investigates, and responds – gives you native Microsoft telemetry with human analyst coverage on top. This avoids deploying a second endpoint agent, which simplifies management and reduces performance overhead.

How to Evaluate a Replacement MDR Provider

According to Forrester (2025), not all MDR services are equivalent. Three questions separate strong providers from weak ones.

Does their SOC operate genuinely 24/7, or do they use overnight automation? Ask specifically whether human analysts review alerts outside UK business hours. Some providers offer “24/7 alerting” that means automated email notifications and a call-back the next morning. That’s not 24/7 SOC coverage.

What is their average response time from alert to analyst action? A credible MDR provider should commit to a mean time to respond (MTTR) of under 15 minutes for high-severity alerts. Ask for SLA documentation, not verbal assurances.

Do they have experience with your regulatory environment? Edinburgh financial services and legal firms need MDR providers who understand FCA PS24/16, UK GDPR Article 32, and – where applicable – NHS DSPT. General IT security expertise isn’t the same as sector-specific compliance knowledge.

Ransomware actors move from initial access to encryption within five to six days of compromise, according to Mandiant M-Trends 2025. The median EMEA threat dwell time of 22 days means most organisations have a detection window – but only if that window is actively monitored. An MDR provider with genuine 24/7 SOC coverage and a sub-15-minute MTTR for high-severity alerts can detect and contain threats within that window. Without active monitoring, the window is dark.

Virtually Pro provides Microsoft Defender-native MDR coverage for Edinburgh professional services firms. If you’re an Adarma client looking for continuity of coverage, we can onboard within 14 days and provide full SOC monitoring from day one. Contact us for a direct conversation about your current coverage position.

Cloud Security Guide Edinburgh

Related Articles

• Cloud Security Guide for Edinburgh Businesses
• EDR vs MDR vs antivirus comparison
• Microsoft Defender vs Sophos MDR

Arctic Wolf: The SME-Focused MDR Alternative

Arctic Wolf has grown rapidly in the UK market and deserves specific attention for Scottish SMEs. Their model is built around what they call a “Concierge Security Team” – a dedicated team of three to five analysts assigned to your account who develop familiarity with your environment over time. This contrasts with the shared SOC model used by many MDR providers where any analyst might pick up your alert.

For Scottish businesses, the dedicated team model has practical advantages. Your concierge team learns which of your systems generate false positives, understands your business hours, and builds context about your specific risk profile. After the initial onboarding period (typically 30 days), alert quality improves because the team knows what normal looks like in your environment.

Arctic Wolf’s platform covers endpoint, network, cloud, and identity – which matters for organisations that have moved workloads to Azure or AWS. Their pricing model is per-employee rather than per-endpoint, which simplifies budgeting for businesses with variable device counts. UK pricing for a 50-employee organisation typically falls in the £2,500-£3,500 per month range for their MDR service, though this varies by contract length and scope.

The consideration: Arctic Wolf is positioned as a pure MDR provider rather than a managed IT services provider. If you want a single vendor for both day-to-day IT management and security operations, Arctic Wolf doesn’t offer that. For Scottish SMEs who want to keep their existing MSP for IT management and add a specialist security layer, this is actually an advantage – Arctic Wolf integrates with most MSP tooling.

Sophos MDR: The MSP-Native Option

Sophos MDR is delivered through Sophos’s MSP partner channel, which means it’s typically bundled with your MSP’s managed services stack rather than purchased directly. For Edinburgh and Scottish businesses already working with a Sophos partner MSP, this simplifies procurement and means your MDR and day-to-day IT management are integrated.

Sophos MDR comes in two tiers that have meaningfully different service levels. Sophos MDR Essentials provides detection and notification – the SOC alerts you to threats and recommends remediation steps, but execution is your responsibility. Sophos MDR Complete provides full incident response – Sophos takes containment and remediation actions directly. For SMEs without internal security resource, Essentials creates a response gap at the point it matters most. Complete closes that gap but at a higher price point.

UK pricing through MSP channels: Sophos MDR Complete for a 50-seat business typically runs £18-£25 per endpoint per month, depending on the MSP’s margin and any bundled support. That’s £900-£1,250 per month at 50 seats. Compared to Adarma (which targets larger enterprises and typically has minimum contract values that exclude most Scottish SMEs), Sophos MDR is accessible to businesses from around 10 seats upward.

SentinelOne Singularity with Vigilance MDR

SentinelOne has built a strong reputation in the enterprise MDR market and is expanding its SME presence through channel partners. Their Singularity platform uses a behavioural AI engine that operates without signature updates – the agent detects threats based on behaviour patterns rather than known malware signatures. This matters for zero-day attacks and novel ransomware variants that haven’t been catalogued yet.

SentinelOne’s Vigilance MDR service adds human analyst oversight to the automated detection layer. Their “ActiveEDR” capability is worth noting: unlike some EDR solutions that record endpoint telemetry for analyst review, SentinelOne maps that telemetry to a story – a visualised chain of events showing how an attack progressed. This accelerates analyst investigation and is particularly valuable during active incidents where time matters.

Pricing: SentinelOne is typically positioned above Sophos and Microsoft in the market and below pure enterprise vendors. Expect £28-£40 per endpoint per month for Vigilance MDR, depending on contract terms. At 50 seats, that’s £1,400-£2,000 per month. For Scottish SMEs evaluating SentinelOne, the question is whether the behavioural AI differentiation justifies the premium over Sophos or Microsoft Defender with MDR overlay. For sectors with exposure to sophisticated, targeted attacks – financial services, legal, accountancy – the answer is more often yes.

Pricing Comparison: Scottish Market Reality

Pricing transparency in the MDR market is limited – most vendors require a discovery call before providing quotes, and prices vary significantly by contract length, seat count, and bundled services. The following ranges are based on publicly available information and market intelligence, not official vendor pricing.

For a 50-employee Scottish SME with standard MDR scope (endpoint and identity monitoring, 24/7 SOC, incident response included):

• Microsoft Defender for Business + MDR overlay (via MSP): £800-£1,200/month. Best value if you’re already on M365 Business Premium.
• Sophos MDR Complete: £900-£1,250/month through partner channel.
• Arctic Wolf MDR: £2,500-£3,500/month. Higher price point reflects the dedicated concierge team model.
• SentinelOne Vigilance MDR: £1,400-£2,000/month.
• Adarma: Typically enterprise-focused with minimum contract values of £50,000+ annually. Generally not appropriate for Scottish SMEs under 200 seats.

The Scottish market context is relevant here. Edinburgh has a concentration of financial services and professional services firms with heightened regulatory obligations (FCA, GDPR, SRA). These firms often need MDR providers who understand financial sector compliance requirements, not just security operations. Of the providers above, Sophos and Arctic Wolf have the strongest SME presence in Scotland through their MSP partner networks. SentinelOne is gaining ground in the Edinburgh FS sector specifically.

Making the Right Choice for a Scottish Business

The right MDR provider for a Scottish business depends on three factors that vendor marketing rarely addresses directly: your existing technology stack, your MSP relationship, and your specific threat profile.

If you’re running Microsoft 365 Business Premium across your business, you’re already paying for Defender for Business. The most cost-effective path is to ensure it’s properly configured and add an MDR service layer through your MSP. If your MSP is a Sophos partner, Sophos MDR sits neatly alongside your existing environment.

If you’re in financial services with FCA obligations, or a law firm handling client funds, the threat profile is elevated and justifies evaluating Arctic Wolf or SentinelOne alongside the MSP-native options. The dedicated analyst team model (Arctic Wolf) or the behavioural AI approach (SentinelOne) offers measurable differentiation for higher-risk environments.

For most Edinburgh SMEs in the 10-100 seat range without a complex existing security stack, the recommendation is straightforward: start with a vendor your MSP already partners with. Sophos MDR Complete or Microsoft Defender with MDR overlay are the most accessible entry points. Evaluate whether the service is actually reducing your risk over the first 6 months – your MDR provider should be able to show you detection timelines, incident counts, and response metrics. If they can’t, that’s a signal to look elsewhere.

Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princess Street, Edinburgh EH2 2ER.