How Kaseya MDR works

Once you’ve completed initial access and security setup, but before you begin day‑to‑day use, it helps to understand how Kaseya MDR thinks about security activity.

Kaseya MDR is built around an alert‑centric detection and response model. Rather than exposing raw security events or individual data points, the platform focuses on turning large volumes of telemetry into actionable alerts, supported by investigations and response workflows.

This section explains the mental models, terminology, and system behavior that shape what you see in the platform and how to interpret it. The goal is to help you understand why alerts appear, how investigations are formed, and how response decisions are made—without step‑by‑step instructions.

There are no click‑by‑click procedures in this section. Instead, it provides the conceptual foundation that makes the rest of the documentation easier to understand and use correctly.

How to read this section

The articles in this section explain how Kaseya MDR works conceptually, not how to click through the interface or perform day‑to‑day tasks.

They focus on:

How security signals are evaluated and elevated into alerts
How related activity is correlated into investigations
How detection, investigation, and response fit together as a lifecycle
How platform behavior and availability affect what you see—without changing alert validity

You do not need to read these articles in order. Each topic stands on its own, but together they provide a shared mental model that makes the rest of the documentation, and the platform itself, easier to understand.

These articles are especially useful when alert behavior, investigation outcomes, or response execution do not match initial expectations.

Who should read this section

This section is especially useful if you:

Investigate alerts or validate security incidents
Customize detections, severity, or response behavior
Need to explain alert outcomes or investigations to customers or stakeholders
Want to understand why Kaseya MDR behaves the way it does, not just what it shows

You do not need to master every topic here to use Kaseya MDR. However, understanding these concepts helps prevent incorrect assumptions about alert volume, coverage, automation, or response behavior, and makes day‑to‑day use clearer and more predictable.

What this section covers

This section is divided into two parts:

Core concepts

These articles introduce the shared language and mental models used throughout Kaseya MDR:

Terminology and concepts: Defines key terms such as events, alerts, investigations, defaults, and overrides
Detection and correlation model: Explains how security telemetry is evaluated and correlated to produce alerts, and why fewer alerts does not mean reduced coverage

Detect > Investigate > Respond flow: Describes how Kaseya MDR moves from detection to investigation and, when appropriate, to response—clarifying where automation fits and where human decision‑making applies

These concepts apply consistently across the platform and are assumed knowledge for later sections.

Platform behavior and availability

These articles explain how Kaseya MDR behaves under real‑world conditions, particularly when availability, connectivity, or response execution is constrained:

Agent architecture and security model: Describes the trust boundaries, communication model, and security constraints that govern how the agent and platform operate

Agent connectivity and response availability: Explains how detection continues during temporary connectivity interruptions, how reachability affects response execution, and how isolation impacts communication and investigations

These topics help you interpret alerts and response outcomes correctly when conditions are not ideal.

This section does not explain:

How to deploy or manage agents
How to navigate the user interface
How to perform investigations or response actions
How to troubleshoot specific failures

Those topics are covered in later sections of the documentation, including Using Kaseya MDR and Integrations and data sources.

How these concepts apply across products

Kaseya MDR uses the same alert‑centric detection and correlation model that underpins other Kaseya security products, such as SaaS Alerts. While the data sources and response capabilities differ by product, the core concepts in this section—alerts, investigations, correlation, and response—apply consistently.

Understanding these concepts here will make it easier to interpret alerts and investigations across products that share this model.

For a detailed explanation of how Kaseya MDR, SaaS Alerts, and Kaseya SIEM relate, see Kaseya MDR, SaaS Alerts, and Kaseya SIEM: How the products relate.

	Need help? Submit a Kaseya Helpdesk request.
	Want to talk about it? Head over to Kaseya Community.
	Have a new feature idea? Visit the Kaseya Ideas portal.
	Provide feedback for the Documentation team.