Investment Notes

MDR for the Mid-Market: Why Eye Security Matters

Martijn Hoekstra

The mid-market cybersecurity gap is a structural problem, not a market oversight. Enterprises above roughly 2,000 employees can justify full-time security operations staff, dedicated SIEM infrastructure, and the managed security service relationships that come with meaningful SLAs and dedicated analyst teams. Very small organisations — a ten-person firm, a GP practice, a municipal government department — have a simpler attack surface and, realistically, are not the primary targets of sophisticated adversaries (though they face significant ransomware and BEC exposure). The organisations that fall in between — regional logistics companies, mid-size Dutch manufacturers with operational technology environments, healthcare networks with 200-500 staff, professional services firms with significant client data — face sophisticated threat exposure without the internal security resources to address it, and have historically been badly served by the security services market.

The reason the mid-market has been underserved is not that service providers did not see the opportunity. It is that the operational model for managed detection and response built for large enterprises does not translate to mid-market economics. An enterprise MDR contract delivering dedicated analyst coverage, customised detection engineering, and bespoke incident response playbooks is a six-figure annual engagement. Mid-market companies cannot pay enterprise MDR prices, and most could not consume enterprise MDR complexity even if they could afford it. The internal IT contact at a 300-person Dutch logistics company does not have a security engineering background — they are a generalist IT manager. The MDR service that works for this buyer needs to abstract away the underlying complexity, deliver findings in language that the IT manager can act on without specialised knowledge, and provide incident response support that does not assume a sophisticated internal security team as a partner.

Eye Security's model when we invested in 2020 was built around exactly this operational translation challenge. Their go-to-market was sector-specific, targeting industries with coherent risk profiles — Dutch healthcare, professional services, public sector — where they could develop deep familiarity with the threat landscape and compliance requirements specific to that sector and encode that knowledge into their detection engineering and response playbooks. A detection rule tuned against the specific EHR systems used in Dutch healthcare, or against the accounting software common in mid-size Dutch professional services firms, produces significantly better signal-to-noise than a generic detection rule applied to the same log sources. Sector specialisation in MDR is a technical investment, not just a sales positioning choice.

The NIS2 Directive's expansion of scope to include mid-market entities in essential and important sectors has created a compliance tailwind that makes the Eye Security investment thesis more urgent. Under NIS2, organisations in sectors including energy, transport, health, digital infrastructure, and postal services that meet the size thresholds (50+ employees or €10M+ revenue) are required to implement specific technical and organisational security measures and report significant incidents within defined timeframes. Many mid-market organisations in these sectors do not have the internal capability to meet these requirements without external support. An MDR provider that can deliver both the monitoring capability required for NIS2 compliance and the incident reporting support for meeting the 24-hour initial notification requirement is addressing a genuine regulatory obligation, not just a security aspiration.

We are realistic about the competitive dynamics in this space. The mid-market MDR category is attracting increased investment and attention because the regulatory tailwind is legible to multiple investors simultaneously. The companies that will build durable franchises are those with genuine operational depth in their target sectors — not those that have built a sales motion for the compliance buyer without the detection engineering capability to back it. Eye Security's differentiation comes from the detection knowledge accumulated over four years of operating in their target sectors: they have seen the specific attack patterns that target Dutch logistics companies, the social engineering techniques used against healthcare administrative staff, the operational technology vulnerabilities common in mid-size manufacturing environments. That operational knowledge, encoded in detection content and response playbooks, is not easily replicated by a generalist MSSP entering the mid-market because NIS2 made it attractive.