Tool

EDR budget calculator: five-category year-one and three-year estimate.

You tell the calculator the rate the vendor quoted (or the market range you are working with). The calculator builds the line-item budget across all five TCO categories. No fabricated vendor rate is supplied; you enter it. Exports to CSV for finance.

Last verified April 2026

Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

Inputs

Workstations

Servers

Mobile devices

Pricing axis

Quoted rate ($/mo)

Server multiplier

Topology

Tuning maturity

Multi-year discount %

Include IR retainer

Include MDR add-on

Internal FTE allocation

Output: line-item budget

Line item	Year 1	Steady-state annual	3-year total
Licence	$35K	$37K	$109K
Deployment	$13K	$0	$13K
Tuning (FTE allocation)	$38K	$19K	$75K
IR retainer	$30K	$30K	$90K
MDR add-on	$0	$0	$0
Internal ops	$150K	$150K	$450K
Total	$265K	$236K	$737K
Per endpoint per month	$44	$39	$41

How to interpret the output

The licence line is what the vendor quoted you, applied to your endpoint mix and adjusted for the multi-year discount. This is what shows on the contract.

The deployment line is the year-one one-time fee. SMB deployments are typically flat-priced; mid-market and larger use a per-endpoint rate ($25 cloud, $50 hybrid, $75 on-prem in the calculator defaults). Negotiate this hard if you are switching from a competitor; vendors often comp it.

The tuning line is the FTE allocation cost. This is what the platform actually requires to run, expressed as a fraction of an internal analyst position. Year 1 default is 0.5 FTE per 1,000 endpoints; year 2+ tuned environments drop to 0.2 FTE per 1,000 as detection-rule debt is paid down.

The IR retainer line is the optional pre-negotiated incident-response engagement. Default rate of $5 per endpoint per month is consistent with mid-market retainer pricing; SMBs often pay flat fees rather than per-endpoint, so for sub-200-endpoint shops use a flat $20K to $40K annual figure instead.

The MDR add-on line replaces or complements the IR retainer with a fully-managed monitoring service. Typical $15 to $30 per endpoint per month all-in. Set IR retainer to off when MDR is on if the MDR contract includes IR (most do).

The internal ops line is the residual platform-administration FTE. For unmanaged EDR, allocate 0.5 to 1 FTE for SMB and 1 to 2 FTE for mid-market. For MDR-bundled posture, drop to 0.1 to 0.3 FTE residual for procurement, evaluation, and high-touch escalations.

Three places EDR quotes usually hide cost

Server multiplier. The calculator defaults to 2x but the actual multiplier varies by vendor. A 1.5x multiplier vs a 2.5x multiplier on 100 servers is roughly $12,000 per year difference at $6 per endpoint per month base rate. Ask the vendor in writing what the multiplier is.
Renewal escalation. Most vendor contracts include a 5 to 10 percent annual escalation clause without a cap. The calculator models 5 percent for year-2 steady-state. Negotiate a cap.
Mobile and VDI adjustments. The calculator treats mobile at 0.5x rate; some vendors include mobile free, others charge full rate, others exclude entirely. Verify the assumption per quote.

Continue