The OT-IT split
Manufacturing endpoint security splits cleanly into two domains that demand different tooling and different cost models. The IT estate is the conventional set of workstations, servers, mobile devices, and corporate infrastructure where EDR applies normally. The operational technology (OT) estate is the programmable logic controllers, distributed control systems, supervisory control and data acquisition systems, human-machine interfaces, robots, and specialised equipment that run the production line itself. Most commercial EDR agents either do not install on OT systems or do not function reliably on them.
The compensating-control approach for OT combines three elements: network segmentation (OT lives on isolated network segments with strict ingress and egress controls, often using the Purdue Reference Model as the architectural framework); passive network monitoring tools designed specifically for OT environments (Claroty, Dragos, Nozomi and Armis are the established names in this category, each pricing in the $100,000 to $500,000-plus per year band depending on plant count and asset count); and EDR on the IT systems that interact with the OT segments, to catch attacker movement at the IT-OT boundary.
Treating EDR as the OT solution misses the point. EDR is the IT-side complement to OT-specific monitoring, not a replacement. The honest cost model for manufacturing security therefore involves two separate budget lines: EDR for the IT estate, and OT-specific monitoring for the production estate. The two lines together are often comparable in size; in some plant-heavy operations, the OT monitoring line is larger than the EDR line.
The Windows 7 (and older) problem
Manufacturing plants operate a non-trivial number of Windows 7, Windows XP embedded, and even older endpoints on plant-floor workstations connected to specialised equipment. The vendor that sold the equipment certified the controlling workstation on a specific OS version that they have not updated, and replacing the workstation OS often requires re-certifying the entire equipment line, which is expensive and disruptive.
Most modern EDR platforms still support Windows 7 with reduced functionality. Threat-intelligence updates may be slower or limited; behavioural detection capability is typically reduced; some advanced features (kernel-level telemetry, certain types of memory inspection) may not be available. The honest assessment is that EDR on Windows 7 is degraded EDR, not full EDR. The cost is the same per-endpoint rate, but the detection coverage is meaningfully thinner.
Where Windows 7 endpoints cannot be retired, the realistic posture is reduced-functionality EDR plus tighter network segmentation around those endpoints plus more aggressive monitoring of any traffic to or from them. Some manufacturers in 2026 are starting to use the Microsoft Extended Security Updates programme to maintain Windows 7 support contractually for endpoints that genuinely cannot be retired, adding another cost line that runs roughly $50 to $150 per endpoint per year depending on the year of the programme.
The air-gapped EDR question
Manufacturing security architecture often calls for air-gapped or near-air-gapped network segments, particularly for the most critical production systems. Genuine air-gap (no network connectivity to anything outside the segment) is rare even where the architectural intent is air-gap, because some connectivity is almost always required for monitoring, updates, or operational data flows.
Genuinely air-gapped EDR is rare and expensive. Cloud-managed EDR platforms by definition require connectivity to the vendor's cloud for telemetry processing and detection-rule updates. On-premises EDR deployments do exist (some vendors offer air-gap-deployable variants of their platforms) but are typically priced 20 to 50 percent above the cloud-managed rate, deploy in 8 to 16 weeks rather than 1 to 2, and require internal staff to operate the platform itself, including detection-rule updates, telemetry storage, and platform maintenance.
For most plant environments, the realistic posture is segmented connectivity. The plant network has restricted but real connectivity to the EDR vendor's cloud, with strict firewall rules controlling what can and cannot egress. This is sometimes implemented via a dedicated security-tools network segment that brokers the EDR cloud connectivity for the otherwise-isolated production segments. The cost line for this brokering infrastructure is real but usually small relative to the broader security stack.
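As an added example (not code from the article), a small Python policy check for the brokered-egress design just described: production segments may reach only the security-tools broker, and the broker may reach only the EDR vendor's cloud over TLS; every other flow is flagged. Zone names, the vendor hostname and the sample flows are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed placeholder for the EDR vendor's cloud endpoint (not a real host).
EDR_CLOUD = "edr-telemetry.vendor.invalid"
BROKER_ZONE = "security-tools"

# Egress allowlist per source zone: set of (destination, port) pairs.
# Production cells may reach only the broker segment; the broker may reach
# only the EDR cloud on 443. Anything not listed is a policy violation.
EGRESS_POLICY = {
    "production-cell": {(BROKER_ZONE, 443)},
    BROKER_ZONE: {(EDR_CLOUD, 443)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str   # Purdue-style zone label of the source host
    dst: str        # destination zone name or hostname
    dst_port: int


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow is allowed."""
    allowed = EGRESS_POLICY.get(flow.src_zone)
    if allowed is None:
        return f"unknown source zone {flow.src_zone!r}"
    if (flow.dst, flow.dst_port) in allowed:
        return None
    return f"{flow.src_zone} -> {flow.dst}:{flow.dst_port} not in egress allowlist"


def audit(flows: Iterable[Flow]) -> list:
    """Collect violation strings for every flow that breaks the allowlist."""
    return [v for f in flows if (v := check_flow(f)) is not None]


# Constructed sample flows (not captured from a real plant network).
SAMPLE_FLOWS = [
    Flow("production-cell", BROKER_ZONE, 443),    # allowed: agent -> broker
    Flow(BROKER_ZONE, EDR_CLOUD, 443),            # allowed: broker -> EDR cloud
    Flow("production-cell", EDR_CLOUD, 443),      # violation: bypasses the broker
    Flow("production-cell", "203.0.113.10", 445), # violation: SMB off-segment
    Flow(BROKER_ZONE, "203.0.113.10", 443),       # violation: broker to non-EDR host
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```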
The ransomware-target premium
Manufacturing has been disproportionately targeted by ransomware operators since 2021. The Verizon Data Breach Investigations Report consistently places manufacturing among the top three industries by ransomware incident frequency. The reason is straightforward economic incentive: the operational impact of stopped production is immediate and large (every hour of stopped production is direct revenue loss and often customer-contract liability), the ransomware operator can demonstrate impact within hours, and the target's willingness to pay is correspondingly high.
That dynamic shifts the EDR procurement math for manufacturing. The cost of a successful ransomware event in manufacturing is often measured in tens of millions of dollars when production downtime is included, regardless of whether the ransom itself is paid. Several published 2023 to 2025 manufacturing ransomware incidents have reported total impact (downtime, recovery, customer remediation) in the $50M to $300M range. Against that backdrop, even a sizable EDR investment in the $500,000 to $2,000,000 per year range has straightforward return-on-investment economics if it materially reduces the probability or impact of ransomware events.
The cyber-insurance carrier view reflects this. Most cyber-insurance carriers in 2026 require EDR or equivalent endpoint detection as baseline for manufacturing customers, with some carriers requiring additional OT-specific monitoring as a precondition to policy issuance for plant-heavy operations. Premium-reduction bands for fully-equipped postures can run 15 to 25 percent on manufacturing cyber policies, reflecting carrier expectation that manufacturing is a high-frequency claim segment.
Worked cost scenario
One illustrative scenario for a multi-plant manufacturing operation, with cost ranges from aggregated public market research.
| Cost line | Year-one figure | Notes |
|---|---|---|
| EDR on IT estate (2,000 endpoints) | $144,000 to $240,000 | $6 to $10/ep/mo, manufacturing-tier pricing |
| OT monitoring (Claroty, Dragos, etc.) | $200,000 to $500,000 | Separate platform; per-asset or per-plant pricing |
| EDR deployment one-time | $50,000 to $150,000 | $25 to $75 per endpoint vendor-led |
| OT monitoring deployment one-time | $100,000 to $300,000 | Plant-by-plant; longer cycle than IT |
| Optional MDR add-on | $200,000 to $500,000 | $15 to $30/ep/mo on the IT estate |
| Internal security staffing | $400,000 to $900,000 | 2 to 4 FTE allocated |
| Year-one all-in | $1.1M to $2.6M | Multi-plant operation |
The OT monitoring line is roughly comparable in size to the EDR licence line for most plant-heavy operations. Buyers focused only on EDR sometimes underestimate the broader endpoint security stack required for manufacturing. The honest budgeting exercise treats EDR and OT monitoring as complementary line items, with separate procurement cycles and separate vendor relationships.
Manufacturing EDR procurement playbook
- Inventory the IT and OT estates separately. Different tooling, different vendors, different cost lines. Counting OT assets as endpoints in an EDR sizing exercise will produce wrong answers.
- Inventory legacy operating systems explicitly. Windows 7, Windows XP embedded, and older endpoints have implications for EDR functionality and Extended Security Updates cost.
- Decide the OT monitoring posture before the EDR procurement. The two budget lines compete for the same security programme dollars, and decisions on one affect the other.
- Plan for plant-by-plant deployment cycles rather than estate-wide. Plant operations cannot tolerate the disruption of estate-wide rollouts, and per-plant cycles are usually 4 to 12 weeks each.
- Confirm air-gap and segmentation requirements with operations and engineering before signing the EDR contract. On-premises or air-gap-capable variants of the platform may be required for some segments.
- Confirm cyber-insurance carrier requirements specific to manufacturing. Most carriers require EDR plus OT-specific monitoring for plant-heavy operations.
- See siemcostcalculator.com for the SIEM side of the manufacturing security stack.