What mid-market means in EDR
Vendor segmentation for mid-market is loose. Most platforms treat 250 to 2,500 endpoints as the mid-market band, with 100 to 250 sometimes labelled upper-SMB and 2,500 to 10,000 sometimes labelled lower-enterprise. The staffing profile for a 250 to 2,500 endpoint shop is typically a security team of one to three full-time equivalents, often inside an IT function reporting to a CIO rather than a CISO. There is rarely a dedicated security operations centre. Compliance pressure usually exists (SOC 2, ISO 27001, PCI DSS, HIPAA depending on industry) but a chief information security officer is more common at the higher end of the band than the lower.
That staffing profile shapes EDR procurement. Mid-market buyers cannot absorb the operational load of running EDR fully in-house at the lower end of the band. Nor can they afford the dedicated tooling and analyst stack that a true enterprise security operations centre brings. The procurement question is therefore typically a three-way choice between EDR with an internal generalist running it, EDR with a twenty-four-hour managed-detection-and-response provider wrapped around it, or an all-in managed bundle from a single provider supplying both platform and service.
The mid-market per-endpoint band
Aggregated public market research puts the mid-market EDR licence band at five to nine dollars per endpoint per month after volume discount, on cloud-managed platforms. The lower end of the band applies to commodity EDR with default telemetry retention, single-platform support, and no premium SKU attachments. The upper end applies to platforms with extensive threat intelligence, identity protection, cloud-workload coverage, and managed-threat-hunting included in the per-endpoint rate.
Server endpoints in this band are typically priced at 1.5x to 2x the workstation rate, dropping to 1.5x at the upper end of the discount band. Mobile endpoints are sometimes free, sometimes discounted to half the workstation rate, and sometimes a separate per-device line item, depending on the platform. VDI seats are occasionally priced per concurrent session rather than per provisioned device, which can move the total in either direction depending on the user-to-device ratio.
Worked example, illustrative ranges only: a 1,000-endpoint mid-market shop with 800 workstations and 200 servers, default 30-day telemetry retention, two-year contract, lands in the $60,000 to $96,000 per year band on licence alone. The same shop at three-year contract length and 35 percent volume discount lands closer to $50,000 to $80,000 per year. Add deployment of $25,000 to $50,000 one-time, optional incident response retainer of $50,000 to $250,000 per year, and one to two full-time analysts at $130,000 to $180,000 fully-loaded each. The all-in year-one number commonly lands in the $250,000 to $700,000 band.
The four mid-market TCO surprises
01. Server-vs-workstation premium
The single most common sizing miss at mid-market is treating all endpoints as workstations during the initial business case. A 1,000-endpoint estate that is actually 800 workstations and 200 servers prices roughly 20 to 30 percent higher than a flat 1,000-workstation estate, assuming the typical 1.5x to 2x server multiplier. The miss happens because IT inventory often does not cleanly distinguish server endpoints from workstation endpoints when the question is asked early in the cycle. Get the inventory right before the first vendor conversation.
02. Telemetry retention upgrade
Default retention on most cloud-managed platforms is 30 days. That is rarely sufficient for mid-market compliance regimes (SOC 2 typically wants 90 days, PCI DSS 4.0 wants one year for security event logs, HIPAA varies by carrier interpretation). The 90-day upgrade typically costs 10 to 20 percent on top of the licence rate. The one-year retention SKU is typically a 30 to 50 percent premium and sometimes only available as part of a higher-tier product bundle. Finance often does not see this line until the security team needs to extract historical telemetry for an audit.
03. Deployment as professional services
Mid-market deployments are typically vendor-led or partner-led rather than purely self-deployed. The line-item commonly lands in the $25 to $50 per endpoint one-time band at this scale, presented as a professional-services attachment rather than a per-endpoint add-on. For a 1,000-endpoint deployment, that is a $25,000 to $50,000 one-time fee that is often discovered only when the contract is in legal review. Self-deployment is theoretically possible but practically demands a senior analyst for two to four weeks of dedicated effort, which most mid-market shops cannot spare.
04. The FTE backfill that nobody budgets
Running EDR in-house at mid-market scale typically allocates one to two full-time analysts against the platform. That is $130,000 to $360,000 per year fully-loaded. Most mid-market business cases for EDR present the licence as the cost of the platform and forget the FTE allocation. The FTE line is structurally larger than the licence line at this scale. Either budget for it explicitly or move to a managed-detection-and-response model that absorbs most of the analyst workload into the service price.
The mid-market build-vs-buy SOC threshold
The threshold question for mid-market security teams is whether to run EDR in-house with an internal analyst or two, contract a managed-detection-and-response provider to wrap the EDR, or accept an all-in bundle from a provider supplying both platform and service. The answer depends on endpoint count, analyst availability in the local talent market, regulatory regime, and cyber-insurance posture.
Below 1,000 endpoints, the build-vs-buy math almost always favours buy. Twenty-four-hour security operations centre coverage requires four to five senior analysts at $150,000 to $200,000 fully-loaded each (to cover holidays, sick leave, and training), plus on-call rotation, plus tooling, plus management. That is $600,000 to $1,200,000 per year of fixed cost. Managed-detection-and-response for a 1,000-endpoint mid-market shop typically prices at $180,000 to $300,000 per year all-in. The math is not close.
Between 1,000 and 5,000 endpoints, MDR continues to win on cost in most cases, though a hybrid model (in-house tier-one triage during business hours, MDR for after-hours and escalation) starts to make sense. Above 5,000 endpoints, the economics begin to balance and the decision shifts to non-cost factors: in-house team capability, regulatory expectations, breach history, and the maturity of the security programme overall.
For the full SOC build cost model, see securityoperationscost.com. For MDR pricing in detail, see mdrcost.com.
The year-three TCO model
Mid-market vendors quote heavily on three-year deals because the discount band is meaningful (15 to 25 percent off list, sometimes more at quarter-end) and the customer-acquisition cost amortises over a longer commitment. Whether the three-year deal actually beats one plus one plus one annual depends on three variables: renewal-quote escalation if you stay annual, cost-line drift across the three years, and the cost of being locked in if the platform stagnates.
Renewal escalation in 2026 is running 5 to 15 percent on commodity EDR and 10 to 25 percent on platforms that have added meaningful capability. A three-year deal that locks you at year-one pricing protects against the upper end of that range. Cost-line drift adds line items as the platform matures: identity protection modules, cloud workload protection, vulnerability management, attack-surface management. Each tends to launch as a standalone SKU and migrate into bundles over time. A three-year contract signed at year zero for the basic platform may need re-papering at year two anyway to add the new modules, eroding some of the up-front discount.
The honest test for whether to sign three years: how confident are you that this platform will still be the right answer at year three? If the answer is high confidence, take the discount. If you are buying largely because the incumbent is already deployed and you have not yet evaluated alternatives, prefer two years with a price-protection clause for year two and an explicit exit clause if service-level commitments are missed.
Procurement playbook for mid-market
- Get the endpoint inventory clean before the first vendor call. Count workstations, servers, mobile devices, VDI sessions, and contractor devices separately. This is the single number that moves quotes most.
- Decide the deployment model (cloud-managed, on-premises, hybrid) before requesting quotes. Cloud-managed is meaningfully cheaper and faster to deploy; on-prem is required for some regulated regimes.
- Decide the service model (EDR alone, EDR plus MDR, all-in MDR bundle) before requesting quotes. Different vendors are stronger at different configurations.
- Request three competing quotes minimum. Mid-market is the volume-discount sweet spot and competition moves prices materially.
- Normalise the three quotes onto a common per-endpoint, per-month basis with all add-ons priced in. The budget calculator produces a comparison-ready spreadsheet.
- Negotiate at quarter-end. Vendor sales cycles drive end-of-quarter discount pressure that mid-quarter quotes do not see.
- Insist on price-protection clauses for renewal years if signing multi-year. The standard contract language usually permits annual escalation; that is the negotiable line.