Buyer segment

EDR cost for MSPs: multi-tenant pricing, RMM integration, the markup math.

Managed service providers buy EDR wholesale and resell it. The cost stack and margin math are different from direct buyers. Multi-tenant SKU availability, RMM integration economics, the typical 15 to 40 percent markup band, and the standardisation question.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

The MSP cost stack is different

MSPs buy EDR wholesale at rates meaningfully below what direct customers pay for the same product. The wholesale rate reflects three economic realities. First, MSPs aggregate endpoints across many customers, which unlocks volume-discount tiers that no individual customer would reach. Second, MSPs absorb most of the operational support load (tier-one and tier-two support to end customers), reducing the vendor's cost-to-serve per endpoint. Third, MSPs are typically multi-year committed channel partners with predictable revenue streams, which justifies the channel discount.

A small MSP with 1,000 to 5,000 endpoints across all clients typically lands at $2.50 to $5 per endpoint per month wholesale on commodity EDR. A large MSP with 50,000-plus endpoints across all clients can land at $1.50 to $3 per endpoint per month wholesale on the same products. Premium-tier EDR products with extensive feature sets price higher across both bands but with similar discount structure. The wholesale rate is what the MSP pays the vendor; what the MSP charges the end customer is a separate calculation.

On top of the wholesale rate, the MSP carries operational cost: the per-endpoint share of the platform engineering team that maintains the multi-tenant deployment, the per-endpoint share of the security operations centre that monitors the customer estates, and the per-endpoint share of the customer- success and account-management functions. These add typically $1 to $3 per endpoint per month to the MSP's all-in cost-of-goods. The markup over all-in COGS is what produces gross margin on the EDR line.

Multi-tenant SKU availability

Not all EDR platforms designed for direct enterprise sale support the multi-tenant capabilities that MSPs need to operate efficiently. Five capability areas matter most.

Tenant separation in the management console. The MSP's analyst should be able to view one customer at a time, with strict separation that prevents cross-customer data exposure. Some platforms designed primarily for direct enterprise sale handle multi-tenancy via separate accounts that the analyst must log in and out of, which is operationally painful at scale. Purpose-built MSP-tier platforms typically support tenant-context switching within a single console session.

Per-tenant policy and detection-rule configuration. Different customers have different risk profiles and may need different detection-rule tuning, different allowlist configurations, and different response-action authorisations. Platforms that force a single global policy across all tenants are unworkable for most MSPs.

Tenant-scoped role-based access control. The MSP's tier-one analyst should have read-only access to alert data across all customers but not have configuration-change capability; tier-two analysts may need configuration access but only for the customers they cover; senior analysts and customer-facing engineers may need broader access. The RBAC model needs to support these patterns without requiring a separate user account per tenant.

Multi-tenant reporting and billing-export capability. Customer billing requires per- tenant endpoint counts, per-tenant alert volumes, and per-tenant service-level statistics. Manual extraction is operationally expensive. API-driven export of these metrics into the MSP's billing system is a baseline expectation for any MSP-suitable EDR platform.

Partner-portal API for automation. Onboarding a new tenant, provisioning agent deployment, configuring policy from a template, and beginning monitoring should be automated end-to-end via API. MSPs that have to perform these steps manually for every new customer cannot operate at scale. The presence and maturity of the partner-portal API is often the determining factor in MSP EDR platform selection.

The RMM integration economics

Remote monitoring and management platforms (ConnectWise, N-able, Datto, Kaseya, Atera) are the operational nerve centre of most MSPs. EDR platforms that integrate well with the customer's chosen RMM are dramatically more operationally efficient than EDR platforms that do not.

The integration value comes from three workflows. EDR-agent push during customer onboarding from the RMM agent that is already deployed (saves manual installation per endpoint, typically 5 to 15 minutes per endpoint avoided). EDR alert surfacing in the RMM console (analysts work in one place rather than switching contexts to the EDR console). EDR response actions orchestrated from RMM workflows (host isolation, file quarantine, process termination triggered from the RMM ticket without needing to switch to the EDR platform).

Integration depth varies meaningfully by RMM-EDR combination. Some integrations are full bi-directional with rich workflow orchestration. Others are one-directional with limited capability (RMM pushes the agent, but alerts must be read separately in the EDR console, and response actions must be performed in the EDR console). MSPs typically choose EDR platforms partly based on the quality of integration with their existing RMM rather than purely on EDR capability.

The cost effect of poor RMM-EDR integration is real but rarely a direct line item. It shows up as additional analyst time per ticket, lower analyst-to-endpoint ratios at scale, and reduced ability to offer competitive per-endpoint pricing to end customers. MSPs that have switched EDR platforms primarily for RMM integration reasons typically report 15 to 30 percent operational efficiency gains.

The markup math

MSPs typically mark up EDR by 15 to 40 percent over wholesale to the end customer, with the band depending on the level of service wrap. Three common pricing patterns.

Bare-licence resale. The MSP resells the EDR with no operational involvement; the customer's IT team operates the platform. Typical markup 15 to 25 percent over wholesale. This is the lowest-margin model but also the lowest operational cost for the MSP.

EDR plus basic monitoring. The MSP triages alerts and forwards relevant ones to the customer; the customer handles response. Typical markup 25 to 40 percent over wholesale. This is the most common model for sub-500-endpoint customers.

EDR plus full managed-detection-and-response. The MSP operates the platform, triages alerts, and handles routine response (host isolation, malicious file removal, tier-one investigation). This is typically priced as a separate per-endpoint MDR rate of $15 to $30 per endpoint per month on top of the EDR licence, rather than as a markup on the EDR licence itself. This is the highest-margin and highest-operational-cost model.

The honest accounting view is that the markup model bundles platform cost with operational cost; the separate-MDR-rate model unbundles them. The unbundled model is more transparent for the customer (they can see what they pay for the platform versus the service) and easier to defend at customer renewal (the operational cost is justified separately from the platform cost). Most MSPs in 2026 trend toward the unbundled model for customers above 200 endpoints.

The standardisation question

MSPs face a recurring question about how many EDR platforms to support across their customer base. The pragmatic answer is one or two primary platforms standardised on for new customer onboardings, with capability to operate customer-existing platforms where displacement would be commercially unattractive.

Standardisation drives three benefits. First, wholesale-rate volume discount: an MSP with 10,000 endpoints concentrated on one platform pays a lower per-endpoint rate than an MSP with the same 10,000 endpoints split across four platforms. Second, operational efficiency for the analyst team: one platform to expert on rather than four reduces training cost, escalation ambiguity, and tier-two handoff complexity. Third, consistent customer experience: customers receive equivalent service quality regardless of which analyst happens to be on shift.

The cost of supporting non-standard platforms when the customer arrives with an established investment is real: additional vendor relationships, additional integration work with the RMM, additional analyst training, and lower volume-discount tier on the non-standard platform. Charging a per-platform operational premium for non-standard platforms is reasonable and creates incentive alignment toward standardisation over time. Some MSPs charge a flat $5,000 to $15,000 per year non-standard-platform fee per customer; others fold it into a higher per-endpoint rate.

MSP EDR procurement playbook

  1. Aggregate endpoint count across all customers for wholesale-rate negotiation. The volume tier matters; consolidate purchasing wherever possible.
  2. Evaluate multi-tenant capability honestly. Tenant separation, per-tenant policy, RBAC, billing- export, and partner-portal API are baseline requirements; not all enterprise EDR platforms have them.
  3. Choose EDR partly based on integration depth with the chosen RMM platform. Operational efficiency gains from full integration are typically 15 to 30 percent.
  4. Decide between markup model and separate-service-rate model for end-customer pricing. The unbundled model is increasingly the norm for customers above 200 endpoints.
  5. Standardise on one or two primary EDR platforms. Charge non-standard-platform premiums for customers who arrive with established alternative investments.
  6. Build customer migration paths for non-standard platforms over the customer-relationship lifecycle. Renewal cycles are natural points to introduce migration.
  7. Cross-link mdrcost.com for the MDR-side pricing framework.

MSP EDR cost questions

How much do MSPs pay for EDR wholesale?
MSPs typically buy EDR at wholesale rates 25 to 50 percent below the equivalent direct customer rate, with the discount band depending on aggregate endpoint volume across all the MSP's clients. A small MSP with 1,000 to 5,000 endpoints across all clients typically lands at $2.50 to $5 per endpoint per month wholesale on commodity EDR. A large MSP with 50,000-plus endpoints across all clients can land at $1.50 to $3 per endpoint per month wholesale. The wholesale rate is what the MSP pays the vendor; what the MSP charges the end customer is a separate calculation that adds operational cost, support, and profit margin.
What multi-tenant features should MSPs look for in EDR?
Five multi-tenant features matter for MSP EDR adoption: tenant separation in the management console (the MSP's analyst should see one client at a time without cross-client data leakage), per-tenant policy and detection-rule configuration, tenant-scoped role-based access control, multi-tenant reporting and billing-export capability, and ideally a partner-portal API for automation. Not all EDR platforms designed for direct sale to enterprises support these multi-tenant capabilities adequately. MSPs typically prefer EDR platforms designed with MSP partner programs from the outset rather than enterprise platforms with bolt-on multi-tenant features.
What is the typical MSP markup over wholesale?
MSPs typically mark up EDR by 15 to 40 percent over wholesale to the end customer, with the band depending on the level of service wrap. Bare-licence resale (the MSP just resells the EDR with no operational involvement) typically marks up 15 to 25 percent. EDR plus basic monitoring (the MSP triages alerts and forwards relevant ones to the customer) typically marks up 25 to 40 percent. EDR plus full managed-detection-and-response (the MSP operates the platform, triages alerts, and handles routine response) is typically priced as a separate per-endpoint MDR rate of $15 to $30 per endpoint per month on top of the EDR licence rather than as a markup.
How does EDR integrate with RMM platforms?
Most major RMM platforms (ConnectWise, N-able, Datto, Kaseya) have integrations with major EDR platforms that support pushing the EDR agent during onboarding, surfacing EDR alerts in the RMM console, and orchestrating response actions from the RMM workflow. The integration depth varies by RMM-EDR combination. Some integrations are full bi-directional (RMM can isolate hosts via EDR API, EDR can trigger RMM tickets); others are one-directional (RMM pushes the agent, but alerts are read separately in the EDR console). The integration choice often dominates the EDR vendor selection at MSPs because operational efficiency requires EDR-RMM coupling.
Should MSPs offer multiple EDR options or standardise on one?
The pragmatic answer is to standardise on one or two primary EDR platforms while remaining capable of operating customer-existing platforms. Standardisation drives wholesale-rate volume discount, operational efficiency for the MSP analyst team (one platform to expert on rather than several), and consistent customer experience. The exception is when a customer arrives with an established EDR platform investment that the MSP would not displace; in those cases, charging a per-platform operational premium for non-standard platforms is reasonable and aligns incentives toward standardisation over time.
Continue

Updated 2 May 2026