Buyer's playbook

EDR for small business: the cheapest defensible posture for under 250 endpoints.

Most 'EDR for small business' content is vendor-authored sales material. This is the neutral posture: three SMB defensive choices, the SMB-specific cost optimisations, what buyers most often miss in the budget, and the cyber-insurance angle that drives most SMB EDR procurement in 2026.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

What “small business” means in EDR

Vendor SMB tiers usually map to sub-500 endpoints, sometimes sub-100. Marketing definitions of small business are looser. This page treats genuine small business as 50 to 250 endpoints with one to three IT staff and zero dedicated security headcount. The posture math is meaningfully different above 250 endpoints, where a part-time security analyst becomes affordable and the build-vs-buy IR question changes shape.

The three SMB defensive postures

Tier 1: Strong NGAV with cyber-insurance gap acceptance

$2 – $5/endpoint/month

Covers: Machine-learning malware prevention, exploit protection, basic behavioural detection. No persistent telemetry.

Gaps: No threat hunting capability. No post-incident forensics. No EDR-class detection of fileless attacks. Will not satisfy most cyber-insurance underwriters.

For: Unregulated SMBs without cyber insurance, with strong patching and outsourced IT support that handles incidents reactively. Honestly: a shrinking segment in 2026 because cyber-insurance requirements have tightened.

Tier 2: Cloud-managed EDR self-deployed (the SMB EDR sweet spot)

$3 – $8/endpoint/month + light deployment

Covers: Full EDR-class detection, telemetry retention 30 to 90 days, response capability (kill process, isolate host), threat hunting tools. Satisfies most cyber-insurance underwriters.

Gaps: Requires some IT capability to interpret alerts. The platform provides detection; someone has to triage. SMBs without analyst capability can leave alerts unread for days.

For: The most common SMB path in 2026. 100 to 500 endpoints, one to three IT staff with security as a partial responsibility. Cyber-insurance compliant.

Tier 3: Managed EDR / MDR (the answer if you cannot triage)

$15 – $45/endpoint/month all-in

Covers: EDR plus 24-hour monitored response by an external SOC. No internal security analyst capability required.

Gaps: Highest absolute cost. Vendor lock-in is typically structural (switching MDR provider often switches the underlying platform).

For: SMBs with no internal security capability. 'We don't have anyone to look at the alerts' is the right reason to choose this. See mdrcost.com.

SMB-specific cost optimisations

Several optimisations materially reduce SMB EDR spend. In approximate order of impact:

  1. Microsoft 365 bundling. If you already pay for Microsoft 365 Business Premium ($22 per user per month) or M365 E3 ($36) or E5 ($57), Microsoft Defender for Endpoint Plan 1 or Plan 2 is included. This is structurally the cheapest EDR for organisations already on Microsoft 365 because the marginal cost is zero.
  2. Public sub-100-endpoint SMB plans. Several vendors publish list pricing for sub-100-endpoint tiers (CrowdStrike Falcon Go and others). These plans are feature-stripped versions of the broader product. Verify the SMB plan includes telemetry retention and response capability before purchasing.
  3. Annual vs monthly billing. Annual billing is typically 10 to 20 percent cheaper than monthly. Always negotiate annual at SMB scale; monthly is a vendor-friendly default.
  4. Multi-year commitment. Two-year commitments unlock 10 to 15 percent additional reduction. Three-year commitments unlock 15 to 25 percent. At SMB scale where total spend is $5K to $30K per year, the dollar savings are real but the lock-in risk is also real if your headcount or insurance situation changes.
  5. Bundled with other security products. Some vendors bundle EDR with email security or SaaS-app security at SMB tier with material discounts. Worth asking.

What SMB buyers most often miss in the budget

  1. Server licence multiplier. One server is not one endpoint. Most vendors apply a 1.5x to 2.5x multiplier. A 200-endpoint SMB that is 150 workstations and 50 servers prices materially differently from 200 flat workstations.
  2. Migration credit when switching vendors. Most vendors will comp the migration service when you are leaving a competitor. Always ask. A typical SMB migration service is invoiced at $10K to $25K and is one of the easiest line items to negotiate to zero.
  3. Training credits. SMB tiers often include one to two free admin certification seats. These are commonly forgotten and quietly absorbed by the vendor. Always ask.
  4. Renewal escalation. Always negotiable, often forgotten. A 5 percent annual escalation compounds to 16 percent over three years. Cap it at contract signing.

The cyber-insurance angle for SMB specifically

For most SMBs in 2026, the primary EDR motivation is cyber-insurance compliance. Coalition, Corvus, Beazley, Embroker, and Cowbell all reference EDR or equivalent endpoint detection in their underwriting questionnaires for SMB segments. Some carriers continue to accept an NGAV equivalent for sub-100-employee accounts; the window is closing.

The premium offset is meaningful at SMB scale. A typical SMB cyber policy with $35,000 base premium that drops 10 percent for documented EDR ($3,500 saved) covers roughly 60 percent of a $6 per endpoint per month EDR spend on 200 endpoints. Combined with the underlying detection-coverage benefit and the compliance-framework benefit, the math works for most SMBs.

See EDR and cyber insurance for the full carrier-by-carrier requirement table and premium-reduction band.

Small business EDR questions

What is the cheapest EDR?

The cheapest defensible EDR posture in 2026 is Microsoft Defender for Endpoint Plan 1 if you already have Microsoft 365 Business Premium or higher (it is included). For pure standalone purchase without Microsoft 365 dependency, several SMB-tier products from established vendors run two to four dollars per endpoint per month at sub-100-endpoint scale with public list pricing. Avoid optimising purely for headline rate; verify the SMB tier includes EDR-class telemetry retention (at least 30 days) and response capability (process termination, host isolation), which is the minimum carrier-acceptable definition.

Do I need EDR if I have under 50 endpoints?

It depends on your industry, your cyber-insurance situation, and your patching discipline. Sub-50-endpoint shops in unregulated industries with strong patching, no remote workforce, and no cyber insurance can sometimes defensibly run NGAV alone. Sub-50-endpoint shops with cyber insurance, or in healthcare or financial-services or any regulated context, generally need EDR-class detection. The honest test is whether your insurance carrier accepts NGAV; most carriers in 2026 require EDR baseline regardless of headcount.

Is Microsoft Defender enough for small business?

Microsoft Defender Antivirus, the free product built into Windows, is sufficient as the prevention layer but is not EDR. Microsoft Defender for Endpoint Plan 1 is paid Microsoft EDR and is sufficient as the EDR layer for most small businesses. The structural advantage is that Plan 1 is included free with Microsoft 365 E3 and most Business Premium plans. If you already pay for Microsoft 365 at those tiers, you have free EDR; you should turn it on rather than buying a separate product.

Updated 2 May 2026