The default and the upgrade ladder
Cloud-managed EDR platforms in 2026 typically default to 30 days of raw telemetry retention and 90 to 180 days of derived alert and incident records. The default reflects a balance between storage cost and forensic-investigation utility for the typical customer. The split between raw telemetry and derived records matters: raw telemetry is what lets an analyst hunt back through the past for activity that was missed at the time, while derived records are summary-level information about alerts that have already been triaged, and cannot be re-queried for indicators that were unknown when the alert fired.
The retention upgrade ladder typically follows three steps. The first step is 90-day raw telemetry retention, typically priced at 10 to 20 percent above the base per-endpoint rate. The second step is one-year retention, typically priced at 30 to 50 percent above the base rate or available only in a premium-tier SKU. The third step, multi-year retention, is typically only available via export to a separate security data lake or SIEM platform rather than as an EDR-native option.
The pricing economics reflect storage cost compounding with retention length and vendor recognition that customers requiring longer retention have specific compliance or threat-hunting reasons that justify premium pricing. The marginal storage cost for the vendor is real but not unlimited; customers can often negotiate better pricing on retention upgrades than the published list rate suggests, particularly as part of multi-year contract negotiations.
Why default 30 days is rarely enough
Default 30-day raw telemetry retention is sufficient for the common case of investigating an alert triggered today against the activity of the last several weeks. It is rarely sufficient for the more consequential investigation patterns.
Dwell-time investigation. The interval between initial compromise and detection for sophisticated intrusions is frequently measured in weeks to months; public industry dwell-time reporting consistently shows a long tail well beyond 30 days even in years when the reported median is shorter. When detection finally fires, reconstructing the intrusion back to initial access requires telemetry from before the detection date, and default 30-day retention routinely runs out mid-investigation: the initial-access event, the first lateral movement and the first credential theft are exactly the events most likely to have already aged out.
Compliance-driven log retention. Most regulatory regimes that explicitly mention retention require longer than 30 days. PCI DSS 4.0 requires one year of audit log history with the most recent three months immediately available for analysis (Requirement 10.5.1). SOC 2 Type II auditors typically expect 90 days as a baseline. NYDFS Part 500 requires audit trails designed to detect and respond to material cybersecurity events to be kept for at least three years (500.06). NIS2 expects retention sufficient for incident analysis, typically interpreted by national implementations as one year minimum.
Threat-hunting capability. Effective threat hunting requires the ability to query historical telemetry for indicators-of-compromise that were not known at the time of original event collection. As new threat intelligence emerges (a previously-unknown attacker tool is identified, a new campaign is attributed to known infrastructure), hunting back through historical telemetry is the only way to know whether the organisation was previously targeted. Limited retention limits hunting depth.
Compliance retention requirements
Common compliance regimes have varying requirements for security event log retention.
| Regime | Retention requirement | Notes |
|---|---|---|
| PCI DSS 4.0 | 1 year, most recent 3 months immediately available | Explicit in Requirement 10.5.1 |
| SOC 2 Type II | 90 days typical baseline | Auditor-discretion; 1 year increasingly common |
| HIPAA Security Rule | Not explicit for logs | Documentation retention is 6 years (164.316(b)(2)); OCR investigations expect 90 days to 1 year of logs |
| NYDFS Part 500 | 3 years for audit trails detecting material cybersecurity events; 5 years for transaction-reconstruction records | Explicit in 500.06(b) |
| FFIEC IT Handbook | Sufficient for forensics | 1 year examiner expectation typical |
| NIS2 (EU) | Varies by national implementation | 1 year typical baseline |
| SEC cyber rule | Not specified | Materiality determination requires depth |
The retention requirement to size against is the maximum across applicable regimes. A US public-company financial-services entity in both NYDFS and PCI DSS scope sizes against the NYDFS three-year audit-trail requirement, which exceeds the one-year PCI figure; a healthcare provider in HIPAA scope alone may size against the 90-day to one-year band depending on auditor and cyber-insurance carrier preferences.
The retention requirement informs the EDR procurement decision. If the maximum applicable requirement is 90 days, the 90-day add-on at 10 to 20 percent premium typically prices similarly to the equivalent log-management infrastructure cost. If the maximum is one year, the EDR-native one-year premium versus export-to-security-data-lake economics need explicit comparison.
The cold-storage tier alternative
Some EDR vendors offer a cold-storage tier for telemetry beyond the standard retention period. Cold storage typically costs meaningfully less per byte than hot storage but with higher query latency (minutes to hours rather than seconds) and sometimes additional per-query charges.
The cold-storage tier suits compliance use cases where retention is required for auditor or breach-investigation purposes but where the query frequency is low. A healthcare provider that needs one-year retention for OCR investigation purposes but does not threat-hunt back beyond 90 days regularly is a good fit for cold-storage. The cost saving versus full hot retention can be 50 to 80 percent for the cold-tier portion.
The cold-storage tier does not suit threat-hunting use cases that require frequent queries against historical telemetry. The query latency and per-query charges erode the cost savings if hunting is frequent. For active threat-hunting programs with regular look-back requirements, hot retention or export to a security data lake is more cost-effective than cold storage.
Security data lake economics
For very long retention requirements (multiple years) or for very large estates where EDR-native retention pricing becomes prohibitive, exporting EDR telemetry to a separate security data lake is often more cost-effective than EDR-native retention.
The architectural pattern is to use EDR for active detection and the most recent 90 days of investigation, then export telemetry to a security data lake (Snowflake, Databricks, Amazon Security Lake, Microsoft Sentinel with its long-term retention tier, Elastic Security with a frozen tier) for longer-term retention and historical querying. The data-lake cost typically lands at 30 to 50 percent of equivalent EDR-native retention pricing for long-retention scenarios.
The crossover point depends on EDR vendor retention pricing and data-lake storage and query cost. For a 5,000-endpoint estate, EDR-native one-year retention might cost $50,000 to $100,000 per year as a premium SKU; equivalent retention via export to a security data lake might cost $20,000 to $50,000 per year all-in including storage, ingest, and modest query volume. The tradeoff is operational complexity (two query interfaces, additional integration to maintain) versus cost.
For estates above 10,000 endpoints with long-retention requirements, security data lake export almost always wins on cost. For estates below 1,000 endpoints, EDR-native retention is usually simpler and cheaper. The mid-band requires explicit comparison.
Retention sizing playbook
- Identify the maximum applicable compliance retention requirement. Size against that, not against the average or against generic best-practice.
- Distinguish raw-telemetry retention from derived-records retention. The latter is typically longer by default and may satisfy requirements phrased around alert and incident records, but it cannot substitute for raw telemetry where the requirement, or the investigation, needs the underlying events.
- For 90-day requirements, evaluate the EDR-native add-on against the storage cost it implies. Typical 10 to 20 percent premium is usually attractive.
- For one-year requirements, compare EDR-native premium SKU against export-to-security-data-lake economics. The data-lake path often wins at scale.
- For multi-year requirements, plan for security data lake or equivalent architecture rather than EDR-native retention. Multi-year retention is rarely cost-effective EDR-native.
- Consider cold-storage tier where compliance requires retention but query frequency is low. The 50 to 80 percent cost saving versus hot retention can be material at scale.
- Negotiate retention pricing as part of multi-year contract discussions. Vendors are often more flexible on retention add-on pricing than on base licence rate.
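As an added worked example (not part of the original page, and not drawn from any vendor's price list), the following Python model puts the three paths of the playbook side by side: EDR-native hot retention, the cold-storage tier, and export to a security data lake. Every price, the per-endpoint telemetry volume, the 90-day hot window, the per-query charges and the fixed data-lake overhead are hypothetical assumptions chosen to fall inside the ranges quoted above; substitute the figures from your own quotes. It goes slightly beyond the text in two ways: it reports the EDR-native cost as infinite beyond one year, since no native SKU exists to compare against, and it finds the endpoint-count crossover at which the data-lake path undercuts the native premium SKU.

```python
"""Retention cost model: EDR-native hot retention vs cold tier vs data-lake export.

Every price and volume below is a hypothetical assumption chosen to sit inside
the ranges quoted in the text; none comes from a real vendor price list.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Assumptions:
    # All figures hypothetical, USD, per year unless stated otherwise.
    base_rate_per_endpoint_year: float = 40.0   # base EDR licence per endpoint
    default_days: int = 30                      # raw telemetry retention included in base
    hot_window_days: int = 90                   # hot window kept in the EDR on the cold and lake paths
    addon_90d_premium: float = 0.15             # 90-day add-on: 15% uplift on base (text: 10-20%)
    premium_1y_uplift: float = 0.40             # one-year SKU: 40% uplift on base (text: 30-50%)
    gb_per_endpoint_day: float = 0.05           # raw telemetry volume per endpoint per day
    cold_usd_per_gb_month: float = 0.015        # vendor cold tier storage
    cold_usd_per_query: float = 25.0            # per-query charge against the cold tier
    lake_storage_usd_per_gb_month: float = 0.023
    lake_ingest_usd_per_gb: float = 0.05
    lake_query_usd_per_query: float = 5.0
    lake_fixed_usd_year: float = 15000.0        # pipeline, integration, second query interface


def gb_retained(endpoints: int, days: int, a: Assumptions) -> float:
    """Steady-state gigabytes on disk for a retention window of `days`."""
    return endpoints * a.gb_per_endpoint_day * max(days, 0)


def native_cost(endpoints: int, retention_days: int, a: Assumptions) -> float:
    """Annual cost above the base licence for EDR-native hot retention.

    Returns math.inf beyond one year: multi-year retention is not offered
    EDR-native, so there is no finite price to compare against.
    """
    base = endpoints * a.base_rate_per_endpoint_year
    if retention_days <= a.default_days:
        return 0.0
    if retention_days <= 90:
        return base * a.addon_90d_premium
    if retention_days <= 365:
        return base * a.premium_1y_uplift
    return math.inf


def cold_tier_cost(endpoints: int, retention_days: int, queries_per_year: int, a: Assumptions) -> float:
    """Hot window via the EDR add-on, remainder in the vendor cold tier, plus per-query fees."""
    hot = native_cost(endpoints, a.hot_window_days, a)
    cold_gb = gb_retained(endpoints, retention_days - a.hot_window_days, a)
    return hot + cold_gb * a.cold_usd_per_gb_month * 12 + queries_per_year * a.cold_usd_per_query


def data_lake_cost(endpoints: int, retention_days: int, queries_per_year: int, a: Assumptions) -> float:
    """Hot window via the EDR add-on, full retention in a data lake (storage + ingest + queries + fixed)."""
    hot = native_cost(endpoints, a.hot_window_days, a)
    retained = gb_retained(endpoints, retention_days, a)
    ingested = gb_retained(endpoints, 365, a)  # each byte is ingested once per year, whatever the retention
    return (hot + retained * a.lake_storage_usd_per_gb_month * 12
            + ingested * a.lake_ingest_usd_per_gb
            + queries_per_year * a.lake_query_usd_per_query
            + a.lake_fixed_usd_year)


def native_vs_lake_crossover(retention_days: int, queries_per_year: int, a: Assumptions,
                             step: int = 100, limit: int = 50000):
    """Smallest endpoint count (in steps of `step`) at which the lake path undercuts EDR-native."""
    for n in range(step, limit + 1, step):
        if data_lake_cost(n, retention_days, queries_per_year, a) < native_cost(n, retention_days, a):
            return n
    return None


def compare(endpoints: int, retention_days: int, queries_per_year: int, a: Assumptions = Assumptions()) -> dict:
    """Annual cost above base licence for each path; math.inf means the path is not offered."""
    return {
        "native": native_cost(endpoints, retention_days, a),
        "cold_tier": cold_tier_cost(endpoints, retention_days, queries_per_year, a),
        "data_lake": data_lake_cost(endpoints, retention_days, queries_per_year, a),
    }


if __name__ == "__main__":
    for n in (500, 5000, 10000):
        print(f"{n} endpoints, 1 year, 200 queries/yr:", compare(n, 365, 200))
    print("1-year native-vs-lake crossover (endpoints):", native_vs_lake_crossover(365, 200, Assumptions()))
    print("5000 endpoints, 3 years (NYDFS audit trail):", compare(5000, 1095, 200))
    print("5000 endpoints, 1 year, heavy hunting (2000 cold queries):", compare(5000, 365, 2000))
```

Under these assumptions the 1-year crossover lands near 4,000 endpoints, inside the mid-band the text says needs explicit comparison; the cold tier is the cheapest 1-year option at a dozen audit pulls a year but costs more than the native premium SKU once hunting reaches thousands of cold queries, which is the per-query erosion the cold-storage section describes. Change `Assumptions` to your own quotes before drawing any conclusion.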