Why three-year matters
Year-one EDR TCO over-states steady-state cost because it carries one-time deployment expense, the initial detection-rule tuning effort, and the analyst-team learning curve. Year-three EDR TCO under-states it if you assume linear scaling, because it ignores headcount drift, contract-renewal dynamics, and the typical platform module-addition cycle that adds new line items over the contract period.
The honest three-year picture is non-linear. Year one is loaded; years two and three settle to a steady-state that is meaningfully lower per-year than year one. Add in renewal escalation at year three (if annual contracts) or at the contract-period boundary (if multi-year), and the overall three-year curve has a U-shape: high at year one, low at year two, rising slightly at year three.
Most EDR procurement business cases use year-one TCO as the headline number. This systematically over-states the true steady-state cost and under-states the difference between vendors with different module-addition cadences and renewal-pricing histories. Working through the year-by-year line-item evolution honestly is the more reliable approach for material procurement decisions.
The year-by-year evolution
Year one
Year-one EDR TCO carries the deployment one-time charge ($25 to $75 per endpoint at scale), the initial detection-rule tuning effort (typically 0.25 to 0.5 FTE per 1,000 endpoints in the first six months), the licence at the year-one negotiated rate, and the optional add-ons (incident-response retainer, managed-detection-and-response wrap, premium-tier modules) at their year-one rate.
The deployment line is typically the largest one-time charge in the contract. For a 1,500-endpoint deployment at $40 per endpoint vendor-led, that is a $60,000 one-time charge that lands entirely in year-one TCO. Add the initial tuning effort at half-FTE for six months (roughly $35,000 to $50,000 of analyst time) and year-one TCO is approximately $100,000 above what year-two and year-three look like at steady state.
Year two
Year-two TCO drops the deployment line entirely (no recurring charge). Detection-rule tuning effort typically drops by 20 to 40 percent as the platform matures in the environment, false positives are characterised, and response procedures are documented. Licence rate is typically flat (year two of multi-year contract) or sees modest escalation (year-two annual renewal at typical 5 to 15 percent increase).
Year-two is typically the cleanest steady-state year. The platform is mature in the environment, the analyst team has internalised operations, and no major module additions or contract changes have disrupted the cost line yet. Most vendor TCO presentations focus on year-two figures because they present the platform in the best light.
Year three
Year-three TCO often sees a step change. Multi-year contracts typically renew at year three, which triggers the renewal escalation. New modules launched during years one and two by the vendor may have been added to the contract by year three, expanding the licence line. Headcount drift over three years (typically 10 to 30 percent endpoint growth or shrinkage) shows up in licence cost.
The honest year-three picture is rarely a clean continuation of year-two. Plan for renewal escalation and module-addition expansion when modelling three-year TCO. The conservative budget treats year three as approximately year-two cost plus 15 to 25 percent for these factors.
Headcount drift
Most organisations grow or shrink endpoint count by 10 to 30 percent over a three-year horizon. Mergers and acquisitions, hiring growth or contraction, infrastructure consolidation or expansion all move the endpoint count materially over multi-year periods.
EDR contracts handle drift in different ways. Most contracts price on declared endpoint count at contract signing, with adjustments at renewal or via flexible-licence add-ons during the contract period. Growth above the contract count typically incurs the standard per-endpoint rate without volume-discount benefit until the next renewal; this can erode the multi-year discount meaningfully if growth is rapid. Decline below the contract count typically does not refund per-endpoint cost; this can leave the customer paying for endpoints they no longer have.
Some vendors offer true-up provisions that reconcile actual endpoint count to contract count periodically (typically quarterly or annually) with credit or charge as appropriate. These provisions are not standard but they are negotiable, particularly for customers with known volatility (for example, growing-company endpoint counts, planned acquisition activity, planned divestiture). Push for true-up provisions in multi-year contracts where drift is likely.
The net effect of headcount drift is typically that real three-year TCO exceeds the static-quote calculation by 10 to 25 percent. This is rarely accounted for in procurement business cases.
FTE evolution
The FTE allocation against EDR is not a flat line over three years. The first 6 to 12 months require materially more analyst time per endpoint as detection rules tune to the environment, false positives are characterised, response procedures are documented, and the analyst team builds platform familiarity. By year two, per-endpoint analyst time typically drops by 20 to 40 percent.
By year three, per-endpoint analyst time may continue to drop (mature platform, mature analyst team, stable detection-rule set) or may rise back if new modules are added that require their own tuning cycle. Identity protection modules, cloud workload protection modules, and attack-surface management modules each typically add 0.1 to 0.2 FTE per 1,000 endpoints in their first six months of deployment before settling to lower steady-state.
The honest three-year FTE allocation is therefore a curve with a high front-end (year one), a low mid-term (year two), and a slight rise at year three if module additions occur. The typical mid-market shop with 1,500 endpoints lands at 1.0 to 1.5 FTE in year one, 0.6 to 0.9 FTE in year two, and 0.7 to 1.1 FTE in year three. Fully-loaded, that is approximately $130,000 to $200,000 in year one, $80,000 to $120,000 in year two, and $90,000 to $145,000 in year three.
Worked three-year TCO
Illustrative three-year TCO for a 1,500-endpoint mid-market shop on cloud-managed EDR with two-year initial contract length, standard managed-detection-and-response wrap, and modest endpoint growth.
| Cost line | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| Licence (1,500 ep at $7/ep/mo) | $126,000 | $126,000 | $145,000 | $397,000 |
| Deployment one-time | $60,000 | $0 | $0 | $60,000 |
| MDR add-on ($20/ep/mo) | $360,000 | $360,000 | $415,000 | $1,135,000 |
| Internal FTE allocation | $160,000 | $100,000 | $120,000 | $380,000 |
| Year subtotal | $706,000 | $586,000 | $680,000 | $1,972,000 |
Three-year TCO is approximately $1.97M for the worked scenario. Year-one is the highest at $706,000 (loaded with deployment and initial tuning). Year-two is the lowest at $586,000 (clean steady state). Year-three rises to $680,000 (renewal escalation and modest endpoint growth). The naive multiplier (year one times three) would have suggested $2.12M, over-estimating the true TCO by approximately 7 percent.
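The worked table recomputed year by year, as an added example that is not part of the original article. The single `year3_uplift` factor of 15 percent applied to the licence and MDR lines is an assumption chosen to approximate the table's rounded year-three figures, and the class, field and function names are illustrative.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    # Inputs taken from the worked table above.
    endpoints: int = 1500
    licence_per_ep_month: float = 7.0
    mdr_per_ep_month: float = 20.0
    deploy_per_ep: float = 40.0            # one-time, year one only
    fte_cost: tuple = (160_000, 100_000, 120_000)
    # Assumption: renewal escalation and endpoint growth folded into one
    # year-three factor; 0.15 approximates the table's rounded figures.
    year3_uplift: float = 0.15

def yearly_tco(s):
    """Return one dict of cost lines per year (1..3)."""
    rows = []
    for year in (1, 2, 3):
        uplift = (1 + s.year3_uplift) if year == 3 else 1.0
        row = {
            "year": year,
            "licence": s.endpoints * s.licence_per_ep_month * 12 * uplift,
            "deployment": s.endpoints * s.deploy_per_ep if year == 1 else 0.0,
            "mdr": s.endpoints * s.mdr_per_ep_month * 12 * uplift,
            "fte": float(s.fte_cost[year - 1]),
        }
        row["total"] = sum(v for k, v in row.items() if k != "year")
        rows.append(row)
    return rows

def three_year_total(s):
    return sum(r["total"] for r in yearly_tco(s))

def naive_total(s):
    """Year-one TCO times three, the headline shortcut the article warns against."""
    return 3 * yearly_tco(s)[0]["total"]

def year3_sensitivity(s, uplifts=(0.15, 0.25)):
    """Three-year total across the 15 to 25 percent year-three planning range."""
    return {u: three_year_total(replace(s, year3_uplift=u)) for u in uplifts}

if __name__ == "__main__":
    base = Scenario()
    for r in yearly_tco(base):
        print(r["year"], f"${r['total']:,.0f}")
    print("three-year:", f"${three_year_total(base):,.0f}")
    print("naive:", f"${naive_total(base):,.0f}")
    print(year3_sensitivity(base))
```

With an exact 15 percent factor the model gives $678,900 for year three, against the table's rounded $680,000; the year-one and year-two subtotals match the table exactly.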
For a different platform configuration without the MDR wrap, three-year TCO drops by roughly $1.13M (eliminating the MDR add-on entirely), but the internal FTE allocation typically rises by 0.5 to 1 FTE per year to compensate. The net saving is therefore approximately $700,000 to $850,000 over three years, not the full $1.13M. The MDR-versus-in-house question is a real choice with real economic impact.
Three-year TCO procurement playbook
- Model TCO year-by-year, not as year-one times three. Deployment and initial tuning are year-one only; FTE evolution, renewal escalation, and module-addition expansion all show up in years two and three.
- Apply expected headcount drift to the model. Plan for 10 to 30 percent endpoint count change over three years; build it into the licence projection.
- Build in renewal escalation at year three for multi-year contracts that renew during the period. Typical 10 to 20 percent renewal step-up.
- Plan for module additions during the contract period. Identity protection, cloud workload protection, and attack-surface management are likely additions at most platforms.
- Negotiate true-up provisions for multi-year contracts where headcount drift is likely. Quarterly or annual reconciliation with credit-or-charge alignment.
- Compare the three-year TCO of the EDR-only-plus-internal-team configuration to the EDR-plus-MDR configuration honestly. The MDR-wrapped configuration carries a meaningful but not unlimited premium over the in-house alternative when FTE allocation is properly accounted.
- Use the budget calculator to produce the line-item year-by-year breakdown that can be presented to finance.