Comparison

EDR vs MDR: platform vs service, and how they layer.

EDR is a platform you buy. MDR is a service you contract. They are not alternatives; MDR is a wrapper around an EDR or XDR. The buyer's question is whether you run the platform yourself, contract MDR layered on it, or buy MDR with the platform bundled in.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

The category difference

EDR is software. You buy the licence, deploy the agents, configure the policies, read the alerts, decide on the responses. MDR is a service that does some or all of those activities on your behalf using an EDR or XDR platform as the underlying detection technology.

The most common confusion is treating EDR and MDR as alternatives in the same dimension. They are complementary. The real choice is: EDR alone, EDR plus MDR, or MDR with bundled EDR. These are three configurations of the same underlying capability.

The layered cost stack

The three configurations have different cost shapes:

| Configuration | Platform cost | Service cost | Internal FTE | Typical all-in /ep/mo |
|---|---|---|---|---|
| EDR alone (in-house) | $3 – $15/ep/mo | $0 | 0.5 – 1 SMB / 1 – 2 mid | $15 – $40 |
| EDR + MDR layered | $3 – $15/ep/mo | $15 – $30/ep/mo | 0.1 – 0.3 residual | $25 – $50 |
| MDR with bundled EDR | included in service | $25 – $45/ep/mo all-in | 0.1 – 0.3 residual | $25 – $45 |

The all-in figures look similar between EDR-plus-MDR-layered and MDR-with-bundled-EDR. The differences are in flexibility (layered preserves your platform choice if you switch service providers) and procurement complexity (bundled is one contract).

EDR alone all-in is the highest in the table because internal FTE cost dominates at mid-market scale. The headline licence figure ($3 to $15) is misleading on its own; the FTE allocation adds another $10 to $25 per endpoint per month at mid-market staffing levels.

MDR with bundled EDR

Some MDR providers bring their own EDR. Examples include providers who operate proprietary EDR products (or who rebrand a partner’s EDR under the service contract). The pricing model is typically a single per-endpoint per-month rate covering platform plus service.

Pros: simpler procurement (one contract), often lower all-in per-endpoint than separate EDR plus MDR (the provider buys the EDR at scale and passes some of the volume discount through), tightly integrated console and workflow.

Cons: vendor lock-in is structural. Switching the MDR provider means switching the EDR platform. Telemetry retention does not migrate. The platform is whatever the provider supports; you do not choose it independently.

MDR layered on your existing EDR

The alternative model: you continue to own the EDR platform contract directly, and the MDR provider operates on top of it via the platform’s API. Most major MDR providers support multiple EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Sophos) and let you choose the one you want.

Pros: independence preserved. If the MDR service quality drops, you can switch providers without changing the platform. Platform choice is yours; service is procured separately.

Cons: two contracts to manage. Slightly higher all-in cost than bundled (no volume pass-through). Integration friction is real but typically acceptable for the major EDR-MDR combinations.

Typical add-on pricing for this model is $15 to $30 per endpoint per month for the service layer alone, on top of whatever you pay for the EDR licence directly.

When to buy MDR vs build a SOC

The build-vs-buy threshold question has clear bands.

  • Below 1,000 endpoints: MDR is almost always the right answer. SOC fixed costs (4 to 5 senior analysts at $150K to $200K fully-loaded each, plus on-call rotation, plus tooling) do not scale down economically.
  • 1,000 to 5,000 endpoints: MDR continues to be cheaper in most cases, but a hybrid approach (in-house tier-1 triage with MDR escalation) starts to make sense.
  • 5,000 to 25,000 endpoints: The economics balance. Some organisations build SOCs at this scale; others stay on MDR for capability reasons (better threat hunting, twenty-four-hour coverage).
  • Above 25,000 endpoints: In-house SOC is increasingly viable on cost, though regulated industries and mature security functions sometimes maintain MDR alongside in-house teams for surge capacity and as a credible adversary on detection coverage.

See securityoperationscost.com for the full SOC-build cost model and mdrcost.com for the full MDR pricing framework.

EDR vs MDR questions

Can I have MDR without EDR?
No, in the literal sense. MDR is a managed service that operates on telemetry from a detection platform. The platform is almost always an EDR or XDR. Some MDR providers bundle their own EDR into the service price (a single bundled SKU). Others operate on the customer's existing EDR via the platform's API. There is no MDR product that operates on no platform; the question is whether the EDR is bundled or separate.
Is MDR cheaper than building a SOC?
Below approximately 5,000 endpoints, MDR is almost always cheaper than building an in-house SOC because SOC fixed costs (analysts, tooling, training, on-call rotation) do not scale down. A 24-hour SOC requires at least 4 to 5 senior analysts ($600,000 to $900,000 fully-loaded), plus tooling and infrastructure. MDR for a 1,000-endpoint shop is typically $180,000 to $540,000 per year all-in. Above 10,000 endpoints, the in-house SOC math gets more competitive because the fixed costs amortise across more endpoints. See securityoperationscost.com for the full SOC build cost model.
What is the difference between MSSP and MDR?
Historically MSSPs (managed security service providers) operated multi-tool security stacks (firewall, SIEM, IDS) on behalf of customers and were broader than MDR. MDR (managed detection and response) emerged as a specialised category focused specifically on detection and response, typically EDR-centric, with stronger threat-hunting and incident-response capabilities than legacy MSSPs. The lines have blurred since 2022 as MSSPs have expanded into MDR-style services and MDR providers have added managed-firewall and managed-SIEM. In practice, evaluate the specific scope of each provider's service rather than the category label.

Updated 2 May 2026