EDR vs MDR: Cost and Which Is Right for Your Team
EDR is a tool ($3-15/endpoint/month). MDR is that tool plus a 24-hour analyst team ($15-50/endpoint/month). The right choice depends on your staffing capacity, not just price.
EDR (Self-managed)
- ✓ EDR software licence
- ✓ Automated detection and alerts
- ✓ Response tools (your team acts)
- ✓ Threat intelligence feeds
- ✓ Investigation interface
- ● In-house analysts to review alerts
- ● 24/7 on-call coverage
- ● Threat hunting capability
- ● Incident response plan
MDR (Managed)
- ✓ EDR software (included)
- ✓ 24/7 analyst monitoring
- ✓ Active threat hunting
- ✓ Incident response
- ✓ Monthly security reports
- ✓ Breach warranty (most providers)
- ● Initial onboarding (2-4 weeks)
- ● Alert tuning with provider
- ● Communication SLA agreement
Staffing Cost Comparison: EDR + In-House SOC vs MDR
| Organisation size | EDR + In-house SOC | MDR (fully managed) |
|---|---|---|
| 100 endpoints | $80k-150k/yr (1 analyst + EDR) | $18k-60k/yr (MDR only) |
| 500 endpoints | $120k-250k/yr (2 analysts + EDR) | $90k-180k/yr (MDR only) |
| 1,000 endpoints | $200k-350k/yr (3 analysts + EDR) | $180k-360k/yr (MDR only) |
| 5,000 endpoints | $500k-900k/yr (6+ analysts + EDR) | $540k-900k/yr (MDR only) |
Analyst costs based on US median security analyst salary of $100,000-$140,000 per year plus benefits (~40% overhead). In-house cost assumes 24/5 coverage (not 24/7).
EDR vs MDR FAQ
What is the cost difference between EDR and MDR?
EDR software costs $3 to $15 per endpoint per month for the tool only. MDR (managed detection and response) bundles the EDR technology with 24-hour analyst monitoring and response, costing $15 to $50 per endpoint per month. The difference covers the analyst team: typically 2 to 4 trained security analysts per 1,000 endpoints in a managed service model. For a 500-endpoint organisation, EDR might cost $25,000 to $45,000 per year while MDR costs $90,000 to $180,000 per year — but MDR replaces the need for in-house SOC staff.
When is MDR worth the extra cost over self-managed EDR?
MDR is worth the premium when:
- (1) You cannot staff 24-hour SOC coverage — most EDR threats require response within 30 minutes to prevent lateral movement.
- (2) Your security team lacks threat hunting expertise — MDR providers proactively hunt threats that automated detection misses.
- (3) Your cyber insurance requires 24-hour monitoring — many policies now stipulate this.
- (4) You have experienced a breach and need assurance — MDR providers carry breach warranties.
- (5) In-house analyst cost would exceed MDR cost — a single experienced security analyst costs $100,000 to $150,000 per year before benefits.

For 250 endpoints or fewer, MDR is almost always cheaper than staffing equivalent 24-hour coverage.
What are the leading MDR providers and their pricing?
CrowdStrike Falcon Complete (MDR) is custom-priced at approximately $20 to $30 per endpoint per month with a minimum commitment. SentinelOne Vigilance MDR runs approximately $18 to $25 per endpoint per month. Sophos MDR starts at approximately $11 to $15 per endpoint per month. Arctic Wolf MDR is custom-priced with typical deployments at $15 to $35 per endpoint per month. Deepwatch and Expel are mid-market MDR providers at $15 to $40 per endpoint per month. Most MDR providers require a minimum of 250 to 500 endpoints.
Can I start with EDR and add MDR later?
Yes, and this is a common transition path. Start with a platform like CrowdStrike Falcon Pro or SentinelOne Singularity Core, operate it for 6 to 12 months to understand your threat landscape, then add the vendor's managed layer or engage a third-party MDR provider. Some organisations find that autonomous response in SentinelOne (STAR) reduces alert volume enough to operate without MDR. Others find that after 12 months of managing alerts, the operational burden justifies the MDR cost increase.