The seven onboarding-fee line items
Every EDR contract includes some subset of these seven line items. Some are mandatory; some are negotiable; some are waived as competitive incentive. Each one has a typical band, a buyer-side question, and a tactical recommendation.
Activation / provisioning fee
What it buys: Vendor-side cost of standing up your tenant in their cloud platform: tenant identifier, customer-success owner assignment, billing setup.
Status: Almost always waived. If the vendor lists this on a quote, ask for it to be removed; this is a soft fee with no underlying work.
Vendor-led deployment service
What it buys: Project-managed agent rollout, console configuration, initial policy templates, group-policy or MDM integration, exclusion-list configuration.
Status: Mandatory at scale; on-prem deployments effectively require it. SMB cloud deployments under 500 endpoints can self-deploy in 40 to 120 hours of internal time.
Migration service
What it buys: Replacing a prior endpoint product. Includes uninstall scripting, dual-running configuration during transition, validation that detection coverage is comparable, decommission of prior agent.
Status: Sometimes invoiced; commonly waived as competitive incentive. Always request it as a comp credit when switching from a competitor.
Initial tuning / detection-rule configuration
What it buys: Customer-specific exclusion list (development tools, line-of-business apps that legitimately do unusual things), high-priority detection-rule activation, initial alert-volume tuning to suppress false positives.
Status: Sometimes bundled with deployment; sometimes separate. Push for a fixed-scope statement of work with named deliverables, not time-and-materials.
Integration service
What it buys: Connectors to SIEM (Splunk, Sentinel), SOAR platforms (Tines, Torq), ticketing (ServiceNow, Jira), identity (Okta, Entra). Each integration is a discrete piece of work.
Status: Negotiable per-integration. Bundle three or more for a discount. SIEM integration is the most worth paying for; ticketing integration is usually self-deployable.
Training and certification
What it buys: Self-paced training is typically free for SMB-tier customers; instructor-led admin certification is paid. Advanced threat-hunting courses are paid and typically per-seat.
Status: The most flexible category. Vendors routinely throw in training as deal-sweetener. Always ask. SMB tiers often include one to two free admin seats.
Premium support upgrade
What it buys: Faster SLA on support tickets, named technical-account-manager assignment, named cloud-architect engagement, quarterly business reviews.
Status: Non-negotiable as a percentage; sometimes negotiable on the included scope (TAM hours, QBR frequency).
What is negotiable, what is not
Negotiable to zero: activation fee, migration service when switching from a competitor, training (especially admin courses), integration services if you bundle multiple. Negotiable in size: deployment service (request a fixed-scope SOW with named deliverables), initial tuning (same), premium support (request specific TAM hours rather than a vague named-resource commitment). Largely not negotiable: the licence rate itself only moves on volume, multi-year, and quarter-end timing; standard contractual provisions (true-up clauses, renewal escalation cap) are structurally fixed unless your deal size justifies legal review.
Three negotiation tactics
Bundle the deployment as a competitive-replacement credit
If you are switching from a competitor, the migration credit and the deployment fee are conceptually the same line item. Insist they be combined and credited together. Vendors will resist combining them on paper but routinely waive the combined total to win a competitive replacement.
Demand fixed-scope SOWs, not time-and-materials
Time-and-materials professional services are open-ended and benefit the vendor. Fixed-scope statement-of-work language with named deliverables and acceptance criteria is the buyer-friendly form. Most vendors will pivot to fixed-scope on request because it accelerates their booking; the issue is that they default to T&M and quote it that way.
Push tuning to fixed-scope, not 'as needed'
Initial detection-rule tuning is either a discrete project or an open-ended commitment. Always specify a fixed-scope project with a defined exit point: alert-volume target, false-positive rate target, named environment-specific exclusions delivered. The vendor exits at acceptance; you have a tuned platform; further tuning is your responsibility or scoped as a separate engagement.
What deployment fees actually cost the vendor
Honest assessment of vendor margin to inform your negotiating posture. Vendor deployment service is typically delivered by partner-firm staff or vendor professional-services staff at internal cost in the $90 to $150 per hour range. Charge-out is $250 to $400 per hour. The margin is roughly 50 to 70 percent. This is the structural reason there is real headroom on the deployment line item.
Tuning is more skill-bound and harder to negotiate. The detection-engineering staff who do tuning are scarce and expensive even at vendor-internal rates. Margin is lower (30 to 50 percent), and there is less room. If a tuning quote is high, the alternative is to accept the vendor-default rules in year one and tune yourself in year two.
Training margin varies. Self-paced LMS courses are essentially zero-marginal-cost for the vendor and should be free; live instructor-led courses have real cost. Insist on the LMS portion as included; pay for live courses if you specifically need them.