Why three axes, not four
EDR is endpoint-only. There is no per-cloud-workload axis (that’s an XDR concern), and no per-GB ingest axis (EDR vendors typically bundle telemetry retention into the licence rate rather than charging for it separately). Most endpoint-only EDR pricing reduces to three axes: per-endpoint, per-user, and per-device-class.
Most vendors lead with per-endpoint and treat the others as variants. A few vendors lead with per-user. Almost all vendors apply a per-device-class adjustment behind the scenes (server multiplier, mobile discount or exclusion, VDI variant). The buyer’s framework is fewer axes than XDR but the same normalisation discipline applies.
Axis 1: Per-endpoint
Per-endpoint is the dominant model in EDR. The calculation is straightforward: total endpoint count times the per-endpoint rate times twelve. The rate band of three to fifteen dollars per endpoint per month is quoted in this axis by most vendors as their default.
What per-endpoint rewards: thin-user, device-heavy environments where one user has many devices. A field-services company with 200 users and 350 devices (laptops plus phones plus tablets plus shared tablets in vehicles) pays per-endpoint on the hundred-extra-devices count, not per-user.
What per-endpoint penalises: thin-client, virtual-desktop, and one-user-many-shared-devices environments. A call centre with 100 named users sharing 200 thin-client devices on rotating shifts pays per-endpoint on all 200 devices, even though only 100 are running concurrently.
Server endpoints typically priced 1.5x to 2.5x the workstation rate within per-endpoint. Mobile sometimes free, sometimes priced at half the workstation rate, sometimes excluded.
Axis 2: Per-user
Per-user is less common in pure EDR than in XDR but offered as a bundle alternative by some vendors. The calculation is total named users times the per-user rate times twelve. Per-user rates are typically slightly higher than per-endpoint rates because the multiplier-of-devices math is built into the rate.
What per-user rewards: device-heavy environments. One user with a laptop, phone, tablet, and home workstation pays one user-licence and gets four device coverages.
What per-user penalises: contractor-heavy environments where short-term users churn through the licence count. Shared-workstation environments where many named users access fewer devices. Seasonal workforces.
Microsoft Defender for Endpoint Plan 1 and Plan 2 are the most widely-deployed examples of per-user EDR pricing because they are bundled with Microsoft 365 user licences. Most other vendors price per-endpoint but offer a per-user variant on request.
Axis 3: Per-device-class
The hidden axis. Vendors apply different rates to different device classes (server / workstation / mobile / VDI / IoT / OT) inside whichever primary axis they quote on. Buyers often miss this until they audit their estate against the vendor’s class definitions.
Worked example: a 500-endpoint estate that is actually 350 workstations + 100 servers + 50 thin clients prices very differently from 500 flat endpoints. At a per-endpoint rate of $6 with a 2x server multiplier and thin-client at half-rate, the math is:
- 350 workstations × $6 = $2,100/month
- 100 servers × $12 = $1,200/month
- 50 thin clients × $3 = $150/month
- Total: $3,450/month, or $6.90/endpoint blended.
Comparing that against a flat $6/endpoint quote from a different vendor whose definitions might bundle servers at $6 (effectively a free server upgrade), the flat-quote vendor is fifteen percent cheaper for this specific estate.
How to normalise three quotes
Vendors quote on different axes deliberately. The buyer’s job is to convert all three to a common annual figure for side-by-side comparison.
| Quote | Stated rate | Conversion | Common figure (annual) |
|---|---|---|---|
| A | $6.50/endpoint/mo flat | 500 endpoints × $6.50 × 12 | $39,000/yr |
| B | $22/user/mo, server bundle 100 included | 250 users × $22 × 12 (servers free) | $66,000/yr |
| C | $5/endpoint/mo workstation, $11/server/mo | (400 ws × $5 + 100 srv × $11) × 12 | $37,200/yr |
Quote B looks more expensive on the headline rate but covers 250 users with potentially many devices each; for a device-heavy environment it could be the cheapest. Quote C looks cheapest on a flat per-endpoint comparison but penalises any future server expansion.
The buyer’s rule: make the vendor quote on your axis. If a vendor only quotes per-user and your estate is per-endpoint-shaped, ask for a per-endpoint conversion in writing. The friction the vendor experiences here surfaces real cost differences they would otherwise hide in the conversion.