Category 1: Licence
The quoted rate, in whichever pricing axis the vendor uses (per-endpoint, per-user, per-device-class). For cloud-managed EDR the per-endpoint rate sits in the $3 to $15 per endpoint per month range, with mid-market typically landing at $5 to $8 after volume discount. For Microsoft Defender for Endpoint P1 and P2, per-user pricing is published and is the dominant model.
What to negotiate: multi-year discount structure (10 to 15 percent for a two-year commitment, 15 to 25 percent for three-year), a renewal escalation cap (without a cap, 5 to 10 percent annual increases are typical and often forgotten in the model), and true-up clauses for endpoint-count growth (often punitive as quoted; they can usually be made symmetric with a true-down option).
Category 2: Deployment and onboarding
Cloud-managed deployments typically run one to two weeks self-deployed by an in-house team for environments under 500 endpoints. The vendor side incurs minimal cost (some onboarding fees may be waived). The internal-time cost is real but usually folded into existing IT capacity.
On-prem and hybrid deployments take four to twelve weeks and frequently require vendor-led professional services. Vendor-led deployment for environments above 500 endpoints typically runs $25 to $75 per endpoint as a one-time fee. SMB packages are flat priced at $5,000 to $25,000. On-prem EDR is materially more expensive to stand up and continues to cost more in year-two operating expense.
Migration services when replacing a prior tool typically run $10,000 to $50,000 and are commonly waived as a competitive incentive when switching vendors. Initial detection-rule tuning is sometimes bundled into the deployment fee, sometimes invoiced separately at $5,000 to $20,000. The onboarding and setup fees deep-dive walks through every typical line item.
Category 3: Tuning and content engineering
The most underestimated category. Vendor-supplied detection rules cover commodity attacks. Custom detection-rule writing, false-positive suppression, and content updates as new techniques emerge are ongoing FTE work that compounds in year two as detection-rule debt accumulates.
Typical overhead: 0.25 to 0.75 FTE per 1,000 endpoints in year one for mature in-house deployments, dropping to 0.1 to 0.3 FTE per thousand by year two for tuned environments. Sourced from public Bellator EDR TCO research and Forrester TEI summaries on security operations.
At fully-loaded internal cost of $130,000 to $180,000 per FTE per year (US averages), the tuning category for a 1,000-endpoint mid-market shop runs $32,500 to $135,000 in year one alone. This often matches or exceeds the licence figure. Outsourcing tuning to the EDR vendor (a higher SKU, typically) or to an MDR provider folds the tuning cost into the managed-services line.
Category 4: IR retainer and managed add-ons
EDR provides preventive containment and detection. Post-detection investigation and remediation is the incident-response phase, which most buyers contract separately. The IR retainer is a pre-negotiated rate with guaranteed SLA for that phase.
A managed-EDR add-on that bundles 24-hour monitored coverage typically adds $15 to $45 per endpoint per month. This is the “MDR layered on EDR” model. Hourly IR rates without a retainer typically run $300 to $600 per hour for established responders and $400 to $800 for premium responders.
The breakeven math: a 1,000-endpoint mid-market shop with a 5 percent annual breach probability and an average 80-hour incident has expected IR work of $24,000 to $48,000 per year. A retainer of $50,000 to $150,000 per year with an SLA premium pays for itself in expected value at this scale, and the SLA commitment pays for itself again when an incident lands in the middle of a regional ransomware wave and unrelated firms cannot get capacity. See the full IR retainer breakdown for the line-item detail.
Category 5: Internal operating cost
Platform administration, integration maintenance, alert triage if not handed to MDR, and the slice of existing security FTE work that the EDR platform attracts. Typical allocation: 0.5 to 1 FTE for SMB unmanaged deployments (often the existing IT manager allocating part-time to the EDR), 1 to 2 FTE for mid-market unmanaged, 2 to 5 FTE for larger mid-market and enterprise.
This is the quietest line item and often the largest. A 500-endpoint SMB allocating one FTE at $150,000 fully-loaded against EDR is spending more on internal cost than on the licence (which at $6/endpoint/month is $36,000 per year). The internal-cost line is what makes managed-EDR or MDR economically attractive at this scale: handing the platform-administration work to a managed provider for $25 per endpoint per month ($150,000 per year) costs no more than the FTE you would otherwise hire and adds 24-hour coverage. See securityoperationscost.com for the full SOC-build cost model.
Three-year worked examples
Two scenarios using the five categories. All numbers are illustrative aggregated market ranges, not specific vendor claims. The point is the category structure, not the absolute figures.
| Category | SMB 200 ep, in-house | Mid-market 1,500 ep, MDR-bundled |
|---|---|---|
| Licence (3yr) | $36,000 | $324,000 |
| Deployment (yr 1) | $10,000 flat | $60,000 |
| Tuning (3yr) | $50,000 | $240,000 |
| IR retainer / MDR (3yr) | $45,000 retainer | $540,000 MDR bundled |
| Internal ops (3yr) | $135,000 (0.3 FTE) | $135,000 (0.3 FTE residual) |
| Three-year all-in | $276,000 | $1,299,000 |
| Per endpoint per month | $38 | $24 |
The mid-market all-in per-endpoint rate is lower because the MDR bundle replaces both internal-ops FTE and stand-alone tuning effort. The SMB in-house all-in per-endpoint rate is higher because fixed FTE cost does not scale down. This is the structural reason MDR is often the right answer at SMB scale even though the headline rate looks expensive.
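The five-category model and both table scenarios as a small calculator, added here as an example rather than the article's own tool. The per-unit rates it feeds in (a $5 and $6 per endpoint per month licence, $40 per endpoint deployment, a $15,000 per year retainer, $10 per endpoint per month MDR, 0.3 FTE at $150,000) are assumptions backed out of the table totals, since the table only gives the sums; the tuning-range function uses the year-one and year-two FTE ratios and the loaded-cost range from Category 3.

```python
from dataclasses import dataclass

MONTHS = 12
LOADED_FTE_COST = (130_000, 180_000)                     # $/FTE/year, US range (Category 3)
TUNING_FTE_PER_1K = {1: (0.25, 0.75), 2: (0.10, 0.30)}   # FTE per 1,000 endpoints, year 1 / year 2+

def tuning_cost_range(endpoints, year):
    """Category 3: (low, high) annual tuning cost; the year-2 ratios apply to later years too."""
    lo_fte, hi_fte = TUNING_FTE_PER_1K[min(year, 2)]
    scale = endpoints / 1000
    return (lo_fte * scale * LOADED_FTE_COST[0], hi_fte * scale * LOADED_FTE_COST[1])

@dataclass
class Scenario:
    name: str
    endpoints: int
    years: int = 3
    licence_per_ep_month: float = 0.0   # Category 1, quoted rate
    deployment_fee: float = 0.0         # Category 2, one-time (flat, or per-endpoint fee x count)
    tuning_total: float = 0.0           # Category 3, total over the term
    ir_retainer_per_year: float = 0.0   # Category 4, stand-alone IR retainer
    mdr_per_ep_month: float = 0.0       # Category 4, MDR layered on EDR
    internal_fte: float = 0.0           # Category 5, FTE fraction allocated to the platform
    loaded_fte_cost: float = 150_000    # Category 5, $/FTE/year (assumed figure)

    def categories(self):
        ep_months = self.endpoints * self.years * MONTHS
        return {
            "licence": self.licence_per_ep_month * ep_months,
            "deployment": self.deployment_fee,
            "tuning": self.tuning_total,
            "ir_mdr": self.ir_retainer_per_year * self.years + self.mdr_per_ep_month * ep_months,
            "internal_ops": self.internal_fte * self.loaded_fte_cost * self.years,
        }

    def all_in(self):
        return sum(self.categories().values())

    def per_endpoint_month(self):
        return self.all_in() / (self.endpoints * self.years * MONTHS)

# The two table scenarios; per-unit rates are assumptions backed out of the table totals.
SMB = Scenario("SMB 200 ep, in-house", 200, licence_per_ep_month=5, deployment_fee=10_000,
               tuning_total=50_000, ir_retainer_per_year=15_000, internal_fte=0.3)
MID = Scenario("Mid-market 1,500 ep, MDR-bundled", 1500, licence_per_ep_month=6, deployment_fee=40 * 1500,
               tuning_total=240_000, mdr_per_ep_month=10, internal_fte=0.3)

if __name__ == "__main__":
    for s in (SMB, MID):
        print(f"{s.name}: ${s.all_in():,.0f} all-in, ${s.per_endpoint_month():,.0f}/endpoint/month")
```

Swapping the SMB scenario's retainer for `mdr_per_ep_month` and dropping `internal_fte` shows the fixed-FTE effect the paragraph above describes.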