Decision tree

When to graduate from EDR: the decision tree to MDR or XDR.

You have EDR. The vendor or MSP is suggesting you upgrade. Three plausible next steps: stay where you are, add MDR (operational layer), move to XDR (platform layer). This page is a decision tree with cost gates and capability gates that names which trigger drives which choice.

Last verified April 2026
Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research (Gartner Market Guide for EDR public summaries, Forrester EDR Wave public summaries, Verizon DBIR 2025, IBM Cost of a Data Breach 2025, MITRE ATT&CK, public cyber-underwriter guidance). They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

Side-by-side comparison

Configuration | Telemetry scope | Response | Internal team requirement | Annual cost / 1,000 ep
EDR alone | Endpoints | You operate | 1 – 2 FTE analysts | $72K – $180K licence + FTE
EDR + MDR | Endpoints | Provider operates 24/7 | 0.1 – 0.3 FTE residual | $300K – $600K all-in
XDR | Endpoints + identity + email + cloud + network | You operate | 2 – 4 FTE analysts | $144K – $360K licence + FTE
XDR + MDR | All sources | Provider operates 24/7 | 0.2 – 0.5 FTE residual | $420K – $900K all-in

The all-in figures are illustrative aggregated bands across mid-market segments. The right answer depends on which gap you are closing.

The decision tree

Branch 01
Are you struggling with alert volume or 24-hour coverage?
Yes -> add MDR

The gap is operational, not telemetry. EDR is producing alerts; you cannot get to them. MDR providers do alert triage and response 24/7 on your existing EDR. Cost: $15 – $30/ep/mo additional. The math is dominated by avoided FTE cost: one analyst position avoided ($150K – $200K fully-loaded) covers the MDR fee for roughly 700 to 1,200 endpoints.

Branch 02
Do you have telemetry blind spots beyond endpoints?
Yes -> move to XDR

The gap is detection coverage, not operational capacity. You have analysts to read alerts; alerts are not arriving from cloud, identity, or email because EDR does not collect there. Specific recent missed detections that came from these sources are the strongest signal. Cost: roughly $100K/year additional licence per 1,000 endpoints versus EDR, plus deployment of new connectors.

Branch 03
Both?
Yes -> XDR + MDR layered

The gap is both coverage and operations. This is the largest investment but the cleanest posture. Typically appropriate for mid-market and enterprise (1,500+ endpoints) where neither budget pressure nor in-house capacity argues against it. Cost: $35 – $50/ep/mo all-in.

Branch 04
Neither?
Stay on EDR. Save the money.

You have analysts, you read your alerts, the existing telemetry covers your threat model. The vendor is upselling. The honest answer is to keep your existing EDR posture and revisit in 12 to 24 months when one of the trigger conditions actually develops.

Worked example: 1,000-endpoint mid-market shop

Three scenarios with different choices, illustrating how the framework applies. All figures are illustrative aggregated bands.

Scenario A: alert backlog, no telemetry gap

Setup: The team has EDR. Alerts arrive but go unread for 24 to 72 hours. No identity, email, or cloud blind spots specifically driving missed detections. The CISO is being asked by the board why response is slow.

Decision: Add MDR layered on existing EDR.

Math: EDR licence stays at $72K/year. MDR adds $216K/year ($18/ep/mo). Replaces the 'we should hire another tier-1 analyst' decision; that hire would have been $130K/year fully-loaded plus on-call rotation infrastructure. Net: MDR more expensive by $86K but adds 24-hour coverage that the analyst hire could not have provided alone.

Scenario B: cloud-heavy environment, in-house SOC

Setup: The team has EDR plus a 4-person SOC. Recent incident showed a credential abuse pattern that EDR did not catch because the attack lived entirely in identity and SaaS layers.

Decision: Move to XDR.

Math: EDR licence ($72K) replaced by XDR licence ($144K) plus per-workload and ingest ($30K). Net additional licence cost $102K/year. Internal SOC reused; no FTE growth required. Justification is the demonstrable identity-layer blind spot.

Scenario C: stable posture, no incident pressure

Setup: The team has EDR. SOC is two analysts handling alerts adequately. No recent incidents. No specific blind spots. Vendor account manager is suggesting XDR upgrade at renewal.

Decision: Stay on EDR. Negotiate renewal.

Math: No upgrade investment. Use the renewal cycle to push for a multi-year discount on existing EDR. Revisit in 18 months when one of the trigger conditions develops or when business growth changes the threat model.
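To make the branches and the cost arithmetic reusable for other endpoint counts and rates, here is an added Python example (not part of the original page). It encodes the four branches of the decision tree above, plus the four-point-tool consolidation trigger from the graduation questions, and reproduces the Scenario A and Scenario B math; the `Posture` fields and function names are assumptions chosen for this example, and the dollar constants are the page's illustrative bands, not quotes.

```python
from dataclasses import dataclass

# Illustrative licence bands from the comparison table, per 1,000 endpoints (low end).
EDR_LICENCE_PER_1K = 72_000
XDR_LICENCE_PER_1K = 144_000
MONTHS = 12


@dataclass
class Posture:
    """Hypothetical inputs to the decision tree (field names are assumptions)."""
    endpoints: int
    alert_backlog: bool           # alerts unread, or no 24-hour coverage (Branch 01)
    telemetry_blind_spots: bool   # missed detections from identity/email/cloud (Branch 02)
    point_tools: int = 0          # separate point tools that XDR could consolidate


def recommend(p: Posture) -> str:
    """Walk the four-branch decision tree and return the target posture."""
    # Four or more consolidatable point tools is the licensing-breakeven trigger
    # from the graduation questions; it argues for XDR the way a blind spot does.
    needs_xdr = p.telemetry_blind_spots or p.point_tools >= 4
    if p.alert_backlog and needs_xdr:
        return "XDR + MDR"          # Branch 03: coverage gap and operations gap
    if p.alert_backlog:
        return "EDR + MDR"          # Branch 01: operational gap only
    if needs_xdr:
        return "XDR"                # Branch 02: detection-coverage gap only
    return "EDR"                    # Branch 04: no trigger, stay put


def mdr_annual_fee(endpoints: int, per_ep_month: float) -> float:
    """MDR fee for one year at a given $/endpoint/month rate."""
    return endpoints * per_ep_month * MONTHS


def mdr_vs_hire_delta(endpoints: int, per_ep_month: float, loaded_fte_cost: float) -> float:
    """Positive means MDR costs more than the avoided analyst hire (Scenario A)."""
    return mdr_annual_fee(endpoints, per_ep_month) - loaded_fte_cost


def endpoints_covered_by_one_fte(loaded_fte_cost: float, per_ep_month: float) -> float:
    """Endpoint count at which one avoided analyst exactly pays the MDR fee (Branch 01)."""
    return loaded_fte_cost / (per_ep_month * MONTHS)


def xdr_migration_delta(endpoints: int, ingest_addon: float = 0.0) -> float:
    """Extra annual licence when EDR is replaced by XDR plus ingest add-ons (Scenario B)."""
    per_ep = (XDR_LICENCE_PER_1K - EDR_LICENCE_PER_1K) / 1_000
    return endpoints * per_ep + ingest_addon


if __name__ == "__main__":
    a = Posture(1_000, alert_backlog=True, telemetry_blind_spots=False)
    print(recommend(a), mdr_vs_hire_delta(1_000, 18, 130_000))   # EDR + MDR 86000
    b = Posture(1_000, alert_backlog=False, telemetry_blind_spots=True)
    print(recommend(b), xdr_migration_delta(1_000, 30_000))      # XDR 102000.0
```

Swap in your own endpoint count, quoted per-endpoint rate and fully-loaded analyst cost to see where the Branch 01 breakeven lands for your environment.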

The graduate-prematurely trap

Vendors and MSPs are incentivised to upsell. The questions to ask before agreeing to any upgrade:

  1. What specific blind spot does this upgrade close? If the answer is generic (better detection, more correlation), it is a sales pitch, not an engineering case. Naming specific telemetry sources tied to specific attack patterns is the engineering answer.
  2. What is the mean-time-to-detect improvement claim, and what evidence supports it? Vendors should be able to cite case studies or detection-coverage reports that name the techniques their additional telemetry catches.
  3. What recent incident in our own environment would this have caught? If the answer is none, the upgrade is forward-looking. That is sometimes legitimate, but it changes the cost-benefit math.
  4. What is the contract escape clause? XDR migrations are platform changes that lock you in for the new contract term. Verify the residual on the EDR contract and the lock-in horizon on the XDR contract before signing.

Graduation questions

When should I move from EDR to XDR?
When you are running four or more separate point security tools that could consolidate (the licensing breakeven), when you have demonstrable telemetry blind spots beyond endpoints driving missed detections, or when a regulated threat model demands cross-layer correlation. Without one of these triggers, the EDR-to-XDR upgrade is usually a vendor-driven upsell. The cleanest test: name a specific recent incident or near-miss that XDR's additional telemetry sources would have caught. If you cannot, the upgrade is premature.
When should I add MDR to my EDR?
When the gap is monitoring rather than telemetry. If alerts are arriving from your EDR but no one is reading them in a timely way, or if you have no twenty-four-hour coverage, MDR is the right answer. MDR layered on existing EDR runs $15 to $30 per endpoint per month additional. Below 1,000 endpoints MDR is almost always cheaper than the in-house SOC alternative; above 5,000 the math gets closer.
Can I keep EDR and add MDR from a different vendor?
Yes, this is the layered model. Most major MDR providers support multiple EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Sophos) via API integration. The advantage is independence: if the MDR service quality drops, you can switch providers without changing the platform. The mild disadvantage is two contracts to manage and slightly higher all-in cost than a bundled MDR-with-EDR offering.
Does cyber insurance care about the upgrade?
Increasingly yes. Some underwriters in 2026 are starting to differentiate between EDR-only and EDR-with-managed-monitoring (effectively MDR) for the purpose of premium calculation. Coalition and Corvus have published guidance suggesting MDR-equivalent monitoring can attract additional premium reductions. XDR is not yet differentiated in most underwriting questionnaires; carriers treat it as equivalent to EDR for baseline-control purposes. Verify carrier-specific guidance with your broker before assuming the upgrade attracts premium savings.