Total cost of ownership
Hidden costs of MDR: what vendors don't tell you before you sign
The subscription price is 60-75% of total spend. The rest hides in onboarding, log overages, IR retainers, escalation clauses, and renewals. Real numbers from buyer-reported contracts and how to negotiate each one down.
The headline
Subscription is only 60-75% of total spend
For most MDR contracts, the subscription line item is roughly two-thirds of what you actually spend. The other third is split across one-time fees and ongoing variable costs that often aren't called out in the initial proposal.
Where the money goes (typical mid-market deal)
- Per-endpoint subscription: 65-75%
- Onboarding (year 1 only): 5-10%
- Log overage and add-on capacity: 5-15%
- IR retainer hours: 5-10%
- Integrations and professional services: 2-5%
- Annual price escalation (compounded): 3-7% / year
1. Onboarding and deployment fees
Range: $5,000 to $25,000 one-time, sometimes much higher for complex environments.
Some vendors include onboarding in the headline price; others charge it separately. The work covers agent deployment, policy configuration, integration setup with your existing tools (SIEM, ticketing, identity), and the initial tuning period during which the MDR analysts learn your environment.
How to negotiate: ask explicitly whether onboarding is included before you focus on the per-endpoint number. End-of-quarter deals frequently waive onboarding to close. For deployments above 1,000 endpoints, an onboarding waiver is the standard ask.
2. Log ingestion and data volume overages
Range: $1 to $5 per GB per day for ingestion above tier limits. Cloud-heavy environments hit this hardest.
Most MDR providers cap log ingestion volume in their pricing tiers. Beyond the cap you pay per-GB overages. The numbers add up fast when you're sending verbose AWS or Azure logs, M365 audit logs, identity provider events, and security tool feeds all into one collector.
Examples of high-volume sources: AWS CloudTrail with multi-region enabled, Azure AD sign-in logs, Microsoft 365 unified audit log, network firewall verbose logging, and EDR telemetry from large server fleets. A 1,000-endpoint enterprise can ingest 50-200 GB per day across these sources.
How to negotiate: get the cap defined explicitly in writing with measurement methodology. Ask for a 90-day measurement period before overages kick in so you can see your real volume. Negotiate a higher cap upfront rather than paying overages monthly.
3. Incident response retainer hours
Range: $250-$400 per hour, typically sold in 40-hour blocks ($10,000-$16,000).
Standard MDR includes investigation and containment for in-scope incidents. Full forensic IR (evidence preservation, chain of custody, expert witness preparation, regulatory liaison, deep memory analysis) is typically a separate engagement.
Most enterprise MDR contracts include or strongly recommend an IR retainer. The retainer guarantees response within a defined SLA when you call (often 1-4 hours) and locks in hourly rates that would be higher in an emergency.
How to negotiate: get a smaller retainer block (20 hours instead of 40) if your incident risk is moderate. Ask for unused hours to roll over to the next year. Verify what counts as "incident response" versus "covered MDR investigation" so you don't get billed for routine triage.
4. Annual price escalation clauses
Range: 3-7% per year, compounded over the contract term.
Most MDR contracts include automatic annual price escalation. On a $100,000 deal, a 5% annual escalation grows the price to $115,762 by year four. Over a 3-year contract the cumulative impact is 9-22% on top of the initial price.
How to negotiate:
- Cap escalation at CPI (currently tracking lower than 5% in 2026)
- Negotiate a flat rate for years 1-2 with escalation only from year 3
- Tie escalation to materially expanded scope rather than applying it automatically
- Include a renegotiation right if escalation exceeds a defined threshold
5. Integration and professional services costs
Range: $5,000 to $50,000 depending on integration complexity.
Connecting MDR to your SIEM, SOAR, ticketing system, identity provider, and custom internal tools may require professional services from the vendor. Standard integrations (Splunk, Sentinel, ServiceNow, Slack) are usually free or low-cost. Custom integrations or proprietary internal applications can run into significant fees.
How to negotiate: get an integration scope agreement upfront listing every system the MDR will connect to. Ask for templates and self-service paths where available. Defer custom integrations to phase 2 if budget is tight.
6. Coverage expansion costs
Range: 30-100% on top of base price for full-stack coverage.
The base MDR price typically covers endpoint detection only. Adding cloud workloads (AWS, Azure, GCP), email security (M365, Google Workspace), identity threat detection (Okta, Azure AD), and network monitoring each adds 15-30% to the base.
Full-stack coverage (endpoint + cloud + email + identity + network) typically lands at 1.5-2x the base price. Most enterprise deployments need at least three of these categories to satisfy regulatory and insurance requirements.
7. Renewal and switching costs
Range: Variable, but data portability and migration are real costs.
If you switch MDR providers at renewal, plan for: data migration from the old platform, detection rule recreation in the new platform, parallel-run period (3-6 weeks during which you pay both vendors), and onboarding to the new vendor. The total cost of switching can easily reach 10-15% of annual contract value.
This switching cost is one reason MDR contracts are stickier than they look. Vendors know it; their renewal pricing reflects it.
How to negotiate: at renewal, get a competitive bid first. Even if you stay, the bid moves your renewal price down 10-15%. Lock the renewal price for two years rather than one if you're confident in the relationship.
Total impact
Year-1 vs steady-state run rate
Example: 500-endpoint mid-market MDR deal at $20/endpoint/month base
- Year 1: subscription: $120,000
- Year 1: onboarding: $15,000
- Year 1: IR retainer (40 hrs): $14,000
- Year 1: log overage (8%): $10,000
- Year 1: integration setup: $5,000
- Year 1 total: $164,000
- Year 2 run rate (5% escalation): $140,000
- Year 3 run rate (compounded): $147,000
The headline $20 per endpoint per month works out to $120,000 per year. Real spend in year one lands closer to $164,000 once everything is included, a 37% premium on the headline number. By year two the rate stabilises around $140,000 and grows roughly 5% per year thereafter.
Disclaimer
MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor. Pricing data is compiled from public sources, partner channels, Vendr transaction data, and verified buyer reports. Always request a direct quote for your environment.