MDRCost.com: SOC pricing intel

Comparison / 2026

MDR vs EDR: cost, staffing, and what wins at your scale

EDR is the software. MDR is the software plus a team of analysts who run it for you. Real cost ranges, total cost of ownership at 500 endpoints, and a decision framework that respects what you actually need.

One-line summary

EDR is the platform you operate. MDR is the platform plus a team of analysts who operate it for you.

Cost ranges

Per-endpoint pricing side by side

EDR

$3-15

per endpoint per month

  • + analysts to operate it
  • + SIEM or log platform
  • + threat intel feeds
  • + training and tooling

MDR

$15-50

per endpoint per month

  • EDR included
  • 24/7 SOC analysts included
  • Threat hunting included
  • Triage and response included

Side by side

Capability and cost comparison

| Dimension | EDR | MDR |
|---|---|---|
| Per endpoint cost | $3-15/mo | $15-50/mo |
| Who operates it | Your analysts | Provider's analysts |
| Coverage hours | Whatever you staff | 24x7x365 |
| Alert handling | In-house triage | Triaged before reaching you |
| Mean time to respond | Depends on staffing | SLA-backed (1-8 hrs) |
| Compliance evidence | You produce | Provider produces |
| Threat hunting | If you have hunters | Included |
| Cyber insurance fit | Baseline accepted | Premium discounts available |

The hidden cost of EDR

What it really takes to operate EDR yourself

The EDR sticker price is the smallest cost. The actual cost of running EDR effectively is the analyst headcount needed to operate it.

  • Tier-1 analysts ($80-110K/yr each). Triage incoming alerts, follow runbooks, escalate when needed. You need at least 3 for round-the-clock coverage.
  • Tier-2 analysts ($110-150K/yr each). Investigate complex alerts, conduct incident response, write detection rules. Minimum 2 for follow-the-sun cover.
  • SOC manager ($150-200K/yr). Owns the team, reports to leadership, manages vendor relationships, drives the detection programme.
  • Recruitment difficulty. Senior security analyst openings sit unfilled for 6-12 months at most organisations. The labour market premium is real.

Add to that

Threat intel feeds ($25K-$100K/yr), SIEM or log platform licences ($50K-$300K/yr), training budgets, conference attendance, and the hardware to run it all. Total run rate for an in-house SOC at 500 endpoints typically lands at $1M+/yr including everything.

TCO at 500 endpoints

Total cost of ownership comparison

EDR + in-house SOC

  • EDR licence (500 x $10/mo): $60K
  • 5 analysts ($120K avg): $600K
  • SOC manager: $180K
  • SIEM, threat intel, tools: $200K
  • Year 1 total: ~$1.04M

MDR alternative

  • MDR licence (500 x $20/mo): $120K
  • Internal security oversight (1 FTE): $140K
  • Onboarding (one-time year 1): $15K
  • Year 1 total: ~$275K

At 500 endpoints, MDR runs roughly $765K cheaper per year than building an equivalent in-house capability. The gap closes at higher endpoint counts but rarely flips before 5,000-7,500 endpoints.

Decision framework

When to choose EDR alone, when to choose MDR

Choose EDR alone when

  • You already have a mature in-house SOC with 5+ analysts
  • Endpoint count exceeds 5,000-10,000 (the economics start to favour an in-house team)
  • Regulatory or sovereignty requirements forbid third-party SOC operations
  • You need detection rules tuned to highly custom internal applications
  • Existing relationships with platform vendors give you platform pricing power

Choose MDR when

  • Endpoint count is 100-5,000
  • You don't have a 24/7 SOC and can't justify hiring 6 analysts
  • Cyber insurance carrier requires managed monitoring
  • Compliance frameworks need documented continuous monitoring
  • Time to value matters (MDR deploys in weeks; in-house SOC takes 12-18 months to mature)

Just shopping EDR pricing?

For deep dives on EDR-only pricing across CrowdStrike, SentinelOne, Microsoft Defender, Sophos, and Trellix, head to edrcost.com.

FAQ

MDR vs EDR questions

Is MDR more expensive than EDR?
Per endpoint, yes. EDR runs $3-15 per endpoint per month. MDR runs $15-50. But EDR alone requires you to staff a SOC to operate it, which costs $700K-$900K per year minimum for 24/7 coverage. On total cost of ownership, MDR usually comes out cheaper for organisations under 5,000 endpoints.
Can I run EDR without MDR?
Yes, if you have analysts to operate it. EDR is the software platform; it generates alerts that someone needs to triage, investigate, and respond to. Without analysts the EDR becomes shelfware that produces dashboards nobody actions. Organisations running EDR without MDR typically have at least 5-6 dedicated security analysts on staff.
Does MDR include EDR or do I pay for both?
MDR includes EDR. The MDR provider deploys and manages an EDR agent on your endpoints (their proprietary one or sometimes one you already own). You don't pay for EDR separately. The exception is Expel, which monitors your existing EDR rather than replacing it.
How many analysts do I need to run EDR myself?
For 24/7 coverage you need a minimum of 5-6 analysts plus a manager. This accounts for follow-the-sun rotation, holiday cover, and skill mix between tier-1 triage and tier-2 incident response. Fully loaded salaries land at $700K-$900K per year. Tooling, training, and threat intel feeds add another $200K-$400K.
Should I run EDR + MDR + SIEM all together?
Most mature security programmes do. The MDR provider handles EDR plus alert triage. The SIEM aggregates logs from sources the MDR doesn't cover (network gear, application logs, custom telemetry) and supports compliance reporting. Some MDR providers (Arctic Wolf, Sophos) include SIEM-style log aggregation as part of the service, which can replace a standalone SIEM at smaller scale.
What's the cheapest path to MDR-equivalent coverage?
Huntress at $3-9 per endpoint per month plus the bundled identity threat detection and security awareness training. For a 100-endpoint SMB this lands at $3.6K-$10.8K per year, which is dramatically cheaper than building an in-house team to run EDR alone. The trade-off is no contractual SLA and limited cloud coverage.

Disclaimer

MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor. Pricing data is compiled from public sources, partner channels, Vendr transaction data, and verified buyer reports. Always request a direct quote for your environment.