Match your business to the right MDR tier
Forty MDR vendors, each with three pricing tiers, all promising 24x7 outcomes. Skip the spreadsheet. Tell us your size, industry, and security posture, we will map you to a band, a budget, and a shortlist.
Built for IT and security buyers at SMB and mid-market shops who need a defensible procurement number this week.
Drives risk multiplier and which vendors will respond to your RFP.
Endpoints means devices needing an MDR agent: laptops, desktops, servers, cloud VMs, persistent containers.
Your recommendation
Mid-market hybrid
Hybrid (vendor brings EDR, you keep the IR plan)
80
Fit score
Defensible annual budget
Floor
$77K
Aim
$120K
Cap
$163K
Quotes outside the cap usually mean either custom scope or vendor padding. Ask why.
Vendors to put on the shortlist
Why this band
- 400 endpoints in the professional services sector lands you in the mid-market hybrid band.
- Since you already run EDR, prioritise tooling-led models that overlay your stack. You should not pay twice for an agent.
Things to budget for
- Without an internal IR plan, budget for an IR retainer (60 hours, $24K to $40K). Most MDRs do not include incident response by default.
Common buyer profiles
A reference grid for what each buyer profile typically pays. Use it to sanity-check the wizard output above against where similar shops have actually landed.
SMB bundle
Sub-100 endpoint shop, no security team
$8K to $25K per year
Look at Huntress and Sophos. Avoid anyone who quotes you services-led pricing at this size, you cannot consume the value.
Mid-market hybrid
250 to 1,000 endpoints, growing SaaS
$60K to $180K per year
Arctic Wolf and Expel are the workhorses here. Negotiate hard on the IR retainer, the headline number is rarely the final number.
Mid-market with named pod
Healthcare or fintech, 500 to 2,500 endpoints
$120K to $350K per year
Compliance reporting and audit access add 25 to 40 percent. Worth it if you face HIPAA or SOC2 audits, otherwise commodity 24x7 is enough.
Enterprise with OT-aware analysts
Manufacturing or critical infrastructure
$200K to $700K+ per year
OT shops (Dragos, Claroty) or major-vendor OT modules are the only credible options. Generic IT MDRs miss the ICS protocol nuance.
Three decisions that move the price by 30 percent
Most buyers obsess over vendor selection. These three architectural decisions move your price more than picking between the top three vendors.
Tooling-led vs services-led
If you already run good EDR and just need overnight eyes, tooling-led models cost 25 to 35 percent less. If you have no internal security capacity, services-led is cheaper than building it.
Named pod vs commodity SOC
A named pod feels great in a demo, but you pay roughly 1.5x for it. Most boards do not actually need it. Use the saved budget on an IR retainer instead.
Bundle EDR or BYO
Bundling vendor EDR is cheaper at SMB scale and easier to operate. At mid-market and above, BYO can be cheaper if you negotiate hard on EDR licences.
What to do with this recommendation
- 1Walk into your next vendor call with the budget range as your anchor. Tell them up front what you intend to spend, and listen for the line items they try to add to climb above your cap.
- 2Use the shortlist as your RFP target. Three vendors competing is enough leverage. Five is admin overhead, eight is procurement theatre.
- 3Cross-check against the hidden costs page. Onboarding fees, IR retainer hours, and log retention are routinely missed in the first quote and quietly added in month two.
- 4If your range came back surprisingly high, consider whether the coverage you selected is what you really need. Going from a named pod to commodity 24x7 saves about 35 percent.