See the pricing comparison for side-by-side pricing fields, or the buyer's guide pricing section for negotiation tactics.
The short answer
Budget $8–$35 per endpoint per month for endpoint-only coverage. For a mid-size deployment of 500 endpoints, that works out to roughly $4K–$17.5K monthly. Add cloud workloads, identity monitoring, and SaaS coverage, and total cost generally doubles.
Many providers require a sales call before sharing pricing. At enterprise scale (10,000+ endpoints), Forrester benchmarks annual spend at $400K to over $1M depending on scope and provider.
Four pricing models
MDR providers use one of four structures: per-endpoint, per-user, per-GB or data volume, and custom-quoted. Per-endpoint is easiest to benchmark. Per-user often appears in Microsoft-heavy environments. Data-volume pricing fluctuates with log volume, which rises during incidents. Custom quotes require a scoping call before you can compare numbers.
Per-endpoint works well for endpoint-only deployments. Per-user is better when staff have multiple devices. Data-volume carries the most billing risk because the bill grows when you need the service most. The pricing comparison has a model-by-model breakdown with trade-offs.
What drives the bill
The per-endpoint price is just the starting point. Four factors determine total cost:
- Coverage surfaces beyond endpoints add to the base. Cloud workloads add roughly 20–40%, identity monitoring 15–30% and SaaS coverage 10–20%.
- Organization size affects per-unit cost, but minimum seat requirements (10–200 endpoints) may force you into a higher tier than needed.
- Service level matters: autonomous response costs more than guided response, and breach warranties cost more than standard coverage.
- Multi-year contracts get 10–20% discounts, but lock you in.
Hidden costs to watch for
The per-endpoint or per-user rate is the floor, not the ceiling. Three categories of costs tend to surface after signing:
- Upfront fees: onboarding, integration setup, and custom playbook development can add $5K–$25K before monitoring starts
- Scope creep: cloud, identity, and SaaS monitoring are frequently billed as separate line items even when marketing materials say “included”
- Contract mechanics: annual escalators (3–7%), minimum seat counts you cannot reduce, and IR retainers sold outside the base contract
See the full hidden cost breakdown for more detail.
Cloud changes everything
Per-endpoint pricing was designed for laptops and servers. Cloud workloads don't map cleanly to that model. A Kubernetes cluster with 50 nodes might count as 50 endpoints or 1, depending on the provider. Serverless functions don't map to endpoints at all. Always ask: “We run X VMs, Y Kubernetes nodes, and Z serverless functions. What does that cost?”
How to negotiate
Two tactics matter most: get competing quotes by running POVs with 2–3 providers, and ask every provider for the maximum monthly bill you could receive, including during an active incident. Beyond that, push for annual escalator caps, quarterly right-sizing clauses (so you can reduce seats if you shrink), and multi-year discounts with growth scenarios built in.
The pricing comparison page has a step-by-step negotiation checklist.
FAQ
How much does MDR cost per endpoint?
$8–$35/endpoint/month for endpoint-only coverage. Budget 2x for full coverage (cloud, identity, SaaS).
What are the different MDR pricing models?
Per-endpoint, per-user, per-GB or data volume, and custom-quoted.
What hidden costs should I watch for?
Onboarding fees, data overage during incidents, IR retainers sold separately, annual price escalators, and minimum seat requirements.
See actual provider pricing
Compare pricing models, breach warranties, and minimum requirements across all providers.
View pricing comparison