The short answer
For a 500-endpoint environment, endpoint-only MDR runs $48K–$210K per year ($8–$35 per endpoint per month). Add cloud, identity, and SaaS monitoring, and the bill typically doubles: $96K–$420K+ per year. About 46% of providers don't publish pricing at all.
Four pricing models
1. Per-endpoint ($8–$35/endpoint/month)
The most common model. You pay per device (laptop, workstation, server). Transparent and easy to benchmark, but costs spike when you add cloud workloads. Some providers count servers at 2x the workstation rate.
2. Per-user ($2–$200/user/month)
Common in the Microsoft ecosystem. You pay per person regardless of how many devices they use. Better for organizations where users have 2–3 devices each. Often bundles identity monitoring. The wide range reflects add-on vs. all-inclusive services.
3. Per-GB / data volume
You pay based on data ingested or events processed. Works for low-volume environments, but costs are unpredictable. During an active incident, exactly when you need MDR most, your data volume spikes and so does your bill.
4. Custom-quoted
Price determined after scoping your environment. About 46% of providers use this model. It means you can't comparison-shop without sitting through a sales call. By design, this gives the vendor pricing power.
What actually drives the bill
The per-endpoint price is just the starting point. Four factors determine total cost:
- Coverage surfaces: Endpoint-only is the base. Cloud workloads (+20–40%), identity monitoring (+15–30%), and SaaS coverage (+10–20%) stack on top.
- Organization size: Volume discounts exist but minimum seat requirements (10–200 endpoints) may force you into a higher tier than needed.
- Service level: Autonomous response costs more than guided response. Breach warranties cost more than standard coverage.
- Contract length: Multi-year deals get 10–20% discounts, but lock you in.
Hidden costs to watch for
- Onboarding fees: $5K–$25K upfront, sometimes waived for multi-year contracts
- Data overage: Volume-based pricing punishes you during incidents
- IR retainer: Many providers exclude incident response from the base contract. It's a separate $50K–$150K annual retainer
- Annual escalators: 3–7% annual price increases buried in contract terms
- Technology requirements: Platform-native providers may require you to buy their EDR license separately
- Dev/staging environments: Some providers count non-production servers as endpoints
Cloud changes everything
Per-endpoint pricing was designed for laptops and servers. It breaks in the cloud. A Kubernetes cluster with 50 nodes might count as 50 endpoints or 1, depending on the provider. Serverless functions don't map to endpoints at all. Always ask: “We run X VMs, Y Kubernetes nodes, and Z serverless functions. What does that cost?”
How to negotiate
- Get multi-year pricing with growth scenarios. Ask what you pay in year 1, 2, and 3 if you double endpoints.
- Negotiate a maximum monthly bill cap. Critical for volume-based pricing.
- Request quarterly right-sizing. If you reduce endpoints, can you reduce your bill?
- Use POV results as leverage. Run proof-of-value with 2–3 providers and use results to negotiate.
- Ask for total cost of ownership. Not just MDR. Include add-ons, growth projections, and required technology changes.
FAQ
How much does MDR cost per endpoint?
$8–$35/endpoint/month for endpoint-only coverage. Budget 2x for full coverage (cloud, identity, SaaS).
What are the different MDR pricing models?
Per-endpoint (most common), per-user (Microsoft ecosystem), per-GB (unpredictable), and custom-quoted (46% of providers).
What hidden costs should I watch for?
Onboarding fees, data overage during incidents, IR retainers sold separately, annual price escalators, and minimum seat requirements.
See actual provider pricing
Compare pricing models, breach warranties, and minimum requirements across all providers.
View pricing comparison