Skip to content

MDR Pricing: What Does Managed Detection and Response Cost?

Featured image for mdr pricing cost blog post on falconersecurity.com

CFO Slacks you at 4 PM on Friday: “How much does this MDR thing cost?” You open five vendor sites. Four won’t publish numbers. The fifth says “$10 to $30 per endpoint per month,” which is wide enough to be useless. You need a real figure by Monday. I’ve had that conversation more times than I can count.

Short version: the per-endpoint sticker is the smallest part of what you’ll actually pay. Pricing model, scope, and what happens when a real incident hits matter more than the headline number.

The short answer on MDR cost

For a standard service, budget between $10 and $30 per endpoint per month. Two hundred endpoints puts you somewhere around $24,000 to $72,000 a year. If you need proper threat hunting, a dedicated Sentinel environment, and a real incident response retainer with guaranteed hours, expect the number to rise into the $150,000 to $500,000 range.

Why such a ridiculous spread? Because MDR isn’t one product. It’s a service category that covers everything from basic endpoint alerting up to full outsourced security operations. What a vendor means by “MDR” depends on the vendor.

Before you quote a number: know which pricing model the vendor actually uses, what’s in scope, and what you pay when a real incident hits. The sticker price rarely survives contact with a real quote.

The four pricing models, and why they’re not interchangeable

Most MDR providers land in one of four pricing buckets. You need to know which one applies before any comparison makes sense, because a $15 per endpoint quote from Provider A can include less than a $25 quote from Provider B.

Per-endpoint, per-month

The default. You hand the provider a device count, they multiply it by $10 to $30, that’s your monthly bill. Fine if device counts are stable. It bites when the fleet grows faster than the security budget, and bites harder when you discover servers cost two to three times what workstations do.

Per-user, per-month

Here the provider ignores devices and charges per named user. A laptop, a phone, and a tablet for the same person counts once. Expect $20 to $50 per user, per month. This lines up nicely with Microsoft 365 licensing for organisations where identity is genuinely the perimeter you’re defending.

The catch is service accounts. Every shared mailbox, every break-glass admin, every unattended system identity counts as a user on some vendor price sheets. I’ve seen a client with 180 real employees get quoted for 340 “users” because nobody had cleaned up legacy service accounts in years. Ask how the vendor counts.

Tiered packages

Essentials, Advanced, Complete. Or Bronze, Silver, Gold. Every provider has a different naming scheme and the pricing is usually in “request a quote” territory, which is never a good sign. Entry tiers cover endpoint monitoring. Premium tiers layer in network detection, cloud workload monitoring, SIEM management, and proactive threat hunting.

The trap on tiered packaging is the incident response allocation. Read the fine print. The entry tier commonly excludes real IR work, or caps it at ten or twenty hours per year, which sounds plenty until you have a ransomware incident that eats sixty hours in the first weekend.

Per-GB ingest (data volume)

When an MDR service is built around cloud-native SIEM like Microsoft Sentinel, pricing sometimes attaches to how much log data you push into the platform each day. Typical range: $3 to $10 per GB per day.

Elegant model when your data volumes are known. Painful when they’re not. A new integration adds 4 GB a day overnight, a security incident triples your ingest for a week, and suddenly the “roughly $5,000 a month” estimate is $9,000 and there’s no cap. Ask whether the contract has a ceiling or a smoothing mechanism.

MDR pricing at a glance

Pricing model Typical range Annual cost, 200 endpoints Works when Hurts when
Per-endpoint $10-30/endpoint/month $24,000-$72,000 Device count is stable Fleet grows faster than budget
Per-user $20-50/user/month $48,000-$120,000 Identity is the perimeter Service accounts inflate counts
Tiered packages $50,000-$200,000/year $50,000-$200,000 You want predictable budgeting Entry tiers exclude real IR
Per-GB ingest $3-10/GB/day $22,000-$73,000 (at 20 GB/day) Log volumes are predictable A new log source triples the bill

What actually moves the number

The sticker price is a starting point. Six variables determine what you’ll pay once the contract is on the table.

How big is the environment, and how messy? A clean 100-endpoint Microsoft 365 shop on one tenant is easy money for a provider, and the quote reflects it. A 500-endpoint hybrid estate with Azure, legacy on-premises AD, three acquired business units on separate domains, and a grab-bag of SaaS tools is a different conversation entirely. The effort to baseline, tune, and monitor the second environment is an order of magnitude more, and so is the price.

What are you monitoring? If the scope is endpoints only, costs stay on the lower end. Layering in email security monitoring, identity threat detection, cloud workload protection, and network detection puts more signal into the SOC’s queue, which is more work for them and more visibility for you. Each new signal source bumps the price, but the detection quality improves because correlations across signals catch what any single layer misses.

What does “response” actually mean? “Monitor and alert” is one service. “Monitor, investigate, contain, and remediate” is a very different service at a very different price. Providers that put the word “response” in their name don’t all mean the same thing by it. Ask specifically what happens at 3 AM on a Sunday when a domain controller starts behaving strangely. If the answer is “we send you an email,” that’s not response.

Does the provider live in your tech stack? An MDR built on Microsoft Sentinel and Defender XDR running inside your tenant doesn’t need to stand up parallel tooling. An MDR that ships with its own proprietary SIEM and EDR will insist on deploying its own agents and its own log pipeline, and you’ll pay for that tooling on top of the service. The latter is sometimes unavoidable. Just don’t pretend the pricing is apples to apples.

Contract length. Month-to-month is 10 to 20% more expensive than annual, and multi-year gets you a further discount. Multi-year also locks you into a provider before you’ve had a real incident with them, which is when you genuinely learn whether they’re any good. I lean towards annual with a 90-day notice clause.

Compliance overhead. If you’re in scope for NIS2, HIPAA, or SOC 2, expect compliance-specific reporting, longer log retention, and audit-ready evidence generation to add 15 to 30% to the base price. Some providers won’t touch compliance work at all, which is also useful to know upfront.

MDR versus a real internal SOC

The alternative to buying MDR is hiring a security operations centre. For companies with 50 to 500 employees, the maths basically doesn’t work in-house.

Line item Internal SOC (annual) MDR service (annual)
Security analysts, three minimum for 24/7 $250,000-$450,000 Included
SIEM platform licensing $30,000-$150,000 Included or BYOL
EDR/XDR tooling $15,000-$60,000 Included or BYOL
Threat intelligence feeds $10,000-$50,000 Included
Training and certifications $15,000-$30,000 Included
Recruitment, ramp, and turnover $30,000-$60,000 N/A
Total $350,000-$800,000 $50,000-$200,000

The IBM 2025 Cost of a Data Breach Report pegs the global average breach at $4.44 million, and organisations using managed security services detected breaches 108 days faster on average, knocking $1.76 million off that figure.

Practical bottom line. For mid-market companies, MDR delivers SOC-grade protection at a fraction of what a comparable in-house capability would cost. Doing it internally only starts to make economic sense above roughly 1,000 employees, and even then the talent market will fight you.

The hidden costs that never appear in the sales deck

Contracts bundle things that don’t show up in the headline price. Ask every vendor about these specifically, and get the answers in writing before you sign.

  • Onboarding fees. Common range is $5,000 to $25,000 for initial deployment, connector build-out, and detection tuning. Some vendors absorb it into year one. Others charge it as a line item on top.
  • Incident response overage. If IR hours cap at 40 per year and you burn 70 in a single ransomware weekend, what’s the overage rate? $300 to $500 per hour is typical, and a nasty incident eats hundreds of hours.
  • Tool licensing. Does the monthly fee include the EDR and SIEM, or do you pay those separately? Hidden tooling can add 30 to 50% to the effective cost.
  • Data retention. How long are logs kept? Beyond 90 days usually costs extra, and NIS2 may force you to 12 months or more.
  • Off-boarding. When the contract ends, do you walk away with your detection rules, playbooks, and historical data? Some providers treat the rule content as their IP.
  • Scope creep. Adding new cloud workloads, new SaaS applications, or IoT devices mid-contract often triggers mid-term repricing. Check the re-baselining clause.

How to work out whether the ROI is real

Calculating MDR return on investment properly means looking past the monthly subscription. Here’s the frame I use in client conversations.

Start with your breach risk exposure. Multiply the probability of a significant incident over two years (industry numbers put this at 25 to 30%) by the expected breach cost for your organisation size. For a 200-to-500 person company, realistic expected cost lands between $1M and $5M. That’s your starting risk pool.

Then work out what the same capability would cost internally. Salaries, SIEM licensing, EDR tooling, threat intel, recruitment, turnover. For most SMBs the internal build is $200,000 to $600,000 more expensive per year than buying MDR, and that’s before you count the time your CFO spends trying to hire SOC analysts who don’t exist in the Nordic market.

Detection speed is the third piece, and it’s where the real money lives. The industry median for undetected breach dwell time still runs into months. Organisations with combined MDR and SIEM coverage typically hit mean-time-to-detect under 24 hours for a significant event. A shorter dwell time means smaller blast radius, less data stolen, fewer systems to rebuild, cheaper forensics.

Finally, there’s the compliance overlap. An MDR that generates audit-ready reporting out of the box can replace the standalone compliance-monitoring tool you were eyeing, and cuts audit preparation time by roughly half. For organisations under active regulatory scrutiny, that’s genuine cost avoidance, not hand-waving.

What to actually evaluate in a provider

Cheapest MDR rarely wins. A few things matter more than price.

Look at documented response SLAs. Best-in-class providers commit to 15-minute triage and one-hour containment for critical incidents. If the SLAs are vague or unwritten, assume they don’t exist. Providers who can commit to specific MTTR numbers are the ones who measure themselves against them internally.

Check the tech stack alignment. If your shop runs Microsoft 365, go with a provider that has deep Defender and Sentinel expertise. Generic providers running their own proprietary tooling will underperform on a Microsoft estate because they haven’t invested in the Microsoft-specific detection engineering.

Ask about transparency. Do you get login access to the SIEM? Can you see what the analysts are doing? Do you own the detection rules they write in your tenant? If the answer to any of these is no, you’re renting visibility instead of owning it, and when the contract ends you walk away with nothing.

Test the scalability. If you’re at 120 endpoints today and heading to 400 in 18 months, pin down what the pricing curve looks like. A good provider gives you a reasonable glide path. A bad one re-negotiates the price every time you add 50 devices.

Confirm NIS2 support explicitly. If you’re under the directive, the provider needs to generate evidence aligned with Article 21 operational requirements, not just wave at compliance generically. Ask to see a sample report from another customer in your sector.

Frequently asked questions

How much does MDR cost per month?

Standard MDR runs $10 to $30 per endpoint per month. A 200-endpoint organisation lands between $2,000 and $6,000 a month on that basis. Premium packages with threat hunting, SIEM management, and dedicated IR retainers push into $4,000 to $15,000 a month for the same company.

Is MDR worth it for small businesses?

Usually yes. Small businesses between 50 and 200 employees get attacked disproportionately because attackers assume weaker defences. MDR gives you 24/7 SOC coverage for $50,000 to $100,000 a year, against $350,000 or more to build the same thing internally. The internal option is also hard to staff in the current talent market.

What is the difference between MDR and MSSP pricing?

MSSPs charge less per endpoint ($5 to $15 per endpoint per month) but the service stops at monitoring and alerting. MDR includes active investigation, threat hunting, and hands-on-keyboard response when something real fires. You’re paying for someone to actually act on the alerts. Our MDR vs MSSP comparison goes into the detail.

Does MDR replace the need for a SIEM?

Not exactly. Most MDR services use a SIEM under the hood, often Microsoft Sentinel, as the analytics engine. Some include the SIEM licensing in the subscription, some make you bring your own. MDR replaces the need for internal analysts to drive the SIEM. The platform itself remains part of the architecture.

Does NIS2 require MDR?

NIS2 doesn’t name MDR specifically. Article 21 does require appropriate and proportionate measures for incident handling, business continuity, and supply chain security, and expects continuous monitoring to back them up. For an organisation without an internal SOC, MDR is the most practical way to meet those operational requirements, and your auditor will recognise the pattern.

Next steps

MDR pricing is a function of your environment, your risk appetite, and how deep the service needs to go. Cheapest isn’t always right. Most expensive often bundles things you don’t need yet. The decision comes down to what you’re actually protecting, what compliance bites you, and whether the provider’s technology stack matches yours.

Falconer Security runs Managed Detection and Response natively on Microsoft Sentinel and Defender XDR. No duplicate tooling, no separate SIEM licence, pricing that scales linearly with your organisation rather than stepping up at arbitrary points. If you’re between 50 and 500 employees and want a real number rather than a brochure range, book a security assessment and we’ll give you one based on your actual environment.