Opsio - Cloud and AI Solutions

MDR Pricing Models: Per Endpoint, Per Identity, Tiered, and All-You-Can-Eat — How to Compare

Published: · Updated: · Reviewed by Opsio Engineering Team
Fredrik Karlsson

Group COO & CISO

Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

MDR pricing is deliberately incomparable. CrowdStrike Falcon Complete prices per endpoint. Arctic Wolf prices per "sensor" plus per "user." Red Canary prices per endpoint with identity bundled. Microsoft prices per Defender XDR seat plus Sentinel ingestion. Sophos prices per user. eSentire prices per asset across categories. Drop the same RFP on five vendors and you get five quotes that cannot be put on the same page without a calculator and a lawyer.

This article gives CISOs and procurement leads a normalised model — the unit-economics math that exposes which vendor is actually cheapest for your specific telemetry footprint, plus the contractual gotchas that turn a $500K quote into a $750K renewal. The numbers are based on real 2025-2026 customer engagements across the Nordics, EU, and India. Names of providers are illustrative; the structural pricing patterns are universal.

The Five Pricing Patterns You Will Encounter

| Pattern | Unit | Typical range | Best fit | Trap |
|---|---|---|---|---|
| Per endpoint | Workstation, server, container host | $5-15/endpoint/month (tier-1) | Endpoint-heavy, identity-light | Containers and ephemeral hosts |
| Per identity | Active user account | $3-10/user/month standalone; $50-100/user/month for premium IDR add-on | SaaS-heavy, BYOD | Service accounts and shared mailboxes |
| Per log GB ingested | SIEM ingestion, daily/monthly | $2-8/GB/day (Sentinel); $1,500-2,500/GB/day (Splunk) | Variable telemetry volume | Audit-driven retention spikes |
| Tiered bundle | "Essential / Advanced / Complete" packs | 20-40% premium for top tier | Predictable, auditor-friendly | Features locked behind tier upgrades |
| All-you-can-eat | Flat fee per environment | $120K-$1M/year | Mature security programme, large estate | True-up clause on growth |

None of these are inherently wrong. The trap is mismatching the model to the estate. Per-endpoint pricing on a Kubernetes-heavy environment punishes you for elasticity. Per-identity pricing on a tenant with 12 service accounts per human user punishes you for normal hygiene. Per-GB pricing during a compliance audit when retention triples for 90 days punishes you for being audited.

Build Your Normalised Cost Model

The only way to compare is to compute total cost of ownership against your specific environment. The components, in order of magnitude:

  1. Endpoint licences — count workstations, persistent servers, and Kubernetes nodes. Containers are usually counted at the host level for tier-1 vendors, but verify; some count per pod.
  2. Identity licences — count licensed users in Entra ID, Okta, or Google Workspace. Service accounts are often free; high-privilege accounts (PAM-managed) are often premium.
  3. SIEM ingestion — measure baseline GB/day for 90 days. Multiply by 1.4 to allow for a compliance retention burst. Distinguish the "hot" tier (90 days, fast query) from the "archive" tier (1-7 years, slow query).
  4. Premium add-ons — IDR ($50-100/identity/month), email security ($3-7/user/month), cloud workload protection ($15-30/asset/month), MITRE Engenuity ATT&CK Evaluation tier features.
  5. IR retainer — typically $10K-$50K/year minimum, with hourly burn rates of $400-$700 once activated.

For a representative 2,500-endpoint, 4,000-identity Nordic mid-market customer the normalised annual cost lands around $250K-$420K for tier-1 MDR with IDR included, of which roughly 60% is endpoint and identity licences and 40% is SIEM ingestion plus premium modules. That figure compares against $1.2M-$1.6M to staff a 24x7 in-house SOC for the same coverage — the reason MDR wins below 5,000 endpoints in almost every model we have built.
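The five components above, carried through as a small normalised cost calculator. This is an added example, not Opsio's tooling and not any vendor's rate card: the estate figures match the representative 2,500-endpoint customer, while every rate, the per-pod counting flag, the 6,000-pod count, the 1,200 service accounts and the true-up mechanics (growth above the allowance billed at a per-endpoint overage rate) are constructed assumptions chosen from inside the ranges quoted in this article. The point it makes is that the cheapest headline unit price is not the cheapest contract once pod counting, service-account exemptions, ingestion burst and true-up are applied to your own footprint.

```python
"""Normalised annual cost model for comparing MDR quotes.

Added example; this is not Opsio's tooling. Every rate below is a
constructed assumption picked from inside the ranges the article quotes,
so replace them with the figures in your own RFP responses.
"""
from dataclasses import dataclass, replace

BURST_MULTIPLIER = 1.4   # allowance for a compliance-driven retention burst
DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Estate:
    endpoints: int            # workstations + persistent servers + Kubernetes nodes
    pods: int                 # running containers; only billed by per-pod vendors
    identities: int           # all licensed accounts, human and non-human
    service_accounts: int     # subset of identities that are service principals / bots
    siem_gb_per_day: float    # 90-day measured baseline ingest


@dataclass(frozen=True)
class Quote:
    vendor: str
    per_endpoint_month: float = 0.0
    per_identity_month: float = 0.0
    per_gb_ingested: float = 0.0
    flat_annual: float = 0.0                  # all-you-can-eat fee; 0 when unit-priced
    ir_retainer_annual: float = 0.0
    counts_pods: bool = False                 # vendor counts containers per pod, not per host
    exempts_service_accounts: bool = False
    growth_allowance: float = 0.0             # endpoint growth covered before true-up applies
    overage_per_endpoint_month: float = 0.0   # list rate charged above the allowance (assumed model)


def annual_cost(estate: Estate, quote: Quote, growth: float = 0.0) -> dict:
    """Break one quote into components and a total (USD/year).

    `growth` is the fraction of endpoint growth expected over the term;
    anything above the contract's allowance lands on the true-up line.
    """
    endpoint_units = estate.endpoints + (estate.pods if quote.counts_pods else 0)
    identity_units = estate.identities - (
        estate.service_accounts if quote.exempts_service_accounts else 0
    )
    burst_gb = estate.siem_gb_per_day * BURST_MULTIPLIER * DAYS_PER_YEAR
    excess_endpoints = max(0.0, growth - quote.growth_allowance) * estate.endpoints

    components = {
        "endpoint": endpoint_units * quote.per_endpoint_month * 12,
        "identity": identity_units * quote.per_identity_month * 12,
        "siem": burst_gb * quote.per_gb_ingested,
        "flat": quote.flat_annual,
        "ir_retainer": quote.ir_retainer_annual,
        "true_up": excess_endpoints * quote.overage_per_endpoint_month * 12,
    }
    components = {k: round(v, 2) for k, v in components.items()}
    components["total"] = round(sum(components.values()), 2)
    return components


def rank_quotes(estate: Estate, quotes, growth: float = 0.0):
    """Cheapest first: list of (total, vendor)."""
    return sorted((annual_cost(estate, q, growth)["total"], q.vendor) for q in quotes)


def service_account_exemption_saving(estate: Estate, quote: Quote) -> float:
    """USD/year recovered by negotiating the service-account exemption on a quote."""
    before = annual_cost(estate, quote)["total"]
    after = annual_cost(estate, replace(quote, exempts_service_accounts=True))["total"]
    return round(before - after, 2)


# Constructed estate: the article's representative 2,500-endpoint customer
ESTATE = Estate(endpoints=2500, pods=6000, identities=4000,
                service_accounts=1200, siem_gb_per_day=8.0)

# Constructed quotes, one per pricing pattern; vendor labels are placeholders
QUOTES = [
    Quote("A: per-endpoint tier-1", per_endpoint_month=10, ir_retainer_annual=20_000),
    Quote("B: per-endpoint + per-identity", per_endpoint_month=10,
          per_identity_month=3, ir_retainer_annual=20_000),
    Quote("C: per-endpoint, counts pods", per_endpoint_month=6,
          counts_pods=True, ir_retainer_annual=20_000),
    Quote("D: XDR overlay + per-GB SIEM", per_endpoint_month=8,
          per_gb_ingested=4, ir_retainer_annual=20_000),
    Quote("E: all-you-can-eat", flat_annual=350_000,
          growth_allowance=0.10, overage_per_endpoint_month=12),
]


if __name__ == "__main__":
    for total, vendor in rank_quotes(ESTATE, QUOTES, growth=0.25):
        print(f"{vendor:32s} ${total:>12,.0f}")
    print("B with service-account exemption saves $",
          service_account_exemption_saving(ESTATE, QUOTES[1]))
```

Run it with a 25% growth assumption and quote C, the lowest per-endpoint rate on the list, ends up the most expensive because it counts every pod; quote B drops by $43,200 a year once the service-account exemption is written in. Swap in your own measured ingest, identity mix and the allowance language from each draft MSA before reading anything into the ordering.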


Per-Endpoint and Per-Identity: The Two Dominant Units

Per-endpoint dominates the SMB and lower mid-market because the unit is intuitive, easy to forecast, and aligns with the largest XDR vendors' commercial gravity (CrowdStrike, SentinelOne, Sophos). The pricing reflects real cost — the EDR sensor is the heaviest telemetry source and the largest analyst workload. It breaks down in three estates: heavy container/serverless (where ephemeral hosts churn faster than the licence model accommodates), VDI farms (where one image serves dozens of concurrent users), and OT/ICS networks (where "endpoint" is not a meaningful unit). For these, ask vendors for asset-based or seat-based variants.

Per-identity pricing has emerged in parallel because identity is the new perimeter — every credible 2024-2025 incident report makes the same point. T1078 Valid Accounts has displaced unpatched edge devices as the dominant initial-access vector for ransomware affiliates. Per-identity pricing models follow the threat: Identity Threat Detection and Response (ITDR or IDR) modules from Microsoft Defender for Identity, CrowdStrike Falcon Identity Protection, Silverfort, and SentinelOne Singularity Identity sit at $50-100 per identity per month for the premium tier.

The math gets uncomfortable on customers with high service-account ratios. We have seen Nordic banking customers with 40,000 identities, of which 28,000 are service principals or RPA bots — the standard per-identity quote priced as if each had a human at the keyboard. Negotiate service-account exemption explicitly; major vendors all have it but rarely volunteer it. Pair the identity-priced contract with Zero Trust architecture rollout so service-account scopes are tightly constrained and the IDR signal-to-noise stays high.

Per-Log-GB Pricing and the Sentinel Ingestion Trap

Microsoft Sentinel commits at $2-5/GB/day for the analytics tier and ~$0.10/GB/month for the archive tier — see our Azure Sentinel managed service for the operating model. Splunk Cloud commits per ingest with workload pricing options. Either way, ingestion volume is the lever that breaks budgets when you are not paying attention.

The four ingestion-cost levers worth knowing:

  • Filter at source — drop verbose Windows event IDs (4658, 4663 in high-volume modes) at the agent before they hit the SIEM. Keep DNS, but downsample HTTP access logs.
  • Tier the data — Sentinel basic logs ($0.50/GB ingested, $0.005/GB-day stored) for forensic-only data; analytics logs for hunting and rules.
  • Watch retention transitions — moving from 90-day hot to 1-year archive costs storage but cuts hot-tier ingest charges. Most customers leave money here.
  • Cap with a workspace daily quota — a hard daily ingestion cap stops a misconfigured firewall from generating $40K of overage in a long weekend.

Tiered Bundles and All-You-Can-Eat

Most major vendors now ship three-tier bundles. The structure rewards the top tier and starves the bottom. The bottom tier ("Essential" or equivalent) typically excludes proactive threat hunting, IDR, and active response authority β€” exactly the deliverables that distinguish MDR from MSSP. The middle tier is the sweet spot for most mid-market customers; the top tier ("Complete" or equivalent) adds vCISO services, premium IR retainer, and tabletop exercises.

The tier-jump trap: features get reorganised between tiers at renewal. A capability you bought in tier 2 last year may have moved to tier 3 this year, requiring an upgrade. Lock the feature inclusions in writing on signature, not just the tier name.

Above 10,000 endpoints or 25,000 identities, the unit-economics model becomes harder to justify than a flat-fee, all-you-can-eat MDR. Vendors offer enterprise agreements at $120K-$1M+/year that bundle everything into a single line item. The advantage is procurement simplicity and a consistent renewal target. The disadvantage is the true-up clause: most contracts include a 10-15% growth allowance, with overage pricing that resembles the per-unit list rate. Acquisitions and rapid growth blow these contracts open.

Real Customer Math: A 2,500-Endpoint Example

For a representative 2,500-endpoint, 4,000-user Nordic mid-market customer with 8 GB/day SIEM ingestion:

| Vendor pattern | Annual cost (USD) | What's included |
|---|---|---|
| Tier-1 per-endpoint MDR (Falcon Complete-class) | $295K-$340K | Endpoint + 24x7 SOC + IR retainer (40h) |
| Per-endpoint MDR + IDR add-on | $385K-$465K | Above + identity threat detection |
| Microsoft Defender XDR + Sentinel + MDR overlay | $310K-$390K | If E5 already licensed; otherwise $145K higher |
| SIEM-led MSSP + IR retainer | $170K-$220K | Triage only; response on hand-off |
| In-house SOC (6 FTE) + XDR licences | $1.2M-$1.6M | Full ownership; recruitment risk |

The MSSP option looks cheaper on paper and almost certainly costs more after the first incident. IBM's 2024 Cost of a Data Breach Report puts the average breach at $4.88M; the marginal $120K/year between MSSP and MDR is rounding error against a single contained ransomware event.

Contract Clauses That Move the Number

Six clauses to negotiate every time:

  1. True-up cap — annual growth allowance and overage rate, with a hard ceiling.
  2. Service-account exemption — explicit on identity-priced contracts.
  3. Detection content portability — Sigma/KQL/SPL export at termination; rules you wrote belong to you.
  4. Response authority — written authorisation for isolate-host, disable-account, and revoke-token actions without per-incident approval.
  5. SLA credits — concrete remedies for missed MTTA, MTTD, and MTTR. Industry standard is 15-min MTTA and 1-hr MTTD on tier-1.
  6. Tabletop and purple-team frequency — at least quarterly, with named ATT&CK techniques covered.

How Opsio Helps

Opsio's managed detection and response services price transparently across endpoint, identity, and SIEM ingestion components, with the contractual clauses above on the standard MSA. We also operate engagements as overlays on existing CrowdStrike, Microsoft Defender XDR, and SentinelOne deployments — customers keep the XDR licence relationship and gain 24x7 SOC operations on top. For Microsoft-centric estates we run the full stack via managed cloud security services, including Defender XDR, Sentinel, and Defender for Cloud as a single FinOps-tracked envelope.

About the Author

Fredrik Karlsson

Group COO & CISO at Opsio

Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.