BUYER BRIEF  ·  VENDOR-NEUTRAL  ·  UPDATED 2026-04-27
Framework · Last verified April 2026

The four axes XDR vendors price on

Every XDR quote combines two or three of four axes: per endpoint, per user, per cloud workload, per GB of ingest. Understanding which axis your environment scales cheaply on is the most consequential decision in XDR procurement.

An XDR vendor’s pricing model is rarely pure. Most quotes combine two or three of four axes, layered as separate stock keeping units: a base license, an add-on identity module, a separate cloud workload protection SKU, and an ingestion overage band. Two quotes that look comparable on the cover page can price the same environment at radically different annual totals because the blend of axes is different.

[Figure: the four pricing axes: per endpoint (devices under protection), per user (identities covered), per cloud workload, per GB ingest (telemetry volume)]
[advisory] Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research. They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.

Axis 1: Per endpoint

Per-endpoint pricing treats each device under protection as the billable unit. A quoted rate of ten dollars per endpoint per month for a two-thousand-endpoint environment means $240,000 per year before any other line item. Endpoints include workstations, servers, and managed mobile devices. Most vendors exclude containers and serverless functions from the endpoint count, charging them separately on the per-workload axis.

Per-endpoint rewards environments where users carry multiple devices. One user with a laptop, a tablet, and a phone counts as three endpoints; on a per-user axis the same user counts as one. For engineering-heavy or field-workforce organisations where the device-to-user ratio is above two to one, per-endpoint can price significantly higher than per-user for the same environment.

Per-endpoint penalises environments where devices are ephemeral or heavily virtualised. Virtual desktop infrastructure deployments with persistent pools often include more licensed endpoints than active users because the pool must size to peak concurrent load. Thin-client shops, seasonal retail, and contractor-heavy organisations typically pay less under per-user pricing.

Per-endpoint worked example
Inputs
  • Endpoints: 2,000
  • Quoted rate: $10 / endpoint / month
  • Ingest overage: 10 GB/day over bundle @ $0.12/GB/mo
Calculation
  • Base license: 2,000 × $10 × 12 = $240,000
  • Ingest overage: 10 × 30 × $0.12 × 12 = $432
  • Year one total (license line): $240,432

Axis 2: Per user

Per-user pricing treats each protected identity as the billable unit. An identity includes full-time employees, contractors with access, and sometimes privileged service accounts depending on the vendor’s definition. Some vendors count all identities; others count only human identities and include service accounts in the bundle.

Per-user rewards device-heavy organisations. An engineer with a laptop, a desktop, and a dev server counts as one user on a per-user axis and three endpoints on a per-endpoint axis. For organisations where the device-to-user ratio is above one and a half, per-user is usually cheaper per device covered.

Per-user penalises contractor-heavy and seasonal workforces. Every contractor with an email address or a federated identity counts as a licensed user; many organisations are surprised by how much of their user count is contractor or partner access that was never billed under per-endpoint pricing. Extended access relationships with customers and suppliers can inflate the user count significantly.

Per-user worked example
Inputs
  • Users (inc. contractors): 1,400
  • Quoted rate: $9 / user / month
  • Identity add-on bundled
Calculation
  • Base license: 1,400 × $9 × 12 = $151,200
  • Identity add-on: $0 (bundled)
  • Year one total (license line): $151,200

Axis 3: Per cloud workload

A cloud workload is a unit of compute or storage in a cloud environment: a virtual machine, a container, a serverless function, a managed database instance. Per-workload pricing is almost always a separate SKU layered on top of per-endpoint or per-user; a vendor’s base XDR rate rarely covers cloud workload protection without a dedicated subscription.

Per-workload rewards environments with a static, predictable cloud footprint. An on-premises shop with fifty production VMs pays a small per-workload add-on. Environments where workload count is dynamic, particularly Kubernetes environments with frequent pod scheduling or serverless architectures with function counts in the thousands, face per-workload line items that can exceed the endpoint license.

Container and serverless counting is inconsistent across vendors. Some count peak concurrent workloads; some count average; some count per-workload-hour and bill a per-container equivalent based on runtime hours. The definition is worth asking before the quote is final; the same cloud environment can price differently across vendors by a factor of three depending on the counting method.

Axis 4: Per GB of ingest

Per-GB pricing treats each gigabyte of telemetry ingested into the platform as billable. Per-GB is the axis that most often surprises buyers after go-live. Initial quotes usually bundle a telemetry allowance (typically one to five GB per day per endpoint depending on source types); overage above the bundle is metered per GB with tiered pricing.

Per-GB rewards low-telemetry environments. Endpoint-only logging with minimal cloud audit ingestion and no packet capture can run under one GB per day per endpoint. Organisations that already ingest verbosely into a SIEM and migrate that ingest to an XDR face multiples of this. Full packet capture for a segment, detailed cloud audit logs from a heavy AWS or Azure footprint, and Kubernetes API logs can each add ten to twenty GB per day on their own.

The single most consequential per-GB decision is retention tier. Hot retention (immediately queryable) is commonly priced three to five times more per GB per month than cold archive. A compliance requirement for twelve months of queryable retention is a fundamentally different line item from twelve months of archive retention. The data ingestion cost page works the retention math through in full.

Normalising three quotes onto a common axis

The skill that matters most when evaluating XDR quotes is converting three differently-structured quotes into a single comparable figure. Assume an environment of two thousand endpoints, fourteen hundred users, one hundred and twenty cloud workloads, and forty GB per day of telemetry. Three hypothetical vendors quote as follows.

|                   | Vendor A                      | Vendor B                | Vendor C                    |
| ----------------- | ----------------------------- | ----------------------- | --------------------------- |
| Structure         | per-endpoint + per-GB overage | per-user bundled ingest | per-workload + per-GB       |
| Quoted rate       | $10/ep/mo + $0.12/GB          | $11/user/mo             | $4/ep + $0.08/GB            |
| License calc      | 2,000 × 10 × 12 = $240K       | 1,400 × 11 × 12 = $185K | 2,000 × 4 × 12 = $96K       |
| Ingest calc       | 40 × 30 × 0.12 × 12 = $1.7K   | bundled                 | 40 × 30 × 0.08 × 12 = $1.2K |
| Workload add-on   | 120 × $5 × 12 = $7.2K         | bundled                 | included                    |
| Normalised annual | $249K                         | $185K                   | $97K                        |

Vendor C looks cheapest on the surface. Before accepting the quote, a buyer should press on ingestion assumptions and verify that the bundled workload coverage is not limited by workload type or cloud provider. Many vendors offer headline rates that bundle generously and then exclude the most useful telemetry (for example, covering AWS CloudTrail but not AWS VPC flow logs) at a surcharge. The quote call should flush this out before the contract is signed.

Vendor B is the second cheapest despite the higher per-user rate because the bundled ingestion and workload coverage avoid the add-on SKUs. Vendor A is most expensive because the per-endpoint rate is aggressive but every module is separately billable. This pattern is common; the question bank lists the prompts that surface bundled-vs-unbundled differences.
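The normalisation above can be scripted so that every quote is reduced to the same three line items and re-ranked whenever an input changes. This is an added example, not part of the original brief: the `Environment` and `Quote` classes and all function names are hypothetical, and the rates are the page's illustrative figures for its three hypothetical vendors.

```python
from dataclasses import dataclass

DAYS_PER_MONTH = 30  # the page's worked examples assume a 30-day month

@dataclass(frozen=True)
class Environment:
    endpoints: int
    users: int
    workloads: int
    ingest_gb_per_day: float

@dataclass(frozen=True)
class Quote:  # hypothetical model; a rate of 0.0 means that axis is bundled
    name: str
    per_endpoint_month: float = 0.0
    per_user_month: float = 0.0
    per_workload_month: float = 0.0
    per_gb_month: float = 0.0
    bundled_gb_per_day: float = 0.0  # daily allowance before metering starts

def annual_lines(q: Quote, env: Environment) -> dict:
    """Break one quote into the page's three annual line items."""
    metered_gb = max(env.ingest_gb_per_day - q.bundled_gb_per_day, 0.0)
    return {
        "license": 12 * (q.per_endpoint_month * env.endpoints
                         + q.per_user_month * env.users),
        "workload": 12 * q.per_workload_month * env.workloads,
        "ingest": 12 * DAYS_PER_MONTH * q.per_gb_month * metered_gb,
    }

def annual_total(q: Quote, env: Environment) -> float:
    return round(sum(annual_lines(q, env).values()), 2)

def rank(quotes, env):
    """Cheapest first, as (annual total, vendor name) pairs."""
    return sorted((annual_total(q, env), q.name) for q in quotes)

def breakeven_devices_per_user(per_endpoint_month, per_user_month):
    """Device-to-user ratio above which the per-user license line is cheaper."""
    return per_user_month / per_endpoint_month

# The page's hypothetical environment and three hypothetical vendor quotes.
ENV = Environment(endpoints=2000, users=1400, workloads=120, ingest_gb_per_day=40)
QUOTES = [
    Quote("Vendor A", per_endpoint_month=10, per_workload_month=5, per_gb_month=0.12),
    Quote("Vendor B", per_user_month=11),
    Quote("Vendor C", per_endpoint_month=4, per_gb_month=0.08),
]

if __name__ == "__main__":
    for total, name in rank(QUOTES, ENV):
        print(f"{name}: ${total:,.0f}")
```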

// Q&A appendix

Frequently asked questions

01. Can I ask a vendor to price in a different axis?
You can ask; vendors do not always agree. Most vendors have internal pricing models built around a primary axis and will only quote in that axis for standard deals. Larger negotiations occasionally unlock custom structures. Your leverage is the normalisation exercise itself: if you show the vendor that their primary axis prices your environment unfavourably compared to a competing quote, you get a discount on the per-unit rate rather than a change of axis.
02. Which axis is cheapest?
There is no universally cheapest axis. Per-endpoint is cheapest for device-heavy environments where users carry multiple devices. Per-user is cheapest for light-device environments where each user has one laptop. Per-workload is cheapest for on-premises shops with minimal cloud footprint. Per-GB is cheapest for organisations that keep telemetry volume low by ingesting only high-signal sources. The right axis is the one that rewards how your environment is structured.
03. What is a bundled pricing model?
A bundled pricing model combines multiple axes into a single per-unit rate. Bundles simplify the contract but obscure which axis is moving the total cost. Bundles are fine if your environment is typical for the vendor’s target customer; they are expensive if your environment is unusual on any of the underlying axes. Unbundling the rate during the quote call (asking the vendor what the price would be for the base licence without bundled telemetry) surfaces which component is actually expensive.