Most published XDR pricing guides quantify the licensing line and mention the other categories in passing. The useful framing is the opposite: name all five categories up front, estimate a realistic range for each, and present finance with the complete picture. Finance will ask the hard questions in year two anyway. It is better to have the answer in year one.
- Cat. 01 · 38% · Licensing: per-endpoint / per-user / per-workload
- Cat. 02 · 24% · Data ingestion & retention: per-GB, overage, hot/cold tiers
- Cat. 03 · 9% · Onboarding & services: deployment, migration, integration
- Cat. 04 · 18% · Managed-service add-ons: MDR, 24/7 SOC, threat hunting
- Cat. 05 · 11% · Internal operating cost: platform admin, tuning, FTE
Category 1: Licensing
Licensing is the recurring per-unit fee the vendor charges for platform access. It is always denominated in one or more of the four pricing axes: per endpoint, per user, per cloud workload, per GB of ingest. Most quotes combine two or three axes, often as separate stock keeping units that add together on the cover page.
Licensing typically represents thirty to forty-five percent of XDR TCO for a mid-market deployment. The percentage falls for ingest-heavy environments where the retention and overage line grows, and rises for quiet environments where telemetry stays inside bundled allowances.
Multi-year commitments are the largest lever on licensing cost. Published case studies consistently report a per-unit discount of fifteen to thirty percent for three-year commitments over single-year terms. The trade-off is flexibility: renegotiation mid-term is usually possible but often unfavourable. True-up clauses that allow the license count to grow mid-term without repricing the per-unit rate are worth negotiating when available.
Category 2: Data ingestion and retention
Ingestion and retention run twenty to forty percent of XDR TCO for a typical deployment. The line varies widely by environment: a Kubernetes-heavy cloud shop with verbose audit logging lands at the high end; an on-premises shop with minimal cloud footprint and light logging lands at the low end.
The most expensive retention decision is how many months to keep in the hot tier. Hot retention is queryable by the detection engine and the analyst console; cold retention is archived and requires rehydration before it can be queried. Hot is typically three to five times more expensive per GB per month. See data ingestion cost for the full worked example.
Category 3: Onboarding and professional services
Onboarding covers initial deployment, integration with existing tools, detection content migration, and analyst training. Typical mid-market figures fall between five thousand and fifty thousand dollars as a one-time fee. Larger enterprises and migrations from legacy SIEM platforms routinely reach the low six figures.
Migration services are the most variable line item inside onboarding. A greenfield deployment with no prior tool costs materially less than a migration from an established EDR or SIEM, because migrating detection content often requires rewriting each rule in the new platform’s query language. Detection content migration is commonly quoted at a per-rule rate by vendor services teams, typically one thousand to three thousand dollars per rule depending on complexity.
Integration services for open-XDR architectures are a third line inside this category. Each third-party telemetry source typically requires configuration work by the vendor services team or a partner. A deployment with eight integrations spends materially more on onboarding than a deployment with two.
Category 4: Managed-service add-ons
Many organisations buy a managed detection and response service on top of the XDR platform. The MDR provider operates the platform on the customer’s behalf, investigates alerts, and often takes response actions. MDR is typically priced per endpoint or per user as a service fee, in the fifteen to thirty-five dollars per endpoint per month range. See mdrcost.com for the MDR pricing framework.
Managed services are a category-level decision. If the organisation operates a twenty-four-seven internal SOC, managed services are optional and often duplicate internal coverage. If the organisation cannot or will not staff twenty-four-seven coverage, managed services are the difference between XDR as a tool and XDR as a useful capability. The internal-operating-cost line below depends heavily on this choice.
Category 5: Internal operating cost
Running an XDR platform consumes internal FTE time for platform administration, detection content engineering, tuning, and integration maintenance. Typical mid-market deployments allocate half to one and a half full-time equivalents; enterprise deployments allocate two to five FTE across platform engineering and detection engineering roles.
Fully-loaded cost for a security engineering FTE in most North American markets runs one hundred and twenty thousand to two hundred thousand dollars depending on seniority. The internal operating line is therefore non-trivial at even modest scale: a one-FTE mid-market deployment is adding roughly one hundred and fifty thousand dollars per year to TCO that does not appear in any vendor quote.
See securityoperationscost.com for the full framework on internal SOC operating costs.
Consolidation breakeven model
The most consequential TCO question is whether replacing multiple point tools with a single XDR platform actually saves money. The informal rule of thumb in published case studies is four point tools. Below four, the consolidation savings rarely offset the category-premium licensing differential. At four or more, consolidation is usually net-positive.
Worked consolidation example
A mid-market organisation running four point tools at hypothetical rates:
| Tool | Price axis | Annual |
|---|---|---|
| EDR | $8/endpoint/mo × 1,500 | $144,000 |
| Email security | $4/user/mo × 1,000 | $48,000 |
| Cloud workload protection | $6/workload/mo × 140 | $10,080 |
| Identity threat detection | $3/user/mo × 1,000 | $36,000 |
| Integration maintenance | 0.5 FTE | $75,000 |
| Point tools total | | $313,080 |
An XDR platform replacing all four tools at a hypothetical $12 per endpoint per month plus ingestion and onboarding:
| Line | Calculation | Annual |
|---|---|---|
| XDR base license | $12/endpoint/mo × 1,500 | $216,000 |
| Ingest & retention (30% uplift) | illustrative | $64,800 |
| Onboarding amortised 3yr | $25K / 3 | $8,333 |
| Integration maintenance | 0.25 FTE | $37,500 |
| XDR consolidation total | | $326,633 |
In this hypothetical, consolidation is roughly cost-neutral in direct spend but frees half an FTE of integration maintenance and reduces analyst context-switching. The actual net savings are often captured in soft benefits (analyst hour reduction, faster mean time to respond) rather than hard licensing savings. That is why consolidation is a tougher sell below four tools: the hard-dollar savings may not materialise.
Above four tools, licensing savings alone typically cover the XDR premium. For breach-cost ROI framing see incidentcostcalculator.com.
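The worked consolidation example above as a small model, added here as an illustration and not part of the original guide: it reproduces both table totals and solves for the XDR per-endpoint rate at which the two stacks cost the same. Function names are hypothetical, and the 30% ingest uplift is assumed to scale with the license line, as the table implies.

```python
from dataclasses import dataclass

MONTHS = 12
FTE_COST = 150_000  # fully-loaded $/FTE implied by the tables (0.5 FTE = $75,000)


@dataclass
class UnitLine:
    name: str
    rate: float  # dollars per unit per month
    units: int

    def annual(self) -> float:
        return self.rate * self.units * MONTHS


# Hypothetical rates copied from the point-tool table above.
POINT_TOOLS = [
    UnitLine("EDR", 8, 1500),
    UnitLine("Email security", 4, 1000),
    UnitLine("Cloud workload protection", 6, 140),
    UnitLine("Identity threat detection", 3, 1000),
]


def point_total(tools, fte=0.5):
    """Annual point-tool spend plus integration-maintenance FTE."""
    return sum(t.annual() for t in tools) + fte * FTE_COST


def xdr_fixed(onboarding=25_000, years=3, fte=0.25):
    """XDR costs that do not scale with the per-endpoint rate."""
    return onboarding / years + fte * FTE_COST


def xdr_total(rate, endpoints=1500, ingest_uplift=0.30):
    """License, ingest uplift (assumed proportional to license), fixed costs."""
    return rate * endpoints * MONTHS * (1 + ingest_uplift) + xdr_fixed()


def breakeven_rate(tools, endpoints=1500, ingest_uplift=0.30):
    """XDR $/endpoint/month at which xdr_total equals point_total."""
    scaled = endpoints * MONTHS * (1 + ingest_uplift)
    return (point_total(tools) - xdr_fixed()) / scaled


if __name__ == "__main__":
    print(f"Point tools:    ${point_total(POINT_TOOLS):,.0f}")
    print(f"XDR at $12:     ${xdr_total(12):,.0f}")
    print(f"Breakeven rate: ${breakeven_rate(POINT_TOOLS):.2f}/endpoint/mo")
```

Under these inputs the breakeven sits just below the quoted $12 rate, which is why the example comes out roughly cost-neutral rather than clearly positive.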