The category difference
Extended detection and response is a platform: software you license to ingest telemetry, correlate detections, and expose an analyst console. You (or someone on your behalf) operate it. The platform does not analyse alerts; it surfaces them. A human still reviews, triages, and responds.
Managed detection and response is a service: a team of human analysts at a provider who monitor your telemetry, investigate alerts, and often take response actions directly. MDR is priced per endpoint or per user as a service fee. The provider either operates on your XDR platform using delegated access or brings their own platform (often the same products or an in-house equivalent).
The two are layered, not alternatives. An XDR platform without operators is a collection of alerts no one looks at. An MDR service without a platform has no telemetry to analyse. The commercial question is whether you operate the platform yourself with internal analysts or pay a service provider to do it for you. For the full MDR framework see mdrcost.com.
The layered cost stack
The diagram shows the three-tier stack. Telemetry is the foundation: the tools that generate logs and alerts (endpoint, email, identity, cloud, network). The XDR platform sits above telemetry and correlates events into incidents. MDR sits above the platform and provides human analysis on the incidents the platform surfaces. Each layer has its own cost.
A complete stack for a mid-market environment at illustrative rates might look like: telemetry (sensor licenses) at what the organisation already pays for endpoint agents, email gateways, and identity tools; XDR platform at ten dollars per endpoint per month; MDR service at twenty-five dollars per endpoint per month. The stack total runs comfortably above the platform-only cost, and the service fee is typically the largest line item in the stack.
MDR-only without a separate XDR
Some MDR providers bundle their own platform into the service. The customer pays a single per-endpoint rate covering platform licensing, ingestion, retention, and analyst coverage. The bundled model is simpler operationally: one vendor, one contract, one invoice. It is commercially opaque: the component costs are hidden, comparison across providers is harder, and switching providers typically means switching platforms as well.
Organisations that choose the bundled MDR-only model typically do so for operational reasons (small security team, no bandwidth to run a platform) rather than commercial reasons. The total cost per endpoint is often competitive with split-stack pricing once service coverage is matched apples-to-apples.
MDR on top of your XDR
The alternative is to license an XDR platform separately and then engage an MDR provider who operates on that platform via delegated access. Many MDR providers support multiple platform vendors; this preserves the customer’s option to switch MDR providers without changing the underlying telemetry substrate.
Typical split-stack pricing for MDR operating on a customer-owned XDR runs fifteen to thirty-five dollars per endpoint per month for the service alone, on top of the XDR platform license. Higher rates typically reflect tighter response SLAs (twenty-four-seven triage inside fifteen minutes versus within an hour) or additional services like threat hunting, tabletop exercises, and an incident response retainer.
The split-stack model is harder to stand up because two vendor relationships must be coordinated. It is easier to manage long-term because the components can be renegotiated independently and platform-vendor lock-in is decoupled from service-provider lock-in.
When to buy MDR vs build a SOC
The MDR-vs-internal-SOC decision is the most common question in the category. The rough numbers: a single MDR contract at twenty-five dollars per endpoint per month for a fifteen-hundred-endpoint environment costs roughly $450,000 per year. A genuinely capable internal twenty-four-seven SOC requires five to eight FTE (one analyst per shift plus leadership) at fully-loaded cost, which runs roughly $750,000 to $1.2M per year. MDR is usually cheaper in direct spend at mid-market scale.
Internal SOCs make sense above five thousand endpoints, in regulated industries with strict data-handling requirements, and when the organisation has strong preferences for in-house control. See securityoperationscost.com for the full internal SOC cost framework.