EDR vs XDR vs MDR: what each one covers and how to choose without overpaying
A comparison aimed at buying committees: EDR and XDR are products; MDR is a managed service. Here we explain what problem each one solves, where they overlap, which decision makes sense depending on maturity, sector and budget, and how they fit with NIS2, DORA and ISO 27001:2022.
One-page summary
The EDR vs XDR vs MDR conversation gets messy because it mixes two separate questions: what technology do I need, and who operates it. Once you separate them, the decision becomes simpler.
Product: EDR
Deep endpoint telemetry and on-device response: isolation, kill process, rollback. The non-negotiable layer if you want to spot the attacker moving through the estate.
Product: XDR
EDR extended with identity, email, network, SaaS and cloud. A single console correlates signals across surfaces. The point of XDR is to catch attacks that no longer live on the endpoint.
Managed service: MDR
Whoever operates the EDR or XDR. Human analysts 24×7, sector-tuned use cases, assisted containment and a contractual response SLA. MDR closes the gap between buying technology and operating it well.
Comparison table
The three options do not compete on the same axis. EDR and XDR answer which technology; MDR answers who operates it. They combine; they do not exclude each other.
| Dimension | EDR | XDR | MDR |
|---|---|---|---|
| Nature | Technology product | Technology product (suite) | Managed service with people |
| Surface covered | Endpoint (Windows, macOS, Linux, server) | Endpoint + identity + email + network + cloud + SaaS | Whichever surface the underlying technology covers |
| Response capability | Automated and manual actions on the endpoint | Cross-surface actions (revoke session, isolate, block) | Assisted containment with human analyst through to closure |
| Who operates the console | In-house team (IT or security) | In-house team | MDR provider (L1-L3 analysts 24×7) |
| Sector tailoring | Rules and exclusions you maintain | Vendor use cases + your tuning | Use cases tuned to your sector and environment |
| Time to productive operation | 4-8 weeks deployment + months of tuning | 8-16 weeks full rollout + ongoing tuning | 4-8 weeks until the SLA is live |
| Indicative annual cost (500-2,000 endpoints) | €30-90k in licences | €70-200k in licences | €80-250k all-in (with or without provider EDR) |
| Main risk | Buying it and not operating it | Switching on consoles and leaving half untuned | A provider that only alerts and does not contain |
| NIS2/DORA evidence | Telemetry yes, operational evidence no | Rich telemetry; operational evidence depends on whoever uses it | Continuous evidence of detection, response and improvement |
Indicative figures
These ranges assume a mid-sized estate with average configuration. Your case may sit above or below.
Operate over buy
Mid-range technology operated well beats premium technology operated badly, every day of the year.
Auditable evidence
What auditors look at for NIS2 and DORA is the flow: alert → investigation → containment → notification → improvement.
What makes sense in your situation
There is no single right answer. These four scenarios cover most of the buying committees we see in regulated sectors.
Scenario 1
Strong IT team, no SOC
The fit is EDR + external L1 service. Your team knows the estate but 24×7 monitoring is not realistic in-house. A well-tuned EDR plus an L1 service that filters noise and escalates the serious cases leaves final response with your team. This is the most cost-efficient combination when internal maturity is high.
Scenario 2
Identity and M365 are business-critical
The fit is XDR + MDR. The attacks that matter no longer live on the endpoint: phishing, MFA fatigue, OAuth abuse, stolen tokens. XDR correlates identity, email and cloud; an enterprise MDR turns that correlation into action. The difference between twelve minutes and twelve hours to detect translates into days of business impact.
Scenario 3
NIS2 or DORA apply and you want evidence, not improvisation
The fit is a well-documented MDR. The question is no longer just to detect, but to produce continuous evidence and notify within the regulator's window. An MDR with contractual SLAs and traceable records generates exactly the material supervisors expect, without rebuilding the file each time. Pair it with a vCISO to keep the discipline.
Scenario 4
You plan an in-house SOC over 18-24 months
The fit is XDR + MDR as a bridge. While you build the team, deploy the platform and define use cases, the MDR operates against an SLA and produces evidence. The real win is the exit plan written into the contract: use cases, playbooks, integrations and lessons learned remain with you when the service ends. Negotiate that exit on day one, not when you are leaving.
EDR · what it really covers
A modern EDR is a lot more than an advanced antivirus. It captures hundreds of events per endpoint (processes, connections, disk access, module loads, scripts), applies behaviour-based detections and allows response actions: isolate the host, kill processes, roll back changes. What a pure EDR will not see is what happens off the endpoint. If the attacker comes in through Entra ID with a stolen token and never lands on a device, EDR will not notice.
Strengths
- Behaviour-based detection with granular telemetry
- Endpoint isolation in seconds
- Retrospective hunting with KQL-style queries
- Execution blocking and rollback
Where it falls short
- Identity compromise without endpoint activity
- OAuth abuse, MFA fatigue, stolen tokens
- Lateral movement across SaaS (M365, Google Workspace)
- Attacks that live in cloud infrastructure (IAM, containers)
XDR · when it actually adds value
XDR broadens the field of vision: it ingests identity (Entra ID, AD), email, network, cloud and SaaS telemetry and correlates signals an EDR would see in isolation. The classic chain — phishing → stolen token → OAuth abuse → exfiltration through M365 — is only visible end-to-end with XDR. The awkward part is that XDR is easy to buy and hard to operate. Many organisations light up three consoles and leave two untuned.
Makes sense when
- Your critical surface lives in identity and SaaS
- You operate in cloud across several accounts and services
- You want a single end-to-end detection console
- Your EDR does not cover identity by design
Makes less sense when
- Critical operation lives in OT or industrial environments
- You already need long retention covered by SIEM
- You lack a team to tune use cases
- Budget requires a layered approach
MDR · what a serious contract must include
You recognise an enterprise MDR by the contract, not the sales pitch. The following elements must appear in writing for the service to be enforceable.
Measurable SLAs
MTTD, MTTC, notification and isolation with precise definitions and consequences if missed.
Assisted containment
Isolate endpoint, revoke session, block C2 inside the SLA. Alert-only is not MDR.
Tuned use cases
Adapted to sector and customer; validated with controlled false positives before the SLA goes live.
Exit plan
Use cases, playbooks, integrations and lessons learned handed over when the contract ends.
Executive reporting
Trends, KPIs, ATT&CK coverage and an improvement proposal at a monthly cadence.
Forensic bridge
When a severe incident exceeds MDR scope, an orderly transition to DFIR without losing evidence.
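The SLA clauses above are only enforceable if the evidence chain (alert → investigation → containment → notification) is recorded with timestamps and measured against the agreed thresholds. The script below is an added example, not Hard2bit's own tooling: it computes MTTD, MTTC and the notification lead time per incident from such a chain, flags missing steps (an alert-only record shows up as a missing containment timestamp) and rolls the results into a monthly figure. The SLA thresholds and the three incident records are constructed for illustration; a real contract defines its own definitions and windows.

```python
"""Evaluate MDR SLA compliance from an incident evidence chain.
Added example; thresholds and incident records are constructed, not from any
real contract or customer."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed SLA thresholds (constructed for this example).
SLA = {
    "mttd_minutes": 15,   # first attacker activity in telemetry -> alert raised
    "mttc_minutes": 60,   # alert raised -> containment action executed
    "notify_hours": 24,   # alert raised -> customer/regulator notified (high/critical)
}


@dataclass
class Incident:
    ident: str
    first_activity: datetime          # earliest attacker activity seen in telemetry
    alerted: datetime                 # detection rule fired
    investigated: Optional[datetime]  # analyst picked the case up
    contained: Optional[datetime]     # isolation / session revoke executed
    notified: Optional[datetime]      # notification sent
    severity: str                     # low | medium | high | critical


def minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def evaluate(inc: Incident) -> dict:
    """Per-incident metrics plus the list of SLA clauses breached.
    A missing step in the chain is itself a finding, not silently skipped."""
    r = {"ident": inc.ident, "breaches": [], "triage_min": None,
         "mttc_min": None, "notify_h": None}
    r["mttd_min"] = minutes(inc.first_activity, inc.alerted)
    if r["mttd_min"] > SLA["mttd_minutes"]:
        r["breaches"].append("MTTD")
    if inc.investigated is not None:
        r["triage_min"] = minutes(inc.alerted, inc.investigated)
    if inc.contained is None:
        r["breaches"].append("no containment recorded")
    else:
        r["mttc_min"] = minutes(inc.alerted, inc.contained)
        if r["mttc_min"] > SLA["mttc_minutes"]:
            r["breaches"].append("MTTC")
    if inc.severity in ("high", "critical"):
        if inc.notified is None:
            r["breaches"].append("no notification recorded")
        else:
            r["notify_h"] = minutes(inc.alerted, inc.notified) / 60
            if r["notify_h"] > SLA["notify_hours"]:
                r["breaches"].append("notification window")
    return r


def monthly_report(incidents: list) -> dict:
    """Roll-up a buying committee can read: means, and which cases breached."""
    rows = [evaluate(i) for i in incidents]
    mttc = [r["mttc_min"] for r in rows if r["mttc_min"] is not None]
    return {
        "incidents": len(rows),
        "mean_mttd_min": round(mean(r["mttd_min"] for r in rows), 1),
        "mean_mttc_min": round(mean(mttc), 1) if mttc else None,
        "breached": [r["ident"] for r in rows if r["breaches"]],
        "detail": rows,
    }


# Constructed sample records: one clean case, one slow case, one alert-only case.
T0 = datetime(2024, 3, 1, 9, 0)
D = timedelta
SAMPLE_INCIDENTS = [
    Incident("INC-001", T0, T0 + D(minutes=8), T0 + D(minutes=12),
             T0 + D(minutes=40), T0 + D(hours=3), "high"),
    Incident("INC-002", T0 + D(days=1), T0 + D(days=1, minutes=50),
             T0 + D(days=1, hours=1), T0 + D(days=1, hours=1, minutes=20),
             T0 + D(days=1, hours=30), "critical"),
    Incident("INC-003", T0 + D(days=2), T0 + D(days=2, minutes=5),
             T0 + D(days=2, minutes=10), None, None, "medium"),
]

if __name__ == "__main__":
    report = monthly_report(SAMPLE_INCIDENTS)
    for row in report["detail"]:
        print(row["ident"], row["breaches"] or "within SLA")
    print("mean MTTD (min):", report["mean_mttd_min"],
          "| mean MTTC (min):", report["mean_mttc_min"])
```

Whether notification is measured from the alert, from analyst confirmation or from incident classification is exactly the kind of definition the contract has to pin down; the example measures from the alert because that is the earliest timestamp the provider controls.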
Common mistakes in the buying committee
- Comparing EDR from one vendor with MDR from another as if they were the same thing. They are not: one is product, the other is operation. They complement each other.
- Deciding on the prettiest console in the demo. You will look at the console for three months; SLAs and the human team live with you for years.
- Negotiating licence discounts without negotiating operational SLAs. A 20% licence discount with a weak SLA costs more than list price with a firm one.
- Assuming a one-size-fits-all MDR works for your sector. Banking and manufacturing share neither the threats nor the operating hours nor the use cases.
- Failing to measure ATT&CK coverage before and after. If you do not know which techniques you detect today, you cannot say what the investment buys you.
- Confusing MDR with MSSP. MSSP is the broad umbrella; MDR is a specific managed-response contract with SLAs. Pin down the scope in writing.
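Measuring ATT&CK coverage before and after is a concrete exercise: map each detection rule to the technique IDs it covers, pick the techniques that matter for your sector, and compare the two sets. The block below is an added example, not Hard2bit's tooling. The technique IDs are real ATT&CK identifiers, but the priority list, the rule names and their mappings are constructed; it shows the point made under XDR above, that adding identity and email telemetry is what closes the credential-access and initial-access gaps an endpoint-only stack leaves open.

```python
"""Compare ATT&CK technique coverage of a detection stack before and after
adding telemetry sources. Added example; rule mappings and the priority list
are constructed assumptions."""

# Constructed priority list: techniques a committee might care about, with the
# tactic used for reporting (T1078 spans several tactics; one is chosen here).
PRIORITY = {
    "T1566": "initial-access",     # Phishing
    "T1078": "defense-evasion",    # Valid Accounts
    "T1621": "credential-access",  # Multi-Factor Authentication Request Generation
    "T1528": "credential-access",  # Steal Application Access Token
    "T1059": "execution",          # Command and Scripting Interpreter
    "T1021": "lateral-movement",   # Remote Services
    "T1041": "exfiltration",       # Exfiltration Over C2 Channel
}

# Constructed rule -> technique mappings, grouped by telemetry source.
EDR_RULES = {
    "suspicious_encoded_powershell": {"T1059"},
    "remote_service_lateral_move": {"T1021"},
    "beacon_like_outbound": {"T1041"},
}
IDENTITY_RULES = {
    "mfa_prompt_storm": {"T1621"},
    "oauth_consent_anomaly": {"T1528"},
    "impossible_travel_signin": {"T1078"},
}
EMAIL_RULES = {
    "credential_phish_url": {"T1566"},
}


def covered(*rulesets: dict) -> set:
    """Priority techniques at least one rule in the given sources maps to."""
    techs = set()
    for rules in rulesets:
        for mapped in rules.values():
            techs |= mapped
    return techs & set(PRIORITY)


def coverage_by_tactic(*rulesets: dict) -> dict:
    """'hit/total' per tactic, the form that fits a monthly executive report."""
    have = covered(*rulesets)
    counts = {}
    for tid, tactic in PRIORITY.items():
        total, hit = counts.get(tactic, (0, 0))
        counts[tactic] = (total + 1, hit + (tid in have))
    return {tactic: f"{hit}/{total}" for tactic, (total, hit) in counts.items()}


def delta(before: list, after: list) -> dict:
    """What the investment buys: techniques gained, lost, and overall percentage."""
    b, a = covered(*before), covered(*after)
    return {
        "gained": sorted(a - b),
        "lost": sorted(b - a),
        "before_pct": round(100 * len(b) / len(PRIORITY)),
        "after_pct": round(100 * len(a) / len(PRIORITY)),
    }


if __name__ == "__main__":
    print("EDR only:", coverage_by_tactic(EDR_RULES))
    print("EDR + identity + email:",
          coverage_by_tactic(EDR_RULES, IDENTITY_RULES, EMAIL_RULES))
    print(delta([EDR_RULES], [EDR_RULES, IDENTITY_RULES, EMAIL_RULES]))
```

Run against your real rule inventory, the "lost" list matters as much as "gained": a platform migration that drops a rule silently reduces coverage, and the committee only sees it if the comparison is done both ways.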
Related services at Hard2bit
Managed SOC and MDR
24×7 operation with SLAs and assisted containment on your EDR or ours.
Enterprise MSSP
Broad umbrella: SOC, vulnerabilities, CTI, response and reporting.
Threat hunting
Offensive hypotheses mapped to MITRE ATT&CK on a regular cadence.
Incident response
When scope exceeds MDR: forensics, deep containment and regulatory communication.
vCISO
Governance discipline above the operation, so investment translates into outcomes.
Full catalogue
Explore services by sector and intent.
Frequently asked questions
What is the essential difference between EDR, XDR and MDR?
EDR is the technology that watches the endpoint and lets you take actions on it. XDR extends that visibility with identity, email, network, cloud and SaaS telemetry, correlating everything. MDR is the managed service: a provider operates EDR or XDR 24×7 with human analysts and contractual response SLAs. EDR and XDR are products; MDR is operation.
Do I need XDR if I already have a high-end EDR?
It depends on scope. A modern EDR is solid on the endpoint but does not see attacks that live in identity (Entra ID, AD), email, SaaS or cloud. If your critical surface is outside the endpoint — or you want a single detection console — XDR adds real value. If all you need is to harden the Windows estate, a good EDR may be enough.
Can I take on MDR without an existing EDR?
Yes. Many enterprise MDR providers include their own EDR as part of the contract and handle deployment and tuning. Others operate in BYO-EDR mode: you keep your CrowdStrike, Defender for Endpoint or SentinelOne licence and the MDR runs on top. Both models are legitimate; what changes is total cost of ownership and portability.
Which fits NIS2 and DORA best?
NIS2 (article 21.2) and DORA (articles 9-10) require a demonstrable capability to detect, respond and notify within tight windows. EDR and XDR provide the technical detection layer, but the operational evidence is produced by whoever runs the platform: an in-house SOC if you have one, a documented MDR if you do not. For regulated sectors without a dedicated 24×7 team, MDR is usually the most cost-effective and traceable option.
What does MDR cost compared with standing up an in-house SOC?
A minimum in-house SOC (24×7 shift coverage, L1-L3 analysts, tooling, use cases) typically starts at €600-900k per year in a mid-market organisation, plus 9-18 months to mature. An enterprise MDR for 500-2,000 endpoints sits between €80-250k per year and reaches productive operation in 4-8 weeks. In-house wins on tailoring; MDR wins on speed, predictability and operational discipline.
What separates a real MDR from a marketing one?
Three things. First, concrete SLAs in the contract (MTTD, MTTC and notification) with clear consequences if missed. Second, real assisted containment, not just alert emails. Third, use cases tuned to your sector and environment, not a generic template. If the provider will not sign specific SLAs or pretends a bank and a manufacturer can be operated the same way, that is not enterprise MDR.
Does XDR replace SIEM?
Not always. XDR is excellent at operational detection with native and partner telemetry. SIEM is still required when long retention is mandated (PCI DSS, banking, public sector) or when you need to ingest sources XDR does not cover (ICS/OT, bespoke applications, business logs). In practice, XDR and SIEM coexist and complement each other.
How does an EDR vs XDR vs MDR engagement start at Hard2bit?
We begin with a diagnostic of your existing surface and telemetry: which sources you have, what ATT&CK coverage your current stack delivers, how many false positives you generate and what your response time is today. From that baseline we propose a realistic target (EDR plus L1 service, XDR plus L2-L3 service, or full MDR) and a transition plan that avoids resetting your environment.
Leave the buying committee with a decision you can sign off
A 30-minute working session to look at your current surface, what coverage your stack delivers and which EDR/XDR/MDR combination fits your sector, budget and regulatory obligations.