Every Australian SMB shopping for cyber protection right now is being pitched EDR, XDR, or MDR by their MSP. The acronyms sound similar. The price tags are not. The honest reality is that most businesses are quoted the wrong tier, usually the most expensive one, because the vendor margins reward that.
We see this every week. A 40-person professional services firm in West Perth gets quoted a $60,000 annual MDR contract when EDR plus a defined incident response retainer would have closed the same risk for a fraction of the cost. Or the reverse: a 200-person business on basic EDR thinks it is covered, and then experiences a ransomware event at 11pm on a Friday with nobody watching.
This is the comparison every business owner should understand before signing the next renewal. We will walk through what each tier actually delivers, where the cost goes, and how to match the right one to your business reality.
EDR is Endpoint Detection and Response. It is a software agent that runs on your devices, watches for malicious behaviour, and either blocks it automatically or alerts someone to investigate. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and Sophos Intercept X all sit in this category. The technology is mature, the unit cost is well understood, and good EDR is now table stakes for any business above ten staff.
XDR is Extended Detection and Response. The core idea is that watching only endpoints misses too much. Modern attacks move through identity systems, cloud services, email, and network paths that an endpoint agent never sees. XDR pulls data from those additional sources and correlates them so an attack that crosses multiple systems still gets caught. Microsoft Defender XDR, Palo Alto Cortex XDR, and CrowdStrike Falcon Complete operate in this space.
MDR is Managed Detection and Response. This is not a different technology. It is a service wrapper around EDR or XDR where a 24/7 security operations centre run by another company watches the alerts and responds. You pay for the technology plus the human expertise to operate it. Arctic Wolf, eSentire, Huntress Managed ITDR, and Sophos MDR are common providers, and most large MSPs resell one of them under their own brand.
The relationship between the three is layered. EDR is the technology floor. XDR extends that technology across more data sources. MDR adds humans on top of either EDR or XDR. You do not pick between them as alternatives. You pick a combination that matches your business.
These are honest pricing ranges, current as of 2026, for Australian mid-market SMBs.
EDR runs $5 to $15 per endpoint per month depending on the vendor and tier. A 50-person business with 60 endpoints (laptops, servers, mobile) ends up at roughly $4,500 to $11,000 per year for the technology. That is self-managed, meaning your team handles the alerts.
XDR sits at $15 to $35 per endpoint per month for the technology layer. The same 50-person business is now looking at $11,000 to $25,000 per year. The same caveat applies: it is self-managed unless you bolt on a service.
MDR adds another $30 to $80 per endpoint per month on top of the technology. The same business hits $25,000 to $60,000 per year all-in. The variance depends on response SLAs, hours covered, threat hunting depth, and integration scope.
The numbers you should not see in a quote are vendor list prices. MSPs and direct vendors negotiate discounts of 20 to 60 per cent off list for any account above 50 endpoints. If your provider is quoting list without telling you, that is a renegotiation conversation.
EDR alone is the right answer for a narrower band of businesses than vendors will admit. Specifically, businesses where the following three conditions all hold true.
The first is that you have a defined internal or contracted resource who actually looks at EDR alerts within business hours. Not “we get the emails”, but a named person who reviews the dashboard daily and can investigate suspicious activity competently. If that role does not exist, the EDR is producing alerts that nobody reads, which is functionally the same as having no EDR.
The second is that you have an incident response retainer in place with somebody you can call at 2am. EDR is a detection tool. It does not contain a breach by itself. When the agent says “this looks bad”, somebody needs to act. Without that retainer, the gap between detection and response can stretch into days.
The third is that your attack surface is mostly endpoints. If most of your business value sits in Microsoft 365, SaaS applications, and cloud infrastructure, an endpoint agent is watching the wrong place. Identity attacks against Entra ID never touch an endpoint. The Proofpoint FIDO downgrade attack we wrote about in our phishing-resistant MFA piece happens entirely in the browser session and is invisible to most EDR.
XDR makes sense the moment any of the following are true.
You run Microsoft 365 or Google Workspace as the primary work environment. Modern attacks are increasingly identity-first. The credential phish, the MFA fatigue, the OAuth consent grant, the suspicious Inbox rule. EDR cannot see any of those. XDR feeds the identity provider data into the same correlation engine that watches endpoints, and the result is meaningfully better detection.
You have meaningful cloud infrastructure beyond M365. Azure subscriptions, AWS accounts, GCP projects, custom-built applications. Each of those is an attack surface. XDR pulls cloud telemetry alongside endpoint data and catches lateral movement patterns that single-source tools miss.
You handle data that triggers Notifiable Data Breach obligations. Healthcare, legal, financial, professional services holding client records. The 72-hour clock starts ticking from detection, not from breach. Faster, more accurate detection through XDR materially shortens incident response and reduces the regulatory risk profile.
You have an internal IT team or MSP capable of operating XDR. The technology adds value only if somebody is consuming the correlations. If the team is already at capacity managing the existing toolset, adding XDR without adding human capacity creates more noise than signal.
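As an added illustration of the correlation point above (example code written for this article, not any vendor's engine): a toy correlator run over constructed endpoint and identity events, showing that the same rules produce nothing from the endpoint feed alone and only flag the identity-first chain once the identity and mailbox feeds are joined. Event kinds, users and chain definitions are all constructed for the example.

```python
"""Toy cross-source correlation (constructed example, not a vendor engine).

Two constructed feeds: endpoint alerts (what an EDR agent sees) and
identity/mailbox audit events (what an identity provider or M365 audit log
sees). Each event is (timestamp, source, user, kind).
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. Only the endpoint feed is visible to EDR.
ENDPOINT_EVENTS = [
    ("2026-03-06T22:05:00", "endpoint", "alice", "new_process_svchost_child"),
    ("2026-03-06T22:40:00", "endpoint", "bob", "suspicious_script"),
]
IDENTITY_EVENTS = [
    ("2026-03-06T21:50:00", "identity", "alice", "mfa_prompt_spam"),  # MFA fatigue
    ("2026-03-06T21:58:00", "identity", "alice", "sign_in_new_country"),
    ("2026-03-06T22:10:00", "identity", "alice", "oauth_consent_grant"),
    ("2026-03-06T22:12:00", "mailbox", "alice", "inbox_rule_forward_external"),
    ("2026-03-06T09:00:00", "identity", "carol", "sign_in_new_country"),
    ("2026-03-06T09:30:00", "mailbox", "carol", "inbox_rule_forward_external"),
]

# Constructed chain rules: ordered event kinds that together suggest account
# takeover. A chain fires only if every step is seen, in order, for one user
# within WINDOW. Intermediate unrelated events are ignored.
CHAINS = {
    "identity_takeover": ["sign_in_new_country", "oauth_consent_grant",
                          "inbox_rule_forward_external"],
    "takeover_to_endpoint": ["sign_in_new_country", "new_process_svchost_child"],
}
WINDOW = timedelta(hours=2)


def correlate(events, chains=CHAINS, window=WINDOW):
    """Return {user: [chain names]} for chains fully observed within the window."""
    by_user = {}
    for ts, _src, user, kind in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), kind))
    hits = {}
    for user, seq in by_user.items():
        for name, steps in chains.items():
            i, start = 0, None
            for ts, kind in seq:
                if kind != steps[i]:
                    continue
                start = start or ts
                if ts - start > window:
                    break  # chain took too long; toy engine does not restart
                i += 1
                if i == len(steps):
                    hits.setdefault(user, []).append(name)
                    break
    return hits


def edr_only_view():
    return correlate(ENDPOINT_EVENTS)  # endpoint feed alone: nothing fires


def xdr_view():
    return correlate(ENDPOINT_EVENTS + IDENTITY_EVENTS)  # joined feeds
```

Note that carol's new-country sign-in followed by an external forwarding rule does not fire because the constructed chain also requires the consent grant; a real engine would score partial chains rather than require every step.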
MDR is the right answer for Australian SMBs that match one of these patterns.
Twenty-four-hour exposure with no internal night cover. Your business does not stop at 6pm but your in-house IT does. Attackers know this. The majority of significant Australian ransomware events in the last two years detonated between 10pm Friday and 6am Sunday, choosing the window when defenders are weakest. MDR puts a watching team in that window for you.
You have outgrown your existing team’s threat-hunting capacity. Detecting that a domain admin account is being abused at scale is not a “check the dashboard” task. It needs analysts who do this for a living. Most Australian SMBs cannot hire that capability in-house, and the MDR market exists because building it costs more than buying it.
Cyber insurance is forcing the conversation. Most Australian cyber insurers now ask explicitly whether you have a 24/7 monitored security operation. Saying no is increasingly priced into the premium or excluded from cover entirely. The maths often works out that MDR costs less than the insurance excess on a single uncovered claim.
You are subject to Essential Eight Maturity Level 2 or above, especially the November 2023 maturity model update. The evidence requirements around event logging, monitoring, and incident response are not realistically met by an MSP doing weekly health checks. Our Essential 8 Compliance Guide covers what auditors are actually looking for in 2026.
The pattern we recommend to most Perth and Australian mid-market businesses is XDR plus partial MDR, scoped to the gaps your in-house team cannot cover. That usually looks like one of two structures.
The first structure is XDR technology paid directly, plus an MDR retainer for after-hours and weekend monitoring only. Your team handles business hours. The retainer handles 6pm to 8am and weekends. Cost is meaningfully lower than full 24/7 MDR because you only pay for the hours you cannot cover internally.
The second structure is full XDR with a defined incident response retainer rather than ongoing MDR. The retainer activates only when an incident actually occurs, billed per hour with a guaranteed response time. This works well for businesses confident in their detection but wanting expert hands when something goes wrong.
The structure that does not work, despite being the most commonly quoted, is EDR alone with no incident response arrangement and no after-hours cover. That is a cost-saving choice for a business that has not yet had a serious incident. The savings disappear the first time something happens.
For Australian businesses below 25 staff with low data sensitivity, EDR plus a contracted incident response arrangement is usually sufficient and the right cost point. Add MDR when growth or data sensitivity pushes you out of that bracket.
For businesses 25 to 150 staff, XDR with bolt-on after-hours MDR is the sweet spot. The technology investment pays for itself in detection accuracy. The partial MDR scoping keeps total cost manageable.
For businesses 150 staff and up, or any business in regulated industries regardless of size, full XDR with full MDR is the realistic floor. The downside risk in your sector justifies the cost, and the insurance market has effectively priced this in.
Where we see the most waste is businesses paying for full MDR with limited XDR coverage. The MDR analysts can only act on data they receive. If the XDR scope does not include identity or cloud, the analysts are watching half the attack surface for a premium price.
We run no-obligation assessments that map your current security posture against EDR, XDR, and MDR options, with honest costed recommendations based on your size, sector, and risk profile. Two-week engagement, written report, no sales pressure.