EDR vs XDR vs MDR: when which fits (matrix 2026)
The question 'EDR vs XDR vs MDR' shapes most 2026 CISO roadmaps that fall under NIS2 or DORA risk-management duties. The answer is never purely technical: it depends on SOC maturity, staffing, compliance load and budget. Here is a pragmatic matrix that has held up in real selection projects for two years.
Keep the definitions clean
EDR (Endpoint Detection and Response): agent on endpoints, local detection, telemetry to central console, containment actions. Products: CrowdStrike Falcon Insight, SentinelOne, Microsoft Defender for Endpoint Plan 2, Sophos Intercept X.
XDR (Extended Detection and Response): correlation across multiple telemetry layers (endpoint, email, cloud, identity, network) in one platform, rather than isolated sensors with separate consoles. Products: Microsoft Defender XDR, Palo Alto Cortex XDR, SentinelOne Singularity, the CrowdStrike Falcon platform (Falcon Complete is the MDR service on top of it), Trellix, Trend Micro Vision One.
MDR (Managed Detection and Response): a service that handles operational detection and response on the customer's behalf. 24/7 SOC, threat hunting, incident response. Providers: CrowdStrike Falcon Complete, Arctic Wolf, eSentire, Sophos MDR, Red Canary, plus regional providers.
Axis 1: SOC maturity
Low maturity (no in-house SOC, fewer than 2 FTE in security operations): MDR is the default. Operating an XDR platform yourself at this level produces alerts without response.
Medium maturity (small SOC, 2-5 FTE, possibly 8x5 instead of 24/7): XDR platform plus co-managed MDR for 24/7 coverage.
High maturity (in-house 24/7 SOC, threat hunters, detection engineering): XDR as platform layer, SIEM with detection-as-code, optional specialised MDR for identity or OT.
Axis 2: compliance load
NIS2 Art. 21(2), in particular (a) risk analysis and information system security policies, (b) incident handling and (e) security in acquisition, development and maintenance including vulnerability handling, expects an effective detection and response capability. Plain antivirus is not enough. EDR is the floor; XDR or MDR is defensible.
DORA Art. 9-10 (protection, detection) and Art. 17-23 (incident management, classification, reporting) expect continuous ICT security monitoring and incident classification with short reporting deadlines. Without MDR or an in-house 24/7 SOC that is hard to defend.
BAIT BTO 5 and MaRisk AT 7.2 expect a documented selection with appropriate reasoning, in effect a decision-memo duty. Note that BaFin withdrew BAIT for institutions covered by DORA when DORA became applicable; MaRisk AT 7.2 continues to apply, and the documentation expectation carries over into DORA's ICT risk-management framework.
Axis 3: budget and TCO
EDR licence per endpoint: typically EUR 3-10 per endpoint per month, plus staff for triage. Rule of thumb: from 1000 endpoints you need 2-3 FTE in security operations for 8x5 coverage. A 24/7 rota is a separate floor: covering 168 hours a week including leave and sickness takes at least 5-6 analysts regardless of estate size, which is the cost that usually decides the MDR question for smaller organisations.
XDR platform: typically 50-150% premium over EDR licence, in exchange for tool consolidation.
MDR service: typically EUR 8-25 per endpoint per month all-in, often with a minimum term. Economically sound up to roughly 5000-10000 endpoints; beyond that, in-house is often cheaper because the fixed 24/7 team is spread over more endpoints while the MDR fee keeps scaling per endpoint.
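The break-even behind the last bullet is easy to get wrong, so here is a small TCO model as an added example (not from the original page). Licence and MDR rates are the midpoints of the page's ranges; the loaded FTE cost of EUR 10,000 per month, the 6-FTE floor for 24/7 coverage and the square-root staffing curve are assumptions. The curve matters: if you take "2-3 FTE per 1000 endpoints" literally and scale it linearly, staff alone costs about EUR 25 per endpoint per month and in-house never breaks even against any MDR rate on the page, so the 5000-10000 figure implicitly assumes that triage headcount grows sublinearly with the estate.

```python
"""TCO break-even: EDR licence + in-house 24/7 SOC versus MDR all-in.

Added example, not from the original page. Licence and MDR rates are the
page's midpoints; loaded FTE cost, the 24/7 headcount floor and the
sublinear staffing curve are assumptions stated in the comments.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CostModel:
    edr_per_endpoint: float    # EUR/endpoint/month, page range 3-10
    mdr_per_endpoint: float    # EUR/endpoint/month all-in, page range 8-25
    fte_monthly_cost: float    # ASSUMED loaded cost per analyst per month
    min_fte_24x7: int          # ASSUMED shift floor for 24/7 coverage (0 for 8x5)
    fte_at_1000: float = 2.5   # page rule of thumb: 2-3 FTE from 1000 endpoints


def inhouse_fte(endpoints: int, m: CostModel) -> int:
    """Analyst headcount for an in-house SOC of this size.

    ASSUMPTION: triage load grows with the square root of the estate, not
    linearly; a linear 2.5 FTE per 1000 endpoints would cost more per
    endpoint than any MDR rate on the page and never break even.
    """
    scaled = m.fte_at_1000 * math.sqrt(endpoints / 1000)
    return max(m.min_fte_24x7, math.ceil(scaled))


def inhouse_monthly(endpoints: int, m: CostModel) -> float:
    """EDR licence plus the analysts needed to act on its alerts."""
    return endpoints * m.edr_per_endpoint + inhouse_fte(endpoints, m) * m.fte_monthly_cost


def mdr_monthly(endpoints: int, m: CostModel) -> float:
    """MDR fee is all-in and scales strictly per endpoint."""
    return endpoints * m.mdr_per_endpoint


def break_even(m: CostModel, lo: int = 100, hi: int = 50_000, step: int = 100):
    """Smallest estate (in steps of `step`) where in-house costs no more than MDR, else None."""
    for n in range(lo, hi + 1, step):
        if inhouse_monthly(n, m) <= mdr_monthly(n, m):
            return n
    return None


# Page midpoints for the licences; FTE cost and 24/7 floor are assumptions.
MIDPOINT = CostModel(edr_per_endpoint=6.0, mdr_per_endpoint=15.0,
                     fte_monthly_cost=10_000.0, min_fte_24x7=6)
# Cheap end of the MDR range against the same in-house cost.
CHEAP_MDR = CostModel(edr_per_endpoint=6.0, mdr_per_endpoint=8.0,
                      fte_monthly_cost=10_000.0, min_fte_24x7=6)


if __name__ == "__main__":
    for label, m in (("midpoint", MIDPOINT), ("cheap MDR", CHEAP_MDR)):
        print(f"{label}: break-even at {break_even(m)} endpoints")
        for n in (500, 2000, 5000, 8000, 15000):
            print(f"  {n:>6} endpoints: in-house {inhouse_monthly(n, m):>9,.0f}  "
                  f"MDR {mdr_monthly(n, m):>9,.0f}  ({inhouse_fte(n, m)} FTE)")
```

With the midpoint rates the crossover lands at 7800 endpoints, inside the page's 5000-10000 band; at the cheap end of the MDR range (EUR 8 all-in) in-house never wins within 50,000 endpoints. Replace the assumed FTE cost and staffing curve with your own numbers before putting the result in a decision memo.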
Common wrong calls
Buy EDR without response capacity: 'we now have CrowdStrike' changes nothing when nobody acts on the alerts.
Take XDR vendor promises at face value: 'XDR' is a marketing label, not a standardised or certified category. Telemetry depth and identity integration vary widely between products, so check which sources actually feed the correlation engine rather than which logos appear on the slide.
Scope MDR too narrowly: triage-only without an incident response mandate (isolate host, disable account, block sender) yields 24/7 alerts and no action in a real incident.
Underestimate lock-in: XDR often consolidates onto one vendor stack (Microsoft, CrowdStrike). Exit strategies become expensive under renewal pressure.
Selection matrix in short
Under 500 endpoints + no in-house SOC + NIS2 in scope: MDR from an established provider.
500-5000 endpoints + small in-house SOC (8x5) + NIS2/DORA: XDR platform + co-managed MDR for 24/7.
Over 5000 endpoints + in-house 24/7 SOC: XDR platform + SIEM with detection engineering, MDR only for specialised domains (identity, OT).
Banks/insurers under DORA: practically always 24/7 capability (in-house or MDR) + a documented selection memo.
What DecisionOS does
The choice between EDR, XDR and MDR is a classic decision-memo case: weighted criteria (maturity, compliance, budget), dealbreakers (24/7 capability, EU data residency, NIS2 audit readiness), evidence (Gartner, MITRE ATT&CK Evaluations, references) and stakeholder alignment (CISO, CIO, CFO, possibly the board). DecisionOS produces the auditable memo in the form a supervisor or NIS2 auditor expects to see.