The acronym soup around endpoint detection has gotten worse since 2022, not better. EDR, XDR, MDR, MXDR: every vendor has reasons why its version is the only one that matters. Strip away the marketing, and the actual question is straightforward: how much of the work do you want to do yourself, and across how much of your environment? This is a vendor-neutral 2026 buyer’s guide that answers exactly that.
EDR, endpoint detection and response
EDR is a software agent on each endpoint (laptop, server, virtual machine) that watches process behaviour, file activity, and network connections. It generates alerts when behaviour matches known-bad patterns or anomalies. The good ones also let you respond: isolate a host from the network, kill a process, roll back a change.
What EDR does not do: see the network, see your cloud workloads beyond the agent’s reach, see your SaaS apps, or operate itself. You buy the platform, you deploy the agents, your team triages the alerts. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Cortex XDR’s endpoint module are the leaders in 2026.
XDR, extended detection and response
XDR is what happens when the EDR vendor stitches in additional telemetry sources (email, identity such as Entra ID or Okta, network, cloud workloads) and runs cross-source correlation across them. The pitch: a phishing email that drops malware which then reaches out to a C2 server should be one incident with three pieces of evidence, not three separate alerts in three separate tools.
XDR is genuinely useful when the vendor’s stitching is real. It’s vapourware when “XDR” is just an EDR with a partner integration page. The test: ask the vendor for a demo where a single attack chain produces a single, correlated incident with the evidence linked across sources. If they have to switch dashboards mid-demo, it’s not XDR.
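To make that demo test concrete, here is a toy cross-source correlator (an added example, not code from this guide or from any vendor named in it) run over three constructed events from email, endpoint and network telemetry plus one unrelated endpoint event. The field names, the 30-minute window and the “shared user or host” join rule are assumptions; the point is that the email, endpoint and network evidence land in a single incident.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from three sources (not real logs).
# The attack chain: phishing attachment -> process on the laptop -> C2 callback.
EVENTS = [
    {"source": "email", "ts": "2026-03-02T09:00:00", "user": "alice",
     "host": None, "detail": "attachment quarantined: invoice.zip"},
    {"source": "endpoint", "ts": "2026-03-02T09:04:00", "user": "alice",
     "host": "LAPTOP-17", "detail": "suspicious process spawned from invoice.zip"},
    {"source": "network", "ts": "2026-03-02T09:06:00", "user": None,
     "host": "LAPTOP-17", "detail": "outbound connection to known C2 address"},
    # Unrelated noise on a different host hours later; must stay separate.
    {"source": "endpoint", "ts": "2026-03-02T14:00:00", "user": "bob",
     "host": "SRV-02", "detail": "unsigned driver load"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Group events into incidents. An event joins an existing incident when it
    shares a user or host with it and falls within `window` of the incident's
    most recent event; otherwise it opens a new incident."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        keys = {k for k in (ev["user"], ev["host"]) if k}
        for inc in incidents:
            if keys & inc["keys"] and ts - inc["last"] <= window:
                inc["events"].append(ev)
                inc["keys"] |= keys  # the incident learns new entities as it grows
                inc["last"] = ts
                break
        else:
            incidents.append({"keys": keys, "last": ts, "events": [ev]})
    return incidents


def sources(incident):
    """Distinct telemetry sources that contributed evidence to an incident."""
    return sorted({e["source"] for e in incident["events"]})


if __name__ == "__main__":
    for n, inc in enumerate(correlate(EVENTS), 1):
        print(f"incident {n}: sources={sources(inc)} entities={sorted(inc['keys'])}")
        for e in inc["events"]:
            print(f"  {e['ts']} [{e['source']}] {e['detail']}")
```

A vendor whose console cannot show the equivalent of incident 1 (three sources, one record, shared entities) is selling an EDR with integrations, not XDR.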
MDR, managed detection and response
MDR is the people layer. The vendor’s analysts watch your alerts twenty-four hours a day, triage what matters, and either tell you what to do or take pre-authorised response actions on your behalf. MDR usually rides on top of EDR or XDR: the technology layer is the same; the difference is who’s looking at it.
MDR is the right answer for organisations without a 24×7 SOC. That’s most of them. Building an in-house security operations team that can actually cover overnight shifts, weekends, and holidays takes a minimum of eight analysts and a manager, well over a million dollars a year fully loaded. MDR delivers the same coverage at a fraction of the spend, with the trade-off being less institutional context.
The three questions that decide it
Do you have analysts on shift outside business hours? If no, you need MDR. The mean time to detection on weekend ransomware deployments is the difference between a contained incident and a full encryption event. If you can’t watch the alerts at three in the morning on Sunday, pay someone who can.
Is your environment mostly endpoints, or is it mostly SaaS and cloud? Pure endpoint shops can get away with EDR alone. Cloud-heavy environments where the actual crown jewels live in Snowflake, Okta, and a Kubernetes cluster need something that sees those; that’s where XDR earns its keep.
What’s your incident-response runbook on day one? If the answer involves “we’ll figure it out,” buy MDR with response authority and give the vendor pre-approved actions for common scenarios (isolate a host, disable a user, kill a session). Without that, you’ll watch the analyst tell you what to do for ninety minutes while the attacker keeps moving.
The 2026 pricing reality
EDR is a commodity now: expect roughly $5 to $9 per endpoint per month for the major platforms, less at scale. XDR adds a premium of roughly fifty per cent on top, depending on how much non-endpoint telemetry you bring. MDR is priced per endpoint or per user, typically $15 to $30 per endpoint per month, with the higher end including 24×7 response and threat hunting.
The decision is rarely “do we buy this”; it’s “how much do we own ourselves.” For most mid-market organisations, the right structure in 2026 is: an EDR/XDR platform you co-own with the vendor, an MDR partner watching it, and a small in-house team that handles the contextual decisions the MDR can’t make alone. That stack catches more than any one of the three components on its own.
