EDR, XDR and MDR are three distinct approaches to detection and response that share objective and vocabulary, but solve different problems. EDR is an endpoint-focused product that detects and responds to suspicious behaviour on workstations and servers. XDR extends that scope to multiple sources (network, identity, cloud, email) with integrated vendor correlation. MDR is not a product but a managed service: an external SOC operates the technology 24x7. Mixing up the three categories leads to wrong purchases, capability duplication and expectations the contract will not meet. This article clarifies what each one does, when to choose them, how they fit NIS2, DORA, ISO 27001 and ENS, and what questions to ask before signing.
The essentials: EDR is an endpoint product, XDR is an integrated multi-source platform, MDR is a managed service over either of the previous two. The real decision is not between EDR, XDR and MDR, but between operating yourself or outsourcing, and between covering only endpoint or extending to identity, network and cloud. Team maturity, regulatory scope and operational budget drive the right answer.
The 3 categories in one sentence each
Before going deeper, a brief definition to anchor the conversation.
- EDR (Endpoint Detection and Response): a product that instruments endpoints (Windows, macOS, Linux, servers) with an agent capturing deep telemetry and applying behavioural detection over processes, files, network and memory. It responds by isolating the endpoint, terminating processes or executing remote actions.
- XDR (Extended Detection and Response): a vendor platform that extends EDR logic to several vectors (network, identity, cloud workloads, email, SaaS), correlates events in a single console and enables integrated cross-source response.
- MDR (Managed Detection and Response): a service in which an external provider operates the technology (EDR or XDR, owned or from a third party), monitors 24x7, investigates alerts and executes initial response. It is people + process + technology sold as a service.
The three overlap in marketing language, but they are distinct decisions: EDR and XDR are bought as software, MDR is contracted as a service. You can have EDR without MDR, MDR operating a third-party XDR, or any intermediate combination.
EDR: what it is and what it solves
EDR replaces classic antivirus by adding detailed telemetry and response capability. An agent installed on each endpoint captures:
- Process creation and full command line.
- Registry modifications (Windows) or configuration files (Linux).
- Outbound and inbound network connections with metadata.
- DLL loads, kernel modules and injection patterns.
- Local authentication events and credential access.
- Memory behaviour to detect fileless techniques.
That telemetry is evaluated against behavioural models (not just signatures) that recognise known patterns and deviations from baseline. When the engine identifies malicious activity, the EDR can isolate the endpoint, terminate the process, remove the binary and execute remote remediation scripts.
Most modern EDRs use a kernel driver or an eBPF module on Linux to capture at low level without going through user APIs that an attacker can manipulate. That depth distinguishes EDR from traditional antivirus, but introduces operational risk: a fault in the driver can affect system stability, as the global incident of July 2024 reminded the industry.
Reference EDR engines
The main engines on the market are CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Bitdefender GravityZone, Sophos Intercept X, Trend Micro Apex One and Cybereason. They differ in agent architecture, detection quality, identity and cloud integration, per-endpoint cost model and API maturity for external integrations.
Extended detail in what is EDR.
Trade-offs of pure EDR
EDR solves the endpoint problem and little more. It does not correlate with identity, does not see internal traffic between servers, does not detect SaaS abuse and does not cover cloud-native workloads such as ephemeral containers. If an attacker pivots from an endpoint to Active Directory, accesses SharePoint and exfiltrates from an S3 bucket, the EDR will only see the initial stage. That is why almost no vendor sells pure EDR anymore: most package it inside an XDR proposal.
XDR: a natural extension of EDR
XDR keeps the endpoint agent from EDR and adds additional telemetry sources integrated by the vendor:
- Network: NDR (Network Detection and Response), east-west traffic, DNS and proxy analysis.
- Identity: Active Directory events, Entra ID, Okta, anomalous authentication, privilege escalation.
- Cloud workloads: workload telemetry on AWS, Azure and GCP, containers, Kubernetes, serverless functions.
- Email: message, attachment and link analysis, integration with the email gateway.
- SaaS: activity on applications such as Microsoft 365, Google Workspace, Salesforce, GitHub.
The differential value is the correlation engine: an alert is not evaluated in isolation, it is enriched with everything the XDR knows about the user, endpoint, session and historical behaviour. The same event may be benign on endpoint alone and critical when crossed with an anomalous identity access.
XDR also pushes towards vendor consolidation: instead of buying EDR from one vendor, NDR from another, email gateway from a third and CASB from a fourth, the XDR packages the bundle with native integration. That consolidation reduces integration overhead but introduces strong vendor dependency.
Reference XDR players
The main ones are Palo Alto Cortex XDR, Microsoft Defender XDR (combining Defender for Endpoint, Identity, Cloud Apps and Office 365), CrowdStrike Falcon XDR, SentinelOne Singularity XDR, Trend Micro Vision One and Trellix XDR. Key differences: real breadth of integrated sources, quality of the correlation engine, ability to ingest third-party sources, licensing model (per endpoint, per GB, per user) and maturity in cloud workloads.
SIEM vs SOAR vs XDR comparison in SIEM vs SOAR vs XDR.
XDR limitations
XDR does not replace SIEM in regulated organisations: it retains little history (typically 30 to 90 days), does not allow the deep customisation each context requires and does not cover legacy sources or internal applications. Out-of-the-box coverage is high for standardised environments but low for heterogeneous architectures.
In addition, XDR is still a tool. It needs someone to operate it: review alerts, tune detections, write organisation-specific rules, validate incidents, execute advanced responses. If you do not have that team, you reach the next block.
MDR: managed service
MDR (Managed Detection and Response) answers the problem "I have technology but no team to run it 24x7". An external provider:
- Monitors alerts 24x7 including public holidays.
- Investigates every alert with tier 1, 2 and 3 analysts, discarding false positives and validating real incidents.
- Performs proactive threat hunting on the telemetry.
- Executes initial response: isolates endpoints, disables accounts, contains lateral movement according to agreed runbooks.
- Maintains incident response retainer, with DFIR available if matters escalate.
MDR is not just "an external SOC": the contract includes technology integration, organisation-specific runbooks, operational metrics (MTTD, MTTR, incident count), periodic tuning review and reporting oriented to compliance.
When MDR fits you vs an internal SOC
A properly sized internal SOC requires at least 6 to 8 analysts for three shifts with redundancy, plus threat hunting, detection engineering and leadership profiles. For many organisations, the total cost (salaries, training, retention, tooling) exceeds an equivalent MDR.
MDR fits when you have no operational security team or your team is overwhelmed, you need 24x7 coverage you cannot sustain internally, you operate under a regulatory framework (DORA TLPT, NIS2 essential) requiring short detection and notification times, or you need fast time-to-value (a mature MDR is operational in weeks; an internal SOC takes months or years).
An internal SOC remains better when the organisation handles extremely sensitive data that cannot leave the logical perimeter, requires deep customisation that is impossible to outsource or already has a consolidated expert team.
Pure-play MDR vs vendor-led MDR
Two models coexist:
- Pure-play MDR: the provider is independent of the technology vendor and usually supports several EDR/XDR. Examples: Arctic Wolf, Red Canary, eSentire, ReliaQuest. Advantage: flexibility and neutrality. Trade-off: less native integration than vendor-led.
- Vendor-led MDR: the EDR/XDR vendor runs the service on its own platform. Examples: CrowdStrike Falcon Complete, SentinelOne Vigilance, Microsoft Defender Experts, Sophos MDR. Advantage: native integration, access to vendor internal research. Trade-off: strong technology lock-in, changing EDR means changing MDR.
Extended detail in what is MDR.
8-dimension comparison table
To fix the differences without going into product detail.
| Dimension | EDR | XDR | MDR |
|---|---|---|---|
| Coverage | Endpoint only | Endpoint + network + identity + cloud + email | Whatever the operated platform covers |
| Telemetry sources | Endpoint agent | Multiple vendor connectors | Whatever the contract integrates |
| Automation | Automatic endpoint response | Integrated cross-source response | Human decision + provider automation |
| Customization | Medium (rules and exclusions) | Medium-low (vendor models) | Low in platform, high in runbooks |
| SLA | Not applicable (software) | Not applicable | Defined in contract (MTTD, MTTR, escalation) |
| Cost model | Per endpoint/year | Per endpoint or user, additional modules | Fixed or variable fee + retainer |
| Expertise required | High (internal operation) | Medium-high | Low (provider brings it) |
| Integration overhead | Low (endpoint only) | Medium (multiple connectors) | Low (provider handles it) |
The table shows the pattern: the more you outsource, the less internal expertise is required, but the less control and customisation you retain.
When to choose each one
The decision depends on three variables: security team maturity, regulatory scope and operational budget.
Pure EDR
Fits organisations with a mature internal SOC, expert detection and response team, ability to operate the tool and limited budget for additional modules. Typical in technology companies with strong internal security profiles, where other sources (identity, network, cloud) are already covered by best-of-breed tools. Pure EDR reduces per-endpoint cost and keeps flexibility to integrate other pieces.
Does not fit if the team is small or if the relevant threats go more through identity and cloud than through endpoint.
XDR
Fits organisations with a maturing SOC looking to consolidate tooling, simplify integrations and reduce the number of consoles. Typical in medium and large companies with multi-cloud environments, strong Microsoft 365 or Google Workspace adoption and budget for a unified platform.
XDR shines when the organisation wants to reduce operational overhead while accepting vendor lock-in. Does not fit if customisation requirements are very high or if there is already a heterogeneous stack that is hard to migrate.
MDR
Fits when there is no internal SOC or the existing one is overwhelmed, when the regulatory framework requires 24x7 coverage (DORA art. 17, NIS2 art. 23 on 24-hour notification) or when the organisation needs fast time-to-value without investing years in building the team.
MDR is the majority option for regulated SMBs, mid-sized financial sector and organisations where the opportunity cost of not operating 24x7 exceeds the service cost. Does not fit in contexts with extreme data sensitivity, strict sovereignty requirements or already mature internal teams.
Regulatory fit
The three categories intersect with the main European and Spanish frameworks.
- NIS2 article 21 letter b: technical measures for incident management are mandatory. EDR, XDR or MDR cover the detection side; response and notification additionally depend on organisational processes.
- NIS2 article 23: early notification within 24 hours, incident notification within 72 hours. Without 24x7 capability, complying systematically is complicated, which pushes many cases to MDR.
- DORA chapter IV: management, classification and notification of ICT incidents. Requires detection, logging and response capability. Chapter V TLPT also implies validating that detection works against real adversaries.
- ISO 27001 control A.5.24 (incident management): does not require specific technology, but auditors ask for evidence of detection and response capability. EDR/XDR/MDR provide the most direct technical evidence.
- ENS (Spanish National Security Framework): requires detection and monitoring capabilities proportionate to the category (basic, medium, high). For high category, 24x7 coverage is practically mandatory.
Full NIS2 audit walkthrough in NIS2 audit step by step.
Common mistakes
Patterns that appear in projects that disappoint or end in cost overruns.
- Buying XDR without the real integrations needed. Many contracts bill modules separately (identity, cloud, email). If the organisation only uses the endpoint module, it pays for value it does not leverage. Before signing, list which sources will actually be integrated in the next 12 months.
- Choosing cheap MDR without clarifying responsibilities. Some services are cheaper because they leave advanced response, critical decisions and tuning to the client. If the contract does not specify what the provider does and what stays in-house, in a real incident the split becomes painful.
- Not testing real capability with purple team before signing. Asking the MDR provider for a controlled scenario before the annual contract avoids surprises. If they miss a common MITRE ATT&CK technique in lab, they will miss it in production.
- Overlapping EDR + XDR + MDR without clarity. Some organisations end up with three layers duplicating capabilities. The map of what each one does should fit on one page.
- Forgetting the agent footprint. Old Linux servers, OT, IoT and non-standard devices often fall outside. If the EDR does not support a kernel version, that part of the estate is left without telemetry.
How to evaluate a provider
The RFP is the moment to fix objective criteria. Operational recommendations:
- Real scenarios. Include 3 or 4 specific attack scenarios (ransomware from phishing, abuse of valid credentials, cloud exfiltration) and ask the provider how they would detect and respond.
- MTTD and MTTR metrics. Do not accept generic marketing values. Ask for real metrics from comparable clients with clear definitions of what is measured.
- Runbooks by incident type. Ask for samples that will apply to the client. If they do not exist or are generic, it is a sign of an immature service.
- Data jurisdiction. Where logs are stored, where analysts are located, which regulation applies. Relevant in NIS2 and DORA contexts.
- Real SLAs with penalty. Initial response time, escalation, availability. An SLA without penalty is marketing.
- Pilot tests. A 30 to 60 day PoC with a subset of endpoints shows how the service behaves before committing 3 years.
- Exit plan. How data, runbooks and operational knowledge are returned if the relationship ends. Exit friction is a hidden cost.
Complementary guide in SOC as a Service: outsourcing guide.
Frequently asked questions
Does XDR replace SIEM?
In medium and large organisations, no. XDR retains little history, does not allow the deep customisation each context requires and does not cover legacy sources or internal applications. The usual pattern is for the XDR to feed the SIEM or for both to coexist. In SMBs highly standardised on a single cloud provider, an XDR can cover most of the work, although retention requirements from NIS2, DORA or ISO 27001 eventually push towards adding a lightweight SIEM. Full comparison in SIEM vs SOAR vs XDR.
Does MDR cover all my NIS2?
Not by itself. MDR covers the operational side of detection, response and initial notification, which is relevant to articles 21 and 23 of the directive. But NIS2 also includes governance, risk management, supply chain security, business continuity, training and reporting to the competent authority. MDR is an important piece, not full compliance.
Is EDR enough for an SMB?
It depends on risk level and regulatory framework. For a small SMB without specific obligations and a standardised estate, a mature, well-operated EDR covers the dominant risk (ransomware from endpoint). For an SMB under NIS2, in the financial sector or with sensitive data, pure EDR falls short and should be combined with identity coverage and managed service.
Single-vendor or multi-vendor XDR?
Single-vendor gives deeper integration, faster deployment and unified console, in exchange for strong lock-in. Multi-vendor gives flexibility and better best-of-breed coverage in each category, at the cost of greater integration and operational overhead. The decision depends on team maturity: organisations with a small SOC usually win with single-vendor; organisations with a large SOC can afford multi-vendor.
What happens if the MDR fails?
This is the critical question that few contracts answer well. Possible scenarios: the MDR does not detect on time, detects but does not escalate, escalates but the response is insufficient. The contract must define SLA breach penalties, post-incident review process and liability for derived damages. The legal reality is that final liability for the incident remains with the data owner; the MDR is liable for breach of contract, not for the full damage.
Approximate cost?
Relative market ranges: EDR is billed per endpoint per year, with rates varying by engine and tier; XDR adds a multiplier for additional modules (identity, cloud, email); MDR is charged as recurring service, usually more expensive than the sum of XDR licences it operates, but replaces the cost of an internal SOC. Practical rule: always compare total cost (technology + operation + training), not licence cost alone.
Can EDR + MDR coexist?
Yes, it is a very common pattern. The client buys the EDR (sometimes the MDR provider's own brand, sometimes a preferred one) and contracts the MDR to operate it 24x7. This gives flexibility: if the client wants to change MDR provider without changing the underlying technology, they can. It is common in organisations that have invested years in a specific EDR and do not want to migrate the platform to outsource operation.
Related resources
- What is EDR
- What is MDR
- SIEM vs SOAR vs XDR
- What is SIEM
- SOC as a Service: outsourcing guide
- What is threat hunting
- NIS2 audit step by step
EDR/XDR/MDR selection and validation with Secra
Choosing between EDR, XDR and MDR is not only a technical decision: it combines team maturity, regulatory scope, operational budget and existing architecture. At Secra we work with clients on three complementary fronts: RFP evaluation (requirements definition, tender drafting, proposal comparison), purple team validation (testing the real capability of the EDR/XDR/MDR against relevant attack scenarios before and after contracting) and integration (connecting the chosen solution with the rest of the defensive stack, defining runbooks and operational metrics).
If your organisation is evaluating buying, switching or validating a detection and response solution, tell us the context and we will design a plan that makes sense based on real capability, not vendor marketing.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.