Blog/July 9, 2026
MDR vs EDR vs SIEM: what small business owners actually need to know
Cybersecurity vendors love acronyms. Here is what EDR, MDR, and SIEM actually do, which ones your business needs, and how to buy them without getting oversold.
By William Galvin
Founder, Green Desert IT
If you’ve evaluated cybersecurity for your business in the last two years, you’ve heard three acronyms over and over: EDR, MDR, and SIEM. Every vendor uses them. Almost no one explains what they actually are, in plain language, or which combination a business your size actually needs.
Here’s the plain-English version.
EDR — Endpoint Detection and Response
What it is: software installed on every laptop and server that watches for suspicious behavior — not just known malware signatures, but patterns like “process X just tried to encrypt 5,000 files in 90 seconds” or “user Y just downloaded a credential dumper.”
What it replaces: traditional antivirus. If your provider is still selling you “antivirus” in 2026, they’re behind by a decade. EDR is the modern baseline.
What it doesn’t do: monitor itself. An EDR product without a human watching its alerts is a dashboard nobody’s reading.
Who sells it: SentinelOne, CrowdStrike, Microsoft Defender for Business, Sophos, Huntress. All roughly comparable at the SMB tier.
Cost: $6–$15 per endpoint per month depending on tier.
MDR — Managed Detection and Response
What it is: the humans. MDR is a 24/7 Security Operations Center (SOC) of trained analysts who watch your EDR alerts, triage them, and respond. When your EDR fires at 3 AM on a Saturday because someone’s credentials just got popped in Uzbekistan, MDR is what quarantines the account before it moves laterally.
What it replaces: the fantasy that anyone at your business is going to watch EDR alerts overnight, on weekends, and during holidays. They’re not. You need someone whose job it is.
Two flavors:
- MDR from your MSP — often built on top of the same EDR you already have, staffed by the MSP’s team or a partner SOC.
- MDR from a specialist (like Huntress, Arctic Wolf, Red Canary) — standalone product, works alongside your MSP.
Cost: $15–$40 per endpoint per month on top of EDR, depending on coverage tier.
SIEM — Security Information and Event Management
What it is: a log aggregator. Every security-relevant event across your environment — firewall, EDR, identity provider, cloud infrastructure — gets shipped to one place, correlated, and made searchable. Alerts fire when patterns across sources match a threat.
What it does that EDR alone doesn’t: connect the dots across systems. EDR sees suspicious activity on one endpoint; SIEM sees the same actor probing three endpoints, then hitting Azure AD, then downloading files from SharePoint.
Who needs it: businesses with regulatory requirements (SOC 2, PCI-DSS, HIPAA at scale, CMMC), meaningful cloud infrastructure, or 100+ endpoints. If you’re a 30-person accounting firm, you probably don’t need a dedicated SIEM — your EDR + MDR + M365 audit logs cover most of what SIEM would give you.
Cost: varies wildly. Managed SIEM starts around $2,000–$5,000/month for small deployments; self-run SIEM is a lot of engineer time you probably don’t want to spend.
What most small businesses actually need
Under 50 endpoints, no regulated data:
- EDR everywhere
- MDR from your MSP
- Skip standalone SIEM — Microsoft 365 audit logs are sufficient
50–200 endpoints or regulated vertical (healthcare, legal, financial services):
- EDR everywhere
- MDR (ideally 24/7)
- Managed SIEM starts to make sense, especially if you have compliance auditors asking for centralized log retention
200+ endpoints or serious compliance (CMMC L2+, PCI, SOX):
- All three, plus a documented incident response plan, tabletop exercises, and a defined SOC relationship
Common vendor traps
- “We do MDR” — but their SOC is one person during business hours. Ask: who is watching alerts at 2 AM on Sunday, and how quickly do they respond?
- “AI-powered detection” — mostly marketing. What matters is: how fast does a human make a decision when an alert fires?
- “Our SIEM includes MDR” — sometimes, but often the “MDR” is just alerting you. That’s not response.
- Bundling everything at a premium — sometimes a bundle is right, sometimes an à la carte approach with a specialist MDR is cheaper and better. Get quotes both ways.
The one question that cuts through the noise
Ask any security vendor: “When your product detects a genuine incident, what specifically do you do next, on my behalf, without waiting for my team to approve?”
- If the answer is “alert you” — that’s monitoring, not response.
- If the answer is “isolate the endpoint, disable the compromised account, and call you” — that’s real response.
Buy the second one.
If you want a look at what your current stack covers vs. leaves exposed, we do a 90-minute security posture assessment with a written report you can hand to your leadership or insurance carrier.