Skip to content

Blog/July 9, 2026

MDR vs EDR vs SIEM: what small business owners actually need to know

Cybersecurity vendors love acronyms. Here is what EDR, MDR, and SIEM actually do, which ones your business needs, and how to buy them without getting oversold.

By William Galvin

Founder, Green Desert IT

If you’ve evaluated cybersecurity for your business in the last two years, you’ve heard three acronyms over and over: EDR, MDR, and SIEM. Every vendor uses them. Almost no one explains what they actually are, in plain language, or which combination a business your size actually needs.

Here’s the plain-English version.

EDR — Endpoint Detection and Response

What it is: software installed on every laptop and server that watches for suspicious behavior — not just known malware signatures, but patterns like “process X just tried to encrypt 5,000 files in 90 seconds” or “user Y just downloaded a credential dumper.”

What it replaces: traditional antivirus. If your provider is still selling you “antivirus” in 2026, they’re behind by a decade. EDR is the modern baseline.

What it doesn’t do: monitor itself. An EDR product without a human watching its alerts is a dashboard nobody’s reading.

Who sells it: SentinelOne, CrowdStrike, Microsoft Defender for Business, Sophos, Huntress. All roughly comparable at the SMB tier.

Cost: $6–$15 per endpoint per month depending on tier.

MDR — Managed Detection and Response

What it is: the humans. MDR is a 24/7 Security Operations Center (SOC) of trained analysts who watch your EDR alerts, triage them, and respond. When your EDR fires at 3 AM on a Saturday because someone’s credentials just got popped in Uzbekistan, MDR is what quarantines the account before it moves laterally.

What it replaces: the fantasy that anyone at your business is going to watch EDR alerts overnight, on weekends, and during holidays. They’re not. You need someone whose job it is.

Two flavors:

  • MDR from your MSP — often built on top of the same EDR you already have, staffed by the MSP’s team or a partner SOC.
  • MDR from a specialist (like Huntress, Arctic Wolf, Red Canary) — standalone product, works alongside your MSP.

Cost: $15–$40 per endpoint per month on top of EDR, depending on coverage tier.

SIEM — Security Information and Event Management

What it is: a log aggregator. Every security-relevant event across your environment — firewall, EDR, identity provider, cloud infrastructure — gets shipped to one place, correlated, and made searchable. Alerts fire when patterns across sources match a threat.

What it does that EDR alone doesn’t: connect the dots across systems. EDR sees suspicious activity on one endpoint; SIEM sees the same actor probing three endpoints, then hitting Azure AD, then downloading files from SharePoint.

Who needs it: businesses with regulatory requirements (SOC 2, PCI-DSS, HIPAA at scale, CMMC), meaningful cloud infrastructure, or 100+ endpoints. If you’re a 30-person accounting firm, you probably don’t need a dedicated SIEM — your EDR + MDR + M365 audit logs cover most of what SIEM would give you.

Cost: varies wildly. Managed SIEM starts around $2,000–$5,000/month for small deployments; self-run SIEM is a lot of engineer time you probably don’t want to spend.

What most small businesses actually need

Under 50 endpoints, no regulated data:

  • EDR everywhere
  • MDR from your MSP
  • Skip standalone SIEM — Microsoft 365 audit logs are sufficient

50–200 endpoints or regulated vertical (healthcare, legal, financial services):

  • EDR everywhere
  • MDR (ideally 24/7)
  • Managed SIEM starts to make sense, especially if you have compliance auditors asking for centralized log retention

200+ endpoints or serious compliance (CMMC L2+, PCI, SOX):

  • All three, plus a documented incident response plan, tabletop exercises, and a defined SOC relationship

Common vendor traps

  • “We do MDR” — but their SOC is one person during business hours. Ask: who is watching alerts at 2 AM on Sunday, and how quickly do they respond?
  • “AI-powered detection” — mostly marketing. What matters is: how fast does a human make a decision when an alert fires?
  • “Our SIEM includes MDR” — sometimes, but often the “MDR” is just alerting you. That’s not response.
  • Bundling everything at a premium — sometimes a bundle is right, sometimes an à la carte approach with a specialist MDR is cheaper and better. Get quotes both ways.

The one question that cuts through the noise

Ask any security vendor: “When your product detects a genuine incident, what specifically do you do next, on my behalf, without waiting for my team to approve?”

  • If the answer is “alert you” — that’s monitoring, not response.
  • If the answer is “isolate the endpoint, disable the compromised account, and call you” — that’s real response.

Buy the second one.

If you want a look at what your current stack covers vs. leaves exposed, we do a 90-minute security posture assessment with a written report you can hand to your leadership or insurance carrier.

#cybersecurity#edr#mdr#siem#small-business

Ready to make IT boring again?

Book a 20-minute intro call. We'll tell you within that call whether we're a fit.