Hidden Costs of MDR - What Vendors Don't Tell You Before You Sign
The subscription price you see in an MDR proposal is only 60-75% of what you will actually spend. The rest comes from onboarding fees, log ingestion overages, incident response retainer hours, annual price escalation, integration costs, and coverage expansion charges. None of these are hidden in the sense that they are in the contract - but they are almost never mentioned during the sales process. This page documents every additional cost so you can build an accurate total cost of ownership before signing.
MDRCost.com is an independent pricing guide. We are not affiliated with any MDR vendor.
Onboarding and Deployment: $5,000-$25,000 One-Time
When you sign an MDR contract, the vendor needs to deploy their agent across your endpoint fleet, configure policies for your environment, integrate with your existing tools (SIEM, ticketing system, identity provider), and tune detection rules to minimise false positives specific to your applications and workflows. This onboarding process typically takes 2-6 weeks and involves professional services staff from the MDR vendor. Some vendors include onboarding in the subscription price, especially for larger deals above $100,000 per year. Others charge it as a separate line item. Always ask explicitly whether onboarding is included and negotiate to have it waived or amortised into the monthly price. For deals above $75,000 per year, onboarding fee waivers are common negotiation concessions.
Log Ingestion and Data Volume: $1-5/GB/Day in Overages
Many MDR providers cap the volume of log data they ingest. The cap may be expressed in GB per day, events per second, or total storage per month. When your environment generates more data than the included allowance, overage charges apply. Cloud-heavy environments are most at risk because AWS CloudTrail, VPC Flow Logs, GuardDuty findings, and Azure Activity Logs can produce hundreds of GB per day for large deployments. A single verbose application logging to a cloud SIEM can blow through caps quickly. Ask your vendor for the specific log volume cap, what counts toward the cap (just security events or all telemetry), and the per-GB overage rate. Model your expected log volume before signing.
Incident Response Retainer: $250-$400/Hour
Standard MDR includes detection, investigation, and containment. When the analysts find a threat, they investigate it, determine the scope, and take containment actions like isolating the compromised host or blocking the malicious IP. This is included in the base price. Full incident response - which includes digital forensics, evidence preservation for legal proceedings, breach notification coordination, recovery planning, and post-incident remediation guidance - is a separate service that most vendors charge at $250-400 per hour. IR retainer blocks are typically sold in 40-hour increments at $10,000-16,000. Some premium MDR tiers (like CrowdStrike Falcon Complete) include a block of IR retainer hours. Budget for at least one 40-hour block per year as insurance.
Annual Price Escalation: 3-7% Built Into Most Contracts
Read the fine print on price adjustment clauses. Most MDR contracts include automatic annual price escalation of 3-7%. On a $100,000 annual contract with 5% escalation, you pay $100,000 in year one, $105,000 in year two, and $110,250 in year three - a total of $315,250 over three years instead of the expected $300,000. Arctic Wolf contracts are particularly known for escalation clauses. Negotiate the rate down to 2-3% or request a flat-price multi-year commitment. Some vendors will lock pricing for the full term if you commit to a multi-year contract upfront.
Integration and Professional Services: $5,000-$20,000
Connecting the MDR platform to your SIEM, SOAR, ticketing system (ServiceNow, Jira), and identity provider (Active Directory, Okta, Entra ID) may require professional services beyond standard onboarding. Custom API integrations, webhook configurations, and automated workflow development are typically billed at professional services rates of $200-350 per hour. Estimate 20-60 hours for a typical mid-market integration project.
Coverage Expansion: 50-100% Price Increase for Full Stack
The base MDR price typically covers endpoint monitoring only. Adding cloud workload monitoring (AWS, Azure, GCP), email security monitoring (Microsoft 365, Google Workspace), identity monitoring (Active Directory, Entra ID), and network telemetry can double the base price. Vendors often demonstrate their platform with full-stack coverage enabled during the proof of concept, then quote you for endpoint-only in the proposal. Clarify exactly which data sources are included in the quoted price and what the incremental cost is for each additional source.
Renewal and Switching Costs
MDR creates operational dependency. Your detection rules, alert tuning, and institutional knowledge about your environment live in the vendor's platform. Switching MDR providers means losing this customisation and starting fresh with a new vendor's onboarding process. Renewal negotiations should account for the switching cost leverage that vendors know they have. Additionally, some vendors charge early termination fees of 50-100% of the remaining contract value if you leave before term. Understand your exit options before signing.
Hidden MDR Costs FAQ
What percentage of total MDR cost is the subscription fee?
The base subscription typically represents 60-75% of total MDR spend over the contract term. The remaining 25-40% comes from onboarding and deployment fees, log ingestion overages, incident response retainer hours, coverage expansion costs, annual price escalation, and integration professional services. Budget for at least 30% above the quoted subscription price to account for these additional costs.
How much does MDR onboarding cost?
MDR onboarding and deployment typically costs $5,000-25,000 as a one-time fee. This covers agent deployment across your endpoint fleet, policy configuration, integration with existing tools, and initial baseline tuning to reduce false positives. Some vendors include onboarding in the subscription price (especially for larger deals), while others charge it separately. Always ask whether onboarding is included and negotiate to have it waived for deals above $75,000 per year.
What are MDR log ingestion overages?
Many MDR providers cap the volume of log data they ingest and analyse. When your environment generates more logs than the cap, overage charges of $1-5 per GB per day apply. Cloud-heavy environments with verbose logging are most affected. An AWS environment with detailed CloudTrail, VPC Flow Logs, and GuardDuty findings can generate hundreds of GB per day. Ask your MDR vendor about their log volume cap and what happens when you exceed it before signing.
How much do MDR incident response retainer hours cost?
Standard MDR includes investigation and containment - the analysts find threats and stop the bleeding. Full incident response with digital forensics, evidence preservation, legal coordination, and recovery guidance typically costs $250-400 per hour and is sold in 40-hour retainer blocks at $10,000-16,000 per block. Some premium MDR tiers include a block of IR retainer hours in the annual subscription. Ask specifically what response actions are included in the base price versus what triggers additional charges.
What is MDR annual price escalation?
Most MDR contracts include automatic annual price escalation clauses of 3-7%. This means a $100,000 contract becomes $103,000-107,000 in year two and $106,000-114,000 in year three. Over a three-year term, a 5% annual escalation turns a $300,000 expected cost into approximately $315,000. Always negotiate the escalation rate down to 2-3% or request a fixed-price multi-year contract. Some vendors will lock pricing for the full term in exchange for a multi-year commitment.