EDR vs Antivirus: what's the difference and which does your company need?
Direct answer
Traditional antivirus (EPP) blocks known threats by signature; EDR detects and responds to suspicious behavior on the endpoint, even when there is no malicious file. Today 79-81% of intrusions use no malware (CrowdStrike 2025) — so antivirus alone is not enough. For most Brazilian companies the answer is: EDR as the baseline and MDR (managed EDR, 24/7) if you don't have a team to investigate alerts. Real ranges: standalone EDR costs from R$ 18 to R$ 120 per endpoint/month depending on the tier; managed MDR from R$ 35 to R$ 180 per endpoint/month, with floors of R$ 6,000 to R$ 30,000/month in packages for up to 50-100 machines. The price depends on the number of endpoints, telemetry retention, SLA, and whether there is a human SOC in the contract.
In short
- ›Antivirus (EPP) is signature/reputation-based prevention: great against known malware, blind to attacks that use legitimate Windows tools (PowerShell, mshta, rundll32) and stolen credentials.
- ›EDR adds continuous telemetry, behavioral detection, machine isolation, and threat hunting — it's what sees modern ransomware and the fileless attacks antivirus doesn't catch.
- ›79-81% of intrusions in 2024-2025 were 'malware-free' (CrowdStrike): the attacker gets in with valid credentials and uses native tools. That alone justifies EDR for any company with sensitive data.
- ›Having EDR is not enough: someone has to read and investigate the alerts. If you don't have a 24/7 security team, EDR turns into noise. That's where MDR comes in (managed EDR with a human SOC).
- ›Honest pricing: standalone EDR ~R$ 18-120/endpoint/month; managed MDR ~R$ 35-180/endpoint/month. What moves the price is the number of machines, log retention, response SLA, and the presence of a human analyst.
- ›For Brazilian SMBs with 20-200 endpoints and no security team, MDR usually comes out cheaper and more effective than building an in-house SOC — because the real cost of EDR is not the license, it's the operation.
What traditional antivirus (EPP) is and where it gets it right — and goes blind
The antivirus you know today is part of a category the industry calls EPP (Endpoint Protection Platform). The name difference matters for buying well: 'antivirus' in the classic sense was a signature engine; 'EPP' is the modern prevention suite that bundles that signature engine, file reputation, heuristics, host firewall, device control, and, in the good versions, a machine-learning module that tries to classify a file as good or bad before it runs. When someone says 'I have corporate antivirus,' they are almost always talking about an EPP. Understanding this keeps you from paying twice for the same layer.
EPP is a prevention technology, and prevention means: trying to stop something bad from happening, based on what is already known to be bad. The mental model is a doorman with a wanted list. A file arrives, the engine computes a hash, compares it against the signature database and cloud reputation intelligence, and decides to block or allow. This works very well for a huge class of threat: commodity malware, the mass-circulating trojan, the recognized malicious attachment, the executable already cataloged by millions of other customers. For that kind of threat, modern antivirus is fast, cheap, and effective. No one sensible recommends removing EPP from a company — it stops the background noise and lets the team focus on what is hard.
The problem is structural, not brand-related: signature/reputation prevention sees files, and the modern attack depends less and less on files. CrowdStrike's Global Threat Report 2025 measured that 79% of intrusion detections in 2024 were 'malware-free' — that is, with no malicious file for the antivirus to catch — and that number rose to 81% of intrusions in the first half of 2025. The intruder does not 'install a virus'; they log in with a stolen credential (bought in a stealer log, obtained via phishing) and from there use the tools that already exist in Windows. To the EPP, a running PowerShell is Windows working normally. There is no bad hash to block. The door is blind.
The second blind spot is the fileless attack and living-off-the-land (LOTL — using what is already on the machine). Here the malicious code runs straight in memory, or is loaded by a legitimate binary signed by Microsoft itself — the so-called LOLBins (Living-Off-the-Land Binaries), such as powershell.exe, mshta.exe, rundll32.exe, certutil.exe, wmic.exe. Because nothing suspicious touches the disk, there is nothing to scan. CrowdStrike itself defines LOTL as the use of native, legitimate tools to conduct malicious activity, precisely to evade signature-based defenses. The Ponemon Institute estimated that fileless attacks have roughly ten times the chance of success of file-based attacks. It is not that your antivirus is bad — it is that it was designed for a game the adversary stopped playing.
There is a third, subtler and more dangerous problem for a buyer: traditional antivirus does not tell the story. Even when it blocks something, it gives you an isolated event — 'file X blocked at 2:32 p.m.' It does not tell you how that got there, what else that process did, whether it moved to another machine, whether it exfiltrated data. Without that narrative, you don't know whether it was a scare or the start of a ransomware incident. It is exactly that gap — visibility, context, and the ability to respond — that gave rise to the EDR category.
What EDR is and why it sees what antivirus can't
EDR stands for Endpoint Detection and Response. The term (originally ETDR) was coined in 2013 by Gartner analyst Anton Chuvakin to name a new category of tools focused on detecting and investigating suspicious activity on hosts, and was shortened to EDR in 2015. The motivation was precisely the limitation of antivirus against advanced threats. Note the order of the words: detection and response. Antivirus is prevention; EDR assumes something will get past prevention — and prepares to see and act when it does. The two do not compete: EDR presupposes that you already have prevention and covers what it lets slip through.
Mechanically, an EDR installs an agent on each endpoint that does something antivirus does not: it continuously records the machine's behavior. Process creation, network connections, writes to registry keys, DLL loads, parent-child process relationships, logons. This telemetry stream is sent to a central platform, where it is correlated in real time against behavioral detection rules. The question EDR asks is not 'is this file known to be bad?', but 'is this sequence of actions what an attacker would do?'. When Word opens PowerShell, which downloads something from the internet, which disables Volume Shadow Copy (Windows backups) and starts encrypting files in bulk — each step may be 'legitimate' in isolation, but the whole chain is unmistakably a ransomware attack. EDR sees the chain. Antivirus saw each link, and each link looked harmless.
This is where MITRE ATT&CK comes in, the framework that became the lingua franca of modern detection. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a public knowledge base, maintained by MITRE, that catalogs how real adversaries operate. In the Enterprise version (v18, 2025) there are 14 tactics — the 'whys,' from Reconnaissance to Impact — and 216 techniques with 475 sub-techniques — the 'hows.' A serious EDR maps its detections to these techniques: when it alerts 'T1059.001 — PowerShell' or 'T1490 — Inhibit System Recovery' (deleting backups), you don't get a generic alarm, you get the exact name of the adversary's move and where it sits in the attack timeline. That changes everything in the investigation — you know whether you are at the beginning (initial access) or the end (impact/exfiltration), and how urgent it is.
The 'Response' part of EDR is what turns it from a detector into a defense. Faced with an alert, EDR allows actions antivirus never had: isolate the machine from the network with one click (it keeps talking only to the platform, and the attacker loses their foothold), kill a malicious process remotely, roll back changes, collect forensic artifacts, and block the indicator across the entire fleet at once. In a real incident, the difference between isolating patient zero in five minutes and discovering the problem three days later is, literally, the difference between a scare and the company halted with everything encrypted. IBM's Cost of a Data Breach 2025 report measured the average time to identify and contain a breach at 241 days — the lowest in nine years, but still eight months. EDR exists to bring that number down from months to minutes.
Finally, EDR enables threat hunting: because it retains historical telemetry, an analyst can ask retroactive questions — 'did any endpoint run this suspicious command in the last 30 days?', 'did this credential log on from somewhere it never had before?'. It is proactivity: searching for the intruder who is already inside and has not yet triggered any automatic alarm. No antivirus does this, because it does not keep the history — it only reacts to files at the moment they appear. This telemetry retention, incidentally, is one of the main price factors for EDR, as we will see.
Want to stop guessing whether your antivirus can handle it? Decripte deploys managed EDR/MDR sized to your real risk — with a SOC operating when the attacker actually attacks. Start with Preventive Security (/plano/seguranca-preventiva), get to know managed detection and response (/solucoes/mdr) or 24/7 monitoring (/plano/soc-247). Cybersecurity for every size, from MEI to enterprise.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
Antivirus vs EDR vs MDR: the comparison that decides the purchase
There is a third term you need to understand before signing any contract, because it is where most companies go wrong: MDR — Managed Detection and Response. EDR is a tool; MDR is a service. With standalone EDR, the platform generates the alerts — and someone at your company has to read them, investigate them, separate false positives from real attacks, and press the response button, 24 hours a day, 7 days a week, including at 3 a.m. on a Sunday (which is exactly when ransomware groups prefer to attack, precisely because no one is watching). With MDR, a vendor's human SOC (Security Operations Center) does this for you: it monitors, triages, investigates, responds, and calls you when it is serious.
This distinction is the source of the biggest budgeting mistake in endpoint security: buying EDR thinking you bought protection, when in fact you bought a tool that needs an operator. A top-tier EDR generating 200 alerts a day for a three-person IT team that already handles the printer, email, and ERP is not security — it is an alarm ringing in an empty house. The value of EDR is realized only when there is qualified human capacity to operate it. That is why the buying question is not 'EDR or antivirus?', but, in sequence: (1) do I have EPP? (yes, keep it); (2) do I need EDR? (almost certainly yes); (3) do I have people to operate EDR 24/7? — if not, you need MDR.
The table below summarizes the three layers from the decision-maker's viewpoint. Read it as steps that stack, not as mutually exclusive options: MDR normally already includes EDR (the tool) embedded in the service, and EDR presupposes an EPP underneath. You do not 'swap' antivirus for EDR; you stack capabilities according to your risk and your operational maturity.
In Brazilian practice, the tipping point is usually this: if your company handles sensitive personal data (and nearly every one does, by force of the LGPD — Law 13,709/2018, whose art. 46 requires technical and administrative security measures, and whose art. 48 obliges companies to report incidents to the ANPD and to data subjects), and if a one-day outage from ransomware would be a serious cash or reputation problem, then EDR has stopped being a luxury and become a baseline. The next question — operate it in-house or contract MDR — is a decision about total cost and about honesty regarding your real capacity to respond in the middle of the night.
How much it costs: honest ranges from the Brazilian market and what moves the price
First, the honesty missing from most sites: there is no single price for EDR or MDR, and anyone who gives you a fixed number without asking anything about your environment is guessing or locking you in. The price is per endpoint (each laptop, desktop, and server counts as an endpoint), and it varies by capability tier, by volume, and by a list of factors I detail below. What you can do responsibly is give real ranges and teach you how to position yourself within them.
For standalone EDR (the tool, without a human SOC), the international list prices of the leaders in 2025 come in, in annual per-endpoint terms: entry tiers around US$ 36 to 96 (e.g., CrowdStrike Falcon Go ~US$ 60, SentinelOne Core ~US$ 70); mid tiers of US$ 96 to 216 (CrowdStrike Pro ~US$ 100); and enterprise tiers with full EDR of US$ 184 to 420+ (CrowdStrike Enterprise ~US$ 185, SentinelOne Complete ~US$ 160). Microsoft Defender for Endpoint Plan 2 goes standalone for ~US$ 5.20/user/month (~US$ 62/year) and comes 'for free' (zero marginal cost) for those already paying for Microsoft 365 E5. Converting and adjusting for the reality of resale in Brazil (taxes, local support, exchange rate), an honest range for standalone EDR sits around R$ 18 to R$ 120 per endpoint/month depending on the tier — entry at the bottom, enterprise at the top.
For MDR (managed EDR with a 24/7 human SOC), the international market verified in 2025-2026 runs between US$ 10 and US$ 30 per endpoint/month on average, with vendors ranging from ~US$ 3-9 (Huntress) to ~US$ 25-45 (managed CrowdStrike). For small companies, the monthly floor model is common: packages of US$ 1,500 to US$ 5,000/month for environments of up to 50-100 endpoints, because the cost of the human service does not scale down linearly. In Brazil, an honest range for MDR sits around R$ 35 to R$ 180 per endpoint/month, frequently with a contract floor between R$ 6,000 and R$ 30,000/month for small and medium environments. MDR looks more expensive per endpoint than standalone EDR — and it is, because it includes people. The fair comparison is not EDR-license vs MDR-service; it is MDR vs (EDR license + salaries of 24/7 analysts + tools + on-call).
What moves the price, and what you should ask any vendor to avoid buying wrong: (1) Number of endpoints — almost every price drops by volume tier; ask for the step table. (2) Servers vs workstations — servers usually cost more, being a critical target. (3) Telemetry retention — keeping 7, 30, 90, or 365 days of logs changes the price a lot (it is storage and processing); for the LGPD and serious investigation, less than 30 days is risky. (4) Response SLA — 'we respond in 15 minutes' costs differently from 'within 4 business hours'; demand the SLA in writing. (5) Active response included or notification only — some cheap MDRs only alert you ('we saw something'), without isolating the machine; that is half-MDR. (6) Onboarding and tuning — one-time deployment fees exist (abroad US$ 5-25k) and the fine-tuning of rules in the first weeks determines whether you will live drowning in false positives. (7) Annual increase — ask for the clause; 3-7% per year is common and adds up over a 3-year budget.
An anti-trap warning: be wary of suspiciously cheap 'EDR.' There are products sold as EDR that are antivirus with a pretty dashboard — they have the label, not the continuous behavioral telemetry nor the real response capability. Ask explicitly: does the agent continuously record processes/network/registry? Does it map detections to MITRE ATT&CK? Does it allow isolating the machine remotely? Does it keep historical telemetry for hunting? If the answer is vague, it is EPP in disguise. And be wary too of the MDR that does not deliver an incident report and does not tell you, in plain language, on which site you should change the leaked password — because the deliverable of MDR is not the alert, it is the resolution you can understand and act on.
No card, no commitment — understand your real risk before you invest.
No card, no commitment. Find out in minutes what has already leaked from your company and what your real risk is.
When a company needs EDR, and when it needs managed MDR
Start with risk, not the tool. Ask three honest questions. First: if your biggest endpoint (the finance laptop, the ERP server) were encrypted by ransomware tonight, how big would the damage be — in halted revenue, in exposed customer data, in reputation? If the answer is 'serious' or 'catastrophic,' you need EDR. Second: do you handle personal, financial, health, or crypto data? If so, the LGPD already puts you under the obligation to adopt appropriate technical measures (art. 46) and to report incidents (art. 48) — and 'I only had antivirus' is a weak defense before the ANPD after a breach. EDR becomes part of the minimum due diligence. Third: does your current antivirus tell you the story of an attack, or just block loose files? If it gives you no context and no ability to isolate a machine, you have prevention, not detection and response.
You need EDR (and not just antivirus) when: you have assets whose downtime hurts; you have sensitive data under the LGPD; you have already had a scare or an incident; you have grown beyond the point where 'you could keep an eye on everything by hand'; or you have any exposure to remote access, VPN, and employees who click on email (that is, all companies). The most underrated trigger is working with credentials: since 79-81% of intrusions today use stolen valid logins, any company whose employees have passwords worth money — and that is any company — is exposed to exactly the kind of attack antivirus doesn't see and EDR does.
You need MDR (managed EDR) — and not just to buy the EDR license — when any of these is true: you don't have a dedicated security team covering 24/7; your IT is already overloaded and won't investigate 50 alerts a day with method; you don't have an analyst who can read a MITRE ATT&CK chain and decide in minutes whether to isolate the machine; or you did the math and realized that building an in-house SOC (a minimum of 3 to 5 analysts to cover shifts, plus tools, plus on-call) costs far more than contracting the service. For the overwhelming majority of Brazilian SMBs with 20 to 200 endpoints, the math points to MDR: you outsource the 24/7 operation to someone who already has the SOC built and spreads the cost across many clients.
The case where standalone EDR (without MDR) makes sense is specific: companies that already have a mature security team, with real on-call, response processes, and analysts who live in the platform — typically larger organizations, or those in regulated sectors, that want full control and have the people to exercise it. Even these often contract MDR to cover nights and holidays, or hybrid MDR (co-managed), where the vendor covers outside business hours and the in-house team handles the day. There is no shame in outsourcing the operation — there is recklessness in buying the tool and leaving it without an operator.
A practical decision test, in one sentence: if no one at your company is going to wake up at 3 a.m. on a Sunday to isolate a compromised machine, you don't need another tool — you need someone on call. That is MDR. If you have that someone and want to give them the best tool, that is EDR. And in both cases, underneath, the antivirus/EPP stays on, sweeping up the known noise. The three layers coexist; what changes is how much of the operation you operate and how much you delegate.
How to buy well: criteria, questions, and vendor traps
Contracting EDR or MDR is less about the product brand and more about the quality of the operation behind it — because, as we've seen, the tool without operation does not protect. The first criterion is transparency of the deliverable: a good vendor shows you, before you sign, what the incident report you will receive looks like, what the detection and response SLA is in writing, and what exactly is included ('alert only' vs 'active machine isolation'). If the salesperson dodges on these three things, that is your exit sign.
The second criterion is clarity for non-experts. Good security is not the kind that fills the report with acronyms; it is the kind that tells you, in plain language, 'what happened, what we've already contained, and what you need to do now.' If the finding is a leaked credential, the report has to say on which system you should change the password — not hand you a JSON of IoCs and wish you good luck. You are buying the ability to decide and act, not a console no one at your company knows how to use. Ask to see a real (anonymized) sample report before closing.
Third: watch out for disguised half-measures. The most common traps in the Brazilian market are (a) the 'EDR' that is repackaged antivirus — no continuous behavioral telemetry, no MITRE mapping, no remote isolation; (b) the 'MDR' that only notifies and does not respond — it emails you at 3 a.m. and the machine stays infected because no one pressed the button; (c) the contract with short log retention (7 days) that leaves you blind to investigate an attack that started weeks earlier; and (d) the hidden price floor that only appears in the final proposal. Ask all of this in writing and require it in the contract.
Fourth: size it yourself before requesting a proposal, so you negotiate on equal footing. Count your real endpoints (workstations + laptops + servers). Define your minimum retention (recommendation: 30 to 90 days to be able to investigate and meet the LGPD). Define the SLA your risk demands (a fintech needs response in minutes; an office can tolerate hours). Add up the total cost of 3 years including the annual increase. With those numbers in hand, you compare proposals by what matters — the total cost of the capability you need — and not by the per-endpoint sticker price, which is what vendors use to look cheap.
Finally, the fifth criterion is the fit with the rest of your security. EDR/MDR is the endpoint layer; it gets stronger connected to credential-leak monitoring (because the modern attack starts with a stolen password), to an incident response plan (for when EDR detects something big), and to a 24/7 SOC if your operation is critical. At Decripte, preventive security (managed EDR/MDR) is the baseline — at /plano/seguranca-preventiva — with managed detection and response detailed at /solucoes/mdr and continuous 24/7 monitoring at /plano/soc-247. The point is not to stack products: it is to design the endpoint layer to the size of your risk and operate it for real, with people, at the hours the attacker actually attacks.
Antivirus (EPP) vs EDR vs MDR: what each layer does
| Criterion | Antivirus / EPP | EDR | MDR (managed EDR) |
|---|---|---|---|
| What it is | Prevention technology | Detection and response tool | Service with a 24/7 human SOC |
| How it detects | Signature, reputation, heuristics (looks at files) | Continuous behavior (processes, network, registry) | EDR + analysts investigating the alerts |
| Catches modern ransomware? | Only the known kind; fails on the new/packed | Yes — sees the attack's chain of actions | Yes — and actively contains it in minutes |
| Catches fileless / stolen-credential attacks (79-81% today) | No — there's no file to scan | Yes — detects the anomalous behavior | Yes — with human validation and response |
| Incident response | Blocks an isolated file, no context | Isolates the machine, kills the process, does hunting (you operate) | The vendor isolates, investigates, and calls you |
| Maps MITRE ATT&CK | No | Yes (in mature products) | Yes, with an analyst interpreting the chain |
| Who operates it 24/7 | Automatic, no operator | Your team has to investigate the alerts | The vendor's SOC, even at 3 a.m. on Sunday |
| Price range (Brazil, estimated) | R$ 5-30/endpoint/month | R$ 18-120/endpoint/month | R$ 35-180/endpoint/month (floor R$ 6-30k/month) |
| For whom | Minimum baseline for every company | Those with a security team to operate it | Those without their own security on-call (most SMBs) |
Key terms
- Antivirus / EPP (Endpoint Protection Platform)
- Prevention technology on the endpoint. Blocks threats by signature, reputation, and heuristics — effective against known malware, blind to fileless and stolen-credential attacks.
- EDR (Endpoint Detection and Response)
- Detection and response on the endpoint. Continuously records the machine's behavior (processes, network, registry), detects attack chains by behavior, allows isolating the machine and threat hunting. Term coined by Anton Chuvakin (Gartner) in 2013.
- MDR (Managed Detection and Response)
- Managed EDR: a vendor's human SOC monitors, investigates, and responds 24/7 for your company. Solves the problem of having the tool without having anyone to operate it in the middle of the night.
- Fileless attack / Living-off-the-Land (LOTL)
- An attack that leaves no file on disk: it runs in memory or uses the system's own legitimate binaries (LOLBins, such as PowerShell, mshta, rundll32). Invisible to signature-based antivirus; about 10x more likely to succeed (Ponemon).
- Malware-free intrusion
- An intrusion with no malware — the attacker uses stolen valid credentials and native tools. It accounted for 79% of detections in 2024 and 81% of intrusions in the first half of 2025 (CrowdStrike).
- MITRE ATT&CK
- A public knowledge base (MITRE) that catalogs real adversary tactics and techniques. The Enterprise version v18 (2025) has 14 tactics, 216 techniques, and 475 sub-techniques. Mature EDRs map detections to these techniques.
- Threat hunting
- Proactive threat hunting: using the EDR's historical telemetry to look for intruders who are already inside and have not yet triggered an automatic alarm.
- Telemetry retention
- How long the endpoint's behavior logs are kept (7, 30, 90, 365 days). A key factor in price and in the ability to investigate incidents that began weeks earlier.
How to decide and hire well
- Map the risk before the tool: list your critical endpoints and calculate the real damage (cash, data, reputation) if the worst of them were encrypted by ransomware tonight.
- Confirm the baseline: do you already have antivirus/EPP on every machine? Keep it — EDR and MDR add to it, they don't replace it.
- Decide whether you need EDR: if there are assets whose downtime hurts, data under the LGPD (arts. 46 and 48), or exposure to stolen credentials, the answer is yes — antivirus alone does not cover the 79-81% of malware-free attacks.
- Run the on-call test: is anyone at your company going to wake up at 3 a.m. on a Sunday to isolate a compromised machine? If not, you need MDR (managed EDR), not another tool without an operator.
- Size it yourself: count real endpoints (workstations + servers), define minimum telemetry retention (30-90 days), and the response SLA your risk demands. Take those numbers into the negotiation.
- Demand in writing from each vendor: the detection and response SLA, whether the response is active (isolation) or notification only, log retention, onboarding fee, and annual increase.
- Ask for a real (anonymized) sample report: a good deliverable says in plain language what happened, what was contained, and which password to change — not a JSON of IoCs.
- Compare by the total 3-year cost of the capability you need (including the increase), not by the per-endpoint sticker price, which makes vendors look cheap.
- Connect it to the rest: fit EDR/MDR together with credential-leak monitoring, an incident response plan, and a 24/7 SOC if your operation is critical.
Frequently asked questions
What's the difference between EDR and antivirus, in one sentence?
Antivirus (EPP) prevents known threats by blocking files via signature; EDR detects and responds to attack behavior on the endpoint — including when there is no malicious file at all, which is the case in 79-81% of modern intrusions. Antivirus is the doorman with a wanted list; EDR is the camera that sees the whole scene and can lock the door.
Isn't antivirus alone enough anymore? Why?
It's not enough for the current threat. Antivirus sees files, and the modern attack uses files less and less: the intruder gets in with a stolen credential and uses legitimate Windows tools (PowerShell, mshta, rundll32). To antivirus, that's the system working normally — there's no bad hash to block. That's why fileless attacks are about 10x more likely to succeed (Ponemon). Keep the antivirus, but add EDR.
Is EDR worth it for my company, even though it's small?
If you have assets whose downtime hurts, personal data under the LGPD, or employees with passwords worth money (that is, practically every company), it is. Modern ransomware doesn't pick by size — it picks whoever is unprotected and blind. For small companies, the most cost-effective path is usually MDR (managed EDR), because you outsource the 24/7 operation instead of building an expensive in-house SOC.
What's the difference between EDR and MDR?
EDR is the tool; MDR is the service. With standalone EDR, the platform generates the alerts and someone at your company has to read them, investigate them, and respond 24/7. With MDR, a vendor's human SOC does all of that for you and calls you when it's serious. If you don't have a security team on call, buying EDR without MDR is buying an alarm ringing in an empty house.
How much do EDR and MDR cost in Brazil?
Honest ranges: standalone EDR runs around R$ 18 to R$ 120 per endpoint/month (entry to enterprise); managed MDR, R$ 35 to R$ 180 per endpoint/month, with common floors of R$ 6,000 to R$ 30,000/month for environments of up to 50-100 machines. The price varies by number of endpoints, telemetry retention, response SLA, and whether there is a human analyst in the contract. Be wary of a single number nailed down without anyone asking anything about your environment.
MDR looks more expensive than EDR. Why choose MDR?
MDR is more expensive per endpoint because it includes people — a SOC operating 24/7. The fair comparison is not 'EDR license vs MDR service,' but 'MDR vs EDR license + salaries of 3 to 5 analysts to cover shifts + tools + on-call.' For most SMBs, outsourcing the operation comes out cheaper and more effective than building and maintaining an in-house SOC.
How do I choose an EDR/MDR vendor without falling into a trap?
Demand in writing: the detection and response SLA, whether the response is active (isolates the machine) or only notifies, log retention (minimum 30-90 days), and the annual increase. Ask for a real sample report and see whether it explains in plain language what to do. Be wary of the cheap 'EDR' that is repackaged antivirus (no behavioral telemetry or remote isolation) and of the 'MDR' that only emails you without responding.
Do EDR or MDR replace antivirus?
No. The three layers coexist and add up. Antivirus/EPP keeps sweeping up known malware (cheap and effective for that); EDR covers what prevention lets slip through, with behavioral detection and response; MDR adds the 24/7 human operation. You don't swap one for another — you stack them according to your risk and your real capacity to operate.
References
- ›IBM Cost of a Data Breach Report 2025 — global cost US$ 4.44M, Brazil R$ 7.19M, 241 days to identify and contain — https://www.ibm.com/reports/data-breach
- ›CrowdStrike 2025 Global Threat Report — 79% of detections malware-free in 2024, 81% of intrusions in H1 2025; Living-off-the-Land concept — https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/living-off-the-land-attack/
- ›MITRE ATT&CK — Enterprise Matrix (v18, 2025): 14 tactics, 216 techniques, 475 sub-techniques — https://attack.mitre.org/matrices/enterprise/
- ›Origin of the EDR/ETDR term — Anton Chuvakin (Gartner), 2013→2015 (Wikipedia: Endpoint detection and response) — https://en.wikipedia.org/wiki/Endpoint_detection_and_response
- ›LGPD — Law No. 13,709/2018, art. 46 (security measures) and art. 48 (reporting incidents to the ANPD) — https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- ›Software Pricing Guide 2025 — EDR price ranges (CrowdStrike, SentinelOne, Microsoft Defender) and MDR per endpoint — https://softwarepricingguide.com/cybersecurity-software-pricing-2025-what-crowdstrike-sentinelone-and-microsoft-defender-actually-cost-at-enterprise-scale/
How Decripte solves this
From the free assessment to the managed service — pick the right entry point.
Want to stop guessing whether your antivirus can handle it? Decripte deploys managed EDR/MDR sized to your real risk — with a SOC operating when the attacker actually attacks. Start with Preventive Security (/plano/seguranca-preventiva), get to know managed detection and response (/solucoes/mdr) or 24/7 monitoring (/plano/soc-247). Cybersecurity for every size, from MEI to enterprise.
Start free with Threat Management and see what is already exposed. Move up to the managed plans when it makes sense — without building an in-house team.
