1300 002 001
Follow Us  —Fb. /Lk. /X. /Ig.

Insights · June 8, 2026 · 7 min read

EDR vs MDR — what Australian SMBs actually need.

EDR is a tool. MDR is a service. The difference matters more than vendors will admit. A practical decision tree for Australian SMBs sizing up endpoint security spend.

The acronyms have run together. Vendors sell “EDR with managed services” and call it MDR. Other vendors sell “MDR” that is really an alerting dashboard on top of a SIEM. For an SMB writing a cheque, the gap between the two is the gap between owning a tool and renting an outcome. Below is the version of this you would get from somebody who runs the contracts, not somebody trying to sell you one.

The confusion

In the analyst categories, EDR and MDR are different things. In the buying process they get muddled because:

  • Most EDR vendors offer a “managed” tier that resembles MDR.
  • Most MDR vendors run on top of an EDR (theirs or yours).
  • The marketing rounds the edges off both.
  • Procurement asks “do you have EDR/MDR?” without distinguishing.

The honest answer is that they are different layers of the same stack. EDR is the sensor. MDR is the human team paid to read what the sensor says.

What EDR is

EDR — Endpoint Detection and Response — is software that runs on each endpoint (laptops, servers, sometimes mobile devices). It does three things:

  1. Collects behavioural telemetry — process trees, file writes, network connections, registry changes, command-line arguments. Far more granular than antivirus signature matching.
  2. Detects suspicious patterns — vendor-supplied detection logic plus, increasingly, machine-learning models flag behaviour that fits known adversary tradecraft (LSASS dumping, suspicious PowerShell, lateral movement attempts).
  3. Responds automatically — isolates the endpoint from the network, kills processes, quarantines files, rolls back ransomware-style file changes.

Crowdstrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Sophos Intercept X — all EDR. They differ in detection quality and integration story, less than vendors would have you believe.

The thing EDR does not do is decide whether an alert is real. It generates the alert and, on high-confidence detections, takes an automatic action. The judgment call — is this a real intrusion, what does the attacker have access to, what do we do next — is a human task. If no human reads the alert, EDR is a smarter alarm system with the speakers turned off.

What MDR is

MDR — Managed Detection and Response — is a service. The service buys you a 24/7 analyst team who:

  1. Ingest telemetry from your EDR plus identity signals (Microsoft 365 sign-ins, Active Directory, conditional access), network sensors, and often cloud workload telemetry.
  2. Triage alerts — tier-1 analysts work through the queue, dismiss false positives, escalate genuine signals.
  3. Investigate escalations — tier-2 analysts pivot across the telemetry to understand scope, impact, and what to do.
  4. Take contracted response actions — isolate endpoints, disable accounts, block IPs — inside an SLA measured in minutes for high-severity incidents.
  5. Report monthly on what they saw, what they actioned, what’s trending, and what changed in your environment.

The load-bearing part is “24/7” and “humans”. An alerting dashboard that sends emails to a generic inbox at 2am is not MDR. Neither is “we’ll look at it Monday morning”. The point of MDR is to compress the time between detection and response so the attacker has hours rather than months of dwell time.

Symsafe delivers MDR built on a specialist MDR platform: 24/7 monitoring and triage from the platform’s analyst pool, with confirmed threats phoned through to Symsafe under documented SLAs. Symsafe engineers take the response actions, and the Sydney service desk coordinates client communication and on-site response. That is the practical shape of MDR at SMB scale.

The decision tree

Three rough bands, based on staff size and the type of data the business holds. The boundaries are indicative, not absolute.

Under ~30 staff, no regulated data. EDR plus good IT hygiene is usually the right answer. A managed Microsoft Defender for Endpoint deployment, conditional access on Microsoft 365, MFA enforced, patching SLAs, regular backups, and a competent MSP watching the daily operations. The investment doesn’t yet justify a 24/7 MDR contract — the marginal risk reduction is real but small at this scale, and the budget is better spent shoring up the prevention controls.

30 to 100 staff, or any regulated data. MDR becomes the right answer. The threshold is partly about attack surface (more identities, more endpoints, more places to go wrong) and partly about consequence (regulated data means a breach is reportable, which means the cost is no longer just operational). If you hold patient records, financial data, customer PII at scale, or you sell into government — start MDR conversations at the lower end of this band, not the upper.

Over 100 staff. MDR always. At this scale the question is no longer “do we need it” but “which provider and what coverage”. An incident in a 100-plus headcount business with no monitoring will run for weeks before anyone notices.

These bands assume an Australian SMB context. If you are a 25-person fintech holding card data, you are in the middle band by data classification, not the bottom band by headcount. The data is the dominant variable. Headcount is the proxy.

Questions for any MDR vendor

If you are evaluating MDR providers, these are the four questions that surface the substance underneath the marketing.

1. Where is the SOC physically located, and what’s the analyst rotation?

Some MDR providers run analyst pools in Australia. Most run a follow-the-sun model with analysts in the US, Europe, India, or the Philippines. Both can work. The wrong answer is evasiveness — “global coverage” usually means “we cannot tell you where the person looking at your environment at 3am actually is”. You want a clear answer and a clear tier-2 escalation path.

2. What’s the SLA for high-severity response, and what counts as high-severity?

A contracted SLA is the difference between MDR and “we’ll get to it”. Typical SMB-tier SLAs are 15 minutes to acknowledge, 30 minutes to begin containment on critical-severity incidents. The definition of severity matters as much as the time on the clock — if every alert is severity-low, the SLAs are theatre.

3. Is incident response retainer included, or extra?

When an alert turns into a confirmed breach, who runs the incident? Some MDR contracts include a defined number of IR hours per year; most charge separately under a separate engagement. Neither is wrong, but you want to know which one applies before you need it. Calling a forensics firm during a live ransomware event is a bad time to negotiate hourly rates.

4. Can we see a sample monthly report?

Reporting is the artefact you live with month to month. A good MDR report shows what was seen, what was actioned, trending data on the environment’s security posture, and where the gaps are. A bad report is a screenshot of a dashboard with a logo on it. Ask for a redacted sample before you sign — vendors who refuse this are usually hiding the answer.

The economics nobody quotes

A genuine 24/7 SOC needs five to seven analysts to staff three shifts with overlap, leave cover, and tier-2 escalation. At Australian salaries that is north of a million dollars in fully-loaded headcount before you have bought a single tool. Which is why almost no SMB runs its own SOC, and almost every MDR provider — Symsafe included — runs on shared analyst pools that watch many tenants concurrently.

Shared pools are fine. They are how this market works at SMB scale. They are also why the vendor questions above matter — at shared-pool scale the difference between a competent provider and an indifferent one is whether the analysts understand your environment well enough to spot the alerts that are real, fast.

The wrong question is “how do I get a dedicated SOC”. The right questions are “what does the provider’s runbook look like for my environment” and “what do their monthly reports show me”.


Background reading: IBM, “Cost of a Data Breach Report 2025”; ACSC Annual Cyber Threat Report.