What's the difference between EDR, MDR, and XDR?

These three acronyms get tangled in marketing copy. Here's the clean separation:

EDR — Endpoint Detection and Response

Scope: Endpoints only (PCs, laptops, servers). Operation: Software platform you deploy and manage yourself (or via MSP). Generates alerts, automated responses possible. You/your team handles investigation and response decisions.

MDR — Managed Detection and Response

Scope: Usually endpoint-focused, increasingly broader. Operation: EDR technology plus a 24/7 SOC of human analysts. Service provider investigates alerts, takes response actions, escalates real incidents. You don't have to staff a security team.

XDR — Extended Detection and Response

Scope: Endpoints PLUS identity (Microsoft 365, Entra ID, Okta), email, cloud workloads (Azure, AWS), network, and SaaS apps. Operation: Correlates signals across all those sources to detect attacks that touch multiple surfaces. Can be self-managed (XDR platform) or managed (MXDR — managed XDR).

Choosing the right one

• Small business, limited budget: EDR + Microsoft Defender for Office 365 covers the basics
• Mid-market, no internal security staff: MDR makes the most sense — outsource the analyst function
• Larger organization with mature security team: XDR platform (Microsoft Defender XDR, CrowdStrike Falcon, SentinelOne Singularity) with internal SOC
• Larger organization without security team: Managed XDR (MXDR) service combining XDR scope with managed SOC

The market is increasingly converging: most "MDR" services now include identity and email signals, blurring the line with MXDR. The labels matter less than the actual scope.