EDR for Small Business: What to Deploy, How to Configure, and What It Costs
EDR becomes worth the overhead around 50 to 75 employees. Here's what to deploy, how to configure it, what it costs, and the gaps that break programs in year two.
Josh Zweig
June 10, 2026
Key Takeaways
- For many teams, EDR starts becoming worth the overhead around 50 to 75 employees, and earlier if you're in healthcare, fintech, or selling to enterprise customers.
- Ransomware was present in 88% of small business breaches in 2025, and many of those attacks rely on common intrusion methods such as credential abuse and phishing that routinely evade traditional antivirus alone.
- EDR only protects you when it's deployed and configured correctly.
- Managed detection and response (MDR) paired with EDR costs a fraction of one security analyst's $124,910 median salary, and one analyst alone cannot provide continuous 24/7 alert coverage without gaps.
- The most common EDR failure mode is "installed but not protecting": agents deployed in detection-only mode that never transition to prevention because no one owns the milestone.
An employee installs a malicious VS Code extension disguised as a legitimate developer tool on their first day. The attacker walks away with prod credentials, source code, and an active session to internal systems.
In May 2026, a compromised Nx Console extension led to the exfiltration of approximately 3,800 internal GitHub repositories after a single employee installed the wrong extension. If Microsoft-owned GitHub can get hit this way, a 50-person company without a security team is squarely in the blast radius.
Companies that already have endpoint detection and response (EDR) often still have weaker protection than the dashboard suggests. The dashboard says 100%, but the real number is usually much lower. Agents sit in detection-only mode, go stale, or never get installed on unmanaged devices in the first place. CISA has documented the same pattern: in one assessment, EDR caught a phishing payload, but defenders "neither read nor responded to" the alert.
Whether EDR is the right call comes down to where you are in your growth, what you deploy, how you configure it, what it costs to run, and who owns the work in year two when the configuration starts to drift.
Want CrowdStrike deployed, configured, and continuously monitored without hiring a security team? Get a quote from Zip.
When Small Businesses Actually Need EDR
EDR becomes necessary at different points depending on company risk. A very small startup with no customer data can often wait longer. A larger company in a regulated or high-scrutiny environment often can't. The three variables that move the threshold are the same ones that attackers and enterprise buyers look at: company size, revenue, and industry.
Employee Count
For many small business teams, EDR starts becoming worth the overhead somewhere around 50 to 75 employees. Below that, teams can often prioritize lighter controls first and still cover the most realistic threats at that stage.
As teams grow, the environment usually gets harder to secure consistently: more endpoints, more SaaS sprawl, faster onboarding, and more identities to manage. The informal trust model that works at very small size becomes harder to sustain as headcount climbs.
Revenue
Revenue triggers two things. First, ransomware operators run economic targeting: they look at who can pay. The 2025 Verizon DBIR found 99% of small business breaches were financially motivated. Second, revenue brings enterprise customers, and enterprise customers send security questionnaires that explicitly ask about EDR coverage.
If a Fortune 500 customer sends the questionnaire before you've thought through EDR, the process gets harder. Better to have the controls running and the evidence ready before the question arrives. Compliance is an operating posture, and the controls have to stay deployed, configured, and enforced before the questionnaire arrives and between audits.
Industry
Some industries cross the threshold earlier regardless of headcount. Healthcare, fintech, and any business handling sensitive consumer data face endpoint protection expectations from regulators and major frameworks alike. SOC 2 CC6.8 requires controls against unauthorized or malicious software, HHS's Health Industry Cybersecurity Practices names endpoint protection as Practice #2, and the FTC's Start with Security guide calls out "EDR/XDR tools" by name.
These frameworks and customer requirements only help if the underlying controls are actually running. For teams pursuing SOC 2, signing Business Associate Agreements (BAAs), or answering enterprise diligence, endpoint protections have to stay enforced continuously.
Who Doesn't Need EDR Yet
A very small consultancy with no personally identifiable information (PII) and no enterprise customers can often wait. Strong Mobile Device Management (MDM), multi-factor authentication (MFA) everywhere, managed Chrome, and good identity hygiene cover the realistic threats at that scale. There's only so much room in most security budgets, and a pragmatic risk portfolio means spending first where the exposure is highest.
What EDR Actually Catches (and What Antivirus Misses)
Ransomware was present in 88% of small business breaches in the 2025 DBIR, compared to 39% for large organizations. That asymmetry matters because it tells you where the threat is concentrated, and it tells you what your defenses need to stop. The defenses most small businesses already have aren't built for it.
Traditional antivirus scans files against known signatures, which works against known malware. Attackers route around it by using legitimate tools, running code in memory, or moving with stolen credentials.
- Living-off-the-land attacks use built-in Windows tools that antivirus already trusts. CISA's Volt Typhoon advisory documented attackers maintaining access for five years this way, using PowerShell, WMI, and RDP without triggering alerts.
- Fileless attacks operate in memory. Nothing is written to disk, so the antivirus has no object to inspect.
- Lateral movement uses stolen credentials to move between machines. To an antivirus, this looks identical to a real administrator logging in.
EDR catches all three. Instead of scanning individual files or commands, it evaluates whether a sequence of behavior is suspicious. NIST's SP 1800-24C describes EDR as performing "behavioral analytics on endpoint events... to identify potentially malicious behavior." That behavioral layer catches the poisoned VS Code extension, the encoded PowerShell command, and the credential-theft chain that antivirus treats as normal administrative activity.
For companies pursuing SOC 2, handling HIPAA-covered data, or answering enterprise security questionnaires, EDR generates the kind of evidence auditors ask for across multiple controls. The agent produces continuous logs of what is executed on each device, alerts when something suspicious runs, and documents the response when an incident occurs. That evidence only shows up when the control is live in the environment every day.
What to Deploy: Selection Criteria That Matter for Lean Teams
Once EDR moves from "nice to have" to "deploy this quarter," the next question is which one. Picking EDR without a dedicated security team means optimizing for different things than an enterprise buyer would. What matters most is what the tool does by default, what it covers without configuration, and what happens at 2 a.m. when no one is watching.
Managed Detection Often Beats Unmanaged Detection
Lean teams usually need to decide whether to self-manage EDR or pair it with managed detection and response (MDR), which provides 24/7 human monitoring and triage. NIST SP 800-172 explicitly acknowledges that "smaller organizations may employ third-party organizations to provide such a capability."
| Team Type | Endpoints | Recommendation |
|---|---|---|
| Founder, no IT staff | Under 50 | Fully managed MDR |
| Solo IT generalist | 50 to 150 | MDR with console access |
| Fractional CISO across clients | Varies | MDR with EDR console access |
| IT team of two to three | 150+ | Self-managed EDR with MDR escalation |
The pattern across all four rows is the same: when there's no full-time analyst watching alerts around the clock, the MDR layer is what turns the EDR agent from a logging tool into actual protection. Without it, detection becomes a part-time job for whoever happens to be looking at the dashboard that week.
Cross-Platform Coverage on Every Device
CISA's StopRansomware Guide recommends EDR "on all assets," and for most small businesses that means a mixed fleet of Windows servers, Windows laptops, and macOS developer machines. Many EDR vendors ship Windows as the first-class product and macOS as a port, which leaves Mac users with feature gaps, slower threat coverage, or missing detection rules. Since developer machines are usually the most valuable target, as the GitHub incident showed, Mac parity is not optional.
Agent Self-Protection
Ransomware groups are increasingly using Bring Your Own Vulnerable Driver (BYOVD) techniques to kill EDR agents before payload execution. These attacks load legitimate signed drivers with known vulnerabilities to terminate security processes from the kernel level. ESET has documented 54 EDR killers using this technique to abuse 35 vulnerable drivers. Confirm tamper protection is enabled by default, not buried in a settings page.
Integration with Your MDM and Identity Provider
The Australian Cyber Security Centre (ASD's ACSC) has documented personal-device infostealers as a confirmed corporate breach vector. Malware on an employee's compromised personal device harvests corporate credentials, and the attacker inherits authenticated access to company systems. Connecting EDR to your device management and identity provider platforms lets you block unmanaged devices from accessing company resources in the first place.
Each of these criteria narrows the EDR options. None of them matter if the deployment is wrong.
How to Configure: The Detection-to-Prevention Path
Picking the right EDR is the easy part. Configuring it correctly is where most small business deployments fall short. Skipping any of the standard steps creates the "installed but not protecting" gap CISA has documented across multiple assessments.
Step 1: Plan Your Host Groups Before Installing Anything
Before deploying anything, segment your fleet into host groups so each machine type gets the right starting policy. Mixed policies prevent the false positives that erode trust in the agent and the disruption that gets prevention rolled back later.
| Host Group | Starting Policy | Why |
|---|---|---|
| Standard workstations | Detection-only | Baseline observation |
| Developer machines | Detection-only, longer soak | Build tools trigger false positives |
| Critical servers | Detection-only, longest soak | Highest disruption risk |
| Web-facing servers | Detection-only | Exposure-driven prioritization |
Developer machines deserve special attention. Build tools, package managers, and IDE extensions look like malicious activity to EDR by design, and they also become the malicious activity vector when an extension goes bad, which is exactly what happened in the GitHub incident. That dual nature is why developer host groups need their own policy rather than the standard workstation profile.
Step 2: Deploy the Agent via MDM
Push the agent through your MDM, such as Jamf on macOS or Microsoft Intune on Windows. Two platform-specific gotchas trip teams up at this step. On macOS, the configuration profile must land on the device before the sensor package, or the installation stalls. On Windows, the endpoint firewall must permit sensor traffic, or the agent installs silently with zero telemetry, exactly the failure mode that looks like 100% coverage in the dashboard.
Step 3: Run a Detection-Only Soak Period
Start in detection-only to capture telemetry and surface false positives without blocking legitimate work, and plan a longer soak for developer machines where build and code-signing workflows trigger detections that resemble malicious activity.
Step 4: Transition to Prevention
Enable prevention one host group at a time, starting with standard workstations. Two CrowdStrike capabilities are off by default and leave real gaps even after prevention is on: File System Containment (blocks ransomware propagating over SMB network shares) and kernel attack prevention (blocks BYOVD). Both require manual enablement.
For developer machines, use a separate prevention policy with ML sensitivity (how aggressively the tool blocks suspicious behavior) set lower while keeping detection enabled.
Step 5: Maintain the Deployment
Sensors need updates, prevention policies need periodic review, and exclusion lists need auditing. Allowlist entries added for valid reasons accumulate into blind spots attackers can route through if nobody revisits them. Controls drift after deployment, and if you're using EDR to support SOC 2, HIPAA, or customer diligence, that maintenance between audits is the work.
What Changes When You Don't Run This Yourself
Every step above is correct. The question is who's going to do them, and who's going to keep doing them when the auditor isn't looking. For lean teams without a dedicated security operator, that's the real decision.
Zip closes that gap on CrowdStrike specifically. Volume pricing with licenses in the customer's name. Fleet-wide rollout in 14 days or less. The detection-to-prevention soak is handled per host group. Continuous agent health monitoring, so the silent-failure mode, where an agent stops reporting after an OS update, gets caught in real time instead of at audit. The MDR layer at Zip Advanced for 24/7 escalation. No multi-year lock-ins, no enterprise minimums.
In one case, this stack detected and blocked a Russian-linked malvertising campaign targeting an Observa client employee before it became a compromise. The agent was deployed, healthy, in prevention mode, and being watched. That combination is the difference between "we have CrowdStrike" and "CrowdStrike is protecting us."
What It Costs: Real Numbers for Small Businesses
EDR costs come in two layers. The license itself runs per device per year, and the total spend depends on whether you self-manage or pay someone to run it for you.
EDR License Costs
CrowdStrike's published pricing:
| Tier | Price/Device/Year | EDR? |
|---|---|---|
| Falcon Go | $59.99 | No |
| Falcon Pro | $99.99 | Yes, EDR starts here |
| Falcon Enterprise | $184.99 | EDR + XDR |
| Falcon Complete | Contact sales | Fully managed MDR |
Falcon Pro is the floor for actual EDR. Falcon Go skips it entirely; Enterprise adds XDR for environments that need broader telemetry beyond endpoints. Most small businesses sit at Pro or Enterprise.
Total Annual Costs at Small Business Scale
The per-device price is the sticker. Once you factor in whether someone has to actively manage the agent, the picture changes.
| Approach | 50 Endpoints | 150 Endpoints |
|---|---|---|
| Falcon Pro (self-managed) | $5,000 | $15,000 |
| Falcon Enterprise (self-managed) | $9,250 | $27,750 |
| Managed EDR service | Varies by provider | Varies by provider |
| Security analyst median salary | $124,910 | $124,910 |
Managed EDR can provide 24/7 monitoring for your endpoints, while one person alone cannot cover every hour of the week without gaps. According to IBM's 2025 Data Breach Report, organizations with a high-level security skills shortage paid $5.22M per breach on average versus $3.65M for those with little or no shortage. The math often favors managed services at this scale. Zip's volume procurement brings CrowdStrike pricing down (BD Emerson documented a 40% reduction in CrowdStrike licensing for its clients through Zip) and includes the MDR layer in the same package.
Five Mistakes That Break EDR Programs at Small Businesses
Every step in the configuration path above has the same dependency: the agent isn't the program. Someone has to run the deployment, someone has to watch the alerts, and someone has to revisit the policy when the environment shifts. When that scaffolding around the technical control gives way, the five recurring mistakes below show up.
1. The Coverage Illusion (Process Gap)
Assuming EDR covers every device without verifying against a complete asset inventory. CISA recommends an asset management tool to confirm coverage matches the actual device count. The dashboard says 100%, but gaps in legacy environments and unmanaged devices tell a different story. This gap comes from missing operational processes.
2. Stuck in Detection-Only Mode (Process Gap)
Detection-only is the right starting point. Leaving it there permanently means EDR faithfully logs ransomware executing, lateral movement progressing, and credentials being stolen, without stopping any of it. The transition to prevention requires someone owning the milestone. Without that owner, the soak period becomes permanent.
3. Alert Fatigue Turning Into Ignored Alerts (People Gap)
High alert volumes can push lean teams into triage paralysis. CISA has documented the downstream version of this failure mode: in one CISA assessment, an EDR alert was generated and defenders "neither read nor responded to" it. For many smaller teams, MDR is a practical way to keep detections from going unread outside business hours.
4. Exclusion Sprawl (Process Gap)
Each allowlist entry has a valid reason at creation. Without periodic review, exclusions accumulate into detection blind spots that attackers can deliberately route through.
5. Configuration Drift Across Environments (Technical and Process Gap)
Emergency changes during incidents, settings reset by software updates, and ad hoc analyst actions that never get documented all add up. Policies configured correctly at deployment drift silently over time, and staying configured correctly takes ongoing work that nothing else in the environment will do for you.
That ongoing work is why year two gets harder. Between audits, the technical control can drift, the process cadence can fade, and the people who were supposed to review alerts, exclusions, and rollout milestones can change. If you're relying on EDR for compliance outcomes, it has to keep working after the first audit window closes.
Zip's automated enforcement handles this directly through continuous agent health monitoring and self-healing security, catching gaps before they surface at audit or during an incident.
Putting It Together
Four things matter most: cross-platform coverage with tamper protection, MDM-based deployment with proper staging, a detection-only soak before prevention, and MDR if no dedicated analyst is watching alerts. All four drift between audits without someone owning them.
Zip owns them for fractional CISOs, solo IT operators, and founders without a security team, delivering CrowdStrike at volume pricing, configured per the steps above, and monitored continuously so EDR is actively protecting your fleet instead of sitting on it.
Get a quote from Zip and see how fast a 14-day deployment really is.
FAQs About EDR for Small Business
Is antivirus enough, or do small businesses need EDR?
Antivirus catches known malware files. It misses fileless attacks and living-off-the-land techniques using built-in system tools. It also misses lateral movement with stolen credentials. These are common attack methods associated with ransomware and related endpoint compromises in small business environments.
What's the difference between EDR and MDR?
EDR is the software agent running on your endpoints that detects and blocks threats. MDR is a service layer on top: a team of analysts monitoring your EDR alerts 24/7, triaging them, and responding to real incidents. Without that service layer, smaller teams often struggle to keep alerts covered outside business hours.
Does SOC 2 require EDR?
SOC 2 CC6.8 is technology-neutral and requires controls to detect and act on malicious software. Organizations often use controls such as EDR to help satisfy CC6.8 because they support detection, behavioral analysis, and response.
How do I know if my EDR is actually protecting my devices?
Match agent deployment percentage against your full device inventory and the EDR dashboard. Confirm prevention mode is enabled and detection-only has ended. Verify that agents are actively reporting current telemetry. If you can't answer all of that from a single view, you likely have coverage gaps.
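The check this answer describes, together with the coverage-illusion, stuck-in-detection-only and exclusion-sprawl mistakes above, as an added example that is not the page's or any vendor's tooling: it reconciles a constructed MDM inventory against a constructed EDR agent export and exclusion list, and reports the "dashboard" coverage number next to the share of devices that are actually enforcing prevention. The field names (`host`, `last_seen`, `policy_mode`, `owner`) are assumptions, not a real export schema.

```python
"""Reconcile an MDM inventory against an EDR agent export.

Finds the gaps the article calls "installed but not protecting": devices with no
agent, agents gone stale, agents still in detection-only mode, and exclusions
that are past review or have no owner. All input below is constructed sample
data; the field names are assumptions, not any vendor's real export schema.
"""
from datetime import date, timedelta

# Constructed MDM inventory: every device the business manages, by hostname.
MDM_INVENTORY = {"ws-alice", "ws-bob", "ws-erin", "dev-carol", "dev-dan", "srv-db01", "srv-web01"}

# Constructed EDR agent export. policy_mode is "detect" (detection-only) or "prevent".
EDR_AGENTS = [
    {"host": "ws-alice",  "last_seen": "2026-06-09", "policy_mode": "prevent"},
    {"host": "ws-bob",    "last_seen": "2026-05-20", "policy_mode": "prevent"},  # stopped reporting
    {"host": "dev-carol", "last_seen": "2026-06-10", "policy_mode": "detect"},   # soak never ended
    {"host": "srv-db01",  "last_seen": "2026-06-10", "policy_mode": "prevent"},
    {"host": "srv-web01", "last_seen": "2026-06-10", "policy_mode": "detect"},   # soak never ended
    {"host": "mac-guest", "last_seen": "2026-06-10", "policy_mode": "prevent"},  # never enrolled in MDM
]

# Constructed exclusion list: path, date added, and the person who owns the entry.
EXCLUSIONS = [
    {"path": "C:\\BuildTools\\*", "added": "2025-11-01", "owner": "dev-lead"},
    {"path": "/Users/*/.npm/*", "added": "2026-05-28", "owner": "dev-lead"},
    {"path": "C:\\Temp\\legacy-installer.exe", "added": "2025-09-15", "owner": ""},
]


def audit(inventory, agents, exclusions, today, stale_days=7, review_days=180):
    """Return the gaps between 'agent installed' and 'device protected' as of `today` (ISO date)."""
    now = date.fromisoformat(today)
    stale_cutoff = now - timedelta(days=stale_days)
    review_cutoff = now - timedelta(days=review_days)
    seen = {a["host"] for a in agents}

    def is_stale(agent):
        return date.fromisoformat(agent["last_seen"]) < stale_cutoff

    def pct(count):
        return round(100 * count / len(inventory), 1)

    # A device only counts as protected if it is in inventory, reporting recent
    # telemetry, and enforcing a prevention policy. Everything else is a gap.
    protected = {a["host"] for a in agents
                 if a["host"] in inventory and not is_stale(a) and a["policy_mode"] == "prevent"}
    return {
        "missing": sorted(inventory - seen),            # coverage illusion: no agent at all
        "unknown": sorted(seen - inventory),            # agent on a device MDM does not know about
        "stale": sorted(a["host"] for a in agents if is_stale(a)),
        "detect_only": sorted(a["host"] for a in agents if a["policy_mode"] != "prevent"),
        "exclusions_due": sorted(e["path"] for e in exclusions
                                 if not e["owner"] or date.fromisoformat(e["added"]) < review_cutoff),
        "coverage_pct": pct(len(seen & inventory)),     # the number the dashboard shows
        "protected_pct": pct(len(protected)),           # the number that matters
    }


if __name__ == "__main__":
    for key, value in audit(MDM_INVENTORY, EDR_AGENTS, EXCLUSIONS, "2026-06-10").items():
        print(f"{key:15} {value}")
```

On the sample data the dashboard-style coverage is 71.4% while only 28.6% of the fleet is fresh, in prevention mode, and known to MDM; the remaining rows are the exact list of owners to chase before the next questionnaire or audit.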
At what size does a company actually need EDR?
For many teams, somewhere between 50 and 75 employees is when EDR starts becoming worth the overhead. Earlier if you're in a regulated industry, selling to enterprise customers, or handling sensitive consumer data.
What does XDR mean?
Extended detection and response (XDR) refers to broader detection and response capabilities beyond endpoint telemetry alone. In this guide, the main distinction is that Falcon Enterprise includes EDR + XDR in the pricing table.