EDR vs MDR vs Antivirus: Which Does a UK Small Business Actually Need?

This EDR vs MDR vs antivirus UK comparison covers what you need to know. Here’s the uncomfortable truth most Edinburgh business owners don’t hear until after an incident: antivirus hasn’t been the answer to cyberattacks for over a decade. It blocks known threats. It doesn’t catch the ones that matter.
43% of UK businesses experienced a cyber breach in 2025 (DSIT Cyber Security Breaches Survey 2025). The overwhelming majority of those businesses had antivirus installed. It just wasn’t enough.
So you’ve heard about EDR and MDR. Vendors throw these terms around in ways that feel designed to confuse rather than clarify. This guide cuts through that. By the end you’ll know exactly what each layer does, what it doesn’t do, and – critically – which one your Edinburgh business actually needs based on one simple question about your team.
TL;DR: Antivirus blocks known threats but can’t detect novel attacks or respond to them. EDR adds continuous telemetry and detection but needs someone to act on the alerts. MDR adds a 24/7 human SOC that acts on your behalf. For most Edinburgh SMEs without an in-house security analyst, MDR is the answer. 71% of SMBs now prefer bundled prevention, detection, and response (OpenText Cybersecurity 2025 Global Managed Security Survey).
What Does Antivirus Actually Do – and Where Does It Stop?
Antivirus protects against known threats using signature matching, according to the DSIT Cyber Security Breaches Survey (2025). It compares files against a database of malware patterns and blocks matches. Traditional antivirus catches what it recognises. The problem is that 85% of breached UK organisations were hit by phishing (DSIT 2025) – and modern phishing payloads are engineered specifically to evade signature detection.
That’s the first gap. Antivirus works well against commodity malware that’s been circulating for months. It struggles against attacks that use legitimate tools, fileless techniques, or novel ransomware variants that haven’t yet made it into any signature database.
The second gap is response. Even “next-gen” antivirus products that add behavioural detection don’t include anyone who investigates what they find. They log it. They might quarantine a file. Then they wait for you to notice.
Ransomware has doubled year-on-year from under 0.5% to 1% of UK businesses (DSIT Cyber Security Breaches Survey 2025). In most of those cases, the attacker was inside the environment for days or weeks before deploying the ransomware payload. Antivirus didn’t catch the early stages because the attacker used legitimate Windows tools – PowerShell, WMI, scheduled tasks – to move quietly through the network.
Antivirus covers signature-based malware detection but has a fundamental response gap. According to DSIT’s Cyber Security Breaches Survey 2025, 85% of breached UK businesses were hit by phishing – an attack vector that typically delivers novel or slightly modified payloads specifically designed to bypass signature-based defences.
Typical antivirus cost: £3-5 per endpoint per month (market rates, 2025).
Antivirus is the right choice if: your risk appetite is low, your data has minimal breach value, and you accept that detection and response must be handled manually.
Antivirus alone is not sufficient if: you hold client financial data, legal files, health records, or process payments above £10,000 per transaction.
What Is EDR – Detection and Telemetry Without the Response?
Forrester (2025) found that EDR – Endpoint Detection and Response – is a significant upgrade from antivirus. Instead of checking files against a signature list, EDR installs a lightweight agent on every device that continuously records process activity, network connections, registry changes, and file operations. This telemetry streams to a cloud SIEM (security information and event management platform), where AI models analyse it for anomalous patterns.
Microsoft Defender for Business (included in M365 Business Premium) is EDR Plan 1. SentinelOne, CrowdStrike Falcon Go, and Sophos Intercept X are standalone EDR products. All of them give you a console where you can see exactly what happened on any device – what process ran, what files it touched, what network connections it made.
The catch is in the name: Detection and Response. EDR does the detection. It gives you the data. The response part still requires a human analyst who sees the alert, understands what it means, and takes action.
This is the operational gap that catches Edinburgh SMEs out. An EDR console showing a high-severity alert at 3am on a Saturday is only useful if someone is watching it and knows what to do. For most businesses under 100 employees, that someone doesn’t exist in-house.
That’s not a criticism of EDR as a technology – it’s genuinely excellent. It’s a recognition that the tool and the operational capability to use it are two different things.
UK organisations with AI security automation save £670,000 per breach compared to those without (IBM Cost of a Data Breach 2025). EDR platforms increasingly incorporate AI-driven automated responses – isolating an infected device, blocking a malicious process – but complex investigation and threat-hunting still require a human. EDR automates the capture; it doesn’t automate the judgement.
Typical EDR cost: £5-8 per endpoint per month (market rates, 2025).
EDR is the right choice if: you have an in-house IT manager or security analyst with the time and expertise to monitor the console daily, triage alerts, and respond to incidents within hours of detection.
What Is MDR – the 24/7 SOC Layer That Acts on Your Behalf?
Forrester (2025) shows that MDR – Managed Detection and Response – is what happens when you take an EDR platform and add a Security Operations Centre (SOC) staffed by human analysts around the clock. You still get the telemetry and detection capability. But now there’s a trained analyst who sees the alert, investigates it, determines whether it’s a genuine threat, and either responds directly or contacts you with a clear action.
The critical difference from EDR isn’t the technology. It’s the operational model. MDR providers offer co-managed or fully managed SOC services with defined response SLAs – typically 15-60 minutes from alert to analyst review.
Why does this matter for Edinburgh SMEs? Because the median EMEA threat dwell time is 22 days (Mandiant M-Trends 2025). Attackers are inside the average European organisation for more than three weeks before anyone notices. Without someone actively hunting for anomalous behaviour, the alerts sitting in your EDR console are just noise that nobody processes.
MDR providers like Sophos, OpenText Core MDR, and CrowdStrike Falcon Complete include threat-hunting – proactive searches for attacker behaviour that hasn’t yet triggered an automated alert. This is where MDR genuinely separates from EDR. An attacker using legitimate tools to move quietly through your network may not trigger any automated alert for days. A human threat-hunter knows what to look for.
71% of SMBs now prefer bundled prevention, detection, and response services rather than managing separate tools (OpenText Cybersecurity 2025 Global Managed Security Survey, n=1,019 MSPs). That preference reflects a practical reality: most small businesses don’t have the internal resource to run separate tools well.
Typical MDR cost: £8-15 per endpoint per month (market rates, 2025).
MDR is the right choice if: you don’t have a 24/7 in-house security analyst (i.e., virtually every Edinburgh SME under 200 employees), you hold sensitive client data, or your cyber insurance renewal is asking for evidence of active monitoring.
How Each Layer Handles Three Real Edinburgh Attack Scenarios
Theory is useful. Scenarios are more useful. Here’s how antivirus, EDR, and MDR perform against the three attack types most commonly affecting Edinburgh professional services firms, drawing on the DSIT Cyber Security Breaches Survey 2025.
Scenario 1: A Phishing Payload Lands in Your Inbox
An Edinburgh accountant clicks a convincing invoice link. The page harvests their Microsoft 365 credentials. The attacker logs in from Eastern Europe 40 minutes later.
- Antivirus: May flag the landing page if it’s in a known blocklist. Won’t detect the credential theft. Won’t notice the foreign login unless you have conditional access policies configured.
- EDR: Detects the anomalous login (unusual geography, unusual time). Creates an alert in the console. Alert sits unreviewed until Monday morning.
- MDR: Analyst sees the anomalous login alert within minutes. Confirms it’s a genuine threat. Terminates the session, forces a password reset, and calls you – before the attacker has had time to exfiltrate anything.
Scenario 2: Ransomware – Stage 1 Reconnaissance
An attacker lands via an unpatched VPN client. They spend five days mapping your network using legitimate Windows admin tools. No malware is deployed yet.
- Antivirus: Nothing to detect. No malware signatures present. Completely blind.
- EDR: Telemetry records the unusual process chains – admin tools running from unexpected parent processes, lateral movement between devices, credential dumping from LSASS. Alerts fire. Nobody investigates them.
- MDR: Analyst reviews the lateral movement alerts on day one. Recognises the LSASS dump as a credential theft technique. Isolates the entry point and contacts you before ransomware is ever deployed.
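The detection-versus-response split in Scenarios 1 and 2, as an added illustration that is not code from the original article or from any vendor named in it: a handful of EDR-style rules run over constructed sign-in and process telemetry (the user, host, country codes, tool lists and playbook text are all made up), producing alerts that then either get actioned or sit unreviewed depending on whether an analyst is on duty.

```python
# Added illustration, not code from the original article. Constructed telemetry:
# a phished account signing in from abroad (Scenario 1) and a "living off the
# land" reconnaissance chain ending in an LSASS dump (Scenario 2).
SIGNINS = [
    {"user": "a.smith", "country": "GB", "hour": 9, "result": "success"},
    {"user": "a.smith", "country": "RO", "hour": 9, "result": "success"},  # 40 min later
]
PROCESSES = [
    {"host": "FIN-PC01", "parent": "outlook.exe", "image": "powershell.exe", "target": None},
    {"host": "FIN-PC01", "parent": "powershell.exe", "image": "wmic.exe", "target": None},
    {"host": "FIN-PC01", "parent": "powershell.exe", "image": "procdump.exe", "target": "lsass.exe"},
    {"host": "FIN-PC01", "parent": "explorer.exe", "image": "excel.exe", "target": None},
]

# Admin tools attackers reuse, and user apps that should never spawn them (illustrative lists).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe"}
USER_APPS = {"outlook.exe", "winword.exe", "excel.exe", "msedge.exe"}
HOME_COUNTRIES = {"GB"}
BUSINESS_HOURS = range(7, 20)

def detect_signins(events):
    """Flag successful sign-ins from outside home countries or business hours."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["country"] not in HOME_COUNTRIES:
            alerts.append(("HIGH", "unusual-geo-login", e["user"]))
        elif e["hour"] not in BUSINESS_HOURS:
            alerts.append(("MEDIUM", "out-of-hours-login", e["user"]))
    return alerts

def detect_processes(events):
    """Flag LSASS access and admin tools launched by user-facing applications."""
    alerts = []
    for e in events:
        if e["target"] == "lsass.exe":
            alerts.append(("CRITICAL", "lsass-access", e["host"]))
        elif e["image"] in ADMIN_TOOLS and e["parent"] in USER_APPS:
            alerts.append(("HIGH", "admin-tool-from-user-app", e["host"]))
    return alerts

# Response playbook an on-duty analyst applies; with nobody on duty the alerts just accumulate.
RESPONSE = {
    "unusual-geo-login": "revoke sessions, force password reset, notify user",
    "out-of-hours-login": "confirm with user, review MFA prompts",
    "lsass-access": "isolate host, rotate exposed credentials",
    "admin-tool-from-user-app": "pull process tree, quarantine if malicious",
}

def triage(alerts, analyst_on_duty):
    if not analyst_on_duty:
        return {"actioned": [], "unreviewed": list(alerts)}
    return {"actioned": [(a, RESPONSE[a[1]]) for a in alerts], "unreviewed": []}
```

Running `triage(detect_signins(SIGNINS) + detect_processes(PROCESSES), analyst_on_duty=False)` shows all three alerts in `unreviewed`, which is the Saturday-3am console the article describes; the same call with an analyst on duty maps each alert to a response action.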
Scenario 3: BYOL AI Data Exfiltration
Our view: Based on what we see across our client base, this aligns with the broader industry direction.
An employee at an Edinburgh law firm pastes a client contract into a personal ChatGPT account to summarise it. This is a data exfiltration event – client privileged data has just left your security perimeter. Antivirus can’t see it. EDR may log the browser session but won’t flag it as a security event. MDR combined with a CASB (Cloud Access Security Broker, already included in M365 Business Premium) can detect the upload and trigger a DLP alert. Without the CASB layer, all three tools are blind to this scenario.
This is the emerging threat that Edinburgh professional services firms aren’t prepared for. The fix isn’t MDR alone – it’s MDR plus the CASB controls in M365 Business Premium that most firms aren’t using.
Comparing AV, EDR, and MDR Across Five Dimensions
What’s the Price Difference – and Is MDR Worth It?
Here is the honest pricing picture for a 50-person Edinburgh business, drawing on Forrester (2025) and 2025 market rates:
| Layer | Est. monthly cost (50 seats) | What you get |
|---|---|---|
| Antivirus only | £150-250/month | Signature detection. No response. |
| EDR only | £250-400/month | Full telemetry. Alerts. No 24/7 analyst. |
| MDR (bundled) | £400-750/month | 24/7 SOC. Active response. Threat hunting. |
These are indicative market rates for 2025. Actual pricing depends on the vendor and MSP.
The comparison that matters isn’t MDR cost vs zero. It’s MDR cost vs breach cost. The average UK data breach costs £3.29m (IBM Cost of a Data Breach 2025). MDR for a 50-person firm runs roughly £6,000-9,000 per year. You’d need one significant breach averted every 366 years for the maths not to work in MDR’s favour.
For most Edinburgh SMEs, the real question is whether they can absorb the operational disruption of a ransomware incident – even if the financial loss is manageable.
Three Questions to Find Your Level
Our experience: Our Edinburgh client engagements consistently show this pattern in practice.
We’ve found these three questions reliably identify which layer an Edinburgh client actually needs:
Question 1: Do you have someone watching security alerts 24 hours a day?
If the answer is no, EDR alone creates a false sense of security. You have the data but nobody acting on it. That gap is exactly what attackers exploit.
Question 2: Does your cyber insurance policy require evidence of active monitoring?
UK cyber insurers increasingly ask for documented monitoring as a condition of coverage – or use its absence to deny claims after an incident. If your renewal is coming up, check the policy wording now.
Question 3: Would a 22-day breach dwell time be acceptable to your clients or regulators?
For Edinburgh law firms, accountancy practices, and financial advisers, the answer is almost certainly no. A 22-day window of undetected access to client files is a material data breach with mandatory ICO notification.
If you answered no, yes, and no to those three questions, you need MDR. That’s most Edinburgh professional services firms.
Which Option Is Right for Edinburgh SMEs – Under 50 vs 50-250 Seats?
Under 50 Seats
According to UK professional services research (2025), the budget concern is real. But the risk profile for a 30-person Edinburgh accountancy practice is not low. They hold client personal financial data, process tax returns, and maintain Companies House filing authority for clients. That’s a target.
Our recommendation: MDR bundled with your endpoint protection. The OpenText Secure Cloud Platform, Sophos MDR, and Microsoft Defender for Business with a managed SOC partner all offer pricing that works at this scale. The co-managed model means the MSP’s SOC handles 24/7 monitoring; you handle day-to-day IT. You’re not paying for a full in-house security analyst – you’re sharing one.
50-250 Seats
At this scale, you’ve likely got an IT manager in-house. They probably have Defender for Business switched on as part of M365 Business Premium. The question is whether they have capacity to monitor the EDR console daily, respond to alerts within hours, and conduct proactive threat-hunting on top of their normal workload.
Realistically, most in-house IT managers at this scale are managing helpdesk tickets, onboarding, and infrastructure – not running a SOC. Our recommendation: use Defender for Business (already paid for) as your EDR layer and add Sophos MDR Complete or OpenText Core MDR as the SOC layer on top.
This gives you the best of both worlds – you’re not replacing your existing investment, you’re adding the 24/7 response capability that turns your EDR data into actual protection.
Frequently Asked Questions
Can antivirus alone protect an Edinburgh small business in 2027?
No – not against the threats most Edinburgh businesses face. 85% of UK breaches involve phishing (DSIT 2025), and modern phishing payloads are engineered to evade signature-based detection. Antivirus blocks known malware effectively. It doesn’t detect credential theft, lateral movement, or attackers using legitimate Windows tools. For businesses holding client data or processing payments, antivirus alone leaves too large a gap.
Does Microsoft Defender for Business count as EDR or MDR?
Microsoft Defender for Business (included in M365 Business Premium) is EDR – specifically EDR Plan 1. It provides endpoint telemetry, automated investigation, and alerts. It does not include a 24/7 SOC or active threat response. To get the MDR layer on top of Defender, you need either Microsoft Defender for Endpoint Plan 2 plus Microsoft Sentinel, or a third-party MDR provider (Sophos, OpenText Core MDR) that ingests Defender telemetry and adds human analyst response.
How much does MDR cost for a 50-person Edinburgh firm?
Indicative pricing for a 50-seat Edinburgh business in 2025 is £400-750 per month depending on vendor and MSP. That range covers bundled endpoint protection plus 24/7 co-managed SOC services. Sophos MDR Complete runs approximately $70-80 per user per year (roughly £55-65); OpenText Core MDR is priced via MSP quote. Most MSPs bundle MDR into a managed security service rather than offering it as a standalone line item.
Do I need MDR for Cyber Essentials certification?
Cyber Essentials does not specifically require MDR. The scheme covers five technical controls: boundary firewalls, secure configuration, access control, malware protection, and patch management. However, Cyber Essentials Plus requires a hands-on technical audit, and organisations aiming for ISO 27001 or facing FCA operational resilience requirements will find MDR is increasingly expected as a baseline control. Many cyber insurers are also moving toward requiring active monitoring as a condition of SME policies.
The Honest Recommendation
Antivirus was the right answer in 2010, according to Forrester (2025). EDR is the right answer if you have someone to watch it. For the vast majority of Edinburgh SMEs under 250 employees, MDR is the right answer in 2027 – and the co-managed model means it doesn’t require hiring a security analyst.
The 22-day EMEA dwell time isn’t an abstract statistic. It’s the average time an attacker spends inside an organisation like yours before anyone notices. Without 24/7 monitoring, that window stays open.
Start by establishing what you have. If you’re on M365 Business Premium, Defender for Business is already running – you just may not have anyone watching the alerts it generates.
Book a Free Cloud Security Assessment
A 30-minute conversation with an Edinburgh IT specialist can establish your current coverage, identify the gaps, and give you a practical next step.
Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and enterprise AI architecture.