Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
The dashboard was green. Every endpoint reporting healthy, every alert acknowledged, every backup verified. It was 9am Monday and the IT manager I was meeting with had spent the last eighteen months building exactly the stack everyone tells Canadian SMBs to build. Next-gen firewall, EDR on every laptop, MFA on Microsoft 365, immutable backups, an annual penetration test. He had the green dashboard to prove it.
The same console was still green at 3am Tuesday when somebody walked into a finance account, copied an Outlook signature, and started a wire-fraud thread with their largest client.
IBM’s 2025 Cost of a Data Breach Report puts the average time to identify and contain a breach at 241 days, the lowest figure in nine years and still eight months of undetected access. That number does not exist because Canadian SMBs are buying the wrong tools. It exists because nobody is watching the right ones at 3am.
I’m a CISSP-certified MSP founder. What follows is the practical 2026 guide for Canadian SMBs trying to figure out whether managed detection and response (MDR) belongs in their cybersecurity stack, what it actually does, what it costs, and how to evaluate a provider without falling for the marketing acronym soup.
Key Takeaways
- MDR is an operating model, not a product: a vendor-run SOC that monitors existing security tools around the clock and takes response action on confirmed threats.
- IBM’s 2025 Cost of a Data Breach Report puts the average time to identify and contain a breach at 241 days, the lowest in nine years; best-in-class MDR providers cut median response to under 20 minutes (Expel 14 min, SentinelOne 18 min).
- Gartner projects 60 percent of organizations will be using MDR by 2026, up from 30 percent in 2023. Canadian SMB growth is being pulled by cyber insurance renewal requirements, not enterprise demand.
- A 25 to 100 endpoint Canadian SMB should expect MDR pricing of C$2,500 to C$5,000 per month fully loaded, versus roughly C$1 million per year for true in-house 24/7 SOC coverage.
- MDR, EDR, and XDR are not competitors. EDR and XDR are what gets watched; MDR is who watches. Most Canadian SMBs need both.
Why security tools fail at 3am: the watching gap
Security tools fail at 3am because nobody is looking at them. Firewalls, EDR agents, and MFA generate alerts continuously, but those alerts only become a response when a human triages them. IBM’s 2025 Cost of a Data Breach Report shows the average breach still takes 241 days to identify and contain, the lowest figure in nine years but still eight months of undetected intrusion.
The stack you’ve already bought
Walk into any well-run Canadian SMB in 2026 and the security posture looks broadly the same. Next-gen firewall at the edge. Endpoint detection and response on every workstation and server. Email filtering on Microsoft 365. MFA enforced across the tenant. Immutable backups, ideally with a tested restore. An annual penetration test for cyber insurance.
The console says “green” on Monday morning. The vendors send monthly reports showing thousands of alerts triaged automatically and dozens of malicious files quarantined. The IT manager has done their job. The CFO sees the line items and feels protected.
The 3am problem
Look at the same console at 3am Tuesday. The same EDR agent is running, generating the same telemetry, and detecting the same lateral movement event the moment it happens. Nobody sees it until 9am when someone checks, or worse, until the ransom note lands at 11am. Alerts without eyes on them are just expensive logs.
Modern attackers know the calendar. CrowdStrike’s 2025 Global Threat Report puts median attacker breakout time, the gap between initial compromise and lateral movement, at 29 minutes. Holiday weekends and overnight shifts are not edge cases for these actors. They are the operating model.
According to IBM’s 2025 Cost of a Data Breach Report, the mean time to identify and contain a breach now sits at 241 days globally, the lowest figure in nine years. The year-over-year improvement is real, but eight months of undetected access is still a business-ending window for most Canadian SMBs, especially under PIPEDA’s notification timing rules.
For broader context on the layered defenses that produce this telemetry, see our overview of managed cybersecurity services and the role of different firewall types in the SMB stack.
Why 24/7 SOC coverage doesn’t pencil out for SMBs
True 24/7 security operations center coverage requires roughly five full-time analysts per seat, because you need three shifts with PTO coverage and burnout rotation. At Canadian salary rates, one security analyst runs C$300,000 fully loaded, which puts real around-the-clock coverage at over C$1 million per year. For any business under 500 employees, the math simply does not work.
The analyst math: why one person is not 24/7
One full-time security analyst covers about 40 hours of the 168 hours in a week. To put a continuous warm body on a SOC seat, you need roughly 4.2 to 5 FTEs per seat, and a SOC needs at least two seats during peak hours and one overnight.
Add a SOC manager, a detection engineer, and a tier-3 escalation analyst, and you are at seven to ten heads before you have hired the people who make the SOC actually work: incident responders, threat hunters, the after-hours on-call.
At 2026 Canadian salary bands, a fully-loaded security analyst sits around C$300,000 once you include benefits, training, tooling licences, and recruiting. The total run-rate for an in-house 24/7 SOC sits comfortably north of C$1 million per year, and that assumes you can actually hire and retain the team.
Most Canadian SMBs cannot, and most who try churn the talent inside eighteen months.
Why the tools are not the bottleneck
The EDR you bought in 2024 is generating the right alerts. The SIEM you bought, if you bought one, is correctly correlating them. What you do not have is the person on shift at 3am Tuesday to act on them.
This is why the dwell-time number stays stubborn. IBM’s 2025 report shows modest improvement against 2024 (down three days) but the trajectory is a slope, not a step-change. Tools plateau. Staffing is the lever that moves dwell time from months to minutes.
The trap most SMBs fall into is buying another tool when an alert gets missed. Better EDR. Better SIEM. A new XDR platform. Each of those produces more telemetry without producing the responder who reads it. The shelf gets fuller. The dashboard stays green. Nothing changes at 3am.
According to IBM’s 2025 Cost of a Data Breach Report, organizations with high AI and automation usage identified and contained breaches 108 days faster than peers without. The productivity lift is real, but it only activates if someone is on the receiving end of the automation’s output. Automation multiplies a responder; it does not replace the responder.
Most SMBs think about this question alongside their broader IT cost structure. We cover the financial framing in IT budget planning for Canadian small business and how it interacts with virtual CIO services for strategic security decisions.
What managed detection and response actually is
Managed detection and response (MDR) is a cybersecurity operating model where a third-party security operations center monitors a client’s existing security tools around the clock, investigates alerts, and takes documented response action on confirmed threats. MDR is not a new product or tool. It is the human team layered on top of the tools a business already has, sold as a subscription service.
Operating model, not product
The biggest source of confusion in the category is the word “managed.” A managed product is software a vendor configures for you. MDR is something different: a service contract for the human watch and response, layered on top of whatever telemetry stack you already own. This is why “MDR vs EDR” framings miss the point. One is a service model. The other is a telemetry layer. They are not alternatives. They are dance partners.
What’s included vs what’s your responsibility
Typical MDR scope includes 24/7 monitoring, alert triage, threat hunting, incident response, forensic artifacts, and detection-rule tuning. Typical scope does not include patching, user awareness training, identity governance, backup testing, or vulnerability management. The line moves between providers, which is why the first thing to ask any MDR vendor is for their scope statement in writing, not in marketing copy.
According to Gartner’s 2025 Market Guide for Managed Detection and Response, MDR services provide remotely delivered security operations centre functions that allow organizations to perform rapid detection, analysis, investigation, and response through threat disruption and containment. The definition explicitly frames MDR as service-delivered, not product-delivered. For Canadian SMBs evaluating whether MDR fits their stack, the practical implication is that the buyer is contracting for an outcome (containment within minutes), not for a tool.
For the upstream assessment that determines what MDR scope a Canadian SMB actually needs, see our cybersecurity assessment and the broader portfolio of managed cybersecurity services.
MDR vs EDR vs XDR vs SIEM: who watches what
EDR, XDR, SIEM, and MDR are not four alternatives to the same problem. EDR and XDR are what produces security telemetry (endpoint or cross-domain). SIEM is where logs are stored and correlated. MDR is the service model that watches all of them and responds. Most Canadian SMBs need at least one telemetry layer, optional SIEM, and MDR over the top.
EDR and XDR are tools
EDR (endpoint detection and response) collects telemetry from laptops, servers, and other endpoints, correlates it locally, and supports response actions on those endpoints (isolation, kill-process, registry rollback). XDR (extended detection and response) follows the same pattern across endpoint plus identity plus email plus cloud plus network. Both are software you buy and licence per endpoint or per user. Both produce alerts and require somebody to read them.
SIEM is a log layer
SIEM (security information and event management) ingests logs from everything in the environment, correlates them with detection rules, and stores them for compliance and hunting. SIEM is strong for compliance reporting (because the logs are searchable for auditors) and for retrospective hunting (because the data is there). SIEM is weak without somebody writing the detection rules, tuning the noise, and investigating the alerts. A SIEM with no analyst is a very expensive log archive.
MDR is the operating model
MDR can manage EDR, XDR, or SIEM telemetry on a client’s behalf. It is orthogonal to the tool-layer decision. The question MDR answers is not “which telemetry layer do I buy.” The question is “who watches it once I do.” MSSP (managed security service provider) is the previous generation of outsourced security: alert forwarding, less response authority, legacy framing. Most 2026 vendors using the “MSSP” label have effectively become MDRs or are positioning to.
| Layer | What it is | What you buy | Who watches |
|---|---|---|---|
| EDR | Endpoint telemetry plus local response | Software | You (unless MDR covers it) |
| XDR | Cross-domain telemetry | Software | You (unless MDR covers it) |
| SIEM | Log aggregation plus correlation | Software plus storage | You (unless MDR covers it) |
| MDR | 24/7 SOC plus triage plus response | Service subscription | Provider |
| MSSP | Legacy outsourced security | Service subscription | Provider (usually alert-forwarding) |
According to CrowdStrike’s MDR overview, the distinction between these layers is scope of coverage: EDR is endpoint-only, XDR extends across the stack, and MDR is who watches either. Safe Security’s 2026 analysis adds that MDR is orthogonal to the EDR-vs-XDR decision: the real question is whether you have a team, not which tool.
For Canadian SMBs without a security analyst on payroll, the answer is the same regardless of whether they buy EDR or XDR.
For the related question of whether MSSP and MDR are the same thing, see our explainer on what an MSSP is and how the category has shifted since 2020.
“Fusion identified a misconfigured endpoint that was generating quiet alerts for two weeks before they took the call. The SOC isolated it inside ten minutes of detection, looped our insurance broker on the response report, and the matter was closed without anyone in our office finding out it had happened. That report carried the renewal.”
How MDR works: the 5-step workflow
MDR works as a five-step cycle: collect telemetry from existing security tools, detect anomalies using correlation and threat intelligence, triage alerts through human analyst review, respond with documented containment actions, and report forensic artifacts back to the client. The cycle runs continuously, with the output of step five feeding tuning back into step two.
Collect, Detect, Triage, Respond, Report
Take the 3am lateral-movement scene from the opening of this article. Here is how it actually plays through an MDR workflow.
Collect. The EDR agent on the compromised endpoint logs an unusual PowerShell command running under a finance user’s context. Telemetry streams into the MDR’s SOC platform within seconds.
Detect. Correlation rules flag the PowerShell command against a known TTP for credential harvesting, and identity telemetry shows the same user account just authenticated from a new geo. The system raises a high-severity alert.
Triage. A SOC analyst on the overnight shift picks up the alert, confirms it is not a false positive (the user normally works from Toronto, the new sign-in is from outside Canada), and escalates inside the SOC.
Respond. Under pre-documented response authority, the SOC isolates the endpoint from the network, disables the user account, and revokes active sessions. The client’s on-call contact is notified by phone and Slack.
Report. A forensic timeline is documented overnight, with IOCs, the containment actions taken, and the recommended remediation. The client’s leadership team has a complete report waiting at 9am.
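The Collect and Detect steps above, together with the containment the SOC is pre-authorized to take, sketched as detection logic over constructed telemetry. This is an added example, not Fusion's or any vendor's code; the field names, the `tactic` label, the country placeholder `XX`, the 30-minute window and the action names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. All field names are hypothetical.
EDR_EVENTS = [
    {"ts": "2026-03-03T03:02:10", "host": "FIN-LT-07", "user": "a.chen",
     "process": "powershell.exe", "tactic": "credential-access"},
    {"ts": "2026-03-03T03:05:44", "host": "ENG-WS-12", "user": "r.patel",
     "process": "powershell.exe", "tactic": None},  # routine admin script
    {"ts": "2026-03-03T04:10:00", "host": "OPS-LT-02", "user": "m.roy",
     "process": "PowerShell.exe", "tactic": "credential-access"},
]
SIGNIN_EVENTS = [
    {"ts": "2026-03-03T02:51:30", "user": "a.chen", "country": "XX", "result": "success"},
    {"ts": "2026-03-03T03:00:00", "user": "r.patel", "country": "CA", "result": "success"},
    {"ts": "2026-03-03T04:05:00", "user": "m.roy", "country": "XX", "result": "failure"},
]
# Assumed baseline: countries each user normally signs in from.
USUAL_COUNTRIES = {"a.chen": {"CA"}, "r.patel": {"CA"}, "m.roy": {"CA"}}

# Assumed actions the client agreed in writing that the SOC may take without sign-off.
PRE_AUTHORIZED = ("isolate_endpoint", "disable_account", "revoke_sessions", "notify_on_call")


def _parse(ts):
    return datetime.fromisoformat(ts)


def new_geo_signins(signins, baseline):
    """Group successful sign-ins from a country outside the user's baseline."""
    hits = {}
    for s in signins:
        if s["result"] != "success":
            continue  # a failed attempt is not account access
        # A user with no baseline has an empty set, so any country counts as new.
        if s["country"] in baseline.get(s["user"], set()):
            continue
        hits.setdefault(s["user"], []).append(s)
    return hits


def correlate(edr_events, signins, baseline, window=timedelta(minutes=30)):
    """Raise 'high' when a credential-access PowerShell event and a new-geo
    sign-in for the same user fall within `window`; otherwise 'medium'."""
    geo = new_geo_signins(signins, baseline)
    alerts = []
    for e in edr_events:
        if e["process"].lower() != "powershell.exe":
            continue
        if e["tactic"] != "credential-access":
            continue
        t = _parse(e["ts"])
        related = [s for s in geo.get(e["user"], [])
                   if abs(t - _parse(s["ts"])) <= window]
        if related:
            # Two independent signals agree: propose pre-authorized containment.
            alerts.append({"severity": "high", "host": e["host"], "user": e["user"],
                           "ts": e["ts"], "actions": list(PRE_AUTHORIZED),
                           "evidence": [e] + related})
        else:
            # One signal only: queue for an analyst, no automatic containment.
            alerts.append({"severity": "medium", "host": e["host"], "user": e["user"],
                           "ts": e["ts"], "actions": ["analyst_review"],
                           "evidence": [e]})
    return alerts


if __name__ == "__main__":
    for a in correlate(EDR_EVENTS, SIGNIN_EVENTS, USUAL_COUNTRIES):
        print(a["severity"], a["host"], a["user"], ",".join(a["actions"]))
```

The `high` alert still goes to the analyst in the Triage step; the action list is what the written response authority would allow once the analyst confirms it.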
Where AI and automation fit
Automation accelerates the Collect and Detect steps and compresses Triage. It suggests Response playbooks. It does not replace human response authority on anything material, because the cost of a false-positive containment (locking out the CEO at the worst moment) is too high to delegate.
IBM 2025 found that organizations with high AI and automation usage shorten their breach lifecycle by 108 days compared to those without, but the lift only activates when humans are on the receiving end of the automation’s output. Automation multiplies a responder. It does not replace one.
For the broader incident-response context that MDR plugs into, see our guide on incident response plan templates for Canadian SMBs.
Why 2026 made MDR non-optional for Canadian SMBs
Three forces converged in 2026 to make MDR functionally mandatory for Canadian SMBs: cyber insurance renewals now require documented monitored response as evidence, not just EDR purchase; PIPEDA breach-notification timing is incompatible with the 241-day average dwell time; and attacker breakout time has fallen to a median of 29 minutes, versus days for human-only response. Any one of the three is a forcing function.
Cyber insurance is now the biggest buyer
Canadian cyber insurance underwriters in 2026 require evidence-based audits, not policy attestations. They want logs, screenshots, backup test results, documented incident response runbooks, and proof of monitoring. “We have EDR” is no longer enough on a renewal application. “Here is the MDR provider’s monthly report showing investigations and response actions over the last twelve months” is. We have watched insurance broker conversations turn on this single document for three consecutive renewal cycles.
PIPEDA timing does not survive 241-day dwell
PIPEDA requires breach notification to the Office of the Privacy Commissioner of Canada and to affected individuals as soon as feasible after a real risk of significant harm has been determined. The clock starts when the breach is discovered, but the exposure window is the full dwell time.
Boards and insurers are now asking how a business would meet the timing obligation if it did not find out for eight months. MDR is the lever that compresses that window from months to minutes, which is why compliance counsel is increasingly listing it as a recommended (and increasingly required) control.
Attacker breakout is 29 minutes
CrowdStrike’s 2025 Global Threat Report puts median attacker breakout time, the gap between initial compromise and lateral movement, at 29 minutes. Human-only response measured in days is outside that window by three orders of magnitude. There is no version of this where a small IT team checking dashboards in business hours catches a competent threat actor in time. The math does not work, and the threat actors have read the math.
According to Gartner’s 2025 Market Guide for MDR, 60 percent of organizations will be using MDR services by 2026, up from 30 percent in 2023. The growth curve matches the 2022-2026 ramp in cyber insurance underwriting requirements, not a separate fashion cycle. By 2028, Gartner projects 50 percent of MDR findings will include threat exposure detail.
According to CrowdStrike’s 2025 Global Threat Report, median attacker breakout time, the gap between initial compromise and lateral movement, has dropped to 29 minutes. Human-only response measured in days is outside that window by three orders of magnitude. For Canadian SMBs, the breakout-time number is the single clearest argument for outsourced 24/7 monitoring.
For deeper coverage of the regulatory layer, see our overviews of PIPEDA compliance for Canadian small business, what 2026 cyber insurance underwriters are asking for, and the broader data security compliance landscape.
How to evaluate an MDR provider: an 8-point checklist
Evaluate an MDR provider on eight criteria: documented response-time SLA, human-in-loop analyst coverage, integration with your existing stack, Canadian data residency, included forensic artifacts, written response authority, reporting cadence, and off-boarding terms. Pricing for a 25 to 100 endpoint Canadian SMB ranges from C$2,500 to C$5,000 per month fully loaded, with per-endpoint rates varying 10x between tiers.
The 8 checklist items
- Response-time SLA for high and critical alerts. Target under 60 minutes for high-severity and under 15 minutes for critical. Ask for the SLA in writing, with penalty terms if the provider misses it.
- Human-in-loop, not just automation. Confirm analysts triage before alerts escalate to the client. Ask what percentage of alerts are closed inside the SOC without touching the client’s team.
- Integration with the existing stack. Microsoft Defender, SentinelOne, Fortinet, Cisco. Will they ingest existing telemetry, or do they insist on a rip-and-replace? The answer to this question reveals whether the vendor sells a service or a tool re-skinned as a service.
- Canadian data residency. Required for PIPEDA-regulated data. Ask where alerts and forensics are stored and processed, and require the answer in writing.
- Included forensic artifacts. Breach-response incidents must produce a timeline, indicators of compromise, and a containment report. Confirm these are included in the base service, not billed separately at incident time when the client has no room to negotiate.
- Written response authority. Can the provider isolate endpoints, disable accounts, or block IPs without client sign-off? The fastest MDRs have pre-documented authority for specific actions, agreed up front, with rollback procedures.
- Reporting cadence and tuning loop. Monthly reports showing alerts, investigations, response actions, and detection-rule changes. Detection rules should evolve with the environment, not stay frozen at month-one defaults.
- Off-boarding terms. Data portability, detection-rule ownership, and notice period. Cyber insurance renewals sometimes force a provider change, and the time to negotiate the off-boarding clause is the day you sign the contract, not the day you need to leave.
Pricing bands to expect
Per-endpoint pricing splits roughly into three tiers in 2026. Budget MDR runs C$5 to C$15 per endpoint per month, typically high-automation, light human triage, alert-forwarding leaning. Mid-market MDR runs C$15 to C$35 per endpoint per month, the sweet spot for Canadian SMBs at 25 to 100 endpoints. Enterprise-grade MDR runs C$35 to C$50+ per endpoint per month, with deeper threat hunting, dedicated analysts, and broader scope.
SMB bundles typically land between C$2,500 and C$5,000 per month fully loaded for 25 to 100 endpoints. The reason “MDR” pricing varies by 10x for the same acronym is that the eight checklist items above are where the real differences live.
According to Sophos’ published MDR SLAs, the vendor commits to a 60-minute MTTR for 90 percent of high-severity cases. Acronis publishes 15-minute targets for critical incidents. Expel reports a 14-minute median MTTR across all severities in their public 2025 transparency report. These numbers are contractual when written into the SLA; they are marketing copy otherwise. Canadian SMBs should ask vendors to commit to the published number in the master service agreement.
For the upstream cost framing that MDR fits into, see our pricing guides on managed IT pricing in Canada and the broader portfolio of managed cybersecurity services, plus the virtual CIO services that help Canadian SMBs sequence these decisions.
How Fusion’s MDR stack works
Fusion Computing’s MDR stack pairs Huntress (24/7 SOC and managed EDR, rated 9.4 out of 10 on PeerSpot) with SentinelOne on endpoint, Fortinet on network, and Microsoft Defender across Microsoft 365 and identity. The service is CISSP-led, stores forensic artifacts in Canadian data centres, and integrates into Fusion’s managed IT service tiers.
The named stack
I’ll name the components rather than hide them behind “our proprietary platform.” Huntress is the MDR backbone, providing 24/7 SOC coverage and managed EDR with continuous human analyst review. SentinelOne handles full endpoint telemetry and local response, deployed across workstations and servers.
Fortinet covers network-layer visibility and intrusion prevention at the edge. Microsoft Defender handles Microsoft 365 and identity signals, which closes the most common SMB attack vectors (phishing, OAuth abuse, conditional-access bypass). Pre-documented response authority is in place for endpoint isolation and account disable, agreed at onboarding with a rollback procedure.
How it maps to the 8-point checklist
Under-60-minute SLA on high-severity, under-15-minute on critical. Human-in-loop triage via the Huntress SOC. Canadian data residency for forensic artifacts. Forensic reporting included on every incident, not billed separately. Documented response authority for endpoint isolation and account disable. Monthly reporting cadence with tuning notes. 30-day off-boarding with detection-rule export. The point of naming the stack is that it makes the eight checklist items something you can verify, not something you have to take on faith.
Fusion Computing helps Canadian SMBs deploy and run MDR across Toronto and the GTA, Hamilton, and Metro Vancouver.
Frequently Asked Questions
What is the difference between MDR and EDR?
EDR is endpoint-detection software that produces telemetry and supports local response actions. MDR is a 24/7 service run by a third-party SOC that watches EDR output and takes response action. EDR is the tool. MDR is the team. Most Canadian SMBs need both, because neither one closes the watching gap on its own.
Is MDR the same as managed SIEM?
No. SIEM is a log-aggregation and correlation layer. Managed SIEM is a service that operates the SIEM platform for you. MDR is broader: it operates whatever telemetry layer you have (EDR, XDR, SIEM) with active threat hunting and documented response. Many organizations run both, particularly when they need SIEM for compliance reporting and MDR for the response loop.
Do businesses still need antivirus if they have MDR?
Yes. MDR sits on top of endpoint tooling, not instead of it. Modern endpoint protection (EPP) and EDR produce the telemetry the MDR SOC watches; without that telemetry, there is nothing to watch. The right framing is that endpoint tooling is the eyes and MDR is the brain. You need both.
How much does MDR cost for a Canadian 50-person business?
Typically C$2,500 to C$5,000 per month fully loaded, or roughly C$30,000 to C$60,000 per year. Per-endpoint pricing ranges from C$5 to C$50 per month depending on tier, with most Canadian SMB bundles landing in the C$15 to C$35 per endpoint per month range. Pricing varies 10x for the same acronym, which is why the 8-point evaluation checklist matters more than the headline number.
What happens when MDR detects a threat at 3am?
The SOC triages the alert within minutes, contains the threat (typically by isolating the affected endpoint or disabling the compromised account under pre-documented authority), notifies the client’s on-call contact by phone and secure messaging, and documents the incident with forensic artifacts. The client’s leadership team has a complete report waiting at 9am, with the threat already contained.
How long does MDR deployment take?
Typical deployment runs one to three weeks for endpoint agents and initial telemetry ingestion. Full detection-rule tuning takes 30 to 60 days as the SOC learns the client’s baseline (which logins, processes, and access patterns are normal). The first 90 days produce the highest false-positive rate; mature MDR engagements drive that rate down through ongoing tuning.
Can MDR replace existing cybersecurity tools?
No. MDR augments existing tools by adding human analysis and 24/7 response. It does not replace firewalls, backups, identity controls, endpoint protection, or user awareness training. A common buyer mistake is treating MDR as a stack-replacement; the right framing is that MDR is the watch layer over the stack you already need.
Does MDR help with cyber insurance renewal?
Yes. Most 2026 Canadian cyber insurance underwriters require documented EDR or XDR plus monitored response as a renewal condition, and they want evidence (monthly reports, response action logs, forensic artifacts), not attestation. MDR provides both the monitored response and the monthly reporting evidence underwriters demand. Renewal premiums and coverage limits often improve materially when MDR is in place.
What kinds of alerts does an MDR escalate to a client at 3am vs handle silently?
Most MDRs operate on a tiered model. The SOC silently closes confirmed false positives, low-severity policy violations, and routine quarantines. They escalate to the client’s on-call only on confirmed high or critical incidents: lateral movement, identity compromise from outside-Canada geos, ransomware indicators, or anything that triggers a containment action. Typical Canadian SMB engagements escalate fewer than five percent of total alerts to the client overnight.
Can MDR work with Microsoft Defender as the primary EDR rather than SentinelOne or CrowdStrike?
Yes. Most modern MDRs are tool-agnostic and ingest Microsoft Defender for Endpoint telemetry as a first-class feed alongside SentinelOne, CrowdStrike, or Sophos. For Canadian SMBs already on Microsoft 365 E3 or E5 with Defender for Endpoint Plan 2, MDR over Defender is the cheapest path to monitored response because the EDR licence is already paid for. Confirm the vendor’s Defender connector is Microsoft 365 GCC-compatible if Canadian government or healthcare data is involved.
What documentation does a Canadian cyber insurance underwriter want after MDR is deployed?
Underwriters in 2026 typically ask for: the MDR vendor’s scope statement, the monthly response report for the last 6 to 12 months, the SLA terms (with response-time penalties), evidence of Canadian data residency for forensics, and a sample incident report showing containment within the contracted window. Most MDR providers package this as a renewal evidence pack on request. Ask the broker for the carrier’s exact requirement list before the renewal cycle starts.
Is MDR available for Canadian businesses with under 25 employees?
Yes, but the pricing model shifts. Below 25 endpoints, most MDRs sell flat-rate small-business packages of roughly C$1,500 to C$2,500 per month rather than per-endpoint. Coverage is typically the same as the mid-market tier, with the trade-off being less customization on detection rules and slower onboarding tuning. For very small Canadian businesses, the ROI usually justifies it once cyber insurance enters the picture or the business handles regulated client data.

