Device pillar cost: MDM, EDR, posture and mobile threat defence
The device pillar of zero trust covers every endpoint accessing corporate resources, from corporate laptops to BYOD phones to production servers. This page breaks down the per-component cost, the sizing by organisation, the Microsoft-bundled versus best-of-breed economics, and the most common form of double-spend (which has a name and a fix).
The device pillar in CISA and NIST terms
The CISA Zero Trust Maturity Model v2.0 defines the device pillar (CISA originally called it Devices, occasionally written as Endpoint in vendor literature) across five capability areas: policy enforcement and compliance monitoring, asset and supply chain management, resource access (the access decision itself), device threat protection, and visibility and analytics. NIST SP 800-207 treats device state as one of the three primary inputs to the Policy Engine, alongside user identity and asset state. The principle is straightforward: a device that accesses corporate resources must be known to the organisation, configured to a minimum baseline, and continuously assessed for compliance.
The pillar has six cost-bearing components in practice. Mobile device management (often called UEM, unified endpoint management) handles enrolment, configuration, app deployment and certificate distribution. Endpoint detection and response monitors behaviour for signs of compromise and provides response actions. Mobile threat defence catches OS-level exploits, mobile phishing, and malicious apps. Posture management continuously assesses configuration drift, patch state, and vulnerability exposure. Mobile application management protects corporate apps on personal devices without requiring full device enrolment. Patch management deploys OS and application updates on a managed cadence. The six have different price points, and the pillar economics turn on which of them are already bundled into existing identity or productivity-suite licensing.
In budget terms, device is the smallest of the three foundation pillars (the other two being identity and network) and the easiest to deploy well. Most organisations can reach CISA Initial-tier device maturity in 90 to 180 days at a per-endpoint cost that is a small fraction of the identity and network pillars. The challenge is not getting started but maintaining device hygiene as the estate changes: enrolment drift, ageing OS versions, agent conflicts, BYOD population growth, and the slow accumulation of un-enrolled devices that builds up in any environment over time.
Cost by device sub-component
Per-device per-month pricing for the six device-pillar components. Pricing is market-typical from vendor public materials; expect 15 to 30 percent discount at multi-year enterprise term and an additional 10 to 20 percent for bundle deals.
| Component | List price range | Sized on | Notes |
|---|---|---|---|
| MDM / UEM | $4 - $9 / device / month | Every managed endpoint | Configuration policies, app deployment, certificate enrolment, compliance reporting. Microsoft Intune, Jamf, Workspace ONE, Kandji, JumpCloud. |
| EDR | $3 - $15 / endpoint / month | Every endpoint | Behavioural detection, response actions, threat hunting. Workstation EDR at lower end, server EDR at upper. Premium SKUs include MDR. |
| Mobile threat defence | $3 - $6 / mobile device / month | Mobile devices accessing corporate resources | OS exploit detection, mobile phishing, malicious apps. Lookout, Zimperium, Defender for Endpoint mobile. |
| Asset / posture management | $2 - $5 / endpoint / month | All managed endpoints | Continuous configuration drift detection, vulnerability state, hardware inventory. Tanium, Lansweeper, BigFix. |
| MAM (mobile app management) | $2 - $5 / user / month | BYOD population | App-level controls without enrolling the device in full MDM. Intune App Protection Policies, Workspace ONE MAM. |
| Patch management | $1 - $4 / endpoint / month | All managed endpoints | Often bundled into MDM or RMM. Standalone patch tooling like Automox or ManageEngine for heterogeneous estates. |
Device pillar cost by organisation size
| Organisation | Workforce | Year 1 license | Year 1 total | Ongoing / year | Notes |
|---|---|---|---|---|---|
| SMB | 100 users / 110 devices | $15K - $35K | $25K - $60K | $18K - $40K | Microsoft 365 Business Premium covers Intune and Defender for Business EDR at low marginal cost. |
| Mid-market | 500 users / 600 devices | $80K - $180K | $140K - $320K | $90K - $180K | Add MTD and posture management. EDR vendor choice (Microsoft included vs CrowdStrike vs SentinelOne) drives the range. |
| Enterprise | 2,000 users / 2,500 devices | $280K - $620K | $520K - $1.2M | $320K - $700K | Server endpoint count drives upward variance. Heterogeneous OS coverage adds 15-25%. |
| Large enterprise | 10,000+ users / 12,000+ devices | $900K - $2.4M | $1.8M - $5.0M | $1.2M - $3.0M | Per-device license flattens with volume but agent-conflict management between MDM, EDR, MTD, posture and DLP adds operational cost. |
Microsoft-included versus separate EDR economics
The single biggest cost variable in the device pillar is whether you already have Microsoft 365 E5 and therefore Defender for Endpoint Plan 2 (an EDR) and Intune (an MDM/UEM) included. For most Microsoft-centric mid-market and enterprise estates, the Defender for Endpoint P2 EDR is competitive with CrowdStrike Falcon and SentinelOne Singularity in detection efficacy as measured by MITRE Engenuity ATT&CK Evaluations, and is essentially free at the marginal-cost level if you are already paying for E5. Buying a separate best-of-breed EDR on top of an E5 estate is common; whether it is justified depends on three factors.
- Factor 1: non-Windows estate share. Defender for Endpoint covers Linux and macOS, but its tooling, threat-hunting queries, and analyst muscle memory are weakest on those platforms in our observation. If more than 25 to 30 percent of the estate is Linux or macOS, a vendor with stronger non-Windows coverage may pay back.
- Factor 2: SOC tier. A mature SOC team with existing CrowdStrike or SentinelOne expertise will move more slowly if forced to re-skill on Defender, which can negate the licensing-cost saving in the first eighteen months.
- Factor 3: server population. Server EDR pricing scales differently across vendors; if servers dominate the endpoint count, the relative cost of Defender versus the alternatives changes.
A useful sanity check is total annualised EDR spend across the estate. For a 500-user organisation with 600 endpoints, Defender for Endpoint P2 adds no marginal licence cost (assuming E5 is already paid for); the roughly $5K to $15K figure is what standalone Defender for Endpoint P2 licensing would cost if you ever leave E5. CrowdStrike Falcon Pro at list, $99 per endpoint per year, comes to roughly $59K. SentinelOne Singularity Core at list, $69 per endpoint per year, comes to roughly $42K. The standalone-EDR premium over E5-bundled is therefore $30K to $50K per year for this organisation size. That is a real number, but it is also less than 10 percent of total device-pillar spend, so it should not be the dominant decision criterion.
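The sanity check above, generalised to an arbitrary estate mix, as an added worked example (it is not code from the original page or from any vendor). The per-endpoint list prices and the two quantitative thresholds (the 25 to 30 percent non-Windows share from Factor 1, and the "under 10 percent of device-pillar spend" criterion) are taken from the text; the estate figures, the `Estate` class and the report keys are constructed for illustration. Factor 2 (SOC skills) and Factor 3 (server pricing) are not modelled because the page gives no numbers for them.

```python
"""Standalone-EDR premium check over an E5-bundled estate (added example).

Prices and thresholds are the ones quoted in the text; the estate passed in
is a constructed sample, and the report layout is an assumption of this example.
"""
from dataclasses import dataclass

# Annual list price per endpoint quoted on the page ($/endpoint/year).
STANDALONE_EDR_LIST = {
    "CrowdStrike Falcon Pro": 99,
    "SentinelOne Singularity Core": 69,
}

# Page thresholds: Factor 1 (non-Windows share) and the "< 10% of pillar spend" criterion.
NON_WINDOWS_SHARE_THRESHOLD = 0.25
PREMIUM_SHARE_CEILING = 0.10


@dataclass
class Estate:
    windows: int
    macos: int
    linux: int
    e5_licensed: bool                  # Defender for Endpoint P2 already bundled via M365 E5
    device_pillar_annual_spend: float  # steady-state device-pillar budget, $/year (caller supplied)

    @property
    def endpoints(self) -> int:
        return self.windows + self.macos + self.linux

    @property
    def non_windows_share(self) -> float:
        return (self.macos + self.linux) / self.endpoints if self.endpoints else 0.0


def standalone_edr_cost(estate: Estate, vendor: str) -> int:
    """Annual list cost of a standalone EDR across every endpoint in the estate."""
    return estate.endpoints * STANDALONE_EDR_LIST[vendor]


def edr_premium_report(estate: Estate) -> dict:
    """Compare each standalone EDR against the E5-bundled option (zero marginal cost).

    Without E5 there is no bundled baseline, so only the absolute cost is reported.
    """
    report = {
        "endpoints": estate.endpoints,
        "non_windows_share": round(estate.non_windows_share, 3),
        # Factor 1: above the page's threshold, stronger non-Windows coverage may pay back.
        "non_windows_coverage_case": estate.non_windows_share > NON_WINDOWS_SHARE_THRESHOLD,
        "vendors": {},
    }
    for vendor in STANDALONE_EDR_LIST:
        cost = standalone_edr_cost(estate, vendor)
        entry = {"annual_cost": cost}
        if estate.e5_licensed:
            premium = cost  # bundled Defender for Endpoint P2 adds no marginal licence cost
            share = round(premium / estate.device_pillar_annual_spend, 3)
            entry.update({
                "premium_over_e5": premium,
                "premium_share_of_pillar": share,
                "under_10pct_ceiling": share < PREMIUM_SHARE_CEILING,
            })
        report["vendors"][vendor] = entry
    return report


if __name__ == "__main__":
    # Constructed sample: the page's 600-endpoint mid-market estate, mostly Windows, on E5.
    sample = Estate(windows=500, macos=60, linux=40, e5_licensed=True,
                    device_pillar_annual_spend=180_000)
    for vendor, entry in edr_premium_report(sample)["vendors"].items():
        print(vendor, entry)
```

Run it with your own endpoint counts and pillar budget; the report gives the annual premium per vendor, its share of the pillar budget against the page's 10 percent criterion, and whether the non-Windows share crosses the Factor 1 threshold.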
BYOD economics in the device pillar
BYOD is the population most often left out of initial device-pillar scoping and then added back later at higher cost. The principle is the same as for corporate devices: a device that accesses corporate resources must be knowable, baseline-configured, and continuously assessed. The mechanism is different because the device is not owned by the organisation and full enrolment is often unacceptable to the user.
Three patterns work.

- Full enrolment with work profile. The personal device is enrolled in MDM, but personal and corporate data are segregated using OS-level work-profile features (Android Work Profile, iOS User Enrollment). Cost: full MDM per-device pricing, roughly $4 to $9 per device per month.
- Mobile application management. The personal device is not enrolled, but the corporate apps on it (Outlook, Teams, etc.) are protected at the app level with policies that prevent copying corporate data out, require an app PIN, and wipe corporate data on demand. Cost: $2 to $5 per user per month, roughly 60 to 70 percent of full MDM cost.
- Browser-based access only. The personal device gets access only via a corporate browser session (Citrix, Cameyo, or a ZTNA web-app proxy). Cost: $5 to $15 per user per month for the browser delivery infrastructure, but no per-device pricing.

Each pattern has a different friction profile for end users; most mid-market organisations land on MAM for the general workforce and full MDM for privileged or executive populations.
Plan for 10 to 20 percent uplift on the base device-pillar budget to cover the BYOD population properly. Skipping BYOD entirely is tempting on a budget basis but does not survive contact with any incident-response review: a phished credential entered on an unmanaged personal device is the same risk as one entered on a corporate device, and the auditor will not accept "we de-scoped BYOD" as a control.
What the device pillar buys you
The device pillar buys two things that compound: dwell-time reduction (how long an attacker spends in the environment before being detected) and lateral-movement containment (how far they can move from the initial endpoint). The IBM 2024 Cost of a Data Breach report found organisations with mature endpoint detection capabilities identified breaches a median of 27 days faster than peers and contained them at lower cost. Mandiant's M-Trends reports consistently show median dwell time for organisations with comprehensive EDR coverage at roughly half the dwell time of organisations without.
On a unit-economics basis, device-pillar maturity is the second-highest ROI control after identity. A typical mid-market deployment spends $90K to $180K annually on the device pillar in steady state. Set against the IBM-reported $4.88 million average breach cost and a 2 to 4 percent annual breach probability, the device-pillar contribution to risk-reduction value is roughly $25K to $50K per year, with the rest of the value coming from operational improvements (faster incident triage, less manual investigation, fewer escalations to tier-3 analysts). The pillar pays back against breach risk over three to five years.
The most common over-spend in the device pillar is buying a separate EDR while already paying for Defender for Endpoint P2 via M365 E5. Audit existing licensing before signing any endpoint contract. The second most common over-spend is buying full MDM for a BYOD population that only needs MAM, which over-shoots licensing on the BYOD share by roughly 40 percent.