Expel MDR Cost in 2026: Per-User Pricing for Cloud-Heavy Orgs
Expel prices on a multi-dimensional model: per user, per cloud account, per endpoint, per SaaS application. Typical mid-market contracts land between $90,000 and $500,000 per year, and the cloud-first orientation makes Expel the structural choice for SaaS-heavy and cloud-native organisations.
Mid-Market: $90K - $180K (500 employees, 5 cloud accounts)
Larger Deployments: $250K - $500K (2,000 employees, 20+ cloud accounts)
Cloud-Native Lead: AWS / GCP / Azure (first-class detection content)
The cloud-first orientation
Expel was founded in 2016 with a specific bet: the future of security operations would be cloud-heavy, and the existing MDR vendors (built around endpoint-first detection) would struggle to adapt. That bet has largely played out. By 2026 the dominant attack surface for most organisations is cloud (AWS, GCP, Azure control planes, cloud-hosted applications, SaaS) plus identity (Okta, Workforce Identity, Azure AD), with traditional endpoint a smaller fraction than it was a decade ago. Expel's detection content library reflects this orientation: deep on AWS CloudTrail attack patterns, GCP Audit Log misconfigurations, Azure activity anomalies, Okta identity threats, GitHub repository compromise, and SaaS application abuse, with traditional Windows-endpoint content as a supporting capability rather than the centrepiece.
The orientation shapes the entire product. The Expel Workbench integration roster leads with AWS GuardDuty, AWS CloudTrail, GCP Security Command Center, Azure Defender, Okta System Log, GitHub Advanced Security, M365 Audit, and Workday before getting to endpoint sources. The detection content covers cloud-specific threats (S3 bucket exposure, IAM privilege escalation, Azure subscription takeover, OAuth grant abuse) more thoroughly than competitors who treat cloud as an add-on layer. For SaaS, fintech, healthcare-tech, and cloud-native enterprise customers, this orientation usually delivers a meaningful operational improvement over MDRs designed for traditional enterprise architectures.
The flip side is that Expel is genuinely weaker for traditional on-premises Windows-heavy environments. A customer running a hospital system with thousands of legacy Windows servers, an SAP deployment with on-premises database tiers, and limited cloud footprint is better served by a Splunk-native MSSP (Trustwave, Deepwatch) than by Expel. The right match is to the actual environment, not to the marketing tier the customer aspires to.
The Workbench transparency model
Most MDRs operate as black boxes from the customer perspective: alerts come in, investigations happen invisibly, escalations come out, and the customer sees PDF summary reports monthly. Expel's Workbench is meaningfully more transparent. Every alert is visible in real time with the Expel analyst's investigation notes, every decision is timestamped and attributed to a named analyst, and every escalation includes the full reasoning chain. The customer can audit any decision Expel made on any case.
The transparency is operationally useful in two ways. First, it builds trust faster than the black-box model: customers can verify that Expel is actually investigating rather than just routing alerts. Second, it supports audit and incident-response review: when something goes wrong, the customer can see exactly what was investigated, when, and what the conclusion was. For SOC 2 and HIPAA audit support specifically, the Workbench audit trail is significantly easier to defend than a PDF summary.
The trade-off is that the transparency model requires the customer to actually engage with Workbench rather than treat it as a black box. Customers who do not engage often miss the value proposition. The right customer profile is one with an internal security lead who can review Workbench weekly and feed back to Expel on triage decisions and detection content priorities.
Pricing detail by scope dimension
| Dimension | Indicative unit price | Notes |
|---|---|---|
| Per protected user | $80 - $180/yr | Volume discount above 1,000 users |
| Per cloud account (AWS/GCP/Azure) | $8K - $24K/yr | Includes full control-plane detection |
| Per endpoint (BYO EDR) | $20 - $60/yr | Atop customer-provided EDR licence |
| Per SaaS app monitored | $5K - $25K/yr | Okta, Workday, Salesforce, GitHub, M365 |
| IR retainer (add-on) | $40K - $200K/yr | Hours pool, surge above $400-650/hr |
The multi-dimensional pricing is harder to estimate upfront than per-employee or per-host models, but it tracks cost to actual attack surface more accurately. A 500-employee SaaS company with 8 AWS accounts and 20 monitored SaaS apps has materially more attack surface than a 500-employee accounting firm with 1 cloud account and 5 SaaS apps; Expel's pricing reflects that difference, where per-employee models would charge both the same. For cloud-heavy customers, this is fair. For cloud-light customers, the per-employee competitors are usually cheaper.
Where Expel wins, where it loses
Expel wins competitive evaluations consistently in three customer profiles. First, SaaS and cloud-native technology companies (Series C through public stage), where the cloud-first orientation aligns with the customer's actual attack surface and the Workbench transparency aligns with the engineering-team culture. Second, mid-market financial-services and healthcare organisations with significant cloud migration, where the regulatory pressure for SOC capability meets the cloud-heavy infrastructure and Expel's compliance-evidence support is a meaningful procurement factor. Third, mid-market organisations with internal security leads who want a transparent operating partner rather than a black-box MSSP.
Expel loses competitive evaluations when the customer is heavily on-premises Windows-Server-centric (Splunk-native MSSPs win), when the customer has very small scope and wants the cheapest credible 24/7 monitoring (Huntress at $4-$7 per endpoint per month wins), or when the customer is genuinely enterprise-scale (above 10,000 employees with complex global infrastructure) and wants a co-managed model on their own SIEM (Critical Start, Deepwatch, ReliaQuest win). The cloud-first orientation is a strength in some segments and a weakness in others; the right match depends on the specific customer profile.
For broader MDR market context see the cross-portfolio MDR cost reference. For competitive alternatives see the Arctic Wolf, eSentire, and Secureworks pages.
Updated May 2026. Pricing references from Expel customer engagements, Gartner MQ for MDR Services 2024, public Expel marketing materials. Pricing is indicative; Expel quotes vary by deal size and scope.