I have been an E5 customer since 2021 in mid and then large enterprise. If you do not configure MDE to Microsoft-recommended best practices and you get Ransomware'd, Microsoft will throw the blame back at you (just open a ticket with support and ask for the KnowBe4 Ransomware test). Here are all of the settings you need to run with MDE.
ASR (All sixteen rules in blocking or warning)
When you do all of the above (add about 5% for every major MDE feature), expect 15-25% base load CPU from MDE, specifically real-time protection, Zeek (NDR), and Web protection.
When compared with CrowdStrike and S1, you'll see closer to 5-10% with recommended settings in my experience.
See Microsoft's support threads on what's normal for MDE: "However, if the MDE service's CPU usage is consistently higher than 30-50%, or if memory usage continues to grow and is disproportionate to other activities on the server, this may be a sign of abnormal behavior."
submitted by /u/Candid-Molasses-6204
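
One way to check the ASR item above on a Windows endpoint, as an added example that is not part of the original post: it reads the configured rules with `Get-MpPreference` and reports how many are in Block or Warn. The function name `Get-AsrRuleAudit` is hypothetical, and the expected count of 16 is taken from the post.

```powershell
# Added example, not from the original post.
# Audits the mode of every configured ASR rule on the local host.
# Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.

$ExpectedRuleCount = 16   # assumption: the figure given in the post

function Get-AsrRuleAudit {   # hypothetical helper name
    param(
        [string[]]$Ids,
        [int[]]$Actions
    )
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        # A rule ID with no matching action entry is treated as disabled.
        $action = if ($i -lt $Actions.Count) { $Actions[$i] } else { 0 }
        $mode = if ($modeNames.ContainsKey($action)) { $modeNames[$action] } else { "Unknown($action)" }
        [pscustomobject]@{
            RuleId    = $Ids[$i]
            Mode      = $mode
            Enforcing = ($action -in 1, 6)   # Block or Warn, as the post requires
        }
    }
}

$pref  = Get-MpPreference
$rules = @(Get-AsrRuleAudit -Ids $pref.AttackSurfaceReductionRules_Ids `
                            -Actions $pref.AttackSurfaceReductionRules_Actions)

# Rules left in Audit or Disabled sort to the top of the table.
$rules | Sort-Object Enforcing, RuleId | Format-Table -AutoSize

$enforcing = @($rules | Where-Object { $_.Enforcing }).Count
'{0} of {1} expected rules are in Block or Warn ({2} configured in total)' -f `
    $enforcing, $ExpectedRuleCount, $rules.Count

if ($enforcing -lt $ExpectedRuleCount) {
    Write-Warning 'Some ASR rules are missing, disabled, or audit-only.'
}
```

A rule that does not appear in the output has no configured action on that host, so it counts toward the shortfall in the summary line.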