EDR
EDR is the security layer that monitors endpoint activity in real time, detects threats after they land, and gives teams the data to investigate fast.
What is EDR (Endpoint Detection and Response)?
EDR, or Endpoint Detection and Response, is a security technology that continuously monitors activity on endpoints (laptops, servers, virtual machines, and mobile devices) to detect threats that have already passed through perimeter defences.
Unlike antivirus, which blocks known bad files at the gate, EDR watches what happens after something lands. It records process execution, file changes, network connections, registry modifications, and user behaviour at the device level, then surfaces anomalies for investigation.
The problem it was built to solve is simple: attackers who get past the firewall can move quietly for weeks before anyone notices. EDR shortens that window by giving security teams a detailed, near-real-time audit trail of everything happening on every endpoint.
How EDR works
Continuous telemetry collection
An EDR agent installed on each endpoint streams activity data back to a central platform. Every process that spawns, every file touched, every outbound connection made: it all gets recorded. The data volume is high by design. You can't detect what you don't see.
Behavioural analysis and alerting
The platform applies detection logic (a mix of rules, signatures, and increasingly ML-based anomaly scoring) to that telemetry stream. When activity looks like a known attack technique, such as a living-off-the-land binary launching PowerShell or a process injecting into LSASS, it raises an alert. The good platforms correlate events across multiple endpoints to surface lateral movement patterns that no single device would show.
Investigation and response
When something fires, analysts get a timeline view of the attack chain. They can trace exactly which process spawned which child, which files were dropped, which accounts were touched. Most EDR platforms also give responders the ability to take action remotely: isolate a machine from the network, kill a process, pull a file for forensics.
Threat intelligence enrichment
Alerts get matched against known threat actor TTPs (Tactics, Techniques, and Procedures), usually mapped to the MITRE ATT&CK framework. That context is what separates "unusual PowerShell execution" from "Scattered Spider-style initial access" in your alert queue.
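The four steps above (collect telemetry, apply detection rules, correlate across endpoints, enrich with ATT&CK context, then hand the analyst a process timeline) can be seen end to end in a small script. The following is an added example written for this page, not code from any EDR product: the event records are constructed, the field names (`ts`, `host`, `pid`, `ppid`, `image`, `target_image`, `src_host`) are assumptions rather than a vendor schema, and the two technique IDs are the public MITRE ATT&CK entries for PowerShell execution (T1059.001), process injection (T1055) and remote services (T1021).

```python
"""Toy EDR pipeline: telemetry records in, rule-based alerts with ATT&CK context
and a process-tree timeline out. Added illustration, not any vendor's code;
every record below is constructed and the field names are assumptions."""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry. Two hosts: an Office-spawned shell on WS-01 that then
# touches LSASS, followed by a network logon onto SRV-02 sourced from WS-01.
EVENTS = [
    {"ts": 100, "host": "WS-01", "type": "process", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "user": "alice"},
    {"ts": 101, "host": "WS-01", "type": "process", "pid": 200, "ppid": 100,
     "image": "winword.exe", "user": "alice"},
    {"ts": 105, "host": "WS-01", "type": "process", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "user": "alice",
     "cmdline": "powershell.exe -w hidden -EncodedCommand <constructed>"},
    {"ts": 106, "host": "WS-01", "type": "network", "pid": 300,
     "dst": "198.51.100.7:443"},
    {"ts": 110, "host": "WS-01", "type": "process_access", "pid": 300,
     "target_image": "lsass.exe",
     "access": "PROCESS_VM_WRITE|PROCESS_CREATE_THREAD"},
    {"ts": 400, "host": "SRV-02", "type": "logon", "user": "alice",
     "logon_type": "network", "src_host": "WS-01"},
    {"ts": 402, "host": "SRV-02", "type": "process", "pid": 900, "ppid": 800,
     "image": "powershell.exe", "user": "alice"},
    # Benign: a scheduled admin script on an unrelated host.
    {"ts": 5000, "host": "WS-03", "type": "process", "pid": 50, "ppid": 10,
     "image": "powershell.exe", "user": "svc-backup"},
]


def _procs_by_host(events):
    """Index process-create records as (host, pid) -> record."""
    return {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}


def detect(events, lateral_window=600):
    """Per-endpoint rules first, then cross-endpoint correlation.
    Returns alerts sorted by time, each tagged with an ATT&CK technique."""
    procs = _procs_by_host(events)
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get((e["host"], e["ppid"]))
            # Rule 1: an Office application spawning a script interpreter.
            if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                               "rule": "office_spawns_script_host",
                               "attack": "T1059.001"})
        elif (e["type"] == "process_access" and e["target_image"] == "lsass.exe"
              and "PROCESS_VM_WRITE" in e["access"]):
            # Rule 2: write access to LSASS memory from a user process.
            alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                           "rule": "write_access_to_lsass", "attack": "T1055"})
    # Correlation: a host that already alerted becomes the source of a network
    # logon on another host within `lateral_window` seconds.
    first_alert = {}
    for a in alerts:
        first_alert[a["host"]] = min(first_alert.get(a["host"], a["ts"]), a["ts"])
    for e in events:
        if e["type"] == "logon" and e["logon_type"] == "network":
            src = e.get("src_host")
            if src in first_alert and 0 <= e["ts"] - first_alert[src] <= lateral_window:
                alerts.append({"ts": e["ts"], "host": e["host"], "pid": None,
                               "rule": "logon_from_alerting_host",
                               "attack": "T1021", "src_host": src})
    return sorted(alerts, key=lambda a: a["ts"])


def process_tree(events, host, pid):
    """Analyst timeline: the alerting process, its ancestors and descendants,
    plus the network and LSASS-access events tied to any of them."""
    procs = _procs_by_host(events)
    lineage = set()
    cur = procs.get((host, pid))
    while cur:                          # walk up to the root process
        lineage.add(cur["pid"])
        cur = procs.get((host, cur["ppid"]))
    children = defaultdict(list)
    for (h, p), rec in procs.items():
        if h == host:
            children[rec["ppid"]].append(p)
    stack = [pid]
    while stack:                        # walk down to every descendant
        p = stack.pop()
        lineage.add(p)
        stack.extend(children[p])
    rows = [e for e in events if e["host"] == host and e.get("pid") in lineage]
    return [f'{e["ts"]} {e["type"]:<14} pid={e["pid"]} '
            + (e.get("image") or e.get("dst") or e.get("target_image", ""))
            for e in sorted(rows, key=lambda e: e["ts"])]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("\n".join(process_tree(EVENTS, "WS-01", 300)))
```

The third alert only exists because the platform sees both hosts: neither the logon on SRV-02 nor the shell it spawned is suspicious on its own, which is the point made above about correlating across endpoints. The `lateral_window` parameter is the kind of tuning knob that separates a noisy deployment from a useful one.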
Where EDR adds the most value
EDR earns its place in three specific situations.
When your network perimeter has already failed
A phishing email got clicked. A contractor's compromised laptop connected. An attacker is now inside. EDR is the layer that catches what happened next, giving your SecOps team a forensic record to work from rather than a black box. The business outcome: faster containment, a credible incident report, and evidence for breach notification if it comes to that.
When you need to prove compliance posture to auditors
Regulations like PCI DSS, HIPAA, and SOC 2 require demonstrable evidence of endpoint monitoring and incident response capability. EDR platforms generate the logs and response audit trails that satisfy those requirements. The business outcome: cleaner audits, shorter questionnaire cycles, and less scrambling when a pen tester or external auditor asks for evidence.
When your team is dealing with alert fatigue from legacy tools
Traditional antivirus generates noise. EDR, when tuned well, gives you fewer, richer alerts with context already attached. The business outcome: analysts spend time investigating instead of triaging. Mean time to respond drops.
EDR use cases
Ransomware detection before encryption starts
Ransomware follows a predictable pattern: credential theft, privilege escalation, lateral movement, then mass file encryption. EDR can detect the earlier stages of that chain (suspicious process trees, unusual volume of file renames) before the payload fires. A well-configured EDR deployment can cut the time between initial compromise and containment from days to hours.
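The "unusual volume of file renames" signal mentioned above is a volumetric detection: count extension-changing renames per process inside a sliding time window and alert when the rate is something no user or ordinary application produces. The script below is an added example for this page, not logic from any EDR product; the rename records, the `threshold` and `window_s` values, and the field names are all constructed for illustration.

```python
"""Early-stage mass-encryption signal: a single process renaming many files to
a new extension within a short window. Added example, not any EDR product's
logic; thresholds, field names and events are constructed for illustration."""
from collections import defaultdict, deque
import os


def rename_burst_alerts(events, threshold=50, window_s=10):
    """`events` are file-rename records sorted by `ts`. Returns one alert per
    (host, pid) the first time it reaches `threshold` extension-changing
    renames inside any `window_s`-second window; later churn from the same
    process is not re-alerted, so the analyst gets one rich alert, not 200."""
    recent = defaultdict(deque)     # (host, pid) -> timestamps in the window
    alerted = set()
    alerts = []
    for e in events:
        if e["type"] != "file_rename":
            continue
        old_ext = os.path.splitext(e["old"])[1].lower()
        new_ext = os.path.splitext(e["new"])[1].lower()
        if old_ext == new_ext:
            continue                # same extension: a plain rename, not our pattern
        key = (e["host"], e["pid"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window_s:
            q.popleft()             # drop renames that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                           "image": e["image"], "renames_in_window": len(q),
                           "new_ext": new_ext})
    return alerts


def constructed_events():
    """Constructed telemetry mixing two benign rename patterns with one
    encryption-like burst. Not captured from a real system."""
    ev = []
    # Benign: a user renames 20 photos over two minutes, extension unchanged.
    for i in range(20):
        ev.append({"ts": 1000 + i * 6, "host": "WS-07", "pid": 4100,
                   "image": "explorer.exe", "type": "file_rename",
                   "old": f"C:/Users/bob/Pictures/IMG_{i}.jpg",
                   "new": f"C:/Users/bob/Pictures/holiday_{i}.jpg"})
    # Benign: a build tool renames 30 .tmp outputs to .o in about nine seconds.
    for i in range(30):
        ev.append({"ts": 1500 + i * 0.3, "host": "BUILD-01", "pid": 7712,
                   "image": "link.exe", "type": "file_rename",
                   "old": f"C:/build/obj/unit{i}.tmp",
                   "new": f"C:/build/obj/unit{i}.o"})
    # Suspicious: an unknown binary renames 200 spreadsheets to a new
    # extension at 20 ms intervals, the shape of bulk encryption starting.
    for i in range(200):
        ev.append({"ts": 2000 + i * 0.02, "host": "FS-02", "pid": 5320,
                   "image": "svchost32.exe", "type": "file_rename",
                   "old": f"D:/Shares/Finance/report_{i}.xlsx",
                   "new": f"D:/Shares/Finance/report_{i}.xlsx.locked"})
    return sorted(ev, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in rename_burst_alerts(constructed_events()):
        print(alert)
```

The build tool stays under the threshold and the photo renames never qualify, while the burst on FS-02 fires on its 50th rename, less than a second after it starts and long before the remaining 150 files are touched. In a real deployment the threshold is tuned per environment and backup or build processes that legitimately churn files are baselined, which is what "when tuned well" means in practice.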
Insider threat investigation
A departing employee starts bulk-downloading files from shared drives. An analyst flags the behaviour in the EDR console, traces the exact files touched, and confirms the scope of the exfiltration within minutes. Without the endpoint telemetry, the team would be guessing. With it, they have a timeline and a clean handoff to HR or legal.
Supply chain compromise hunting
After a software vendor is breached (the SolarWinds pattern), security teams need to know which of their endpoints ran the affected build and what it did while it was running. EDR's historical telemetry makes that query possible. You can search backwards across your entire fleet, days or weeks into the past.
Red team exercise validation
Pen testers simulate an attack. The blue team uses EDR to confirm detection coverage: did every technique get caught? Which ones slipped through? The output isn't just a pass/fail score; it's a prioritised list of detection gaps to close before a real attacker finds them.
Forensics after a confirmed breach
When an incident has already happened and legal or cyber insurance is involved, EDR logs become the primary evidence source. They establish the timeline, the blast radius, and what data was accessed. Many cyber insurers now require EDR coverage as a condition of a policy.
EDR vs. XDR
EDR (Endpoint Detection and Response) focuses on endpoints. XDR (Extended Detection and Response) pulls telemetry from endpoints, network, email, identity, and cloud into a single detection platform.
| Dimension | EDR | XDR |
|---|---|---|
| Primary function | Detect and investigate threats on endpoints | Detect and correlate threats across the full environment |
| Core output | Endpoint-level alert with process timeline | Cross-layer alert with correlated attack chain |
| Human role | Analyst investigates per-device telemetry | Analyst works from unified, multi-source incident view |
| Integration scope | Endpoint agents only | Endpoints plus network, email, cloud, identity |
| Key value | Deep endpoint forensics and response | Fewer silos, broader attack visibility |
EDR is the right choice when your primary concern is endpoint-level detection depth and forensics. XDR makes sense when you're trying to reduce the number of separate consoles your analysts work across. Many organisations run EDR as the endpoint component inside a broader XDR deployment.
