EDR (Endpoint Detection and Response)

A security solution that continuously monitors and records endpoint activity to detect, investigate, and respond to suspicious behavior and threats that traditional antivirus often misses.

What is EDR?

Endpoint Detection and Response (EDR) is a security technology that continuously records and analyzes activity on endpoint devices such as laptops, desktops, servers, and mobile devices to detect malicious behavior. The term was coined by Anton Chuvakin at Gartner in 2013. In practice, EDR installs a lightweight agent on each device that captures detailed telemetry about processes, files, network connections, and user actions in real time and streams it to a central platform, where it is analyzed and retained so that analysts can investigate after the fact.

How is EDR different from traditional antivirus?

  • Behavior, not just signatures: Antivirus matches files against a list of known malware, while EDR watches how a device behaves and flags known attack patterns (an Office application spawning a script interpreter, for example) even when the specific file involved has never been seen before.
  • Catches stealthy attacks: It can spot fileless malware that runs in memory and "living off the land" attacks that abuse legitimate system tools, which write no new file for antivirus to scan.
  • Layered, not replaced: Most modern EDR platforms still include signature-based detection underneath, so behavioral analysis is added on top rather than swapped in.

What can EDR do when a threat is found?

  • Investigate: Gives analysts the visibility to see exactly what happened and trace how an attacker moved across the device.
  • Respond directly: Supports actions like isolating a compromised device from the network, stopping a malicious process, or rolling back harmful changes before they spread.
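The signature-versus-behavior distinction above and the investigate step, as an added Python example (not code from this page or from any EDR product). It runs a hash denylist and a handful of behavioral rules over a constructed set of agent events for one host, then walks the process tree so the analyst sees the whole chain rather than a single process. The event field names (pid, ppid, image, cmdline, sha256, dst, dport), the hash values, and the containment policy at the end are assumptions made for the example.

```python
"""EDR-style detection and triage over endpoint telemetry.

Added example, not code from any EDR product or from the page's author.
The events below are constructed to resemble the process-creation and
network-connection telemetry an endpoint agent records; the field names
(pid, ppid, image, cmdline, sha256, dst, dport) are an assumption.
"""
import hashlib
import ntpath
from collections import defaultdict


def sha256_of(data: str) -> str:
    """Hash a string; used only to fabricate recognisable hashes for the sample."""
    return hashlib.sha256(data.encode()).hexdigest()


# Signature layer: a denylist of known-bad file hashes (constructed value).
KNOWN_BAD_SHA256 = {sha256_of("constructed-malware-sample")}

# Behavioral layer: the process classes the rules reason about.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry for one host: a macro-enabled document spawns an
# encoded PowerShell command, which connects out and drops a binary in %TEMP%.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": sha256_of("explorer")},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "invoice.docm"', "sha256": sha256_of("winword")},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": sha256_of("powershell")},
    {"type": "network", "pid": 300, "dst": "203.0.113.10", "dport": 8443},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "cmdline": "update.exe",
     "sha256": sha256_of("constructed-malware-sample")},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "sha256": sha256_of("notepad")},
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def index_processes(events):
    """pid -> process-creation event."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def is_encoded_command_flag(token: str) -> bool:
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so matching the literal "-EncodedCommand" alone would be trivial to evade.
    t = token.lower()
    return len(t) >= 2 and "-encodedcommand".startswith(t)


def signature_hits(procs, denylist):
    """Layer 1: file-hash match. Catches the dropped binary, not the living-off-the-land chain."""
    return {pid for pid, p in procs.items() if p["sha256"] in denylist}


def behavior_hits(events):
    """Layer 2: relationships between events, independent of any file hash."""
    procs = index_processes(events)
    pids_with_network = {e["pid"] for e in events if e["type"] == "network"}
    hits = defaultdict(list)
    for pid, p in procs.items():
        name = basename(p["image"])
        parent = procs.get(p["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        tokens = p["cmdline"].split()  # crude split; quoted arguments are not handled
        if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
            hits[pid].append("office_app_spawned_script_host")
        if name == "powershell.exe" and any(is_encoded_command_flag(t) for t in tokens):
            hits[pid].append("encoded_powershell_command")
        if name in SCRIPT_HOSTS and pid in pids_with_network:
            hits[pid].append("script_host_outbound_connection")
        if parent_name in SCRIPT_HOSTS and "\\temp\\" in p["image"].lower():
            hits[pid].append("script_host_launched_binary_from_temp")
    return dict(hits)


def lineage(procs, pid):
    """Investigation: walk parent links up to the root, oldest ancestor first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{basename(procs[pid]['image'])} ({pid})")
        pid = procs[pid]["ppid"]
    return chain[::-1]


def triage(events, denylist=KNOWN_BAD_SHA256):
    """Combine both layers and attach lineage so an analyst sees the whole chain."""
    procs = index_processes(events)
    sig = signature_hits(procs, denylist)
    beh = behavior_hits(events)
    findings = []
    for pid in sorted(sig | set(beh)):
        rules = beh.get(pid, [])
        # Illustrative containment policy (assumption, not any product's logic): a hash
        # match, or two or more behavioral rules on one process, warrants host isolation.
        action = "isolate_host" if pid in sig or len(rules) >= 2 else "alert"
        findings.append({"pid": pid, "signature_match": pid in sig, "rules": rules,
                         "lineage": lineage(procs, pid), "action": action})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid {f['pid']}: action={f['action']} signature={f['signature_match']}")
        print("  rules:   ", ", ".join(f["rules"]) or "-")
        print("  lineage: ", " -> ".join(f["lineage"]))
```

Run as written, the hash layer flags only pid 400 (the dropped binary), while the behavioral layer flags pid 300 three times over even though powershell.exe is a legitimate, signed Microsoft binary that no denylist will ever contain. The lineage output is what an analyst actually needs from the "investigate" step: explorer.exe opened Word, Word spawned PowerShell, PowerShell dropped the binary.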

How does EDR fit into broader security?

  • Feeds XDR: Extended Detection and Response correlates EDR data with signals from networks, cloud, and identity for wider visibility.
  • Powers MDR: Managed Detection and Response services pair EDR with human analysts who monitor, hunt, and respond around the clock.
  • Integrates with SIEM: EDR telemetry can flow into a SIEM to give an organization-wide view of security events.