What is EDR? Endpoint Detection and Response Explained

EDR platforms deploy a lightweight agent on every endpoint. That agent runs at kernel level (or as close to it as the OS allows) to intercept and record system events before they can be concealed by malware. Every process launch, every file write, every network connection, every registry modification is recorded and streamed to a cloud-based or on-premises analysis backend.

The analysis backend applies two detection layers. The first is signature and indicator matching: known malware hashes, malicious IP addresses, and published indicators of compromise are checked in near-real time. This layer handles commodity threats quickly and cheaply.

The second layer is behavioral detection: rules and machine learning models that identify attack patterns based on sequences of system activity rather than static file attributes. A process that launches cmd.exe, runs whoami, then attempts to dump lsass.exe memory is exhibiting credential dumping behavior even if every individual binary involved is a legitimate Windows component. Behavioral detection is what separates modern EDR from legacy AV.

These terms are frequently conflated in vendor marketing. The distinctions matter operationally.

Antivirus (AV) relies primarily on file-hash signatures and heuristics to block known malware at execution. It has minimal visibility into post-execution behavior and is largely ineffective against fileless attacks, living-off-the-land techniques, and novel malware families. No serious enterprise should rely on AV alone.

EDR extends protection to behavioral detection and adds response capabilities: the ability to isolate a compromised host from the network, kill malicious processes remotely, and collect forensic artifacts from an endpoint during an active incident.

XDR (Extended Detection and Response) extends the EDR data model beyond endpoints to cover network, cloud, identity, and email telemetry in a unified correlation engine. XDR reduces the data-silo problem that requires analysts to pivot across multiple tools during an investigation.

MDR (Managed Detection and Response) is a service, not a product. An MDR provider operates detection tools (often an EDR plus SIEM) on your behalf with 24/7 analyst coverage. MDR is the right model for organizations that cannot staff a SOC but need enterprise-grade detection.

EDR platforms excel at detecting post-exploitation activity on endpoints: process injection, credential dumping, privilege escalation, persistence mechanisms (scheduled tasks, registry run keys, service creation), and lateral movement originating from or arriving at the endpoint.

Living-off-the-land (LoTL) attacks are the hardest detection challenge. When attackers use legitimate Windows tools like PowerShell, WMI, certutil, or mshta to execute malicious actions, the EDR must distinguish malicious usage from the millions of legitimate daily executions of those same tools. This requires deep behavioral context (what was the parent process, what command-line arguments were used, what network connection followed) and high-quality detection logic developed from real incident response cases.

EDR has limited visibility into network-level attacks that do not touch endpoints, cloud API abuse that bypasses endpoint agents entirely, and hardware-level attacks below the OS. These gaps are why XDR and network detection tools remain necessary complements.

Detection without response capability is an alerting system, not a security control. Evaluate EDR response capabilities on three axes.

Containment: Can the platform isolate a compromised endpoint from the network in seconds without requiring physical access? Does isolation block all traffic, or can you whitelist specific IPs to maintain analyst visibility? Is containment reversible from the console without a local technician?

Active remediation: Can analysts remotely kill processes, delete persistence mechanisms, and quarantine files from the console during an active incident? Can these actions be automated for high-confidence detections like ransomware encryption behavior?

Forensic collection: Can the platform retrieve memory dumps, process listings, file system artifacts, and timeline reconstructions from a remote endpoint without deploying additional tooling? The speed at which analysts can collect evidence during an active intrusion directly determines whether the attacker achieves their objective before containment.

EDR is the most important detective control for endpoint threats. It does not prevent initial access but dramatically reduces attacker dwell time by surfacing post-exploitation activity that legacy AV and perimeter controls cannot see. The choice between leading platforms (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) should be driven by your OS environment mix, your SOC's detection engineering maturity, and your tolerance for vendor platform consolidation.