Who this page is for
IT and security leaders, SOC teams, procurement and anyone evaluating, rolling out or improving EDR.
What is EDR?
Endpoint Detection and Response (EDR) collects detailed telemetry from endpoints, detects suspicious behaviour in it and enables responses such as killing processes, quarantining files or isolating a device from the network, usually from a central console.
Difference from classic antivirus
Antivirus mostly matches known patterns (signatures and hashes of known malware). EDR analyses behaviour, captures context across processes, network and files, and records it so that an investigation can trace what happened and in which order. Modern solutions combine both.
Typical capabilities
Telemetry: processes, command lines, network, files, scripts.
Behaviour analytics: chains of activity, not just signatures.
Isolation: cut affected devices from the network.
Response: kill processes, collect files, automated workflows.
Forensics: retrospective search over recorded activity, limited by how long the telemetry is retained.
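The difference between pattern matching and behaviour analytics is easiest to see on concrete telemetry. The following is an added example, not code from the original page or any EDR product: it runs a chain-based rule over a handful of constructed process events (the field names, the sample command lines and the scoring weights are all assumptions) and contrasts it with an exact-match signature, which sees nothing unusual in the same data.

```python
"""Added example: behaviour-chain detection over constructed EDR-style process telemetry.
Not from the original page or any vendor. Event fields, sample data, rule and weights are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    net_dest: Optional[str] = None  # outbound connection recorded for this process, if any


# Constructed sample telemetry (not real logs). "SQBFAFgA" is "IEX" encoded as UTF-16LE/base64.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", "alice"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              'WINWORD.EXE /n "invoice.docm"', "alice"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA", "alice", net_dest="203.0.113.10:443"),
    # Same binary, but launched by the user from explorer with a plain script path: benign admin work.
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1", "alice"),
    ProcEvent(500, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "SYSTEM",
              net_dest="10.0.0.5:445"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# "-enc" also covers "-encodedcommand" as a substring.
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")

# What a pure signature approach looks like: one exact string per known sample. Assumed, constructed entry.
KNOWN_BAD_CMDLINES = {"powershell.exe -enc aQBlAHgA"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def signature_only(events):
    """Flag only events whose command line exactly matches a known-bad entry."""
    return [e.pid for e in events if e.cmdline in KNOWN_BAD_CMDLINES]


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Return the process chain from the root down to pid (cycle-safe)."""
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return list(reversed(chain))


def evaluate(index, ev):
    """Score one process by its ancestry, command line and network context. Returns (score, reasons)."""
    reasons, score = [], 0
    if basename(ev.image) not in SCRIPT_HOSTS:
        return 0, reasons
    parents = [basename(p.image) for p in ancestry(index, ev.pid)[:-1]]
    if any(p in OFFICE_APPS for p in parents):
        score += 50
        reasons.append("script host spawned under an Office application")
    low = ev.cmdline.lower()
    hits = [f for f in SUSPICIOUS_FLAGS if f in low]
    if hits:
        score += 20 * len(hits)
        reasons.append("suspicious flags: " + ", ".join(hits))
    if ev.net_dest:
        score += 20
        reasons.append(f"outbound connection to {ev.net_dest}")
    return score, reasons


def detect_chains(events, threshold=70):
    """Return alerts for processes whose combined behaviour score reaches the threshold."""
    index = build_index(events)
    alerts = []
    for ev in events:
        score, reasons = evaluate(index, ev)
        if score >= threshold:
            chain = " -> ".join(basename(p.image) for p in ancestry(index, ev.pid))
            alerts.append({"pid": ev.pid, "score": score, "chain": chain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_only(SAMPLE_EVENTS))
    for a in detect_chains(SAMPLE_EVENTS):
        print(f"pid {a['pid']} score {a['score']}: {a['chain']}")
        for r in a["reasons"]:
            print("  -", r)
```

On the sample data the signature check returns nothing, while the chain rule flags only pid 300: the same PowerShell binary launched from explorer with a plain script path (pid 400) scores zero. No single field decides the verdict; the parent chain, the command-line flags and the network connection are combined, which is what "chains of activity, not just signatures" means in practice.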
Limits of EDR
EDR only protects where an agent is installed, running and allowed to collect telemetry. Servers without agents, third-party systems, unmanaged devices and agents that have stopped reporting fall outside its view. Without analysis by a SOC or MDR, much of the value is lost.
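The coverage gap is measurable if the asset inventory is compared against the EDR console's own view of its agents. The following is an added example, not from the original page or any product: it reconciles a constructed inventory export with a constructed agent export (the field names, the "detect_only" mode and the seven-day staleness threshold are assumptions) and lists each host by the reason it is not fully covered, including the reverse gap of agents that report but are missing from the inventory.

```python
"""Added example: reconcile an asset inventory with an EDR agent export to find coverage gaps.
Not from the original page or any vendor. Field names, sample records and thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the result is reproducible
STALE_AFTER = timedelta(days=7)  # assumed: an agent silent for longer is treated as a blind spot

# Constructed CMDB export (not real data)
ASSETS = [
    {"host": "ws-001", "type": "workstation", "managed": True},
    {"host": "ws-002", "type": "workstation", "managed": True},
    {"host": "srv-db-01", "type": "server", "managed": True},
    {"host": "srv-legacy-01", "type": "server", "managed": True},
    {"host": "vendor-kiosk-1", "type": "appliance", "managed": False},
]

# Constructed EDR console export (not real data); "mode" is an assumed field
AGENTS = [
    {"host": "WS-001", "last_seen": NOW - timedelta(hours=1), "mode": "protect"},
    {"host": "ws-002", "last_seen": NOW - timedelta(days=30), "mode": "protect"},      # stopped reporting
    {"host": "srv-db-01", "last_seen": NOW - timedelta(minutes=5), "mode": "detect_only"},  # visibility, no response
    {"host": "lab-vm-7", "last_seen": NOW - timedelta(minutes=2), "mode": "protect"},  # unknown to the CMDB
]


def coverage_report(assets, agents, now=NOW, stale_after=STALE_AFTER):
    """Bucket every inventoried host by coverage state and list agents the inventory does not know."""
    by_host = {a["host"].lower(): a for a in agents}
    report = {"covered": [], "no_agent": [], "stale": [], "detect_only": [], "unmanaged": []}
    for asset in assets:
        h = asset["host"].lower()
        agent = by_host.get(h)
        if not asset["managed"]:
            report["unmanaged"].append(h)       # outside the deployment scope, still a gap to record
        elif agent is None:
            report["no_agent"].append(h)
        elif now - agent["last_seen"] > stale_after:
            report["stale"].append(h)           # installed, but no telemetry has arrived for a while
        elif agent["mode"] != "protect":
            report["detect_only"].append(h)     # collects telemetry, cannot isolate or kill
        else:
            report["covered"].append(h)
    inventory_hosts = {a["host"].lower() for a in assets}
    report["agent_not_in_inventory"] = sorted(set(by_host) - inventory_hosts)
    return report


def coverage_ratio(report):
    """Share of managed, inventoried hosts that are covered by a live agent in protect mode."""
    managed = sum(len(report[k]) for k in ("covered", "no_agent", "stale", "detect_only"))
    return len(report["covered"]) / managed if managed else 0.0


if __name__ == "__main__":
    rep = coverage_report(ASSETS, AGENTS)
    for bucket, hosts in rep.items():
        print(f"{bucket:24s} {hosts}")
    print(f"coverage: {coverage_ratio(rep):.0%}")
```

Of the four managed hosts only one is actually covered: one has no agent, one has an agent that went silent a month ago, and one is visible but cannot be contained. The host that reports but is absent from the inventory points at the opposite problem, an inventory that does not know what is in the environment.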
Value for SOC and incident response
For a SOC, EDR is often the most important log source because endpoints are the primary target. During an incident it supplies the telemetry investigators need to establish scope and enables fast containment of affected devices.
Checklist
- EDR rolled out to all relevant endpoints
- Server workloads included
- Telemetry forwarded to SIEM or detection platform
- Clear ownership of analysis
- Playbooks for typical EDR alerts
- Update and exception management defined
Frequently asked questions
+Do I still need classic antivirus?
Modern EDR usually includes classic signature-based protection. Running two real-time protection products side by side often causes more problems (driver conflicts, performance, duplicate alerts) than benefits.
+Does EDR replace a SOC?
No. Without human analysis and context, value is left on the table. EDR provides the data; the SOC or MDR interprets it.
+How does EDR relate to XDR?
[XDR](/en/xdr) extends the endpoint view to further sources such as identity, mail and cloud.
Related topics
XDR combines telemetry from multiple sources to detect threats faster and with better context. This page positions the term beyond marketing.
MDR is an externally run detection and response service. For many organisations it is the pragmatic path to 24/7 detection without a full in-house SOC.
A security operations centre combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them. This page covers tasks, models and common pitfalls.
A SIEM aggregates log and telemetry data, correlates it and provides the foundation for detection and incident response. This page covers function, important data sources and common mistakes.
A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.
Ransomware remains one of the most expensive cyber risks. It is typically the result of a chain of weaknesses rather than a single click. This page covers typical patterns, effective controls and an orderly first response.