GLOSSARY · TOOLING

EDR

Endpoint Detection and Response: an agent that records endpoint activity, detects suspicious behavior, and lets responders isolate or remediate machines remotely.

EDR replaced traditional antivirus as the primary endpoint security control. Where antivirus matched files against a signature database, EDR agents record a continuous stream of what is happening on the machine: processes spawned, files created, network connections made, registry keys modified. That telemetry feeds detection logic (rules, behavioral heuristics, sometimes ML models) that flags suspicious chains of activity rather than waiting to match a known bad file hash.

The “response” half of the name matters. An analyst who sees a suspicious process tree on a remote machine can isolate that machine from the network with a single action, preventing lateral movement while preserving the machine for forensic review. Scripted response playbooks can run automatically for high-confidence detections. That containment speed is what has made EDR a meaningful part of reducing dwell time (the interval between attacker entry and detection).

EDR is not a set-and-forget tool. Alerts require triage; false positives exist. Attackers who know an EDR vendor’s detection logic have developed techniques to evade specific products. Coverage gaps matter: unmanaged devices, network equipment, and cloud workloads that cannot run an agent are invisible. For organizations without a 24-hour security operations function, a managed detection and response (MDR) service that includes EDR monitoring may deliver more actual value than a self-operated platform.