EDR

Endpoint Detection and Response

Endpoint Detection and Response — agent-based platform that records endpoint telemetry and supports investigation and response.

Why it matters

It is now a near-universal control — PCI DSS 5.2.2, SOC 2 CC7.1, ISO 27001 A.8.7, HIPAA 164.308(a)(5)(ii)(B) and most cyber-insurance questionnaires effectively require it. It sees what a log-only SIEM cannot, and can isolate a compromised host in seconds.

How it's tested & exploited

Coverage is validated under realistic adversary-simulation conditions — does the agent actually detect and contain post-exploitation behaviour, or are there blind spots on unmanaged devices, BYOD, OT and certain server workloads? Retrospective threat hunting across historical telemetry tests visibility when a new IOC drops.

In depth

Endpoint Detection and Response (EDR) is the modern descendant of antivirus. An EDR agent runs on every endpoint in scope (workstations, servers, in some cases mobile devices), continuously records granular telemetry — process creation, file system writes, registry changes, network connections, command-line arguments, parent-child relationships, loaded modules, script content — and ships it to a cloud-side analysis backend. Detection is then a combination of vendor-supplied behavioural analytics, custom detection rules, and threat-intelligence indicators applied to that telemetry stream. CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, and Carbon Black are the dominant commercial platforms; open-source coverage exists through projects like Wazuh and Velociraptor.

The "Response" half of the acronym matters as much as detection. A modern EDR can isolate an endpoint from the network at the kernel level (allowing the EDR backend to still reach in but blocking everything else), terminate processes, quarantine files, kill network connections, run custom remediation scripts, capture memory dumps and disk artefacts, and roll back ransomware-encrypted files (where supported). These response actions are typically callable from the SOAR playbook, which is how a phishing-click on a payroll laptop becomes an automatically isolated host within seconds of the detonation.

EDR's strengths are visibility and response speed — the agent sees what a SIEM that only consumes Windows Event Logs cannot — and the ability to do retrospective threat hunting across weeks of historical telemetry when a new IOC drops. The weaknesses are agent footprint (CPU and memory overhead, plus the non-zero risk of agent-induced kernel panics, as the 2024 CrowdStrike incident illustrated), licence cost, and coverage gaps on unmanaged devices, BYOD, OT and certain server workloads where agent installation is not feasible.
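The three paragraphs above describe the pipeline in words: the agent records process-creation telemetry with parent-child and command-line context, behavioural rules and IOC matches fire on that stream, a SOAR playbook turns alerts into isolation or process kills, and the retained telemetry can be re-queried when an IOC is published later. The following is an added, miniature illustration of that pipeline; it is not code from any EDR product named on this page, and the events, hostnames, hashes and rule names are all constructed placeholders.

```python
# Added example: a toy EDR detection pass over constructed process-creation telemetry.
# Everything below (fields, hashes, hostnames, rule names) is hypothetical.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry: what an agent would ship for three process starts.
TELEMETRY = [
    {"ts": "2024-05-01T09:12:03Z", "host": "payroll-lt-07", "ppid": 3300, "pid": 4120,
     "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n Invoice_0423.docm", "sha256": "HASH_WINWORD_PLACEHOLDER"},
    {"ts": "2024-05-01T09:12:09Z", "host": "payroll-lt-07", "ppid": 4120, "pid": 4188,
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed-placeholder>",
     "sha256": "HASH_POWERSHELL_PLACEHOLDER"},
    {"ts": "2024-05-01T09:40:00Z", "host": "fileserver-02", "ppid": 700, "pid": 2210,
     "parent": "services.exe", "image": "updater.exe",
     "cmdline": "updater.exe --silent", "sha256": "HASH_UPDATER_PLACEHOLDER"},
]

def behavioural_rules(ev):
    """Behavioural analytics applied to one event; returns the names of rules that fired."""
    fired = []
    # Parent-child context: an Office application launching a script host.
    if ev["parent"] in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
        fired.append("office_spawns_script_host")
    # Command-line context: " -enc" also covers the long form "-EncodedCommand".
    if " -enc" in ev["cmdline"].lower():
        fired.append("encoded_powershell")
    return fired

def detect(events, ioc_hashes):
    """One pass over the telemetry stream: behavioural rules plus threat-intel hash matches."""
    alerts = []
    for ev in events:
        for rule in behavioural_rules(ev):
            alerts.append({"host": ev["host"], "pid": ev["pid"], "rule": rule})
        if ev["sha256"] in ioc_hashes:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "rule": "ioc_hash_match"})
    return alerts

def response_plan(alerts):
    """Map alerts to EDR response actions, the way a SOAR playbook would call them."""
    isolate = {a["host"] for a in alerts if a["rule"] == "office_spawns_script_host"}
    kill = {(a["host"], a["pid"]) for a in alerts if a["rule"] != "ioc_hash_match"}
    return {"isolate_hosts": sorted(isolate), "kill_processes": sorted(kill)}

def retro_hunt(events, new_ioc_hashes):
    """Retrospective hunt: hosts that already ran a binary matching an IOC published later."""
    return sorted({ev["host"] for ev in events if ev["sha256"] in new_ioc_hashes})
```

Real platforms apply hundreds of such rules with severity scoring and suppression; the point here is only that the parent-child and command-line fields the agent records are what make the Office-to-PowerShell chain visible at all, and that the retained history is what makes the later IOC hunt possible.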

EDR is now a near-universal control. PCI DSS v4.0 Requirement 5.2.2 (anti-malware), SOC 2 CC7.1, ISO 27001 Annex A.8.7 (Protection against malware), HIPAA Security Rule 164.308(a)(5)(ii)(B), and most cyber-insurance underwriting questionnaires effectively require it. See adversary simulation services for validating EDR coverage under realistic conditions.

Apply EDR to your programme

AxVeil scopes engagements against the standard you need to satisfy. Send the asset list, the target framework and the audit deadline — we respond with a fixed-fee proposal and a sample report from a comparable engagement.