
What is EDR? Endpoint detection and response explained.

A vendor-neutral definition. What endpoint detection and response actually collects, how it detects, and how each capability translates into a price line on the quote you will receive.

Last verified April 2026

Definition

EDR is a security category that combines four capabilities at the device layer: continuous endpoint telemetry collection, behavioural detection of attack techniques, threat-hunting tooling for proactive investigation, and automated or analyst-led response. The endpoint in EDR is the workstation, server, or mobile device. EDR is the layer of defense that sits at the device, complementing firewall, email, and identity layers above it.

The category was named by Gartner’s Anton Chuvakin in a July 2013 blog post, originally as endpoint threat detection and response (ETDR) and soon shortened to EDR, to describe tools that recorded endpoint activity continuously and supported investigation, as distinct from prevention-only antivirus. EDR has since expanded to bundle next-generation antivirus, automated response, and integration into broader extended-detection-and-response (XDR) platforms.

What EDR collects

An EDR agent on each endpoint collects a stream of system events. The exact set varies by product but typically includes: process execution (every binary that runs, with its parent process and command-line arguments), file-system events (creation, modification, deletion, at least in sensitive paths), registry changes (the Windows persistence mechanisms), network connections initiated by the endpoint (which process, to which destination, on which port), authentication events (logons, privilege elevations), script content as executed (PowerShell script blocks, WMI activity, JScript and VBScript), image loads (DLLs and drivers), and cross-process operations such as remote thread creation and memory writes, which are the signals of process injection.

Most EDR products send a subset of these events to a cloud backend for retention and correlation, while keeping a richer ring buffer of events locally on the endpoint for short-term replay. Cloud retention windows are the biggest cost lever in this category: thirty days is common as a default, ninety days is a common mid-tier upgrade, and one-year retention is typically a premium SKU.

How EDR detects

EDR detection works on three overlapping mechanisms, plus a labelling layer applied to all of them. Behavioural rules match observed event sequences against patterns of attack technique (a process spawning a script interpreter that then opens a network connection on an unusual port, for example). Most products ship with thousands of vendor-authored rules and let customers add their own.

Machine-learning models classify processes, scripts, and binaries on richer feature sets than legacy AV, including memory layout and call patterns. Indicator-of-compromise matching flags any event involving a known-bad hash, IP, or domain from threat-intelligence feeds; it tells you what was seen rather than how it got there. MITRE ATT&CK technique mapping is the labelling layer: it tags every alert with the technique it represents (T1059 command and scripting interpreter, T1055 process injection, and so on), letting analysts evaluate detection coverage against a public taxonomy rather than against a vendor’s private rule names.

The qualitative shift from AV to EDR is from “match this file” to “this sequence of events looks like an intrusion”. The shift is the reason EDR detects fileless and living-off-the-land attacks that evade signature-based AV.
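To make the sequence-versus-signature distinction concrete, here is an added example (not code from the page or from any vendor) of a behavioural rule and an IOC rule run over a constructed stream of endpoint events of the kind listed under "What EDR collects". The sequence rule only fires when an Office process spawns a script host with suspicious arguments and that same process then connects out within a time window; neither stage alone is an alert. The IOC rule flags a known-bad hash and destination. Event fields, rule names, thresholds, the IOC values and all of the sample telemetry are assumptions made for illustration.

```python
# Added example, not code from the page or any vendor: a minimal behavioural
# detection pass over a constructed stream of endpoint events. It shows a
# stateful sequence rule (Office app spawns a script host with suspicious
# arguments, which then opens an outbound connection), indicator matching on
# a hash and a destination IP, and ATT&CK technique tags on the resulting
# alerts. Event fields, rule names, IOC values and telemetry are all made up.
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int            # seconds; only differences matter here
    host: str
    kind: str          # "process", "network" or "file"
    pid: int
    ppid: int
    image: str         # full path of the executing binary
    cmdline: str = ""
    parent_image: str = ""
    dst: str = ""      # "ip:port" for network events
    sha256: str = ""   # for file events: hash of the written/executed file


@dataclass
class Alert:
    rule: str
    host: str
    pid: int
    techniques: list   # ATT&CK IDs; empty for a bare IOC hit
    evidence: list = field(default_factory=list)


# Constructed sample telemetry (not real data). 203.0.113.0/24 is a
# documentation range; the hash below is an arbitrary placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    Event(1, "ws01", "process", 4100, 900, WORD, 'WINWORD.EXE /n "invoice.docx"',
          parent_image=r"C:\Windows\explorer.exe"),
    Event(2, "ws01", "process", 4120, 4100, PS,
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3",  # truncated, constructed
          parent_image=WORD),
    Event(3, "ws01", "network", 4120, 4100, PS, dst="203.0.113.10:8443"),
    Event(4, "ws02", "process", 5000, 700, r"C:\Windows\System32\cmd.exe",
          "cmd.exe /c whoami", parent_image=r"C:\Windows\explorer.exe"),
    Event(5, "ws02", "file", 5000, 700, r"C:\Windows\System32\cmd.exe",
          sha256="0" * 63 + "1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring")
KNOWN_BAD_SHA256 = {"0" * 63 + "1"}      # assumed threat-intel feed content
KNOWN_BAD_IPS = {"203.0.113.10"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def behavioural_rules(events, window_s: int = 30):
    """Sequence rule: an Office process spawns a script host with suspicious
    arguments, and that same process makes an outbound connection within
    window_s seconds. Neither stage alone raises the alert; the pairing does."""
    alerts, staged = [], {}          # staged: (host, pid) -> spawn event
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if (ev.kind == "process"
                and basename(ev.parent_image) in OFFICE_APPS
                and basename(ev.image) in SCRIPT_HOSTS
                and any(a in ev.cmdline.lower() for a in SUSPICIOUS_ARGS)):
            staged[key] = ev
        elif ev.kind == "network" and key in staged and ev.ts - staged[key].ts <= window_s:
            alerts.append(Alert("office_spawns_script_host_then_connects", ev.host, ev.pid,
                                ["T1204.002", "T1059.001"], [staged.pop(key), ev]))
    return alerts


def ioc_rules(events):
    """Indicator matching: says what was seen, not how it got there, so these
    alerts carry no technique tag of their own."""
    alerts = []
    for ev in events:
        if ev.sha256 and ev.sha256 in KNOWN_BAD_SHA256:
            alerts.append(Alert("ioc_hash_match", ev.host, ev.pid, [], [ev]))
        if ev.kind == "network" and ev.dst.split(":")[0] in KNOWN_BAD_IPS:
            alerts.append(Alert("ioc_destination_match", ev.host, ev.pid, [], [ev]))
    return alerts


def detect(events):
    return behavioural_rules(events) + ioc_rules(events)


def technique_coverage(alerts):
    """The ATT&CK view an analyst uses to see which techniques the rule set fires on."""
    return sorted({t for a in alerts for t in a.techniques})


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a.host, a.rule, a.techniques)
    print("techniques seen:", technique_coverage(found))
```

Two things the paragraph alone does not show: the same PowerShell launch from explorer.exe (a user typing at a prompt) never enters the staged table, and the bare IOC hits carry no technique, which is why coverage reports built only from IOC alerts look empty on an ATT&CK matrix.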

What EDR responds with

Response actions in EDR fall on a spectrum from automatic to analyst-led. Process termination kills a running attack tool. Network isolation cuts the endpoint off from everything except the EDR vendor backend, containing lateral movement. File quarantine moves a malicious artefact to a vault. Shell-level remediation lets an analyst run commands on the endpoint remotely. Automated playbooks stitch these into sequences (isolate the host, kill the process, copy the binary for analysis, ticket the analyst).

The line between automatic and analyst-led response is a major price differentiator. Tier-1 EDR products require a human to approve every response action. Tier-2 products run prebuilt playbooks autonomously on high-confidence detections. Tier-3 products run customised playbooks, integrate with external SOAR platforms, and provide audit trails of every action.
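The tier distinction above is a policy decision about when an action may run without a human, and it is worth seeing the gate enforced rather than described. The following is an added example (not code from the page or any product): a response engine that, for each action in a playbook, either executes it automatically or queues it for analyst approval, refuses to auto-isolate hosts on a protected list, and writes an audit entry for every decision. Playbook contents, the confidence threshold, host names and action names are assumptions; the "actions" only update an in-memory host state rather than touching a real endpoint.

```python
# Added example, not code from the page or any product: a response gate of
# the kind the tier description implies. Decides per action whether to
# execute automatically or queue for analyst approval, never auto-isolates a
# protected host (domain controllers, say), and audits every decision.
# Thresholds, host names, playbooks and action names are assumptions; actions
# update an in-memory HostState only.
from dataclasses import dataclass, field


@dataclass
class Alert:
    alert_id: str
    host: str
    pid: int
    severity: str      # "low", "medium", "high"
    confidence: float  # 0.0..1.0, as scored by the detection engine


@dataclass
class HostState:
    isolated: bool = False
    killed_pids: set = field(default_factory=set)
    quarantined: list = field(default_factory=list)


def playbook_for(alert: Alert):
    """Which actions a detection of this severity triggers, in order (assumed)."""
    if alert.severity == "high":
        return ["kill_process", "quarantine_file", "isolate_host"]
    if alert.severity == "medium":
        return ["kill_process", "quarantine_file"]
    return []


class ResponseEngine:
    def __init__(self, mode="autonomous", auto_threshold=0.9, protected_hosts=()):
        self.mode = mode                     # "analyst_led" queues every action
        self.auto_threshold = auto_threshold
        self.protected = set(protected_hosts)
        self.hosts = {}                      # host -> HostState
        self.pending = {}                    # ticket -> (alert, action)
        self.audit = []                      # one record per decision, executed or not

    def decide(self, alert, action):
        if self.mode == "analyst_led":
            return "queue", "mode requires analyst approval"
        if alert.confidence < self.auto_threshold:
            return "queue", f"confidence {alert.confidence:.2f} below {self.auto_threshold}"
        if action == "isolate_host" and alert.host in self.protected:
            return "queue", "isolation of protected host needs approval"
        return "execute", "auto: high-confidence detection"

    def _apply(self, alert, action):
        state = self.hosts.setdefault(alert.host, HostState())
        if action == "kill_process":
            state.killed_pids.add(alert.pid)
        elif action == "quarantine_file":
            state.quarantined.append(alert.alert_id)
        elif action == "isolate_host":
            state.isolated = True

    def handle(self, alert):
        """Run the playbook; return the tickets left waiting for an analyst."""
        for action in playbook_for(alert):
            decision, why = self.decide(alert, action)
            ticket = f"{alert.alert_id}/{action}"
            if decision == "execute":
                self._apply(alert, action)
            else:
                self.pending[ticket] = (alert, action)
            self.audit.append({"ticket": ticket, "host": alert.host, "action": action,
                               "decision": decision, "actor": "engine", "reason": why})
        return [t for t in self.pending if t.startswith(alert.alert_id + "/")]

    def approve(self, ticket, analyst):
        alert, action = self.pending.pop(ticket)
        self._apply(alert, action)
        self.audit.append({"ticket": ticket, "host": alert.host, "action": action,
                           "decision": "execute", "actor": analyst, "reason": "analyst approved"})

    def state(self, host):
        return self.hosts.get(host, HostState())


if __name__ == "__main__":
    eng = ResponseEngine(protected_hosts=["dc01"])
    print(eng.handle(Alert("A1", "ws01", 4120, "high", 0.97)))   # [] : all ran
    print(eng.handle(Alert("A2", "dc01", 600, "high", 0.95)))    # isolation queued
    for rec in eng.audit:
        print(rec)
```

The protected-host check is the part most often missing from a first playbook: killing a process on a domain controller is recoverable, isolating it from the network is an outage, so the two actions get different gates even on the same high-confidence alert.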

How EDR fits in the security stack

EDR sits above antivirus, which it usually replaces. Most modern EDR products include NGAV as the prevention layer; running both legacy AV and EDR is generally a wasted licence except where compliance mandates a separately-named AV product. EDR sits beside email security (Proofpoint, Mimecast, Microsoft Defender for Office 365), identity protection (Okta, Entra), and cloud workload protection (Wiz, Lacework, Aqua, Prisma) without overlapping their telemetry sources. EDR sits below XDR, which adds those telemetry sources into a single correlated platform.

Beside EDR is MDR, managed detection and response, which is a service wrapper. MDR providers monitor your EDR (or their EDR) twenty-four hours a day and respond on your behalf. MDR is not an alternative to EDR; it is an operational layer over the top. Our EDR vs MDR page works through the layered cost stack.

The cost consequence of the definition

Each capability has a price line. Telemetry retention is the largest variable cost in the category: doubling the retention window roughly doubles the cloud-side storage burden, and that burden shows up in the licence rate. Detection-rule management is what most increases internal operating cost: vendor-supplied rules cover commodity attacks, but environment-specific tuning is FTE work that compounds in year two. Response automation is often a higher-tier SKU; the SOAR-grade integration capabilities are gated.

The capability-to-cost map is the bridge to the rest of this site. The pricing models page walks through how these capabilities show up in vendor quote structures. The total cost of ownership page enumerates the five categories that make the licence figure misleading on its own. The budget calculator takes a quoted rate and produces a defensible year-one number.

Frequently asked questions about EDR

Is EDR the same as antivirus?
No. Antivirus is a sub-component of what EDR does. Legacy antivirus matches files against signatures. Next-generation antivirus adds machine-learning detection on file behaviour. EDR adds continuous endpoint telemetry (process, registry, network, command-line), behavioural detection mapped to MITRE ATT&CK techniques, threat-hunting tooling for proactive search, and response actions that can isolate or remediate the device. Most EDR products include NGAV as their prevention layer; you should not pay for both separately.
What does EDR stand for?
EDR stands for endpoint detection and response. The term was coined by Anton Chuvakin in a Gartner blog post in July 2013, originally as endpoint threat detection and response (ETDR) and soon shortened, to describe a then-emerging category of tools that recorded endpoint activity continuously and supported analyst-led investigation, distinct from prevention-focused antivirus. The category has expanded since to include automated response, threat hunting, and integration into broader detection platforms.
How is EDR different from XDR?
EDR collects telemetry from endpoints only: workstations, servers, mobile devices. XDR adds telemetry from identity providers, email, cloud workloads, and network. The cost consequence is that EDR sits in the three to fifteen dollar per endpoint per month range; XDR starts at six to eighteen dollars per endpoint per month and adds per-workload and per-GB ingest line items. For most organisations under 500 endpoints with outsourced email and Microsoft-managed identity, EDR is sufficient. XDR is worth the premium when consolidating four or more separate point security tools or when the threat model genuinely requires cross-layer correlation.
Do I need EDR if I have a firewall?
Yes for most organisations in 2026. A firewall protects the network perimeter; EDR protects the endpoint. Endpoints are now the primary initial-access vector in published breach data (Verizon DBIR 2025). Firewall-only defense leaves you blind to phishing, credential abuse, supply-chain compromises, and any attack that traverses the perimeter through a legitimate channel, such as an HTTPS session from a user’s browser. Cyber-insurance underwriters in 2026 expect both layers, not one.