Endpoint detection and response, commonly called EDR, is a cybersecurity technology that monitors laptops, desktops, servers, and other endpoints for suspicious activity. EDR tools collect endpoint telemetry, detect signs of compromise, support investigation, and give security teams ways to respond when malicious behavior is found.
EDR is used to identify activity such as malware execution, credential theft, suspicious PowerShell commands, privilege escalation, persistence, lateral movement, and unauthorized access attempts.
The goal of EDR is not only to block known threats. It is to give security teams visibility into what happened on an endpoint, how far the activity spread, and what action should be taken next.
EDR tools typically use an endpoint agent installed on each protected device. That agent collects activity from the device and sends telemetry back to a central platform. Security teams can then review alerts, investigate activity, isolate devices, stop processes, remove files, or take other response actions.
Common EDR functions include:
EDR is built to catch behavior that may not be obvious from a single file or alert. A login by itself may look normal. A script by itself may look normal. The value of EDR is that it can connect activity on the device and show when those actions start to look like an attack.
Common detections include suspicious process chains, credential dumping, malicious scripts, unauthorized remote access, persistence mechanisms, ransomware behavior, and unusual connections from a device.
Endpoints are one of the most common places where attacks begin. Users open attachments, click links, download files, connect from unmanaged networks, and use applications that attackers can abuse. Servers and workstations also contain credentials, sensitive data, and access paths into the rest of the environment.
Without EDR, security teams may not know when an endpoint has been compromised or how the attacker moved after the first action.
Traditional antivirus focuses mainly on preventing known malware. It usually relies on signatures, file reputation, and known indicators.
EDR goes further. It watches behavior, records activity, and supports investigation after something suspicious happens. This matters because many attacks do not look like a simple malicious file. They may involve stolen credentials, legitimate admin tools, scripts, or living-off-the-land techniques.
EDR focuses on endpoint telemetry. XDR, or extended detection and response, brings together telemetry from multiple security layers, such as endpoint, identity, email, network, cloud, and SaaS.
EDR answers what happened on a device. XDR tries to connect that device activity to a broader attack story.
Even strong EDR tools can leave gaps when they are not fully deployed or properly configured. Common problems include:
These gaps create a false sense of coverage. A company may believe it has endpoint visibility because it owns an EDR product, but ownership is not the same as protection.
When evaluating EDR, organizations should look beyond the feature list. Important questions include: