Overview
Direct Answer
Endpoint Detection and Response (EDR) is a cybersecurity platform that continuously monitors endpoint devices, such as desktops, laptops, and servers, to identify, investigate, and contain advanced threats in real time. It combines behavioural analytics with forensic capabilities to detect malicious activity that traditional antivirus solutions may miss.
How It Works
EDR agents installed on endpoints collect telemetry data including process execution, network connections, file modifications, and registry changes. This data is analysed against threat intelligence and behavioural baselines to identify anomalies. Upon threat detection, EDR platforms enable security teams to isolate affected devices, terminate malicious processes, and perform deep forensic investigation to understand attack scope and origin.
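As an added illustration (not code from this page or from any EDR product), the following Python sketch shows the two detection ideas in the paragraph above: a per-host behavioural baseline of process lineages learned from telemetry, plus a fixed high-risk rule applied regardless of baseline, followed by a simple containment decision. The telemetry records and the list of risky parent/child pairs are constructed for the example.

```python
from collections import defaultdict

# Constructed telemetry: (host, parent_image, child_image). A real agent also
# carries PIDs, hashes, user, command line, timestamps and network context.
BASELINE_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe"),
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("srv01", "services.exe", "svchost.exe"),
    ("srv01", "sqlservr.exe", "sqlagent.exe"),
]
LIVE_EVENTS = [
    ("ws01", "explorer.exe", "chrome.exe"),      # matches baseline
    ("ws01", "winword.exe", "powershell.exe"),   # high-risk lineage
    ("srv01", "services.exe", "svchost.exe"),    # matches baseline
    ("srv01", "sqlservr.exe", "cmd.exe"),        # never seen on this host
]

# Constructed rule set: lineages flagged regardless of baseline. A document
# handler launching an interpreter is a classic indicator of a malicious file.
HIGH_RISK_PAIRS = {
    ("winword.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
    ("excel.exe", "powershell.exe"),
}

def build_baseline(events):
    """Per-host set of (parent, child) pairs seen during the learning window."""
    baseline = defaultdict(set)
    for host, parent, child in events:
        baseline[host].add((parent, child))
    return baseline

def evaluate(events, baseline):
    """Score live events; returns (host, parent, child, severity, reason)."""
    alerts = []
    for host, parent, child in events:
        pair = (parent, child)
        if pair in HIGH_RISK_PAIRS:
            alerts.append((host, parent, child, "high", "high-risk process lineage"))
        elif pair not in baseline.get(host, set()):
            alerts.append((host, parent, child, "medium", "lineage not in host baseline"))
    return alerts

def hosts_to_isolate(alerts):
    """Containment candidates: hosts with at least one high-severity alert."""
    return sorted({a[0] for a in alerts if a[3] == "high"})

if __name__ == "__main__":
    print(evaluate(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)))
```

Unseen lineages are only medium severity because a fresh baseline will flag legitimate but rare activity, which is the false-positive trade-off noted under Key Considerations.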
Why It Matters
Organisations require EDR because sophisticated attackers bypass signature-based defences; EDR's behavioural detection reduces detection time from hours to minutes, minimising breach impact. Regulatory frameworks increasingly mandate threat detection capabilities, and EDR provides the forensic evidence required for incident response and compliance audits.
Common Applications
Financial institutions deploy EDR to detect insider threats and data exfiltration. Healthcare organisations use it to protect patient data from ransomware. Manufacturing firms leverage EDR to identify industrial espionage and supply chain compromise attempts.
Key Considerations
EDR generates high volumes of telemetry, requiring significant infrastructure investment and skilled analysts to investigate alerts; false positive rates vary significantly between platforms. Endpoint visibility is limited to devices running the agent, so unmanaged infrastructure and shadow IT remain unmonitored.