EDR (Endpoint Detection and Response)
Agent installed on every endpoint that continuously records process, file, network, and identity activity, detects malicious behaviour, and lets responders contain or reverse it from a central console.
Endpoint Detection and Response (EDR) is the successor category to traditional antivirus. An EDR agent installed on every endpoint — laptop, server, workstation — continuously records process executions, file activity, network connections, registry changes, and authentication events; ships that telemetry to a central platform; and runs detection content (heuristics, ML, IOC matching, behaviour analytics) over it.
When something fires, responders can act remotely: kill a process, quarantine a file, isolate the endpoint from the network, collect a memory snapshot, roll back ransomware changes. The two-way control plane is what distinguishes EDR from older AV, which could only block known signatures.
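The telemetry-to-detection-to-response loop described above, as an added illustration that is not code from any of the platforms named on this page: a small Python pass that parses constructed newline-delimited JSON endpoint events, applies IOC matching (a hash and a destination IP) plus one behaviour heuristic (an office application spawning a shell), and maps the resulting alerts to the remote actions a console would offer. Hostnames, PIDs, hashes and the IP are all constructed placeholders, and the rule names are assumed for the example.

```python
"""Toy EDR detection pass over constructed endpoint telemetry (added example)."""
import json

# Constructed IOC lists. The hash and IP are placeholders, not real indicators.
IOC_SHA256 = {"0" * 63 + "1": "constructed-loader"}
IOC_IPS = {"192.0.2.10": "constructed-c2"}

# Behaviour rule: office applications rarely have a reason to spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed telemetry in the newline-delimited JSON shape an agent might ship.
TELEMETRY = "\n".join(json.dumps(e) for e in [
    {"type": "process", "host": "WS-01", "pid": 412, "ppid": 300,
     "image": "winword.exe", "parent_image": "explorer.exe", "sha256": "11" * 32},
    {"type": "process", "host": "WS-01", "pid": 418, "ppid": 412,
     "image": "powershell.exe", "parent_image": "winword.exe", "sha256": "22" * 32},
    {"type": "process", "host": "SRV-02", "pid": 900, "ppid": 1,
     "image": "svc.exe", "parent_image": "services.exe", "sha256": "0" * 63 + "1"},
    {"type": "network", "host": "SRV-02", "pid": 900, "dst": "192.0.2.10", "dport": 443},
])


def parse_events(ndjson: str):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect(events):
    """Run IOC matching and the behaviour heuristic; return a list of alert dicts."""
    alerts = []
    for ev in events:
        if ev.get("type") == "process":
            sha = ev.get("sha256", "")
            if sha in IOC_SHA256:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "severity": "high",
                               "rule": "ioc_hash_match", "detail": IOC_SHA256[sha]})
            if ev.get("parent_image") in OFFICE_PARENTS and ev.get("image") in SHELLS:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "severity": "medium",
                               "rule": "office_spawns_shell",
                               "detail": f"{ev['parent_image']} -> {ev['image']}"})
        elif ev.get("type") == "network":
            dst = ev.get("dst", "")
            if dst in IOC_IPS:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "severity": "high",
                               "rule": "ioc_ip_match", "detail": IOC_IPS[dst]})
    return alerts


def plan_response(alerts):
    """Map alerts to the remote actions an EDR console exposes.

    Every alert kills its process once; a high-severity alert also isolates the
    host from the network, once per host. Actions are de-duplicated so that two
    alerts on the same process do not produce two identical commands.
    """
    actions, killed, isolated = [], set(), set()
    for a in alerts:
        if (a["host"], a["pid"]) not in killed:
            killed.add((a["host"], a["pid"]))
            actions.append({"host": a["host"], "action": "kill_process", "pid": a["pid"]})
        if a["severity"] == "high" and a["host"] not in isolated:
            isolated.add(a["host"])
            actions.append({"host": a["host"], "action": "isolate_host"})
    return actions


if __name__ == "__main__":
    found = detect(parse_events(TELEMETRY))
    for alert in found:
        print("ALERT ", alert)
    for action in plan_response(found):
        print("ACTION", action)
```

Run as a script it prints three alerts (the shell spawned by Word, the hash match, the C2 IP match) and three actions (two kills and one host isolation for SRV-02). The point of the response planner is the two-way control plane the text describes: the same record that raised the alert carries enough context (host, PID) to drive containment from the console.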
Representative platforms: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR (originally EDR), Trend Micro Apex One, Sophos Intercept X, Trellix.
EDR is the highest-signal source most SOCs have. It is also, on its own, blind to:
- What happens inside a SaaS app (an EDR agent does not see Google Drive sharing, Salesforce export, or Slack DM activity).
- What happens inside the browser without a malicious payload (an OAuth grant to a shadow tool looks like normal browser traffic).
- The human decisions upstream of the endpoint event — the phishing click, the MFA fatigue approval, the credential reuse on a personal site.
EDR is the device layer; XDR extends it to network and identity. Engarde adds the human-behaviour layer above all of them (not to be confused with other vendors that share the Engarde name).
Related terms
- XDR (Extended Detection and Response): Successor to EDR that correlates endpoint, identity, email, network, and cloud telemetry inside a single detection-and-response platform — designed to surface attack chains that no single sensor would catch alone.
- SIEM (Security Information and Event Management): Platform that ingests, normalises, and correlates security logs from across the estate, then alerts on patterns matching known attack behaviours — the SOC's central log and detection layer.
- Ransomware: Malware that encrypts data and/or exfiltrates it, then demands payment for decryption or non-publication — almost always entering through a human-mediated step.
- Human Risk Management (HRM): The Gartner-coined category that replaces Security Awareness Training with behaviour-centred, evidence-producing controls applied at the moment of risk.