What is EDR (Endpoint Detection and Response)?

Endpoint Detection and Response (EDR) is the modern evolution of antivirus. Traditional AV uses signatures: a list of known-bad files. EDR uses behavioral analysis: it watches what processes actually do on your endpoints and flags suspicious patterns regardless of whether the underlying file is known.

Why EDR replaced traditional AV

Attackers stopped using known malware files. Modern attacks use:

• Living-off-the-land techniques — legitimate Windows tools (PowerShell, WMI, scheduled tasks) used maliciously
• Fileless malware — payloads that exist only in memory, never written to disk
• Custom binaries — one-off variants that no signature database has seen
• Stolen credentials — legitimate logins that AV has no signal to detect as bad

Signature-based AV catches almost none of this. EDR catches it by recognizing the behavior — PowerShell spawning network connections to unusual destinations, encryption operations on user files, credential dumping from LSASS, etc.

What EDR provides

• Continuous monitoring of process execution, file changes, network connections, registry changes
• Behavioral detection of attack patterns (MITRE ATT&CK techniques)
• Automated response — isolate infected endpoints, kill malicious processes, roll back ransomware encryption
• Forensic data — full timeline of what happened on an endpoint for investigation
• Threat hunting — the ability to retroactively search for indicators across the fleet

EDR platforms commonly deployed

SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint, Sophos Intercept X, Bitdefender GravityZone, and Huntress (which is technically MDR built on top of an EDR layer).