What is EDR?
EDR (Endpoint Detection and Response) is software installed on each laptop and server that continuously records what the device is doing, detects malicious behavior even from threats it has never seen before, and gives responders the tools to investigate and shut an attack down remotely.
What does it mean?
An "endpoint" is any device a person works on or that runs your workloads — a laptop, a desktop, a server, increasingly a cloud instance. These are where attacks usually land first, through a phished employee, a malicious download, or a stolen credential. EDR is the always-on agent sitting on each of those devices, and the difference from old-school antivirus is the second and third words in its name: not just detection, but response, and not just blocking known files, but watching behavior.
The useful mental model is a security camera with a detective attached. Traditional antivirus is a doorman with a list of known troublemakers — if your face is not on the list, you walk in. EDR records everything everyone does inside the building, so even a stranger who got past the door gets caught the moment they start picking locks. When something looks malicious, a responder can use the EDR console to isolate that one machine from the network, kill the offending process, and trace exactly what it touched.
Where the term came from
The term was coined by Gartner analyst Anton Chuvakin in 2013, originally as "Endpoint Threat Detection and Response," later shortened to EDR. It named a shift that had been building for years: signature-based antivirus, which matches files against a list of known-bad hashes, was losing badly to attackers who could trivially change a file enough to dodge the signature or avoid dropping a file at all. Defenders needed tools that watched what code actually did rather than what it looked like.
Since then the category has both broadened and blurred. Many products now ship as EPP (Endpoint Protection Platforms) that bundle prevention and EDR together, and the industry coined XDR (Extended Detection and Response) for platforms that stretch the same behavioral approach across endpoints, network, email, identity, and cloud — correlating across all of them rather than watching endpoints alone.
How it works
A lightweight agent on each endpoint continuously records telemetry — process launches, file changes, network connections, registry edits, command-line arguments. That stream is analyzed, partly on the device and partly in the cloud, against behavioral rules and machine-learning models tuned to spot attacker techniques: a Word document spawning a PowerShell process, a process injecting code into another, credential-dumping behavior. When a detection fires, the EDR raises an alert and offers response actions — isolate the host, terminate the process, roll back changes, collect forensic data.
EDR rarely operates in a vacuum. Its alerts flow up into a SIEM for correlation with other sources, and the analysts who act on them usually sit in a security operations center. The detections themselves are increasingly written against MITRE ATT&CK techniques, which is why a good EDR alert tells you not just "something bad happened" but "this looks like credential dumping, technique T1003."
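As an added example (not code from this page or from any EDR product), the following toy rule engine shows the behavioral layer described above: three rules for the attacker techniques the text names, each tagged with the MITRE ATT&CK technique an analyst would see on the alert, run over a constructed telemetry stream. The event field names, the process allowlist and the sample paths are assumptions, loosely modelled on Sysmon-style events rather than any vendor's schema.

```python
# Added example, not code from the page or any EDR vendor. Field names (type, host,
# parent_image, image, source_image, target_image, command_line) are assumptions.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Processes expected to open LSASS on a healthy host (assumed list); anything else is suspect.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

@dataclass
class Alert:
    host: str
    technique: str  # MITRE ATT&CK technique ID the rule is written against
    title: str
    evidence: str

def basename(path: str) -> str:
    # Normalise a Windows image path to its lower-case file name.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> list[Alert]:
    """Apply each behavioral rule to one telemetry event; return the alerts it raises."""
    alerts: list[Alert] = []
    host, kind = event["host"], event["type"]
    if kind == "process_create":
        parent, child = basename(event["parent_image"]), basename(event["image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            alerts.append(Alert(host, "T1059", "Office application spawned a script interpreter",
                                f"{parent} -> {child}: {event.get('command_line', '')}"))
    elif kind in ("process_access", "remote_thread"):
        source, target = basename(event["source_image"]), basename(event["target_image"])
        if kind == "process_access" and target == "lsass.exe" and source not in LSASS_ALLOWLIST:
            alerts.append(Alert(host, "T1003.001", "Unexpected process opened LSASS memory",
                                f"{source} -> {target}"))
        if kind == "remote_thread" and source != target:
            alerts.append(Alert(host, "T1055", "Process created a thread inside another process",
                                f"{source} -> {target}"))
    return alerts

def run(events: list[dict]) -> list[Alert]:
    # Evaluate a telemetry stream in order, as an agent would as events arrive.
    return [alert for event in events for alert in evaluate(event)]

# Constructed telemetry: a benign launch from the desktop, then three suspicious events.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "LAPTOP-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "process_create", "host": "LAPTOP-01", "parent_image": r"C:\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe"},
    {"type": "process_access", "host": "LAPTOP-01", "source_image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"type": "remote_thread", "host": "LAPTOP-01", "source_image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]
```

Real products add context a toy cannot (process lineage over time, signer reputation, cloud-side models), but the shape is the same: each rule names the technique it covers, which is what lets a pentest report line up what the agent saw against what was actually run.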
When it matters
EDR matters the moment you have employees with laptops and data worth stealing — which is to say, almost immediately. It has become a baseline expectation in cyber-insurance questionnaires and enterprise security reviews, and it is one of the highest-leverage controls a growing company can deploy because endpoints are where most breaches begin. The important nuance is that deploying EDR and trusting EDR are different things. Skilled attackers actively work to disable, blind, or evade the agent, and a default configuration can leave gaps. The only way to know whether your EDR would actually catch and stop a determined intruder is to have a competent attacker try the techniques it is supposed to detect.
At QUANT LAB
We do not sell EDR licenses — we are the adversary that proves whether yours works. During a network or Active Directory engagement, we run the real techniques attackers use to operate on endpoints and move laterally, and we record exactly what your EDR detected, what it blocked, and what it let slide. Because we map every action to MITRE ATT&CK, you get a technique-by-technique view of your endpoint defenses rather than a vague reassurance that "the agent is installed." That distinction is the whole point: an EDR you have never tested is a smoke detector you have never checked the battery on. For the broader buyer's view of offensive security, read our founder's pentest guide.
Have you tested your EDR against a real attacker?
We run the techniques your endpoint defenses are supposed to stop and tell you which ones they actually catch. Book a 30-minute call.