
What is Endpoint Detection and Response (EDR)?

Endpoint Detection and Response (EDR) is a security technology that continuously monitors devices, known as endpoints, including laptops, desktops and servers, for suspicious activity. Unlike traditional antivirus software, which mainly blocks known malicious files, EDR analyses behaviour patterns to detect novel threats, provides detailed visibility for investigation, and can automatically contain a compromised device before an attack spreads further.

How Endpoint Detection and Response works

EDR software runs on each monitored device, continuously recording activity such as running processes, file changes and network connections. This data feeds into a central platform, often monitored by a Security Operations Centre or Managed Detection and Response service, which uses behavioural analysis to flag suspicious patterns that simple signature-based antivirus would miss. When a genuine threat is confirmed, EDR can isolate the affected device from the network automatically or on analyst command, containing the issue while investigation continues.

Endpoint Detection and Response in practice

  • A business deploys EDR across all company laptops, detecting a previously unknown piece of malware based on its suspicious behaviour rather than a known signature, something traditional antivirus alone would have missed.
  • An EDR platform automatically isolates a compromised laptop from the network the moment ransomware-like file encryption activity is detected, preventing it from spreading to shared drives.
  • A managed security provider combines EDR data with SOC monitoring to investigate and respond to threats detected on client devices around the clock.
  • A business uses EDR investigation tools to understand exactly how a security incident occurred after the fact, informing improvements to prevent a repeat.
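The behavioural detection described above, and the ransomware-like rename scenario from the second bullet, as an added illustration that is not part of the original page or of any vendor's product: a minimal rule runs over constructed agent telemetry, flags a process that renames many files to a new extension inside a short window, and hands the host to a stand-in containment step. Event shape, thresholds and host names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed telemetry, shaped like the per-device activity an EDR agent records.
# Each event: (seconds since start, host, process, pid, event type, detail)
SAMPLE_EVENTS = [
    (0.0, "LAPTOP-01", "winword.exe", 4120, "file_write", "Documents/q3.docx"),
    (1.0, "LAPTOP-01", "outlook.exe", 3310, "net_connect", "10.0.0.5:443"),
    (2.0, "LAPTOP-01", "explorer.exe", 1200, "file_rename", "Documents/old.docx|Documents/new.docx"),
] + [
    # one unknown process rewriting many documents with a new extension in a few seconds
    (5.0 + i * 0.1, "LAPTOP-01", "update.exe", 7788, "file_rename",
     f"Documents/f{i}.docx|Documents/f{i}.docx.locked")
    for i in range(60)
]

RENAME_THRESHOLD = 50   # renames with a changed extension ...
WINDOW_SECONDS = 30     # ... observed inside this many seconds (assumed values)

def extension_changed(detail):
    """True when a rename gives the file a new extension (ransomware-like)."""
    old, new = detail.split("|")
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]

def detect_mass_rename(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Behavioural rule: flag any process that renames at least `threshold` files
    to a new extension within `window` seconds. No file signature is consulted."""
    per_process = defaultdict(list)
    for ts, host, proc, pid, etype, detail in events:
        if etype == "file_rename" and extension_changed(detail):
            per_process[(host, proc, pid)].append(ts)
    alerts = []
    for (host, proc, pid), times in per_process.items():
        times.sort()
        start, burst = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            alerts.append({"host": host, "process": proc, "pid": pid, "renames": burst})
    return alerts

def contain(alerts, isolated=None):
    """Automatic containment stand-in: mark alerting hosts as isolated from the network."""
    isolated = set() if isolated is None else isolated
    for alert in alerts:
        isolated.add(alert["host"])
    return isolated

if __name__ == "__main__":
    found = detect_mass_rename(SAMPLE_EVENTS)
    print(found, contain(found))
```

The benign rename by explorer.exe keeps its extension and never counts, so normal document work does not trip the rule; only the burst of extension-changing renames from one process does.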

How Advantage implements Endpoint Detection and Response

Advantage deploys and monitors EDR across client devices as part of its managed cyber security services, combining it with Managed Detection and Response to provide both the technology and the expert monitoring needed to act on what it detects.


Frequently asked questions

What counts as an endpoint?

An endpoint is any device that connects to a business's network or systems, including laptops, desktops, servers, and increasingly mobile phones and tablets. EDR tools are typically installed on each of these devices to monitor activity directly at the source.

Is EDR the same as antivirus software?

EDR builds on what traditional antivirus does but goes considerably further. Antivirus mainly blocks known malicious files based on signatures. EDR continuously monitors device behaviour, can detect novel and previously unseen threats based on suspicious activity patterns, and supports active investigation and response rather than simple blocking.

Can EDR stop an attack automatically without human intervention?

Many EDR platforms can take automatic containment actions, such as isolating a device from the network the moment certain high-confidence threat indicators are detected, even before a human analyst reviews the alert. This automatic response capability is one of the key advantages EDR has over traditional antivirus.