
EDR

An endpoint detection and response system that monitors process activity, file changes and network connections on devices to detect and stop threats.

What is EDR?

EDR (Endpoint Detection and Response) is a class of security solutions that monitor activity on endpoints - workstations, servers and mobile devices. Unlike traditional antivirus software, which relies primarily on signatures of known threats, EDR analyses process behaviour and detects suspicious activity patterns.

An EDR agent installed on a device records detailed information about what happens on it: launched processes, file modifications, system registry changes, network connections and memory operations. This data is sent to a central console where it is analysed for known attack techniques (e.g., mapped to the MITRE ATT&CK framework).

When EDR detects suspicious activity, it can automatically take action - isolate the device from the network, terminate a process, block a connection - or forward the alert to a SOC analyst for further analysis. This ability to respond automatically is particularly important in the case of fast-spreading threats such as ransomware.
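A minimal model of the pipeline the two paragraphs above describe, as an added example (not code from this page or from any EDR product): behavioural rules run over constructed agent telemetry, each hit tagged with the MITRE ATT&CK technique it matches, and an automated response chosen by severity. The event field names, the thresholds and the action names are assumptions for illustration.

```python
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RENAME_THRESHOLD = 50  # assumed: renames by one process before it looks ransomware-like


def rule_office_spawns_interpreter(events):
    """Behavioural rule: an Office application launching a script interpreter,
    the pattern behind macro-based, fileless and Living-off-the-Land execution
    (ATT&CK T1059, Command and Scripting Interpreter)."""
    for e in events:
        if e["type"] == "process" and e["parent"] in OFFICE_APPS and e["image"] in INTERPRETERS:
            yield {"host": e["host"], "pid": e["pid"], "technique": "T1059", "severity": "medium"}


def rule_mass_file_rename(events):
    """Behavioural rule: a single process renaming many files in a burst, the
    footprint of an encrypting payload (ATT&CK T1486, Data Encrypted for Impact).
    No signature of the binary is needed; only its behaviour is scored."""
    renames = Counter((e["host"], e["pid"]) for e in events if e["type"] == "file" and e["op"] == "rename")
    for (host, pid), n in renames.items():
        if n >= RENAME_THRESHOLD:
            yield {"host": host, "pid": pid, "technique": "T1486", "severity": "high"}


RULES = [rule_office_spawns_interpreter, rule_mass_file_rename]


def respond(alert):
    """Assumed policy: high severity triggers containment, lower severity goes to a SOC analyst."""
    if alert["severity"] == "high":
        return ["isolate_host", "kill_process"]
    return ["notify_soc"]


def analyse(events):
    """Run every rule over the telemetry and attach the automated response to each alert."""
    alerts = [a for rule in RULES for a in rule(events)]
    for a in alerts:
        a["actions"] = respond(a)
    return alerts


def sample_events():
    """Constructed telemetry for the demo, not from any real product or incident."""
    ev = [
        {"type": "process", "host": "ws-01", "pid": 410, "parent": "explorer.exe", "image": "winword.exe"},
        {"type": "process", "host": "ws-01", "pid": 412, "parent": "winword.exe", "image": "powershell.exe"},
        {"type": "process", "host": "srv-02", "pid": 900, "parent": "services.exe", "image": "svchost.exe"},
    ]
    ev += [{"type": "file", "host": "ws-03", "pid": 777, "op": "rename", "path": f"doc{i}.pdf"} for i in range(60)]
    ev += [{"type": "file", "host": "ws-02", "pid": 55, "op": "rename", "path": "notes.txt"}]  # benign single rename
    return ev


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print(alert)
```

The single rename on ws-02 and the svchost launch on srv-02 produce no alert, which is the point of thresholds and parent-child context: the rules score behaviour, not the mere presence of a binary.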

Why does it matter?

Traditional antivirus solutions cannot keep up with modern threats - fileless attacks, Living-off-the-Land techniques and zero-day exploits. EDR fills this gap by providing real-time visibility into what is happening on devices across the organisation.

EDR is particularly important in the context of remote and hybrid work, where devices operate outside the traditional network perimeter. Combined with SIEM and NDR, it creates a comprehensive security picture of the organisation across multiple levels.
