endpoint detection and response (EDR)

Contributor(s): Alex Gillis

Endpoint detection and response (EDR) is a category of tools and technology used for protecting computer hardware devices, called endpoints, from potential threats. EDR platforms are built from tools that focus on detecting possible malicious endpoint activity, commonly through continuous monitoring. Ideally, EDR gives an organization visibility into its endpoints by collecting data from endpoint devices, and then uses that data to detect and respond to potential outside threats.

An organization uses an EDR platform to protect against attackers who gain access to an end user's device. An endpoint device may hold critical information such as network events, configuration changes, process actions or file access data. EDR provides a platform on which an organization can continually monitor its endpoints and servers to spot potentially malicious behavior. EDR tools can then detect and respond to these events.

EDR works by installing an agent on the end user's device, which continually monitors network and other endpoint events. These events are recorded to a central database. EDR tools can then analyze the data either to investigate and identify a past incident or to look for similar threats. If a threat is found, an EDR tool can alert the end user. EDR tools also provide management consoles that are used for backend management.

While not every EDR platform shares exactly the same capabilities, most tend to include the following:

  • The unification of endpoint data.
  • Increased visibility throughout a whole IT environment.
  • The ability to monitor endpoints, either online or offline.
  • The ability to detect malware and store endpoint events.
  • The ability to respond to an event in real-time.
  • Integration with additional security tools.
  • The use of blacklists and whitelists.

Capabilities that are rarer include device and data encryption, and privileged user and network access control.
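The agent-to-central-database flow described above, together with the blacklist/whitelist and real-time response capabilities from the list, as an added example that is not part of the original article or of any vendor's product. The event records, hashes and host names are constructed sample data; the rules and the quarantine/notify actions are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry, as an agent on each endpoint would record it.
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "process", "image": r"C:\Windows\System32\notepad.exe", "sha256": "1111aaaa"},
    {"host": "ws-01", "type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\updater.exe", "sha256": "dead0bad"},
    {"host": "ws-02", "type": "process", "image": r"C:\Users\ann\AppData\Local\Temp\setup.exe", "sha256": "2222bbbb"},
    {"host": "ws-02", "type": "file", "path": r"C:\Users\ann\Documents\q2.xlsx", "action": "write"},
    {"host": "ws-02", "type": "network", "dst": "203.0.113.9", "port": 443},
]

BLACKLIST = {"dead0bad"}  # constructed hash of a known-bad binary
WHITELIST = {"1111aaaa"}  # constructed hash of an approved binary


class CentralStore:
    """The EDR back end: keeps every event, indexed by host, for later investigation."""
    def __init__(self):
        self.by_host = defaultdict(list)

    def ingest(self, event):
        self.by_host[event["host"]].append(event)

    def investigate(self, host, event_type=None):
        """Pull a host's recorded history, optionally filtered by event type."""
        return [e for e in self.by_host[host] if event_type in (None, e["type"])]


def detect(event):
    """Apply the detection rules to one event; return an alert dict or None."""
    if event["type"] != "process":
        return None
    if event["sha256"] in BLACKLIST:
        return {"host": event["host"], "severity": "high", "reason": "blacklisted hash", "image": event["image"]}
    if event["sha256"] not in WHITELIST:
        return {"host": event["host"], "severity": "low", "reason": "unapproved binary", "image": event["image"]}
    return None


def respond(alert):
    """Real-time response: quarantine high-severity hits, otherwise notify the user."""
    return "quarantine" if alert["severity"] == "high" else "notify"


def run_pipeline(events, store):
    """Ingest every event into the store, run detection, and return (alert, action) pairs."""
    results = []
    for event in events:
        store.ingest(event)
        alert = detect(event)
        if alert:
            results.append((alert, respond(alert)))
    return results
```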

EDR Tools

Three examples of EDR tools are Symantec Endpoint Protection, FireEye Endpoint Security and Cisco Advanced Malware Protection for Endpoints.

Symantec Endpoint Protection is an EDR tool by Symantec that includes features such as instant detection of attacks, the ability to detect new potential attack patterns and user notifications of attacks in progress. Symantec Endpoint Protection can also scale to thousands of nodes if needed.

FireEye Endpoint Security is another EDR tool, which uses antivirus, remediation and behavior analytics for malware protection. Threat analysis and inspection are handled through a triage and audit viewer. FireEye Endpoint Security also provides other features such as a multi-engine agent and a security search function, which lets end users quickly find suspicious activity.

Cisco Advanced Malware Protection for Endpoints is an EDR platform that can be deployed in the public cloud or on-premises. This EDR platform uses 14 different detection techniques to detect threats. Software and application vulnerabilities can also be detected using Advanced Malware Protection for Endpoints, and detected malicious activity can be automatically quarantined.

This was last updated in June 2019
