Endpoint Detection and Response (EDR)
Definition
Endpoint Detection and Response is a security capability that monitors endpoints like laptops and servers for suspicious activity, helps analysts investigate what happened, and supports response actions such as isolating a device or removing malicious artifacts.
Examples
- EDR flags a suspicious Office document launching PowerShell, then shows the full process chain so the analyst can see what ran and what it downloaded.
- A SOC analyst isolates a compromised laptop to stop lateral movement while still collecting evidence through the EDR console.
Discover 🔎
Most real-world attacks touch an endpoint at some point, whether that is a user laptop, a server, or a virtual machine. Attackers execute code, steal credentials, establish persistence, and move laterally using endpoint tools and processes. Traditional antivirus mainly looks for known malicious files. EDR is designed to answer the deeper questions: what happened, how far did it spread, and what should be done next.