Cyber Tool Stack
All categories
Endpoint & DeviceEDR/XDR

Endpoint & Extended Detection and Response

Records process, file, and network activity on laptops and servers so security teams can detect, investigate, and contain attacks that bypass preventive controls.

Antivirus asks "is this file known to be bad?" EDR asks a better question: "is this program behaving badly?" An EDR agent watches what actually happens on every laptop and server — processes spawning, files changing, network connections opening — and raises an alarm when the pattern looks like an attack, even one nobody has seen before.

Because the agent keeps a running record of that activity, it doesn't just block the bad moment — it lets an analyst rewind and see how an attacker got in, then act remotely: isolate the machine, kill the process, or restore encrypted files.

The problem it solves

A phishing email gets an employee to run something. It's brand new, so no antivirus signature exists yet. Traditional endpoint protection lets it through, and attacker code starts executing on that laptop, with a possible foothold into the rest of the network.

What matters at that point is not whether the file was previously known — it's what the program is doing right now. Is it disabling security tools? Reading credentials out of memory? Trying to spread to other machines with reused passwords? Those actions look suspicious regardless of whether the file was ever seen before, which is exactly the gap EDR closes: catching attacks by behavior instead of signature.

How it works

A small agent runs on every laptop, server, and virtual machine in scope. It continuously records low-level activity — processes starting, files created or modified, registry changes, outbound network connections — and streams that telemetry to a central analysis engine, usually hosted in the vendor's cloud.

That engine runs the stream through behavioral models and correlation rules looking for attack patterns: a document spawning a command shell, a process dumping login credentials, an unfamiliar program disabling logging. A match raises an alert with the full chain of activity attached, so an analyst doesn't have to reconstruct what happened from scratch.

From there, the analyst can act directly through the same console: isolate the endpoint, kill the malicious process, or roll back files ransomware encrypted. Some products also support threat hunting — proactively querying stored telemetry for signs of an intrusion that never triggered an alert — and some offer a managed option where the vendor's analysts triage alerts around the clock instead of the customer's team.

EDR vs XDR

EDR watches endpoints. XDR (extended detection and response) widens the lens: it correlates that telemetry with signals from identity, email, and cloud systems, so an attack touching multiple systems shows up as one connected story instead of several disconnected alerts.

In practice, most vendors sell one agent and platform that operates in either mode — "EDR" is the endpoint-only view, and enabling XDR correlation is often a licensing tier, not a different product. That correlation is only as good as how many other tools plug into the same platform; a pile of unrelated point products dilutes the benefit.

Choosing one

Team size and expertise matter more here than almost any other endpoint decision. A fully staffed security team can use a deep, configurable console with raw hunting queries well. A small IT team with no dedicated analyst is usually better served by a managed option, where a vendor's SOC reviews and acts on alerts — an unmonitored console full of unread alerts protects very little.

Also weigh what else is in the environment: if identity and cloud telemetry can be connected, XDR correlation pays off quickly; if the rest of the stack is siloed, plain EDR with strong response actions may deliver most of the value for less cost.

Capability taxonomy

What buyers typically evaluate when comparing tools in this category.

Behavioral detection
Flags malicious behavior patterns rather than known file signatures.
Threat hunting
Lets analysts query historical endpoint telemetry for signs of compromise.
Remote response actions
Isolate a host, kill a process, or pull files from an endpoint remotely.
Ransomware rollback
Restores files encrypted or modified by detected ransomware.
Cross-surface correlation (XDR)
Correlates endpoint signals with identity, email, and cloud telemetry.
Managed detection option
Vendor-operated 24/7 monitoring available (MDR).

Tools in this category

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.