Skip to content

Security term · last reviewed 2026-07-07

EDR

Also known as: Endpoint Detection and Response

EDR is security software on endpoints that records activity, detects malicious behavior, and lets responders investigate and contain threats, going beyond signature-based antivirus.

How it works

EDR (Endpoint Detection and Response) is security software that runs on endpoints (laptops, servers, workstations) to continuously record activity, detect malicious behavior, and let responders investigate and contain threats. Unlike traditional antivirus, which matches known signatures, EDR watches behavior (process launches, file changes, network connections) and flags suspicious patterns, keeping a detailed timeline so an analyst can see exactly what happened and roll it back or isolate the machine. Examples include CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne.

When it matters

EDR matters once your endpoints are a meaningful attack surface, which for most companies is well before they have a full security team, because laptops are where phishing and credential theft land. It is the endpoint half of a broader detection story; XDR extends the same idea across endpoints, network, identity, and cloud. For a very small team, encrypted laptops, automatic updates, and MFA cover the basics before a managed EDR becomes worth the spend.

Common misconceptions

  • "EDR is just antivirus." Antivirus matches signatures; EDR watches behavior and supports investigation and response.
  • "EDR and [XDR](/glossary/xdr/) are the same." EDR is endpoint-focused; XDR correlates across multiple telemetry sources.
  • "EDR runs itself." The value comes from someone (in-house or managed) triaging its alerts.

Related terms

← All terms