EDR
Security category: detects and responds to threats on individual endpoints.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for EDR
Trellix discloses 21-day-old breach of source-code repository
Cybersecurity: Threats and Defences
- What is EDR in cyber security?
- EDR (Endpoint Detection and Response) is a security category that monitors endpoint devices for malicious activity, detects threats using behavioural analytics, and enables automated or analyst-driven response such as host isolation or process termination.
- What is the difference between EDR and antivirus?
- Antivirus uses signature matching to block known malware. EDR continuously records endpoint behaviour and detects threats based on patterns of activity, including fileless and living-off-the-land attacks that have no malware signature to match.
- What is the difference between EDR and XDR?
- EDR covers individual endpoints only. XDR (Extended Detection and Response) aggregates EDR telemetry with network, identity, email, and cloud signals to give security teams a unified, cross-domain view of attacks.
- Can EDR stop ransomware?
- EDR can detect and interrupt many ransomware attacks by identifying encryption behaviour and killing the process. It cannot stop ransomware commands issued via legitimate tools such as an MDM platform or a compromised admin account, because those actions appear authorised.
Background
Endpoint Detection and Response (EDR) is a security product category that continuously records activity on individual endpoints — laptops, servers, virtual machines — and applies behavioural analytics and threat-intelligence feeds to detect malicious patterns that signature-based antivirus misses. When a threat is confirmed, the platform can isolate the host, kill processes, roll back changes, and alert the security operations centre. Leading EDR vendors include CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne Singularity, Trellix XDR, Sophos Intercept X, and VMware Carbon Black.
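To make the antivirus-versus-EDR distinction from the FAQ concrete, here is an added toy example (not code from any vendor named on this page) that runs a signature check and a behavioural check over the same constructed endpoint telemetry: a process with an unknown binary hash renames a burst of user documents to a new extension, the mass-encryption pattern the text says EDR keys on, and the behavioural rule flags it and plans a process kill while the hash lookup sees nothing. Event fields, thresholds and hashes are assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed signature database standing in for an antivirus definition file.
KNOWN_BAD_HASHES = {"0000aaaa"}

@dataclass
class RenameEvent:
    ts: float       # seconds since start of capture
    pid: int
    image: str      # executable name
    sha256: str     # hash of the executable (shortened, constructed)
    src: str
    dst: str

def signature_hits(events):
    """Antivirus-style check: flag only processes whose binary hash is known-bad."""
    return {e.pid for e in events if e.sha256 in KNOWN_BAD_HASHES}

def mass_encryption_hits(events, window=5.0, threshold=5):
    """EDR-style behavioural check: flag any process that renames at least
    `threshold` files to a different extension within `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.src.rsplit(".", 1)[-1] == e.dst.rsplit(".", 1)[-1]:
            continue  # extension unchanged: not an encryption-style rename
        q = recent[e.pid]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e.pid)
    return flagged

def response_plan(events):
    """Map each flagged pid to the response an EDR would take (terminate the process)."""
    images = {e.pid: e.image for e in events}
    return {pid: f"terminate {images[pid]}" for pid in mass_encryption_hits(events)}

# Constructed telemetry: an unknown binary (hash absent from the signature DB)
# renaming user documents to .locked, plus one benign rename by Word.
SAMPLE = [RenameEvent(0.1 * i, 4242, "svc.exe", "cafebabe",
                      f"C:/Users/a/doc{i}.docx", f"C:/Users/a/doc{i}.docx.locked")
          for i in range(8)]
SAMPLE.append(RenameEvent(1.0, 777, "winword.exe", "11112222",
                          "C:/Users/a/~tmp.tmp", "C:/Users/a/report.docx"))
```

Note that the same rule would also fire on an encryption job launched through a legitimate management tool, which is exactly why the FAQ's caveat about authorised-looking commands matters: the telemetry is identical, so only policy on what that tool is allowed to do separates the two.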
EDR emerged in the 2013-2016 period as attackers shifted from malware-dropping to living-off-the-land techniques that exploit legitimate system binaries. The category matured into the dominant enterprise endpoint security architecture through the 2020s, displacing legacy antivirus. The adjacent category, Extended Detection and Response (XDR), aggregates EDR telemetry with network, identity, and cloud signals to give analysts a cross-domain picture.
In the U#3 briefing, Trellix — an EDR vendor formed from the McAfee Enterprise and FireEye merger — disclosed a 21-day breach of its source-code repository. Source-code access by a threat actor is particularly damaging for an EDR vendor: detection logic, evasion countermeasures, and telemetry collection patterns are exposed, potentially enabling adversaries to tune payloads to evade the platform before Trellix can patch its detection rules.