EDR
Security category: detects and responds to threats on individual endpoints.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for EDR
Trellix discloses 21-day-old breach of source-code repository
Cybersecurity: Threats and DefencesWhat is EDR in cyber security?
What is the difference between EDR and antivirus?
What is the difference between EDR and XDR?
Background
Endpoint Detection and Response (EDR) is a security product category that continuously records activity on individual endpoints — laptops, servers, virtual machines — and applies behavioural analytics and threat-intelligence feeds to detect malicious patterns that signature-based antivirus misses. When a threat is confirmed, the platform can isolate the host, kill processes, roll back changes, and alert the security operations centre. Leading EDR vendors include CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne Singularity, Trellix XDR, Sophos Intercept X, and VMware Carbon Black.
EDR emerged in the 2013-2016 period as attackers shifted from malware-dropping to living-off-the-land techniques that exploit legitimate system binaries. The category matured into the dominant enterprise endpoint security architecture through the 2020s, displacing legacy antivirus. The adjacent category, Extended Detection and Response (XDR), aggregates EDR telemetry with network, identity, and cloud signals to give analysts a cross-domain picture.
In the U#3 briefing, Trellix — an EDR vendor formed from the McAfee Enterprise and FireEye merger — disclosed a 21-day breach of its source-code repository . Source-code access by a threat actor is particularly damaging for an EDR vendor: detection logic, evasion countermeasures, and telemetry collection patterns are exposed, potentially enabling adversaries to tune payloads to evade the platform before Trellix can patch its detection rules.