Security
EDR
Also known as: Endpoint Detection and Response, MDR
Monitors endpoints for malicious behavior, provides forensic visibility into what happened on a device, and enables remote response. It replaced traditional antivirus.
Traditional antivirus works by signature matching — comparing files against a database of known malware. EDR goes further by monitoring behavior: what processes are running, what network connections are being made, what files are being modified, and whether any of that looks like an attack in progress.
Where AV asks "is this file known bad?", EDR asks "is this behavior consistent with an attack?" A process encrypting thousands of files in rapid succession looks like ransomware even if the malware binary has never been seen before. EDR catches this; AV doesn't.
What EDR provides
Real-time detection — alerts when behavior matches attack patterns, including living-off-the-land techniques that use legitimate system tools for malicious purposes.
Investigation capability — a timeline of what happened on an endpoint: every process launched, file touched, network connection made. Essential for understanding the scope of a compromise.
Response actions — isolate a compromised endpoint from the network, kill processes, quarantine files, roll back changes — all remotely, without physical access to the device.
Threat hunting — proactively search for indicators of compromise across all endpoints.
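The contrast between signature matching and behavioral detection described above, together with the timeline and hunting capabilities in the list, can be seen in a small worked example. The code below is an added illustration, not code from this page or from any EDR product: the event schema, hostnames, file paths, hashes and the 203.0.113.7 address are constructed placeholders, and the "many file writes in a short window" rule is a deliberately simplified stand-in for the behavioral logic a real EDR applies. It shows an unknown binary that no hash denylist would catch being flagged purely on its behavior, while a second process is caught only by its known-bad hash.

```python
"""Toy EDR-style analysis over constructed endpoint telemetry (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder for a hash that a signature engine would know as bad.
KNOWN_BAD_SHA256 = "a" * 64


@dataclass(frozen=True)
class Event:
    """One telemetry record. Field layout is an assumption for this example."""
    host: str
    ts: float        # seconds (constructed clock)
    pid: int
    image: str       # process image that generated the event
    kind: str        # "process_start" | "file_write" | "net_connect"
    target: str      # file path, remote address, or started image
    sha256: str = ""  # set only on process_start


def signature_match(events: list[Event]) -> list[Event]:
    """AV-style check: is the started binary's hash on the denylist?"""
    return [e for e in events
            if e.kind == "process_start" and e.sha256 in {KNOWN_BAD_SHA256}]


def ransomware_like(events: list[Event], window: float = 10.0,
                    threshold: int = 50) -> list[tuple[str, int]]:
    """Behavioral check: any (host, pid) writing >= threshold files within window s.

    Uses a sliding window over each process's time-sorted write events, so the
    binary's identity never matters; only what it does."""
    writes: dict[tuple[str, int], list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "file_write":
            writes[(e.host, e.pid)].append(e)
    flagged = []
    for key, evs in writes.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def timeline(events: list[Event], host: str, pid: int) -> list[tuple[float, str, str]]:
    """Investigation view: everything one process did, in time order."""
    return [(e.ts, e.kind, e.target)
            for e in sorted(events, key=lambda ev: ev.ts)
            if e.host == host and e.pid == pid]


def hunt(events: list[Event], ioc: str) -> list[str]:
    """Threat hunting: which hosts have any event referencing this indicator?"""
    return sorted({e.host for e in events if ioc in (e.sha256, e.target, e.image)})


def build_sample_events() -> list[Event]:
    """Constructed telemetry: one ransomware-like process, one benign process,
    and one process whose hash is on the denylist."""
    events: list[Event] = []
    # host-a: unknown binary starts, phones home, then rewrites 60 documents in 6 s
    events.append(Event("host-a", 1000.0, 4242, "C:\\Temp\\update.exe",
                        "process_start", "C:\\Temp\\update.exe", sha256="b" * 64))
    events.append(Event("host-a", 1001.0, 4242, "C:\\Temp\\update.exe",
                        "net_connect", "203.0.113.7:443"))
    for i in range(60):
        events.append(Event("host-a", 1002.0 + i * 0.1, 4242, "C:\\Temp\\update.exe",
                            "file_write", f"C:\\Users\\jane\\Documents\\report{i}.docx.locked"))
    # host-b: explorer.exe saves a handful of files over half a minute (benign)
    for i in range(5):
        events.append(Event("host-b", 1000.0 + i * 6.0, 100, "C:\\Windows\\explorer.exe",
                            "file_write", f"C:\\Users\\bob\\Desktop\\notes{i}.txt"))
    # host-b: a binary whose hash is on the denylist (caught by signature only)
    events.append(Event("host-b", 1040.0, 777, "C:\\Temp\\dropper.exe",
                        "process_start", "C:\\Temp\\dropper.exe", sha256=KNOWN_BAD_SHA256))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    print("signature hits:", [(e.host, e.image) for e in signature_match(SAMPLE_EVENTS)])
    print("behavioral hits:", ransomware_like(SAMPLE_EVENTS))
    for host, pid in ransomware_like(SAMPLE_EVENTS):
        print(f"timeline for {host}/{pid}:")
        for ts, kind, target in timeline(SAMPLE_EVENTS, host, pid)[:5]:
            print(f"  {ts:8.1f} {kind:14} {target}")
    print("hosts touching 203.0.113.7:443:", hunt(SAMPLE_EVENTS, "203.0.113.7:443"))
```

Run it and the two detection paths diverge exactly as the text describes: `update.exe` on host-a has a hash nobody has seen, so `signature_match` ignores it, but `ransomware_like` flags it from the burst of file writes alone; `dropper.exe` on host-b does nothing noisy and is found only by its known hash. The `timeline` output is the investigation view an analyst would pivot to after the alert, and `hunt` sweeps every host for the same indicator.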
Common EDR platforms: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black. MDR (Managed Detection and Response) adds a human operations team that monitors alerts and responds on your behalf — the right answer for organizations that don't have dedicated security staff.