What is EDR?
Endpoint Detection and Response
An endpoint security platform that continuously monitors endpoint activity, detects suspicious behavior, and provides investigation and response capabilities for threats that bypass preventive controls.
EDR agents run on endpoints (laptops, servers, workstations) and collect telemetry on process execution, file system changes, registry modifications, network connections, and user activity. This telemetry is analyzed locally and in the cloud using behavioral detection rules, machine learning models, and threat intelligence to identify malicious or suspicious activity that signature-based antivirus would miss.
When a detection fires, EDR provides the tools to investigate: process trees showing parent-child relationships, network connection timelines, file hash lookups, and often the ability to remotely isolate the endpoint from the network to contain a threat. Advanced EDR platforms include automated response playbooks that can kill processes, quarantine files, or roll back changes without analyst intervention.
EDR is complementary to SASE/SSE, not a replacement. SASE inspects traffic in transit; EDR monitors activity at the endpoint. The integration point is device posture: EDR health status (agent running, definitions current, no active threats) feeds into the ZTNA policy engine as a posture signal. If EDR detects a compromise on an endpoint, the SASE platform can automatically restrict or revoke that device's access to corporate resources.
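The posture integration described above, shown as an added illustration that is not from the original page: a hypothetical ZTNA policy function that turns EDR health (agent running, definitions current, no active threats) and device posture into a per-application access decision. The thresholds, field names, sensitivity labels and sample devices are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
class Decision(Enum):
    ALLOW = "allow"        # full access to the requested application
    RESTRICT = "restrict"  # low-sensitivity applications only
    REVOKE = "revoke"      # no access: EDR reports an active compromise

@dataclass
class EdrHealth:
    agent_running: bool
    definitions_updated: datetime  # last signature/model update, UTC
    active_threats: int            # unresolved detections on the endpoint

@dataclass
class DevicePosture:
    os_patch_age_days: int  # days since the last OS patch was applied
    disk_encrypted: bool
    edr: EdrHealth

def evaluate_posture(posture, now, max_definition_age=timedelta(days=2), max_patch_age_days=30):
    """Map posture signals to a decision plus the reasons that drove it."""
    edr = posture.edr
    if edr.active_threats > 0:
        return Decision.REVOKE, ["EDR reports active threat"]  # overrides all else
    reasons = []
    if not edr.agent_running:
        reasons.append("EDR agent not running")
    elif now - edr.definitions_updated > max_definition_age:
        reasons.append("EDR definitions stale")
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if posture.os_patch_age_days > max_patch_age_days:
        reasons.append("OS patches overdue")
    return (Decision.RESTRICT if reasons else Decision.ALLOW), reasons

def authorize(posture, app_sensitivity, now):
    """Per-application ZTNA check; app_sensitivity is 'low' or 'high' (assumed labels)."""
    decision, reasons = evaluate_posture(posture, now)
    allowed = decision is Decision.ALLOW or (
        decision is Decision.RESTRICT and app_sensitivity == "low")
    return allowed, reasons
# Constructed sample clock and devices (not taken from any real deployment)
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = {
    "healthy": DevicePosture(5, True, EdrHealth(True, NOW - timedelta(hours=6), 0)),
    "stale-defs": DevicePosture(5, True, EdrHealth(True, NOW - timedelta(days=5), 0)),
    "compromised": DevicePosture(5, True, EdrHealth(True, NOW, 2)),
}
```

Because the check is cheap and side-effect free, it can be re-run on every request so that a new EDR detection revokes access mid-session, as the text describes.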
XDR (Extended Detection and Response): A security platform that correlates telemetry across endpoints, network, cloud, email, and identity sources to detect multi-stage attacks and provide unified investigation and response.
Device posture: The real-time assessment of an endpoint's security health, including OS version, patch level, disk encryption, EDR status, and compliance state, used as an input to access control decisions.
ZTNA (Zero Trust Network Access): An access model that grants users connectivity to specific applications, not networks, based on identity and device posture, verified continuously per session.
Zero Trust: A security model that eliminates implicit trust based on network location, requiring continuous verification of identity, device posture, and context for every access request.