What is EDR? The Complete Guide to Endpoint Detection and Response
EDR is endpoint detection and response — the security technology that monitors every endpoint for threats in real time. Learn how it works, what it misses, and what PE sponsors must ask about it.
How EDR Works: The Technical Foundation
EDR platforms operate through a lightweight software agent deployed on every managed endpoint — laptops, desktops, and servers. That agent runs continuously in the background, recording a comprehensive stream of system events: every process that starts or stops, every file that is created or modified, every network connection that is established, every registry key that is changed, every user account that is accessed. This stream of telemetry is transmitted in near-real-time to a cloud-based analysis platform.
The analysis platform applies two detection mechanisms. The first is signature-based detection — matching known malware patterns against a continuously updated database of threat indicators. This catches commodity threats: known ransomware families, documented malware variants, previously analyzed malicious files. It is fast and reliable against threats that have been seen before.
The second mechanism is behavioral detection — the actual differentiator between EDR and older antivirus technology. Rather than matching files against a known-bad list, behavioral detection looks for patterns of activity that indicate an attack in progress, regardless of whether the specific tool or technique has been seen before. LSASS process memory being read by an unexpected parent process suggests credential dumping. A legitimate administrative tool spawning an unexpected child process suggests a living-off-the-land technique. A large number of files being encrypted in rapid succession suggests ransomware staging.
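The three behavioral patterns above, expressed as detection rules run over a constructed stream of endpoint telemetry (an added example, not code from the article or from any EDR vendor; the allowlists, thresholds and event shapes are assumptions chosen for illustration):

```python
from collections import defaultdict

# Constructed sample policy (assumption, not a vendor rule set).
EXPECTED_LSASS_READERS = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
ADMIN_TOOLS = {"wmiprvse.exe", "mmc.exe", "services.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "cmd.exe", "certutil.exe", "mshta.exe"}
MASS_WRITE_THRESHOLD = 50      # files modified by one process ...
MASS_WRITE_WINDOW = 10.0       # ... within this many seconds

def detect(events):
    """Apply the three behavioral rules to a time-ordered list of telemetry events."""
    alerts = []
    writes = defaultdict(list)   # pid -> timestamps of recent file modifications
    flagged_pids = set()
    for e in events:
        kind = e["type"]
        if kind == "process_access" and e["target"].lower() == "lsass.exe":
            # Rule 1: LSASS read by a process outside the expected set -> credential dumping
            if e["source"].lower() not in EXPECTED_LSASS_READERS:
                alerts.append(("credential_dumping", e["source"]))
        elif kind == "process_start":
            # Rule 2: admin tool spawning a script/LOLBin child -> living off the land
            if e["parent"].lower() in ADMIN_TOOLS and e["image"].lower() in LOLBIN_CHILDREN:
                alerts.append(("lolbin_spawn", f'{e["parent"]} -> {e["image"]}'))
        elif kind == "file_modify":
            # Rule 3: many files touched by one pid inside a sliding window -> ransomware staging
            ts = writes[e["pid"]]
            ts.append(e["ts"])
            while ts and e["ts"] - ts[0] > MASS_WRITE_WINDOW:
                ts.pop(0)
            if len(ts) >= MASS_WRITE_THRESHOLD and e["pid"] not in flagged_pids:
                flagged_pids.add(e["pid"])
                alerts.append(("ransomware_staging", e["pid"]))
    return alerts

# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"type": "process_access", "source": "csrss.exe", "target": "lsass.exe"},
    {"type": "process_access", "source": "unknown_tool.exe", "target": "lsass.exe"},
    {"type": "process_start", "parent": "explorer.exe", "image": "powershell.exe"},
    {"type": "process_start", "parent": "wmiprvse.exe", "image": "powershell.exe"},
] + [{"type": "file_modify", "pid": 4242, "path": f"C:/Users/a/doc{i}.docx", "ts": 100.0 + i * 0.1}
     for i in range(60)]

if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(name, detail)
```

The benign events (a system process reading LSASS, a user launching PowerShell from Explorer) produce no alert, which is the point of behavioral rules: the same binary is judged by who invoked it and what it touched.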
The Three Pillars: Detect, Investigate, Respond
EDR platforms provide three core capabilities. Detection is the continuous monitoring and alerting on suspicious activity. Investigation is the ability to trace an attack backward and forward in time — seeing exactly how an attacker gained access, what they did, what systems they touched, and what data they may have accessed. Response is the ability to take action: isolate an endpoint from the network, kill a malicious process, roll back file changes, or quarantine a suspicious file.
The detection and investigation capabilities are provided by the platform. The response capability requires human judgment — someone needs to receive the alert, evaluate it, determine the appropriate response, and take action. This distinction is where most mid-market EDR deployments fail: they have the detection capability but not the operational structure to act on it meaningfully.
EDR vs. Traditional Antivirus: Why the Distinction Matters
Traditional antivirus software was designed for a threat landscape that no longer exists. It worked by maintaining a database of known malicious file signatures and scanning files on disk against that database. An attacker who wrote new malware that had not been catalogued could evade antivirus entirely by simply using a novel file. The arms race between antivirus vendors and attackers who created new malware variants led to an effective stalemate by the mid-2010s.
EDR emerged to address this fundamental limitation. By monitoring behavior rather than file signatures, an EDR platform can detect a first-seen piece of malware that exhibits the behavioral patterns of credential dumping — even if that specific malware has never been analyzed before. This behavioral approach is also why EDR can detect living-off-the-land attacks, where attackers use legitimate Windows tools like PowerShell, WMI, and certutil to conduct malicious activities, leaving no malicious files on disk for antivirus to scan.
What EDR Catches — and What It Misses
Understanding EDR's detection scope is as important as understanding its capabilities. Sophisticated buyers — PE operating partners evaluating portco security, CISOs building detection programs — need to know where EDR's coverage ends.
What EDR Detects Effectively
EDR platforms are highly effective at detecting malware execution on endpoints. Known ransomware families, remote access trojans, credential dumping tools, and post-exploitation frameworks like Cobalt Strike and Metasploit all generate behavioral patterns that mature EDR deployments catch reliably. Pre-execution detection — identifying ransomware staging activities like VSS shadow copy deletion, LSASS access, and lateral movement — is a genuine strength of platforms like CrowdStrike Falcon and SentinelOne, giving organizations the opportunity to contain an attack before encryption begins.
EDR is also effective at detecting insider threat activity that manifests in endpoint behavior: unusual file access patterns, large data copies to external drives, installation of unauthorized software, and suspicious process execution. And it provides the forensic investigation capability that turns a containment action into a complete understanding of what happened — critical for regulatory reporting, insurance claims, and preventing recurrence.
What EDR Misses — and Why This Matters
The most important blind spots in EDR coverage are the attack techniques most commonly used against mid-market organizations in 2026. Adversary-in-the-Middle phishing — the technique that bypassed MFA at MGM Resorts, Caesars, and dozens of other organizations — generates no endpoint signals. The victim opens a browser, enters credentials, and approves an MFA prompt. From the endpoint's perspective, this is indistinguishable from normal user behavior. CrowdStrike, SentinelOne, and Defender all miss it at the endpoint layer because there is nothing on the endpoint to detect.
Network-layer attacks, like the GRU campaign that harvested 18,000+ Microsoft 365 tokens through compromised routers in 2026, similarly bypass EDR entirely. The attack never touches an endpoint — it operates at the network infrastructure layer that EDR monitoring cannot see.
Unmanaged endpoints — contractor devices, personal devices used for work, older workstations that cannot run the agent — represent complete blind spots in EDR coverage. In most mid-market organizations, measured endpoint coverage is 70-85% of the actual endpoint population, meaning 15-30% of devices operate with no EDR protection at all.
The Configuration Gap: Why Default Deployments Fail
The most consequential limitation of EDR in practice is not a platform limitation — it is a configuration limitation. All three major EDR platforms ship with conservative default settings designed to minimize false positives and operational disruption. In default configurations, many behavioral detection rules are set to alert rather than respond, detection thresholds for living-off-the-land techniques are set conservatively, and Attack Surface Reduction rules that block specific attack vectors are disabled. A default Defender deployment and a properly tuned Defender deployment are not the same product.
Most mid-market organizations deploy EDR without the security engineering resources to tune it away from defaults. The result is a platform that generates alerts at a volume and fidelity level that creates analyst fatigue without providing the detection quality the vendor demos suggested. In Cloudskope's engagements, the most common finding in portco endpoint security is an EDR platform running on default configuration — capable of detecting far more than it is currently configured to catch.
What PE Operating Partners and CISOs Must Know
The Platform Is Not the Security Posture
The most dangerous misconception about EDR — the one that creates the most operational risk — is treating EDR platform deployment as equivalent to endpoint security maturity. A company that has deployed CrowdStrike Falcon and a company whose CrowdStrike deployment is tuned, monitored 24/7 by analysts who understand the environment, and integrated with identity and network signals are not at the same security posture. They are separated by the investment in operating the platform.
When evaluating a portco's endpoint security, the questions that matter are not which platform they use. They are: What is the actual endpoint coverage rate? Who receives alerts? What is the mean time to respond to high-severity alerts? Has the platform ever been validated against the attack techniques actually used against organizations like this one? When was the last time a detection engineer reviewed and updated the behavioral rules?
Due Diligence Questions for EDR Assessment
In M&A cyber due diligence, Cloudskope evaluates EDR deployment across five dimensions. Coverage — what percentage of endpoints actually have the agent installed and reporting, verified against an independent asset inventory. Configuration — are Attack Surface Reduction rules enabled, are automated response policies active, is the platform connected to a SIEM or security data lake for cross-signal correlation. Monitoring — who watches the console, at what hours, with what response time targets. Validation — has the detection been tested against realistic attack techniques, not just compliance benchmarks. Integration — is EDR telemetry correlated with identity logs, network logs, and cloud activity logs to catch the attack classes that endpoint signals alone cannot detect.
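The coverage check described in the Coverage dimension above (and the 15-30% unmanaged gap noted earlier) comes down to reconciling the EDR console's agent list against an independent asset inventory, counting only agents that are actually reporting. An added example, not Cloudskope's tooling; the seven-day staleness cutoff, the hostname normalisation and the sample data are assumptions:

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=7)   # assumption: an agent silent this long is not "reporting"

def normalize(hostname):
    """Compare on the short, lowercase hostname so 'WS01.corp.example' matches 'ws01'."""
    return hostname.strip().lower().split(".")[0]

def coverage_report(asset_inventory, edr_agents, now):
    """asset_inventory: hostnames from an independent source (CMDB, AD, NAC export).
    edr_agents: {hostname: last_seen datetime} exported from the EDR console."""
    assets = {normalize(h) for h in asset_inventory}
    agents = {normalize(h): seen for h, seen in edr_agents.items()}
    reporting = {h for h, seen in agents.items() if now - seen <= STALE_AFTER}
    covered = assets & reporting                        # installed AND reporting
    stale = {h for h in agents if h in assets and h not in reporting}
    missing = assets - set(agents)                      # in inventory, no agent at all
    not_in_inventory = set(agents) - assets             # agent on a device the inventory lacks
    return {
        "total_assets": len(assets),
        "covered": sorted(covered),
        "missing_agent": sorted(missing),
        "stale_agent": sorted(stale),
        "not_in_inventory": sorted(not_in_inventory),
        "coverage_pct": round(100.0 * len(covered) / len(assets), 1) if assets else 0.0,
    }

# Constructed sample data.
NOW = datetime(2026, 3, 1)
INVENTORY = ["WS01.corp.example", "WS02.corp.example", "WS03", "SRV-FILE01", "contractor-lt"]
AGENTS = {
    "ws01": NOW - timedelta(hours=2),
    "ws02": NOW - timedelta(days=30),      # installed but silent: counts as uncovered
    "srv-file01": NOW - timedelta(minutes=5),
    "lab-vm9": NOW - timedelta(hours=1),   # agent on a device the inventory does not list
}

if __name__ == "__main__":
    report = coverage_report(INVENTORY, AGENTS, NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The console alone would report four agents for five assets; reconciled against the inventory and a reporting cutoff, real coverage is two of five, which is the number a due-diligence reviewer should be shown.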
The Operating Model Question
The decision that has the most impact on EDR effectiveness is not the platform selection — it is the operating model. An organization with a 24/7 managed detection and response service wrapping a mid-tier EDR platform will outperform an organization that purchased an enterprise EDR license and left it running on defaults with alerts going to an inbox nobody monitors out of hours.
For organizations without dedicated security operations capacity — which describes most PE portfolio companies between 50 and 500 employees — the right question is not which EDR to buy. It is which MDR provider will run it at the maturity level needed, using the platform already deployed, without requiring a migration that disrupts operations.
Of breaches involve compromised endpoints — yet 71% of organizations run EDR in default, untuned configurations that miss the attacks most likely to cause damage. The tool is only as good as the team running it.