What is Endpoint Security?
Endpoint security protects laptops, workstations, and servers from cyberattacks. Learn how antivirus, EPP, and EDR differ, what makes endpoint security effective, and how to assess coverage.
Endpoint Security Technology Generations
Antivirus and EPP
First-generation endpoint security used signature-based antivirus to detect known malware by comparing files against a database of known malicious signatures. Endpoint Protection Platform products added behavioral heuristics, sandboxing, and web filtering. EPP remains necessary for detecting known malware efficiently but is insufficient against modern attacks that use fileless techniques, obfuscated payloads, and novel malware not yet in signature databases.
EDR: Endpoint Detection and Response
EDR platforms continuously record endpoint activity — every process execution, network connection, file modification, registry change, and user action — and apply behavioral analytics to identify malicious patterns. Unlike antivirus that scans for known bad, EDR detects suspicious behavior regardless of whether the specific malware is known. CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and Palo Alto Cortex XDR are the dominant enterprise EDR platforms.
XDR: Extended Detection and Response
XDR extends EDR's detection capability across endpoint, network, identity, and cloud telemetry, correlating signals across domains to detect sophisticated attacks that individual telemetry sources cannot identify in isolation. EDR is the foundation; XDR is the integrated view across the entire security environment.
What Makes Endpoint Security Effective
Deployment coverage matters more than platform selection. An EDR platform deployed on 85% of endpoints leaves 15% of the environment unmonitored — and attackers specifically target the unmonitored segments. Coverage verification through asset inventory correlation confirms that every managed endpoint has functioning security software before treating the environment as protected.
Alert response operationalizes endpoint security. An EDR platform that generates alerts nobody reviews provides no security value. The analyst capacity to review, investigate, and respond to EDR alerts — either internal or through an MDR provider — determines whether endpoint security translates into actual protection.
Endpoint Security for PE Portfolio Companies
Endpoint security assessment should evaluate: Is EDR deployed on all endpoints including servers, or only on workstations? What is the coverage percentage, verified against asset inventory? Are alerts reviewed by internal analysts or an MDR provider? Is the EDR platform updated with current threat intelligence? Have endpoint security controls been validated against realistic attack techniques, or only compliance standards? These questions reveal whether endpoint security provides genuine protection or compliance documentation.
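The coverage verification described above (asset inventory correlation, and the "coverage percentage verified against asset inventory" question) as an added example, not code from this page or any EDR vendor: it correlates a constructed asset inventory with a constructed EDR sensor export by hostname, treats a sensor that has been silent for more than seven days as not functioning, and reports verified coverage, per-type gaps, and sensors on hosts the inventory does not know about. Field names and the seven-day threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real environment.
# Asset inventory: every managed endpoint the organisation knows about.
ASSET_INVENTORY = [
    {"hostname": "ws-finance-01", "type": "workstation"},
    {"hostname": "ws-finance-02", "type": "workstation"},
    {"hostname": "srv-db-01", "type": "server"},
    {"hostname": "srv-web-01", "type": "server"},
    {"hostname": "srv-file-01", "type": "server"},
]

# EDR console export: hosts with a sensor installed and their last check-in time.
EDR_AGENTS = [
    {"hostname": "WS-FINANCE-01", "last_seen": "2024-05-01T09:00:00"},
    {"hostname": "ws-finance-02", "last_seen": "2024-04-01T09:00:00"},  # sensor stopped reporting
    {"hostname": "srv-web-01", "last_seen": "2024-05-01T08:30:00"},
    {"hostname": "lab-unknown-01", "last_seen": "2024-05-01T07:45:00"},  # not in inventory
]

NOW = datetime(2024, 5, 1, 12, 0, 0)   # fixed "current time" so the example is reproducible
STALE_AFTER = timedelta(days=7)        # a sensor silent this long is treated as not functioning


def coverage_report(inventory, agents, now=NOW, stale_after=STALE_AFTER):
    """Correlate the asset inventory with EDR sensor check-ins; a host counts as
    covered only when a sensor exists AND has checked in recently."""
    agent_by_host = {a["hostname"].lower(): a for a in agents}
    missing, stale, by_type = [], [], {}
    for asset in inventory:
        name = asset["hostname"].lower()
        counts = by_type.setdefault(asset["type"], {"total": 0, "healthy": 0})
        counts["total"] += 1
        agent = agent_by_host.get(name)
        if agent is None:
            missing.append(asset["hostname"])
        elif now - datetime.fromisoformat(agent["last_seen"]) > stale_after:
            stale.append(asset["hostname"])
        else:
            counts["healthy"] += 1
    healthy = sum(c["healthy"] for c in by_type.values())
    coverage_pct = round(100.0 * healthy / len(inventory), 1) if inventory else 0.0
    # Sensors reporting from hosts the inventory does not list point to an inventory gap.
    rogue = sorted(set(agent_by_host) - {a["hostname"].lower() for a in inventory})
    return {"coverage_pct": coverage_pct, "missing": missing, "stale": stale,
            "rogue": rogue, "by_type": by_type}


if __name__ == "__main__":
    print(coverage_report(ASSET_INVENTORY, EDR_AGENTS))
```

Installed-but-silent sensors are counted as gaps on purpose: the console would still list those hosts as "protected" if you only compared installation counts.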
Real-World Example: CrowdStrike Detects North Korean Attack in Progress
CrowdStrike has publicly documented multiple cases where Falcon EDR detected and contained nation-state attacks in real time. In one documented case, Falcon identified the Lazarus Group — North Korea's primary cyber threat actor — attempting to establish persistence on an endpoint through a novel technique. Falcon's behavioral detection identified the post-exploitation activity and killed the malicious process before the attacker could establish a foothold. The detection occurred within minutes of initial compromise, before any data access or lateral movement occurred.
Of successful cyberattacks begin at the endpoint — a user's laptop, workstation, or server — making endpoint security the most directly attack-relevant control in the security stack.