Safeguard
Best Practices

What is EDR (Endpoint Detection and Response)

What EDR actually detects, how it differs from antivirus, XDR, and MDR, and why supply chain attacks like XZ Utils and 3CX slip past it entirely.

James
Principal Security Architect
7 min read

Endpoint Detection and Response (EDR) is security software that continuously monitors laptops, servers, virtual machines, and containers for signs of compromise, then gives responders the tools to investigate and contain an attack in real time. Unlike traditional antivirus, which blocks known malware by matching file signatures, EDR watches behavior -- process trees, registry edits, network connections, memory injection -- and flags patterns that match attacker tactics even when the payload has never been seen before. Gartner analyst Anton Chuvakin coined the term "endpoint threat detection and response" in July 2013 to describe this emerging category, and it has since grown into a market anchored by products like CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne Singularity. For most SOC teams, EDR is the primary control for catching an intrusion after initial access but before it becomes a full breach.

How does EDR actually work?

EDR works by installing a lightweight sensor on every endpoint that streams telemetry to a cloud or on-prem analytics engine, which correlates that activity against known attacker techniques and surfaces anything anomalous. A typical sensor records process creation events, file and registry writes, DLL loads, network socket activity, and command-line arguments, then forwards that data continuously rather than on a fixed scan interval. The analytics backend maps events against frameworks like MITRE ATT&CK, which as of its v15 release (October 2024) catalogs 14 tactics and more than 200 techniques observed in real intrusions. When a match crosses a risk threshold, the platform generates an alert with a visual process tree, and analysts can respond directly from the console: isolate the host from the network, kill a malicious process, quarantine a file, or roll back a registry change. Retrospective search matters too -- most EDR platforms retain 30 to 90 days of raw telemetry, so once a new indicator of compromise surfaces, teams can query history to see whether the same technique already ran somewhere in the fleet.

How is EDR different from antivirus?

EDR is different from antivirus because it detects behavior instead of just matching known file signatures, which lets it catch malware that has never been cataloged. Traditional AV compares a file's hash or byte pattern against a signature database; if the file isn't in the database, it passes. That gap is exactly what enabled the SolarWinds Sunburst attack, disclosed in December 2020: the malicious code was embedded in a legitimately signed Orion software update, so it carried a valid digital certificate and no AV engine flagged it. What eventually exposed the intrusion -- and what a mature EDR deployment is built to catch -- was the anomalous behavior downstream: a compiled backdoor that stayed dormant for up to two weeks, then began low-and-slow DNS beaconing to attacker-controlled domains disguised as legitimate Orion traffic. AV asks "have I seen this exact file before?" EDR asks "does this process's behavior look like an attack technique?" -- a fundamentally different and more durable detection model.

How is EDR different from XDR and MDR?

EDR is scoped to endpoints alone, while XDR (Extended Detection and Response) correlates telemetry across endpoints, identity, email, and cloud workloads, and MDR (Managed Detection and Response) is a staffed service that operates EDR or XDR tooling on a customer's behalf. An EDR agent only sees what happens on the device it's installed on; XDR platforms, such as Palo Alto Cortex XDR or Microsoft Defender XDR, stitch that endpoint data together with signals like a suspicious Okta login or an anomalous S3 bucket access to reconstruct a multi-stage attack that no single data source would reveal alone. MDR exists to solve a staffing problem rather than a visibility problem: (ISC)2's 2023 workforce study estimated a global cybersecurity talent gap of roughly 4 million unfilled roles, and few internal teams can staff a 24/7 SOC to triage EDR alerts around the clock. An MDR provider layers human analysts and defined response playbooks on top of the EDR or XDR tooling a company already owns.

Can EDR stop software supply chain attacks?

EDR generally cannot stop a software supply chain attack before it causes damage, because EDR detects malicious behavior at runtime, and supply chain compromises are engineered to look legitimate until that runtime moment arrives. Take the XZ Utils backdoor, tracked as CVE-2024-3094: it was inserted into the build scripts of a widely used compression library over roughly two years of social-engineered maintainer trust, and it was discovered on March 29, 2024 not by any EDR alert but by a Microsoft engineer, Andres Freund, who noticed SSH logins were taking an extra 500 milliseconds. The backdoor lived in build artifacts and compiled binaries -- there was no endpoint to monitor until it was already inside production infrastructure. The 3CX desktop app compromise, disclosed in March 2023, followed a similar pattern: a trojanized installer was distributed to customers for weeks before endpoint telemetry picked up the malicious DLL beaconing out. And Sonatype's 2023 State of the Software Supply Chain report counted more than 245,000 malicious open-source packages published that year alone -- packages pulled into builds inside CI pipelines, not onto monitored laptops, meaning EDR never gets a chance to see them. By the time an EDR agent flags a reverse shell spawning from a vulnerable dependency, that vulnerable code may have shipped to production months earlier.

What should a security team look for when evaluating EDR?

A security team should look for an EDR platform's independent detection accuracy, response speed, and breadth of OS and cloud-workload coverage rather than relying on vendor marketing claims. MITRE Engenuity runs an annual ATT&CK Evaluation that publishes how each vendor's product detected and analyzed a scripted adversary emulation -- the round published in 2024 tested products against tactics modeled on China-nexus threat actors and is publicly comparable across vendors. Response speed matters concretely: the difference between a sensor that can isolate an infected host in under 60 seconds and one that takes several minutes can be the difference between containing one machine and losing an entire subnet, given that IBM's 2024 Cost of a Data Breach Report put the average time to identify and contain a breach at 258 days combined. Teams should also weigh integration depth with existing SIEM/SOAR tooling, support for Linux servers and container runtimes (not just Windows laptops), and published false-positive rates, since an EDR platform that buries analysts in noise degrades response time regardless of its detection engine.

How Safeguard Helps

EDR is built to catch attackers after they're already running in your environment -- Safeguard is built to shrink how much ever reaches that point. Safeguard's reachability analysis determines which vulnerable functions in your dependencies are actually called by your application code, cutting through the noise of theoretical CVEs so teams fix what's exploitable instead of chasing every advisory. Griffin AI, Safeguard's AI security analyst, triages findings across code, dependencies, and containers to prioritize the handful that pose real risk, then opens auto-fix pull requests that patch or upgrade the vulnerable package before it ever ships. Safeguard also generates and ingests SBOMs across your build pipeline, giving security teams the inventory visibility that incidents like XZ Utils and 3CX proved EDR alone can't provide. The result is fewer exploitable weaknesses reaching production in the first place -- which means fewer alerts for your EDR and SOC team to chase after the fact.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.