Endpoint Detection and Response

Endpoint detection and response combines endpoint telemetry, alerting, and response actions to help detect and contain suspicious activity on devices.

Endpoint detection and response, or EDR, is a security approach that collects endpoint activity data, looks for suspicious behavior, and supports response actions on the device. In plain language, it helps security teams see and react to threats on laptops, servers, and other endpoints after those systems are already in use.

Why It Matters

EDR matters because many attacks eventually touch endpoints where users work, code runs, and credentials are used. Traditional preventive tools alone may not catch everything, so defenders need visibility into what devices are doing and a way to respond quickly when something looks wrong.

It also matters because endpoint incidents often move fast. The ability to isolate a device, investigate process activity, and review suspicious behavior from a central platform can reduce damage and improve response time.

Where It Appears in Real Systems or Security Workflow

EDR appears in SOC operations, incident response, managed detection programs, and endpoint-hardening strategies. Teams use it to monitor workstations and servers, investigate alerts, and take actions such as isolation or deeper review when malicious or risky behavior is suspected.

Security teams compare EDR with Antivirus and Extended Detection and Response when deciding how much endpoint visibility and broader cross-domain correlation they need.

Practical Example

A developer laptop starts running an unusual process chain shortly after opening an unexpected attachment. The EDR platform records the process activity, triggers an alert, and lets the security team isolate the device from the network while they investigate.
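The scenario above, as an added example that is not part of the original page: a small detection routine run over constructed process-creation telemetry, flagging a script host whose ancestry leads back to a document-handling application, plus the response step an analyst would take. The process names and the `SAMPLE_EVENTS` records are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record from endpoint telemetry (constructed for this example)."""
    pid: int
    ppid: int
    image: str

# Apps that normally open attachments, and script hosts they rarely have a reason to launch.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def ancestry(index: dict[int, ProcEvent], pid: int, max_depth: int = 8) -> list[ProcEvent]:
    """Walk parent links from pid upward; bounded so a malformed tree cannot loop forever."""
    chain, cur = [], index.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain  # child first, root last

def detect_attachment_chains(events: list[ProcEvent]) -> list[dict]:
    """Flag script hosts that have a document-handling application among their ancestors."""
    index = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(index, e.pid)
        for anc in chain[1:]:  # skip the process itself, inspect its ancestors
            if anc.image.lower() in DOCUMENT_HANDLERS:
                lineage = " -> ".join(p.image for p in reversed(chain))
                alerts.append({"pid": e.pid, "trigger": anc.image, "chain": lineage})
                break
    return alerts

def recommend_action(alerts: list[dict]) -> str:
    """Response step taken from the console: isolating the host limits further damage during triage."""
    return "isolate_host" if alerts else "no_action"

# Constructed telemetry: a mail client opens a document, which then spawns PowerShell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe"),
    ProcEvent(300, 200, "winword.exe"),
    ProcEvent(400, 300, "powershell.exe"),  # suspicious: Word -> PowerShell
    ProcEvent(500, 100, "cmd.exe"),         # benign: user opened a shell from Explorer
]
```

Running `detect_attachment_chains(SAMPLE_EVENTS)` yields one alert for the PowerShell process, and `recommend_action` then returns `isolate_host`; the shell launched directly from Explorer is not flagged.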

Common Misunderstandings and Close Contrasts

EDR is not the same as Antivirus. Antivirus traditionally focuses more on known malicious content and preventive detection, while EDR emphasizes broader telemetry, investigation, and response support.

It is also different from Extended Detection and Response, which tries to correlate signals across endpoints, networks, identities, and other sources rather than focusing mainly on endpoint data.

Knowledge Check

  1. What is EDR mainly designed to provide on endpoints? Detection, investigation visibility, and response support.
  2. How is EDR different from traditional antivirus? EDR emphasizes broader telemetry and response actions, not only preventive malware detection.
  3. Why is isolation useful in an EDR workflow? It can reduce ongoing damage while the security team investigates the device.