# Endpoint Detection and Response (EDR)
## Definition
Endpoint Detection and Response is a category of security technology that continuously monitors endpoint devices (laptops, desktops, servers, and in some implementations mobile devices and cloud workloads) for suspicious activity, provides visibility into endpoint behavior, and enables rapid investigation and response when threats are detected.
EDR replaced traditional antivirus as the standard for endpoint protection because it addresses the fundamental limitation of signature-based detection: you cannot detect what you do not have a signature for. Traditional antivirus matches files against a database of known malware signatures. If the malware is new (zero-day), modified (polymorphic), or fileless (living off the land using legitimate system tools), signature-based detection fails. EDR monitors behavior, not signatures. It watches what processes do, not just what they look like.
The EDR market is dominated by several vendors: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, and Cybereason. The technology has matured into a commodity capability (every organization of any size should have EDR deployed), but the operational discipline of using EDR effectively (tuning detections, investigating alerts, maintaining coverage, executing response) remains the differentiator between organizations that have EDR and organizations that are protected by EDR.
## How It Works
### Core Capabilities
EDR platforms provide four core capabilities:
Continuous monitoring and telemetry collection. An agent installed on each endpoint collects detailed telemetry: process creation and termination, file system modifications, registry changes, network connections, DNS queries, user authentication events, loaded modules, and inter-process communication. This telemetry is streamed to a central platform (cloud-hosted in most modern deployments) for storage, correlation, and analysis.
The telemetry depth is what distinguishes EDR from antivirus. Antivirus scans files. EDR records the complete behavioral history of every process on every endpoint. When an investigation is needed, the analyst can reconstruct exactly what happened: which process spawned which child process, what files were modified, what network connections were established, and what user context the activity occurred under.
Behavioral detection. Detection rules in EDR platforms match behavioral patterns rather than file signatures. A detection rule might trigger on: PowerShell executing an encoded command that downloads content from an external URL (common in initial access), a process accessing the LSASS memory space (credential dumping), a process creating a scheduled task for persistence, or a process encrypting files in rapid succession (ransomware behavior).
Behavioral detection catches attacks that signature-based detection misses because it monitors what the attack does rather than what the attack looks like. A novel ransomware variant with no known signature still exhibits ransomware behavior: mass file encryption, shadow copy deletion, ransom note creation. EDR detects the behavior.
Investigation and forensics. When a detection fires, EDR provides the context for investigation: the full process tree (what spawned the suspicious process, and what it spawned in turn), the timeline of events on that endpoint, related activity on other endpoints, and the ability to search historical telemetry across the entire fleet. This transforms investigation from "something happened on this machine" to "here is the complete chain of events across every affected system."
Response actions. EDR enables direct response from the console: isolate an endpoint from the network (it can only communicate with the EDR cloud), kill a malicious process, quarantine a suspicious file, collect a forensic memory dump, or initiate a remote shell for hands-on investigation. These capabilities enable the SOC to contain threats in minutes rather than hours, without requiring physical access to the endpoint.
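As an added illustration (not code from this page or from any EDR vendor), the following Python sketch runs the encoded-PowerShell behavioral rule described above over a handful of constructed process and network events, scores it by parent process and outbound connection, and rebuilds the process chain an analyst would read during investigation. The event shape, the Office parent list and the TEST-NET-3 address are assumptions.

```python
# Constructed process-creation telemetry in the shape an EDR agent records
# (pid, parent pid, image name, command line). Sample data, not a real capture.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE invoice.docx"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},
    {"pid": 400, "ppid": 300, "image": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
# Constructed network telemetry: pid -> outbound destinations (TEST-NET-3 documentation range).
NETWORK = {300: ["203.0.113.10:443"]}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def has_encoded_flag(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)
    and the -ec alias, so a rule that matches only the literal flag misses variants."""
    for tok in cmdline.split():
        t = tok.lower()
        if t.startswith("-") and len(t) >= 2 and ("encodedcommand".startswith(t[1:]) or t[1:] == "ec"):
            return True
    return False

def process_chain(events, pid):
    """Walk parent links upward: the ancestry an analyst reads to see what spawned what."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect_encoded_powershell(events, network):
    """Behavioral rule from the text: PowerShell running an encoded command. Severity rises
    when the parent is an Office application and when the process opens a connection."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not has_encoded_flag(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        office_parent = parent is not None and parent["image"].lower() in OFFICE_APPS
        outbound = network.get(e["pid"], [])
        score = 1 + int(office_parent) + int(bool(outbound))  # 1 (low) .. 3 (high)
        hits.append({"pid": e["pid"], "severity": ("low", "medium", "high")[score - 1],
                     "chain": process_chain(events, e["pid"]),
                     "children": [c["image"] for c in events if c["ppid"] == e["pid"]],
                     "destinations": outbound})
    return hits
```

The legitimate `-File backup.ps1` launch is left alone; only the Office-spawned, encoded, network-active instance is flagged, with its ancestry and child process attached for triage.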
### EDR vs. XDR vs. MDR
The market has generated confusion around related terms:
EDR focuses on endpoints. It monitors and responds to threats on laptops, desktops, and servers.
XDR (Extended Detection and Response) extends the detection and response concept beyond endpoints to include network telemetry, cloud workload telemetry, email telemetry, and identity telemetry. XDR correlates signals across multiple data sources, theoretically providing better detection through cross-source correlation. In practice, XDR effectiveness varies widely by vendor. Some XDR platforms are genuinely integrated. Others are marketing rebrands of existing product bundles.
MDR (Managed Detection and Response) is a service model, not a technology. MDR providers operate the EDR (or XDR) platform on the client's behalf: monitoring alerts 24/7, investigating detections, and executing response actions. MDR addresses the operational gap: many organizations deploy EDR but lack the staff to monitor and respond to its output around the clock.
CDA's TID-C01 mission (Managed Detection and Response) provides this operational capability within the PDM framework. The distinction from commodity MDR providers: CDA's MDR integrates with the full PDM domain structure, which means detection context includes not just the endpoint event but the VSD (was this endpoint externally exposed?), IAT (whose credentials were used?), DPS (what data is on this endpoint?), and RGA (what compliance implications does this event carry?) dimensions.
### Deployment Architecture
Modern EDR deploys in a cloud-native architecture:
Endpoint agent. A lightweight software agent installed on each endpoint. The agent collects telemetry, executes local detections (for latency-sensitive rules), and communicates with the cloud platform. Agent resource consumption is a practical concern: an agent that consumes 5% of CPU and 500MB of RAM on a developer workstation generates complaints. Modern agents target less than 1% CPU and under 100MB RAM in steady state.
Cloud platform. Telemetry is streamed to a cloud-hosted platform (CrowdStrike's Threat Graph, SentinelOne's Singularity Data Lake, Microsoft's Defender backend) where it is stored, correlated, and analyzed. Cloud-native architecture enables cross-endpoint correlation (detecting lateral movement patterns across multiple endpoints) and fleet-wide threat hunting (searching historical telemetry across every endpoint simultaneously).
Console. The management interface where analysts view alerts, investigate detections, execute response actions, and manage policies. Effective consoles provide visual process trees, timeline views, and one-click response actions. Console design directly affects analyst efficiency and, therefore, mean time to detect (MTTD) and mean time to respond (MTTR).
## Why It Matters
### The Endpoint Is the Battlefield
Most attacks begin on an endpoint. A phishing email delivers a payload to a user's workstation. A compromised credential is used to log into a laptop. A vulnerability in a VPN client is exploited on an employee's device. The endpoint is where the attacker establishes their initial foothold, and it is where the first detection opportunity exists.
An environment without EDR is an environment where the attacker's initial actions (process execution, credential access, lateral movement preparation) occur without observation. The attack is invisible until it produces externally visible symptoms: encrypted files, data appearing on a leak site, or a customer reporting fraudulent activity. By that point, the attacker has been operating undetected for days or weeks.
### Coverage Is Binary
EDR's value is proportional to its coverage. An organization with EDR on 95% of endpoints has blind spots on the remaining 5%. The attacker targets the 5%. This is not theoretical: sophisticated attackers specifically look for endpoints without EDR agents (legacy systems, IoT devices, contractor workstations, developer machines excluded from the standard image).
100% coverage is the target. Anything less is a known, quantified gap that should appear on the risk register. CDA's SPH-R02 mission (Configuration Baseline Assessment) specifically measures EDR coverage as a posture metric.
### Alert Triage Requires Operational Investment
EDR generates alerts. Alerts require investigation. Investigation requires skilled analysts. Skilled analysts require operational processes (triage procedures, escalation criteria, response playbooks). Without this operational investment, EDR generates noise that nobody acts on, which is worse than no EDR because it creates the illusion of detection without the reality.
This is why CDA positions EDR as an SPH control (the technology is a posture and hygiene asset that must be maintained) that feeds TID operations (the telemetry and alerts are consumed by threat detection and response). The technology sits in SPH. The operational value is realized in TID.
## CDA Perspective
EDR sits at the intersection of SPH (Security Posture and Hygiene) and TID (Threat Intelligence and Defense) in the Planetary Defense Model. As a deployed technology, it is an SPH asset: it must be installed, configured, maintained, and kept at full coverage, just like any other endpoint control. As a detection and response capability, it feeds TID: its telemetry flows into the SOC, its alerts are triaged by analysts, and its response capabilities are executed during incidents.
This dual positioning illustrates a core PDM principle: tools are not domains. EDR is a tool. It serves SPH (as a posture control) and TID (as a detection engine) simultaneously. Organizations that assign EDR to one team (the endpoint team) without integrating its detection output with another team (the SOC) lose half the value.
CDA's Autonomous Posture Command (APC) methodology governs EDR as a posture asset: "Your posture adapts. Your hygiene never sleeps." APC monitors EDR agent health, coverage percentage, detection rule currency, and policy compliance continuously. If an agent goes offline, APC detects the gap. If coverage drops below threshold, APC escalates. The EDR platform is only as good as its deployment discipline.
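To make the coverage metric from the Coverage Is Binary section and the agent-health monitoring described above concrete, here is an added Python example (not CDA's or any vendor's code) that joins a constructed asset inventory against constructed agent heartbeat records and produces the gap list and escalation flag a posture process would consume. The 24-hour staleness window, the 100% default threshold, and all hostnames and timestamps are assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset inventory (what *should* carry an agent) and constructed last-heartbeat
# times as exported from an EDR console. Hostnames and timestamps are sample values.
INVENTORY = ["ws-001", "ws-002", "ws-003", "srv-db-01", "srv-web-01", "ctr-laptop-07"]
LAST_SEEN = {
    "ws-001":     "2024-06-01T11:58:00Z",
    "ws-002":     "2024-06-01T11:40:00Z",
    "ws-003":     "2024-05-25T09:00:00Z",   # agent installed but silent for a week
    "srv-db-01":  "2024-06-01T11:59:00Z",
    "srv-web-01": "2024-06-01T11:30:00Z",
    "srv-lab-99": "2024-06-01T11:55:00Z",   # reporting, but absent from the inventory
    # ctr-laptop-07 has never checked in: no agent at all
}
NOW = "2024-06-01T12:00:00Z"                # evaluation time for the sample data
STALE_AFTER = timedelta(hours=24)           # assumed policy: silent for a day counts as a gap

def parse_ts(ts):
    """ISO-8601 'Z' timestamps to timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess_coverage(inventory, last_seen, now, threshold=1.0):
    """Classify each inventoried endpoint as healthy, stale or missing. Coverage counts
    only healthy agents: a silent agent yields no telemetry and no response path, so it
    is a blind spot just like a missing one. Hosts that report but are not inventoried
    are returned separately, because they expose a gap in the inventory itself."""
    now_dt = parse_ts(now)
    gaps = {"stale": [], "missing": []}
    healthy = 0
    for host in inventory:
        ts = last_seen.get(host)
        if ts is None:
            gaps["missing"].append(host)
        elif now_dt - parse_ts(ts) > STALE_AFTER:
            gaps["stale"].append(host)
        else:
            healthy += 1
    coverage = healthy / len(inventory) if inventory else 0.0
    return {
        "coverage": round(coverage, 4),
        "escalate": coverage < threshold,    # the text sets the target at 100%
        "unknown": sorted(set(last_seen) - set(inventory)),
        **gaps,
    }

if __name__ == "__main__":
    print(assess_coverage(INVENTORY, LAST_SEEN, NOW))
```

On the sample data four of six inventoried hosts are healthy, so coverage reports as 0.6667 with one stale agent, one missing agent and one unknown host, and the escalation flag is set.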
Three TOP missions connect directly to EDR:
- TID-B04 (EDR Deployment): Deploy EDR across the endpoint fleet. 32 estimated hours. This mission includes agent installation, policy configuration, detection rule tuning, integration with SIEM, and validation of coverage.
- SPH-B02 (Endpoint Hardening Standards): Define and deploy endpoint hardening standards that include EDR as a mandatory control. 32 estimated hours. EDR is one component of the endpoint hardening baseline alongside full-disk encryption, host firewall, application control, and configuration management.
- SPH-R02 (Configuration Baseline Assessment): Assess endpoint configurations against baseline, including EDR coverage measurement. 20 estimated hours.
The interaction with adjacent domains is direct. VSD benefits from EDR's ability to detect exploitation of endpoint vulnerabilities. IAT benefits from EDR's detection of credential theft techniques (LSASS access, Kerberoasting). DPS benefits from EDR's ability to detect data staging and exfiltration. RGA benefits from EDR's audit trail, which provides evidence of control effectiveness for compliance reporting.
CDA approaches EDR differently from vendors in one specific way: we treat EDR as an operational capability, not a product purchase. A vendor sells the license and provides a deployment guide. CDA deploys the agent (TID-B04), tunes the detections to the client's threat profile, integrates the telemetry with the SIEM (TID-B01), operates the alert triage (TID-C01), and measures coverage as a continuous posture metric (SPH-R02). The tool is the starting point. Operations are the value.
## Key Takeaways
- EDR continuously monitors endpoint behavior, detects threats through behavioral patterns (not just signatures), provides forensic investigation capabilities, and enables rapid response actions.
- EDR replaced traditional antivirus because behavioral detection catches attacks (fileless malware, living-off-the-land techniques, zero-days) that signature-based detection misses.
- Coverage must be 100%. Every endpoint without an EDR agent is a blind spot the attacker will target.
- EDR is an SPH control (deployment, coverage, maintenance) that feeds TID operations (detection, investigation, response). Both domains must be engaged for EDR to deliver full value.
- EDR without operational investment (alert triage, investigation, response processes) generates the illusion of detection without the reality.