EDR (Endpoint Detection and Response)
A security solution that continuously monitors endpoints (laptops, desktops, servers, mobile devices) to detect, investigate, and respond to cyber threats in real time. EDR goes beyond traditional antivirus by using behavioral analysis, machine learning, and threat intelligence to detect fileless malware, living-off-the-land attacks, and advanced threats. Key capabilities include process monitoring, file integrity monitoring, network connection tracking, automated response actions (isolation, remediation), and forensic investigation tools. Leading EDR platforms include CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and Carbon Black. EDR is a core technology for SOC operations and is tested in CySA+, CISSP, and Security+ certifications.
Why It Matters
In practice, EDR is critical because endpoints are where users interact with data and where most attacks ultimately execute, making endpoint visibility and response capability essential for modern security operations. Organizations that fail to deploy EDR rely on traditional antivirus that cannot detect fileless attacks, PowerShell abuse, and living-off-the-land techniques that bypass signature-based detection entirely. The evolution to XDR (Extended Detection and Response) integrates endpoint telemetry with network, cloud, and email data for cross-domain correlation and faster threat detection. EDR data is also invaluable for forensic investigations, providing detailed process execution histories and file modification timelines. On certification exams such as CySA+, CISSP, and Security+, expect questions about comparing EDR with traditional antivirus capabilities, understanding behavioral detection versus signature-based detection, evaluating automated response actions like endpoint isolation, and understanding how EDR integrates with SIEM and SOAR platforms in a SOC environment.
Practice this topic
Test your knowledge of EDR (Endpoint Detection and Response) concepts with exam-style practice questions.
Related Fundamentals terms
CIA Triad
The three core principles of information security: Confidentiality (ensuring data is accessible only to authorized parties), Integrity (ensuring data is accurate and unaltered), and Availability (ensuring systems and data are accessible when needed). The CIA Triad is the foundational model for designing security controls — every security measure addresses one or more of these principles. For example, encryption protects confidentiality, hashing protects integrity, and redundancy protects availability. Some frameworks extend this to include authentication, non-repudiation, and privacy. The CIA Triad is the most fundamental concept in cybersecurity and appears in every certification exam.
Defense in Depth
A layered security strategy that uses multiple independent security controls at different levels to protect information assets, so that if one layer fails, others continue to provide protection. Layers typically include physical security, network security (firewalls, IDS/IPS), host security (EDR, hardening), application security (WAF, input validation), data security (encryption, DLP), and administrative controls (policies, training). This approach originates from military strategy and recognizes that no single control is foolproof. Defense in depth is a guiding principle for security architecture and is a fundamental concept in CISSP, Security+, and CISM certifications.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats that helps organizations make informed security decisions, including indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and threat actor profiles. Threat intelligence is categorized into strategic (high-level trends for executives), tactical (TTPs for security teams), operational (specific attack campaigns), and technical (IOCs for automated tools). Sources include open-source feeds (MITRE ATT&CK, AlienVault OTX), commercial feeds, ISACs (Information Sharing and Analysis Centers), and dark web monitoring. Threat intelligence is central to CySA+, CTIA, GCTI, and CISSP Domain 1 certifications.
Patch Management
The process of identifying, acquiring, testing, and installing software updates (patches) to fix security vulnerabilities, bugs, and improve functionality across an organization's IT infrastructure. An effective patch management program includes asset inventory, vulnerability scanning, patch prioritization (using CVSS scores and exploitability data), testing in staging environments, deployment scheduling, and verification. Unpatched systems remain the most exploited attack vector — many major breaches (Equifax, WannaCry) resulted from failure to apply available patches. Patch management is required by PCI DSS, HIPAA, and other compliance frameworks and is tested in Security+, CySA+, and CISSP certifications.
Honeypot
A decoy system or resource designed to attract attackers and study their methods, tools, and techniques while protecting real production systems. Honeypots can be low-interaction (simulating services with limited functionality) or high-interaction (full operating systems that allow deeper attacker engagement). A network of honeypots is called a honeynet. Honeypots serve multiple purposes: early warning of attacks, intelligence gathering on new threats, diverting attackers from real targets, and collecting evidence for legal proceedings. Tools include Cowrie (SSH honeypot), Dionaea (malware capture), and T-Pot (multi-honeypot platform). Honeypots are covered in CEH, CySA+, and CISSP security operations topics.
Sandboxing
A security mechanism that isolates running programs, files, or code in a controlled, restricted environment to prevent them from affecting the host system or accessing sensitive resources. Sandboxes are used for malware analysis (detonating suspicious files to observe behavior), application testing, browser isolation, and mobile app security. Sandbox evasion is a cat-and-mouse game — advanced malware detects sandbox environments and alters behavior to avoid detection. Enterprise sandbox solutions include FireEye, Palo Alto WildFire, and Cuckoo Sandbox (open-source). Sandboxing concepts are tested in CySA+, CEH, and malware analysis certifications.