FortaRisks

EDR

EDR (Endpoint Detection and Response) is a security technology that continuously monitors endpoints and servers to detect malicious behavior, raise alerts, and enable a response. Unlike signature-based antivirus, it relies on behavioral analysis to spot unknown attacks.

Updated on July 2, 2026

What is EDR?

EDR, for Endpoint Detection and Response, is a category of security tools deployed on endpoints (workstations, servers, laptops). It continuously collects data on what happens there (processes, connections, file changes) and analyzes it to detect signs of an attack.

Its value rests on three combined capabilities: detection, based on behavior rather than mere signatures; investigation, which lets you reconstruct how an attack unfolded; and response, which lets you act, for example isolating a compromised endpoint from the network.

Why it matters for your organization

Modern attacks bypass classic antivirus, notably through living-off-the-land techniques that use no malware. EDR meets this reality by focusing on behavior: an abnormal sequence of actions becomes detectable even without a suspicious file.

It also shortens reaction time. In an intrusion, the ability to quickly isolate a machine and understand what happened is the difference between a contained incident and a widespread compromise.

What an EDR provides

  • Behavioral detection of threats, including unknown ones.
  • Continuous visibility into endpoint activity.
  • Investigation and reconstruction of how an attack unfolded.
  • Response: isolation, blocking, remote remediation.
  • ATT&CK mapping of the techniques observed.
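As an added illustration of the behavioral detection described above (not FortaRisks' code), the script below runs a single sequence-based rule over constructed process-creation telemetry: every binary in the events is a legitimate OS or office component, so a hash lookup would find nothing, yet the parent-child chain "office application spawns a command interpreter" is flagged, tagged with the ATT&CK technique it corresponds to, and turned into a list of hosts to isolate. The event format, the rule and the host names are assumptions.

```python
"""Behavioral detection over constructed endpoint telemetry (added example)."""

# Constructed telemetry: a flat stream of process-creation events with a
# parent pid, as an EDR sensor would forward them. All images are
# legitimate, signed components, so no file signature matches.
EVENTS = [
    {"host": "ws-042", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"host": "ws-042", "pid": 210, "ppid": 100, "image": "winword.exe"},
    {"host": "ws-042", "pid": 333, "ppid": 210, "image": "cmd.exe"},
    {"host": "ws-042", "pid": 340, "ppid": 333, "image": "powershell.exe"},
    {"host": "ws-017", "pid": 500, "ppid": 1,   "image": "explorer.exe"},
    {"host": "ws-017", "pid": 512, "ppid": 500, "image": "powershell.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def ancestry(events, host, pid):
    """Image chain from a process up to the root on one host, e.g.
    ['powershell.exe', 'cmd.exe', 'winword.exe', 'explorer.exe']."""
    by_key = {(e["host"], e["pid"]): e for e in events}
    chain = []
    while (host, pid) in by_key:
        chain.append(by_key[(host, pid)]["image"])
        pid = by_key[(host, pid)]["ppid"]
    return chain


def detect_office_spawned_interpreter(events):
    """Flag any interpreter whose ancestors include an office application.
    The sequence is the indicator, not a file; mapped to ATT&CK T1059
    (Command and Scripting Interpreter) so the alert is triage-ready."""
    alerts = []
    for e in events:
        if e["image"] not in INTERPRETERS:
            continue
        chain = ancestry(events, e["host"], e["pid"])
        if any(a in OFFICE_APPS for a in chain[1:]):
            alerts.append({"host": e["host"], "pid": e["pid"],
                           "chain": " <- ".join(chain), "technique": "T1059"})
    return alerts


def hosts_to_isolate(alerts):
    """Response step: hosts an analyst would cut off from the network."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect_office_spawned_interpreter(EVENTS)
    for a in found:
        print(a)
    print("isolate:", hosts_to_isolate(found))
```

The ws-017 PowerShell launched from the desktop is left alone, which is the point of a sequence rule: the same interpreter is benign or suspicious depending on its ancestry, not its hash.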

Where organizations most often fall short

The most common pitfall is deploying an EDR and then leaving it on autopilot, with no team to handle the alerts: a tool that detects but that nobody acts on does not protect. The other mistake is forgetting that the EDR itself can be targeted or disabled by an attacker, hence the importance of protecting and monitoring the security tool as a critical asset in its own right.

Frequently asked questions

What is the difference between antivirus and EDR?

Traditional antivirus blocks known threats from signatures. EDR goes further: it continuously records endpoint activity, detects suspicious behavior (even without a signature), and lets you investigate and respond to an attack, for example by isolating a machine. One prevents the known, the other detects and handles the unknown.

What is the difference between EDR, XDR and MDR?

EDR focuses on endpoints. XDR extends correlation to other sources (network, email, cloud) for a unified view. MDR is not a technology but a service: an external team runs detection and response for you, often on top of an EDR or XDR.
