Dashboard
Account 🔐
Sign Up
Login
Global Leaderboard
Game Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
Security Stack
›
EDR
Edr
Security Stack
Definition
EDR (Endpoint Detection and Response) tools monitor and record endpoint-level activities (process execution, file changes, registry edits, memory behavior) to detect and respond to threats in real time.
Explore More Terms
Ndr
Process_commandline
Phishing-Campaign
Lateral_movement
Take
Examples & Use Cases
## Why It Matters in Practice Most attacks eventually execute on endpoints. Even if an attacker bypasses perimeter defenses, EDR can catch what they actually do (e.g., spawning PowerShell, dumping credentials). ## How It Differs from Traditional Antivirus - Antivirus: signature-based, reactive - EDR: behavioral + contextual, proactive ## Key Points - Provides deep visibility into process chains - Enables rapid containment (e.g., isolate machine) - Critical for detecting fileless attacks - Supports threat hunting and forensic analysis ## How EDR is used - Monitoring parent-child process relationships - Detecting suspicious command-line usage - Memory scanning for injected code - Blocking malicious scripts (e.g., encoded PowerShell) ## Real-World Example A Word document spawns PowerShell → PowerShell downloads a payload → payload injects into another process. EDR flags this abnormal process chain immediately. ## Limitations - Can generate noisy alerts without tuning - Requires skilled analysts to interpret telemetry - May miss activity outside monitored endpoints ## Further Reading - [Crowdstrike - What is Endpoint Detection and Response (EDR)](https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/) - [Microsoft Learn - Microsoft Defender for Endpoint (MDE)](https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint)
.png)
