Functions of EDR(Endpoint Detection and Response)

Han Solo
3 min readMar 31, 2021


In this blog post, we will talk about the function of EDR. Since you already know about Anti-virus which is also called Vaccine, I will compare it with EDR as below.

You may be unfamiliar with EDR because it is built mainly for large institutions and not for individuals yet. However, as the damage caused by security incidents can be severe to individuals, it is important to know the difference between EDR and Vaccine and how EDR will develop further in the future.

EDR has been developed for the purpose of responding to unknown malware. Therefore, it is very different from the traditional Anti-virus that only responds to known malware. In other words, Anti-virus merely compares, detects, and responds to known malware often after the damage has been done. However, if there is unknown malware, you have to spend lots of time and effort to detect it. EDR can solve the problems of Anti-virus which makes the EDR a special and intelligent solution that continues to evolve.

Gartner, the most recognized market research firm that predicts and analyzes information security trends around the world, cited four components of EDR.

  • Detection of security breaches: Detecting security incidents beyond those caused by file-based malware.
  • Security control: Controlling security incidents that are detected on endpoints
  • Security breach investigation: Investigating security incidents based on timeline and conducting threat hunting.
  • Endpoint treatment: Recovering endpoint to its pre-infection condition.

Similarly to Gartner’s, the following is how I organize the components of EDR for easy visualization.

  • Collection/Detection: Collecting endpoint event behaviors and files and detecting threats.
  • Threat analysis: Comparing information collected based on the rules (IOC, MITRE-based) with known malware information.
  • Threat response: Controlling malicious behavior based on analyzed results.
  • Threat management: Conducting cause analysis and providing information based on threat events.

EDR is the most advanced endpoint (e.g. computer, laptop, etc.) security product ever developed. It is in the early stage in the market with great potential to further develop and grow and is experiencing a significant change in functionality. The characteristics of information security products are constantly changing from an early stage to a mature stage, driven by the needs of the market and customers. Other products however are not changing or evolving, because their specifications are largely set.

After all, EDR doesn’t trust any files based on the principle of Zero Trust and continues to monitor and responds when threats occur.



Han Solo

I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.