Endpoint detection and response (EDR) solutions—or EDR products—help security teams to block, identify and remediate malicious activity on corporate endpoints, including workstations, laptops, mobile and IoT devices, cloud systems, and servers.
To achieve this, EDR solutions monitor each endpoint in real time for threats, aggregating and analyzing data—such as process execution, communications and user logins—to identify anomalous, suspicious and potentially malicious activities. The EDR product uses this data to initiate automated responses to contain or remediate threats, as well as to inform the security team’s threat investigation and response processes.
Implementing an endpoint detection and response solution empowers IT security teams to take a proactive approach to their cybersecurity. The right EDR product can enable organizations to minimize endpoint risk by gaining greater visibility into their network, carrying out more informed investigations into threats, and more efficiently and effectively remediating threats with automated response workflows.
In this article, we’ll explore the top EDR solutions designed to help you identify and remove threats to your network’s endpoints. These solutions offer a range of capabilities, including real-time endpoint monitoring, threat data analysis, automated threat response and centralized management. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
ESET is a market-leading provider of lightweight, highly effective cybersecurity solutions designed to protect both consumers and enterprises against today’s most prevalent known and zero-day threats.
ESET PROTECT Enterprise is their extended detection and response (XDR) platform, which combines endpoint security, full disk encryption, file server security, proactive threat detection, and facilitated response to enable businesses of all sizes to efficiently prevent, identify, and remediate threats in their digital environments.
ESET PROTECT Enterprise leverages machine learning algorithms, adaptive scanning and behavioral analysis, complemented by cloud-based behavioral analysis, to identify and remediate zero-day threats in real time. Admins can then leverage root-cause analysis and system visibility insights from ESET Inspect to respond immediately to threats. Live response options include one-click isolation, as well as a full suite of PowerShell remediation options, with risk scoring to help prioritize threats.
As well as identifying and remediating threats, ESET PROTECT Enterprise features robust endpoint security tools, such as mobile device management, brute force protection, ransomware shield, and cloud-based sandboxing technologies to help block sophisticated endpoint attacks. The platform also offers full disk encryption capabilities for Windows and macOS devices to help protect corporate data in the event of an attack and ensure compliance with data protection regulations.
ESET PROTECT Enterprise offers on-prem and cloud deployments and integrates easily with other security tools such as SIEM, SOAR, and ticketing tools via a public API, making it relatively quick to deploy and easy to manage. Existing users praise the solution for its friendly interface and powerful forensic analysis capabilities, as well as its ability to adjust alert sensitivity automatically to reduce false positives.
We recommend ESET PROTECT Enterprise as a strong solution for mid-sized to larger organizations looking to protect their endpoints and extended network against known and zero-day threats.
Heimdal™ is a cybersecurity provider that offers solutions that defend against email, endpoint, web, application, and identity threats. Heimdal™ Endpoint Detection and Response is their EDR solution designed to help organizations not only detect and remediate sophisticated malware threats, but also prevent these threats from taking root in the first place. To achieve this, Heimdal™ EDR includes next-gen antivirus, PAM, application control, patch management, DNS filtering and encryption capabilities. Each of these features is available as a module that can be accessed via Heimdal™’s holistic, unified dashboard, enabling customers to gain a comprehensive view of their security posture across all layers via one single source of truth.
Heimdal™ EDR uses machine learning-driven intelligence to monitor your environment for known and zero-day threats such as malware, vulnerability exploits, brute force attacks and social engineering. Each of the modules included in Heimdal™’s EDR solution leverages intelligence from the others to secure the entire environment. This enables the solution to detect and remediate exploits without having to integrate other threat intelligence tools or rely on security teams to aggregate data across multiple systems, providing a comprehensive, layered approach to threat detection. From the management console, admins can access threat intelligence data to help inform their remediation actions. They can also set up automated remediation workflows for certain threat types, such as patching third-party applications.
Heimdal™ Endpoint Detection and Response deploys in the cloud, making it highly scalable and enabling businesses to easily add further modules to their subscription, should they wish to. Users praise the platform for its intuitive interface and user-friendly dashboard, as well as the high-quality, reliable support offered by Heimdal™’s product team. We recommend Heimdal™ Endpoint Detection and Response as a strong solution for any-sized organization looking for a holistic threat prevention, detection and response platform that offers insights into threats across multiple vectors, automated remediation and – above all – ease of use.
The Symantec Cybersecurity Services unit of global software manufacturer and supplier Broadcom specializes in endpoint protection, data loss prevention (DLP) and web filtering solutions for business. Symantec Endpoint Security (SES) Complete is Broadcom’s EDR solution, which combines cloud-based protection with AI-driven threat hunting and guided management to help secure organizations against endpoint threats. SES Complete is available on a per-device subscription basis, with prices varying according to required features, and can be purchased via one of Broadcom’s resale partners.
SES Complete offers powerful threat-hunting functionality, as well as built-in antivirus tools, to help prevent attacks as well as detect them. As well as gathering local data, Symantec’s Threat Hunter crowdsources global threat data from each of their customers to expose zero-day attacks. When a threat is detected, SES Complete offers guided remediation to help security teams respond efficiently. The Adaptive Protection feature enables security teams to automatically customize security to their environment and automate policy updates so that they can reduce time spent on configuration. SES Complete also includes vulnerability and patch management, rogue device discovery, and device control. For an added cost, customers can benefit from a range of security integrations, including full-disk encryption and web content monitoring.
SES Complete supports on-premises, hybrid and cloud deployments. The platform is compatible with desktops, laptops, tablets, mobile phones and servers, and Windows, macOS, Linux, iOS and Android operating systems, making it suitable for organizations with a diverse device fleet. Customers praise the solution for its ease of use and its ability to respond to threats as well as detect them. We recommend Symantec Endpoint Security Complete as a strong EDR solution for organizations of all sizes looking to protect their endpoints—including mobile endpoints—against known and zero-day malware threats.
Cisco is a global technology provider that offers a wide range of hardware, software and telecoms technology, as well as security solutions designed to protect digital networks and infrastructures against cyberthreats. Cisco Secure Endpoint (formerly AMP for Endpoints) is their cloud-native endpoint detection and response solution that enables organizations to more effectively identify and remediate threats such as malware. Cisco Secure Endpoint is available via three plans: Essentials, Advantage, and Premier.
Cisco Secure Endpoint monitors the behavior of each protected device for malicious activities, ensuring that threats are identified quickly. When a threat is found, Secure Endpoint isolates the infected endpoint from the rest of the network, allowing security teams to mitigate the issue before it can spread to other machines. These processes, according to Cisco, enable Secure Endpoint to reduce remediation times by as much as 85%. The solution’s Premier tier also offers proactive threat hunting via Cisco’s integrated SecureX platform, helping security teams to find threats more quickly with the help of Cisco’s security experts, as well as to automate their remediation playbooks for faster incident response.
Cisco Secure Endpoint deploys in the cloud and integrates seamlessly with other Cisco products, making initial configuration simple. Users praise the platform for its fast remediation and the high levels of visibility Cisco provides into the security of each endpoint. We recommend Cisco Secure Endpoint to mid- to large-size enterprises looking for a robust EDR solution—particularly those already leveraging Cisco’s other security products.
CrowdStrike is a cybersecurity provider that offers cloud, endpoint security and threat intelligence solutions via a single agent, as well as breach response services. Falcon Insight is their unified EDR solution, which also offers optional antivirus, threat intelligence and threat hunting modules. The Falcon platform is licensed on a subscription basis per endpoint, and the Insight module is available via the Enterprise and Premium packages, which are priced at $15.00/endpoint/month and $18.99/endpoint/month respectively.
Falcon Insight applies behavioral analytics to continuously monitor each endpoint for threats and vulnerabilities, providing full real-time and historical visibility into the security status of each endpoint. This enables security teams to track the threat level of their organization over time. The platform’s streamlined notifications and incident triaging capabilities enable security teams to easily prioritize which issues to respond to first, ensuring faster remediation of serious threats. The platform maps security alerts to the MITRE ATT&CK framework, which CrowdStrike reports helps reduce alert fatigue by 90%. Endpoints that are being attacked are isolated from the rest of the network, preventing the attack from spreading, while built-in remote execution commands enable security teams to remediate threats from anywhere.
CrowdStrike’s solution supports Windows, Windows Server, macOS and Linux endpoints, and deploys in the cloud, giving it the flexibility to scale as your organization does. It also offers a range of API-based integrations with other security tools, enabling greater cross-platform visibility into threats without having to manually sync threat data between management tools. Customers praise Falcon Insight for its ease of installation and ongoing management, as well as its powerful threat detection and analytics capabilities. While the solution offers protection for SMBs, it can be a little pricey, depending on the additional modules required. As such, we recommend Falcon Insight as a strong EDR solution for mid- to large-size organizations looking for powerful protection that’s easy to deploy and manage.
Cybereason is a security provider that specializes in lightweight yet powerful endpoint security that detects and protects against malicious operations such as malware and viruses. Cybereason Endpoint Detection And Response (EDR) is a module available within the Cybereason XDR Platform, which also includes next-generation antivirus (NGAV), managed detection and response (MDR), and digital forensics. The platform is priced per endpoint according to the features required.
Cybereason EDR features a powerful threat detection and alert system, which combines its own EDR data with alerts from integrated firewalls and SIEM tools to quickly detect and provide a comprehensive overview of all threats across the endpoint network. Once alerted to a threat, security teams are guided through the remediation process with the built-in remediation dashboard, which allows them to isolate machines, kill processes and quarantine files with one click via an intuitive interface. Finally, Cybereason’s threat analysis data enables security teams to dig deeper into the threats their organization is facing, so they can take measures to prevent them in the future. This data includes factors such as root cause, affected machines and the attack timeline for each incident.
Cybereason offers private cloud, on-premises and air-gapped deployment options to ensure all organizations can benefit from its protection, no matter their state of cloud migration. Cybereason EDR is praised by customers for the level of insight it provides into each malicious incident, including activities that occur before and after the attack itself. However, some customers warn that on-premises deployment is a difficult process. With that in mind, we recommend Cybereason EDR for mid-size to larger organizations that are looking for robust EDR with easy-to-manage remediation options, but with available resource they can dedicate to the initial deployment.
Palo Alto Networks is a global leader in enterprise cybersecurity solutions that leverage powerful machine learning engines, analytics and automation to protect against threats at every level. Cortex XDR is their extended detection and response solution that monitors threats across all endpoints, networks and clouds. The platform is available via two packages: Prevent offers next-gen antivirus and endpoint protection across all endpoints; Pro offers full EDR capabilities with optional managed threat hunting and threat intelligence modules, across all endpoints, networks, clouds and third-party data sources.
With its powerful machine learning engine, Cortex XDR continuously monitors endpoint, network and user behavior for malicious activities, aggregating data from multiple sources to eliminate blind spots. If a threat is identified, the endpoint is immediately isolated and Cortex runs the relevant response options as per configurations, to help contain the threat. The platform also offers root cause analysis, which security teams can use to identify how a threat entered the network and spread, so they can prevent repeat attacks. As well as its EDR capabilities, Cortex XDR offers next-gen antivirus, a host firewall, disk encryption and USB device control for further attack prevention.
Palo Alto Cortex XDR offers cloud and on-premises deployment options, and integrates seamlessly with Palo Alto’s other security technologies, including their firewall—however, it offers limited integrations with security products from other vendors. Customers praise the solution for its intuitive interface, as well as its incident triaging and endpoint isolation capabilities. We recommend Cortex XDR Pro as a powerful solution for any organization—and particularly existing Palo Alto customers—looking for EDR that extends beyond the endpoint to also offer network and cloud monitoring.
SentinelOne is a cybersecurity provider that specializes in endpoint and network security, offering solutions with a focus on automation and continuous, real-time intelligence. Singularity is their extended detection and response solution, designed to monitor endpoints for threats such as malware and proactively remediate those threats. The Singularity platform is available via three packages: Core ($6 USD/agent/month), Control ($8 USD/agent/month) and Complete ($12 USD/agent/month). Of these, the Complete package is the only one to offer full EDR capabilities, and is compatible with desktop and laptop endpoints, clouds and IoT devices.
Singularity leverages behavioral AI and next-gen antivirus tools to detect known and zero-day threats across an organization’s endpoints. Admins can configure automated remediation workflows, which the platform runs when certain security alerts are triggered, reducing the time it takes to mitigate threats and removing the need for any scripting. The platform’s Storyline technology offers deep real-time insights into the security state of each connected endpoint and the timeline of any security incidents, including root cause analysis, all via a single, intuitive dashboard. The Complete package also offers network control, USB device control, Bluetooth device control and Ranger protection for IoT devices.
Singularity is a cloud-based platform, making it easy to deploy and highly scalable. Customers praise SentinelOne’s solution for its user-friendly interface and management, and the powerful automation of its response features. As such, we recommend Singularity as a strong EDR solution for all organizations—including those with smaller security teams or less dedicated security resource—with a user device fleet comprising laptops, desktops and IoT devices, rather than mobile devices.
Sophos is a cybersecurity provider that offers an expansive suite of endpoint, email, network, cloud and web security solutions, each of which utilizes AI to protect against known and evolving threats in real time. Intercept X is their EDR solution, which combines traditional threat detection and response with additional anti-ransomware capabilities, including automated file recovery and incident analysis. Sophos also offers an Advanced package of the Intercept X platform, which extends its threat detection capabilities to aggregate network, email, cloud and mobile data sources.
Intercept X uses powerful deep learning technology to detect known and zero-day malware without relying on signatures. This enables the platform to automatically identify and triage threats. When a threat is detected, Intercept X synchronizes protection across all devices, preventing the threat from spreading across multiple endpoints. From the platform’s single, central management console, admins can manage their threat response workflows, as well as the other features offered by the platform. These include ransomware file protection and recovery, exploit prevention and credential theft prevention. Sophos also offers Managed Threat Response services, which enable organizations to hand over the threat remediation process to Sophos’ 24/7 threat analyst team.
Sophos has previously targeted a primarily SMB market, but the powerful combination of a cloud-native platform and intelligent deep learning technology makes Intercept X highly scalable. In addition to this, the platform is compatible with all major operating systems across most devices, including desktops, laptops, mobile devices and servers. Because of this, we recommend Intercept X as a strong solution for any-sized organization, including those with a large percentage of remote or hybrid workers, looking for robust endpoint detection and response.
VMware is a provider of cloud computing and virtualization technologies designed to help build, streamline and secure digital workplaces. Carbon Black EDR leverages robust threat intelligence and granular customization options to help SOC teams secure online, offline, air-gapped and disconnected environments against sophisticated endpoint threats. The platform is available on a per-endpoint subscription basis, with the option to add further modules for an extra cost, including advanced threat hunting, vulnerability monitoring and patch management.
Carbon Black EDR’s anomaly-based threat detection engine discovers known and unknown threats on each endpoint by identifying unusual or suspicious activity. The solution continuously records endpoint activity data, giving security teams real-time visibility into the security status of each machine, which enables them to remediate threats more quickly and efficiently. This also allows attack timeline visualization for in-depth investigations post-remediation, to help identify root causes and prevent similar attacks in the future. When a threat is detected, security teams can respond remotely via a secure connection to infected hosts. Finally, the platform’s automated watchlist functionality ensures that security teams don’t have to respond to multiple instances of the same threat; once blocked, a threat cannot enter the network again.
Carbon Black EDR offers a range of integrations via API, making it easier to deploy and build into an existing security stack. Customers praise the platform for its powerful protection against emerging threats as well as known threats, and its user-friendly interface and management. However, many also report a large number of false positives on initial deployment. Because of this, we recommend Carbon Black EDR as a strong endpoint detection and response solution to organizations of any size that have a dedicated, full-time security resource to monitor and manage alerts, or those who are able to outsource management to an MSP.
How Do EDR Solutions Work?
EDR solutions monitor a company’s endpoints—including desktops, laptops, mobile devices, cloud systems, and servers—in real time for anomalous behavior that might indicate that the endpoint has been breached. When the solution detects anomalous or malicious activity, it either automatically responds to it as per admin-configured remediation workflows, or it alerts admins to the activity so that they can respond to it manually.
Some EDR products also offer threat intelligence features. These help SOC teams to identify the root cause of the attack so that they can fix the vulnerability and prevent any repeat attacks in the future.
There is a seemingly endless list of acronyms in the world of cybersecurity, so it is worth breaking down how EDR differs from MDR and EPP:
- EDR vs. EPP: EDR solutions differ from traditional endpoint protection platforms (EPPs), or endpoint security solutions, as they provide heightened threat intelligence and automated incident response.
- EDR vs. MDR: Managed detection and response (MDR) solutions offer the same functionality as EDR products, but the management of the solution—including the remediation of any threats it detects—is taken care of by a team of security experts external to your own company, who work for the MDR provider. This can be a strong option for businesses that don’t have the in-house resource to manage an EDR solution or respond to incidents themselves. Some EDR providers offer managed response as an add-on to their core EDR technology.
Do You Need An EDR Solution?
EDR solutions allow businesses to identify endpoint threats such as viruses, malware, fileless attacks, the use of illegitimate applications, and the misuse of legitimate applications. They also help you to remediate threats and provide in-depth analysis of how each incident began and spread, so that you can take steps to prevent future attacks.
Endpoint attacks are some of the most common threats—and in the case of ransomware, the most expensive—that businesses today are facing, so it’s important that you’re able to identify and remediate them when they do occur. Due to their frequency and severity, we recommend that every business invest in some type of endpoint security solution. However, you need to analyze the needs of your business when choosing which type of solution to go for.
If you don’t have too many endpoints to manage and your team has sufficient resource to respond efficiently to any incidents that they’re alerted to, then you may just want an endpoint protection platform.
If you have a large network with a diverse range of endpoints to monitor, and a security team that can dedicate their time to threat monitoring and incident response, you may wish to consider an EDR solution.
If you don’t have the in-house resource to investigate alerts and conduct incident response, however big or small your endpoint fleet is, an MDR solution might be better suited to your needs.
What Are The Top EDR Solution Features?
There are five main features that you should look out for when choosing an EDR solution:
- Effective threat detection. This is the “D” in “EDR”. Once you’ve deployed your EDR solution, it should use machine learning and behavioral analytics to create a baseline of “normal” activity for each endpoint, including user interactions such as logins and process executions. The EDR solution can then use this baseline to highlight any anomalous (and therefore potentially malicious) activity across your endpoints. If an EDR solution can’t do this effectively, it isn’t an EDR solution.
- Automated threat response. There are several ways in which an EDR solution can offer incident response. “Guided remediation” usually means that the solution will give your SOC team suggestions on how to respond to a threat. “Automated incident response” usually means that your SOC team can create incident response workflows that enable the platform to automatically remediate or contain certain types of threat on your behalf. “Managed threat response” usually means that the EDR provider will also offer you a dedicated SOC team that will guide your own in-house team through the entire incident response process—though this often comes at an additional cost.
- Intuitive, prioritized alerting. No matter what your solution’s level of automated threat response is, it needs to alert your security team to any incidents it discovers. The best solutions also triage these alerts, so that your team knows which ones they need to prioritize. Ultimately, this helps them to reduce their mean-time-to-respond (MTTR) and the overall damage caused by the attack.
- Threat intelligence. This is one of the biggest differences between EDR and EPP solutions: an EDR solution should use the behavioral data it’s collected to create a full trail of the attacker’s activities within your network. This trail begins at the moment the account was breached and covers all of the attacker’s movements after that. This can help you prevent future breaches of the same nature and fix any vulnerabilities that enabled the attack to spread.
- Intuitive, customizable management. The best EDR solutions not only provide powerful protection but make it easy for your team to manage that protection by offering a user-friendly interface and high levels of customization. This not only enables security teams to gain clearer visibility into their endpoint data, but also to fine-tune the solution to their environment, which can help reduce false positives.
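The per-endpoint baseline, anomaly scoring, prioritized alerting, automated response playbook and analyst tuning described in the list above, as an added illustrative Python example (not code from any of the products reviewed). The telemetry records, scoring weights and playbook thresholds are constructed for this illustration only:

```python
from collections import defaultdict

# Constructed endpoint telemetry. Each record is (endpoint, event_type, subject, user):
# event_type is "process" (subject = image name) or "login" (subject = logon type).
# The learning window is treated as known-good and becomes the per-endpoint baseline.
LEARNING_WINDOW = [
    ("ws-01", "process", "outlook.exe", "alice"),
    ("ws-01", "process", "chrome.exe", "alice"),
    ("ws-01", "process", "excel.exe", "alice"),
    ("ws-01", "login", "interactive", "alice"),
    ("srv-01", "process", "sqlservr.exe", "svc_sql"),
    ("srv-01", "login", "service", "svc_sql"),
]

# Constructed events from a later window, evaluated against that baseline.
EVAL_WINDOW = [
    ("ws-01", "process", "chrome.exe", "alice"),      # already in baseline: no alert
    ("ws-01", "process", "powershell.exe", "alice"),  # known user, program never seen here
    ("srv-01", "login", "interactive", "bob"),        # unknown user, new logon type
    ("srv-01", "process", "cmd.exe", "bob"),          # unknown user, program never seen here
]


def build_baseline(events):
    """Per-endpoint set of (event_type, subject, user) combinations seen while learning."""
    baseline = defaultdict(set)
    for endpoint, etype, subject, user in events:
        baseline[endpoint].add((etype, subject, user))
    return baseline


def score(event, baseline):
    """Illustrative anomaly score: 0 = matches baseline; each never-seen dimension adds points.
    Weights are constructed for this example, not taken from any product."""
    endpoint, etype, subject, user = event
    seen = baseline.get(endpoint, set())
    if (etype, subject, user) in seen:
        return 0
    points = 1                                  # this exact combination is new
    if user not in {u for _, _, u in seen}:
        points += 2                             # user never observed on this endpoint
    if subject not in {s for _, s, _ in seen}:
        points += 1                             # program or logon type never observed here
    return points


def respond(points):
    """Illustrative playbook: contain automatically only above a high threshold."""
    if points >= 4:
        return "isolate_endpoint"   # automated containment
    if points >= 2:
        return "alert_soc"          # needs human triage
    return "log_only"


def detect(events, baseline):
    """Score every event, drop baseline matches, and return alerts highest-severity first
    as (score, action, event) so the SOC sees what to handle first."""
    scored = [(score(e, baseline), e) for e in events]
    alerts = [(s, respond(s), e) for s, e in scored if s > 0]
    return sorted(alerts, key=lambda a: -a[0])


def mark_benign(baseline, event):
    """Analyst tuning: fold a confirmed-benign event into the baseline so it stops alerting."""
    endpoint, etype, subject, user = event
    baseline[endpoint].add((etype, subject, user))


BASELINE = build_baseline(LEARNING_WINDOW)

if __name__ == "__main__":
    for points, action, event in detect(EVAL_WINDOW, BASELINE):
        print(points, action, event)
```

Running the block lists the two srv-01 events first (score 4, isolate) and the ws-01 PowerShell launch after them (score 2, alert), while the baseline-matching Chrome launch produces nothing.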