
What is an EDR (Endpoint Detection and Response)

In short

An EDR (Endpoint Detection and Response) is a technology that monitors endpoints (PCs, servers, laptops), detects malicious behaviour with behavioural analytics and enables response actions such as host isolation and process kill. Unlike antivirus, which blocks known threats by signature, EDR also detects unknown attacks from their behaviour. But it remains a tool: someone has to operate it 24·7.

The endpoint, the first battlefield

The endpoint is where an attack becomes concrete: code execution, escalation, lateral movement. EDR was born to see what antivirus does not: not just known malicious files, but suspicious behaviour, even from threats never seen before.

What an EDR does

It continuously records endpoint activity (processes, network, files, registry), applies behavioural analytics, and enables response actions: isolate the host, terminate processes, collect artefacts. It is powerful, but it is a tool to be operated.
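To make the record-analyse-respond loop concrete, here is a toy pipeline added as an example (not Fortgale's code or any product's): it runs a signature check, as antivirus would, and two behavioural rules over a few constructed process and network events, and maps each finding to the response action it would trigger. Hashes, host names and thresholds are constructed placeholders.

```python
# Added illustration of the EDR loop: telemetry -> behavioural analytics -> response action.
# Not Fortgale's code; all telemetry, hashes and thresholds below are constructed.
from collections import defaultdict

KNOWN_BAD_HASHES = {"0000deadbeef0000"}          # constructed placeholder, stands in for an AV signature
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
SMB_FANOUT_THRESHOLD = 3                         # distinct SMB peers one process may contact before we alert

# Constructed endpoint telemetry, in the shape an EDR sensor records: process creations and network connections.
EVENTS = [
    {"type": "proc", "host": "ws-01", "pid": 100, "ppid": 1, "image": "explorer.exe", "hash": "a1"},
    {"type": "proc", "host": "ws-01", "pid": 200, "ppid": 100, "image": "winword.exe", "hash": "b2"},
    {"type": "proc", "host": "ws-01", "pid": 300, "ppid": 200, "image": "powershell.exe", "hash": "c3"},
    {"type": "proc", "host": "srv-02", "pid": 400, "ppid": 1, "image": "setup.exe", "hash": "0000deadbeef0000"},
    {"type": "net", "host": "ws-01", "pid": 300, "dst": "10.0.0.11", "port": 445},
    {"type": "net", "host": "ws-01", "pid": 300, "dst": "10.0.0.12", "port": 445},
    {"type": "net", "host": "ws-01", "pid": 300, "dst": "10.0.0.13", "port": 445},
]


def analyse(events):
    """Return (layer, rule, host, pid, response) tuples in the order the alerts fire."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "proc"}
    smb_peers = defaultdict(set)
    alerts = []
    for e in events:
        if e["type"] == "proc":
            # Antivirus layer: a known-bad hash is enough on its own; response is to block the file.
            if e["hash"] in KNOWN_BAD_HASHES:
                alerts.append(("signature", "known-bad-hash", e["host"], e["pid"], "block_file"))
            # EDR layer: nothing on ws-01 matches a signature, but an Office app spawning a shell
            # is suspicious behaviour regardless of the binary; response is to kill the process.
            parent = procs.get((e["host"], e["ppid"]))
            if parent and parent["image"] in OFFICE_APPS and e["image"] in SHELLS:
                alerts.append(("behaviour", "office-spawns-shell", e["host"], e["pid"], "kill_process"))
        elif e["type"] == "net" and e["port"] == 445:
            # EDR layer: one process fanning out to many SMB peers looks like lateral movement,
            # a pre-encryption phase of ransomware; response is to isolate the host.
            peers = smb_peers[(e["host"], e["pid"])]
            peers.add(e["dst"])
            if len(peers) == SMB_FANOUT_THRESHOLD:
                alerts.append(("behaviour", "smb-fan-out", e["host"], e["pid"], "isolate_host"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

Note that the pipeline only emits the alerts and the response each would justify; nothing here decides whether kill or isolate is the right call on a given host, which is the judgement the page says a human has to make.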

The limit: alerts do not handle themselves

An EDR produces signals; someone has to verify them and act, at any hour. This is where EDR alone is not enough and the managed service comes in: MDR operates the EDR with analysts 24·7, turning alerts into closed incidents. The service: Fortgale MDR.

Comparison

Antivirus vs EDR vs MDR

|                 | Antivirus                 | EDR                           | MDR                                              |
|-----------------|---------------------------|-------------------------------|--------------------------------------------------|
| Detects         | Known threats (signatures) | Also unknown (behaviour)      | EDR + identity, cloud, network + intelligence    |
| Response        | File block                | Host isolation, process kill  | Managed response 24·7                            |
| Who operates it | Automatic                 | Your team                     | Provider analysts                                |

Field-observed proof · beyond the alert

In Operation Storming Tide the technical signals were there: the difference was made by who interpreted them and contained the attack. An EDR without analysts stays a source of unhandled alerts.

Read the analysis →
FAQ

Frequently asked.

What is the difference between EDR and antivirus?

Antivirus blocks known threats by signature. EDR uses behavioural analytics to detect unknown attacks too and enables response (isolation, kill). EDR sees what antivirus does not, but it requires interpretation.

Are EDR and MDR the same thing?

No: EDR is the technology, MDR is the service that operates it with analysts 24·7 (and not only on the endpoint). See What is MDR and MDR vs EDR vs XDR.

Does EDR stop ransomware?

It can intercept the pre-encryption phases (lateral movement, offensive tools) if someone acts on the alerts in time. On its own it raises signals; you need a team that turns them into containment.

Do I need a team to run an EDR?

Yes. An EDR with no analysts watching it 24·7 produces alerts that go unheard, especially at night and on weekends, when most attacks happen. That is why MDR exists.

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale MDR service.

Related resources: What is MDR · MDR vs EDR vs XDR

Want to go deeper with an analyst?

A technical conversation, not a funnel.

Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.

Response time: < 1 business day.