What is EDR if MDR is about threat detection and response? EDR is an acronym for endpoint detection and response. Again, the word “threat” is missing, because the name of the game isn’t detecting the presence of endpoints. EDR is sometimes referred to as ETDR (less commonly, but more correctly). The difference between MDR and EDR is scope: EDR is primarily concerned with threat detection and response in the endpoint environment. What exactly does that imply? EDR focuses on device activity rather than network activity – think laptops, servers, and critical business devices like POS systems.
To better understand what EDR is and isn’t, keep in mind that “detection and response” are only two elements of the cybersecurity framework Predict, Prevent, Detect, and Respond. For full disclosure, this is very similar to the NIST Cybersecurity Framework’s five functions of Identify, Protect, Detect, Respond, and Recover, in true cybersecurity fashion of competing and overlapping terminology. But bear with me and consider this in the context of the Predict, Prevent, Detect, and Respond framework.
Threats that have gotten past the Predict and Prevent functions are dealt with by EDR.