Glossary

EDR (Endpoint Detection and Response)

Endpoint Detection and Response (EDR) is a category of security software that continuously monitors endpoints — laptops, servers, and workstations — for malicious activity. EDR platforms collect telemetry, generate detections, and let security teams investigate and respond. Examples include CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and Carbon Black.

In depth

EDR replaced traditional antivirus as the foundation of endpoint security. Modern EDR platforms continuously stream telemetry from a lightweight agent on each endpoint to a cloud backend, where machine learning and rule-based detections surface suspicious activity. Analysts can pivot from a detection to the full process tree, network connections, and file activity that surrounded it.

Critical EDR capabilities include real-time threat detection, behavioral analysis, host isolation (network containment), forensic timeline reconstruction, and integration with SOAR/SIEM platforms for automated response.

EDR and PocketSOC

PocketSOC connects to the two leading EDR platforms — CrowdStrike Falcon and Microsoft Defender for Endpoint — and gives responders a mobile-first interface for the most time-sensitive EDR workflows: triage, alert assignment, and host isolation.

SOC

A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.

Host Isolation

Host isolation is the practice of cutting a compromised endpoint off from the network — typically by blocking all outbound and inbound traffic except a control channel to the EDR platform — so the threat cannot spread, exfiltrate data, or beacon out while the investigation continues.

Incident Response

Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.

SIEM

A Security Information and Event Management (SIEM) platform centralizes logs and security events from across an organization — endpoints, network devices, cloud services, identity providers — and runs detection rules against the combined feed.