An endpoint detection and response (EDR) product provides detection, reporting, and remediation capabilities. The visibility these systems provide into the behavior of endpoints gives incident response teams the critical information they need to conduct forensic investigations. Continuous monitoring of the endpoint, detection of anomalous activity, and provision of forensic detail to empower incident response are the core features of an EDR product.

Forensics are particularly important for some enterprises, which is why EDR products that focus on forensic investigation and continuous monitoring remain in demand. These products are not for everyone—proper utilization of an EDR system requires a team of forensic specialists. However, for organizations that are constantly under attack, an EDR product can save time and money. Organizations that are likely to be the target of advanced persistent threats (APTs) should deploy an EDR product, particularly those organizations that are deemed to be critical infrastructure.

EDR products are developed with different philosophies and capabilities. Some identify threats pre-execution, others contain technology that lends itself to the identification of threats during execution, and still others excel at identifying attacks post-execution. Most products have a mix of capabilities that enable detection pre-execution, during execution, and post-execution. However, this does not preclude the possibility of some performing better in one area than another, and these relative strengths and weaknesses are important to consider when evaluating EDR products for your organization.


NSS Labs’ Endpoint Detection and Response (EDR) Group Test evaluates market-leading EDR products on their effectiveness at detecting, logging, and reporting on various threats. The relative security and relative cost of these systems are evaluated using the NSS Labs EDR opex model. The test provides Comparative Reports and individual Test Reports to help enterprises make informed decisions to evolve and rationalize their cyber risk programs.