← ALL POSTS
CYBERSECURITY EXPLAINER

EDR, XDR, antivirus: what actually protects endpoints now

You bought antivirus for every computer in the office years ago. It renews automatically, the icon sits in the tray, and nobody has thought about it since. Then your insurance renewal form asks if you have "EDR deployed on all endpoints" and you have no idea if the thing you own counts. Usually it doesn't. Here's the difference, in plain terms.

Why old-school antivirus stopped being enough

Traditional antivirus works off signatures. Someone finds a piece of malware, writes a fingerprint for it, and pushes that fingerprint out to every customer. Your antivirus scans files and flags anything that matches a known fingerprint. That worked fine when malware was a file that sat on disk and looked the same on every victim's machine.

Modern attacks don't look like that. Attackers repack their malware so every copy has a different fingerprint. More often they skip malware entirely and use tools already on your computer: PowerShell, remote management software, scheduled tasks, the same utilities your IT person uses. There is no bad file to fingerprint. A signature scanner watches that whole attack happen and reports a clean system.

Signature scanning still catches the old commodity junk, and every modern product still includes it. But if it's the only layer you have, you're defended against 2012.

What EDR actually does

EDR stands for endpoint detection and response. Instead of just scanning files, an EDR agent records what's happening on the machine: which processes start, what launched them, what they touch on disk, where they connect on the network, what they do to the registry. Then it looks for behavior that adds up to an attack.

A concrete example. Word opens, which is normal. Word spawns PowerShell, which is weird. That PowerShell downloads something from an address nobody has ever connected to, then starts encrypting files in your shared drive at high speed. No single step matches a virus signature. The chain is obviously an attack, and behavior-based detection flags it as one.

The "response" half is the part antivirus never had. When EDR sees that chain, it can kill the process, quarantine the file, and isolate the whole machine from the network so the attack can't spread, while still letting your security tools talk to it. Someone investigating can pull the full timeline: what ran, when, what it touched. With plain antivirus, your response options are basically "delete the file and hope."

Real products in this space: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Sophos Intercept X, Huntress paired with Defender. Pricing lands in the range of a few dollars per computer per month for small-business tiers, more for the big enterprise names.

Where XDR fits

XDR is "extended" detection and response. Same idea, wider view. Instead of watching only laptops and servers, it also pulls in signals from email, Microsoft 365 or Google Workspace sign-ins, firewalls, and cloud apps, then correlates across them. So a suspicious login from another country, followed by a new inbox rule that forwards mail externally, followed by odd activity on that user's laptop, shows up as one connected incident instead of three alerts in three separate consoles.

For a small business, XDR is usually not a separate purchase. It's a tier of the product you already picked. If you're on Microsoft 365 Business Premium, Defender's XDR features are largely sitting there waiting to be turned on. The label matters less than whether anything is correlating your signals at all.

Detection beats prevention alone

Prevention still matters. Patch your machines, filter your email, require MFA. But every prevention layer fails sometimes, and vendors who promise 100% blocking are selling you something. The honest model is: block what you can, and detect fast what gets through.

The numbers that matter are dwell time and response time. An attacker who gets in and is kicked out within an hour is an incident report. An attacker who sits in your network for three weeks, mapping your backups and reading your email before pulling the trigger, is a rebuild-the-company event. EDR exists to shrink that window from weeks to minutes.

One catch: EDR generates alerts, and alerts need a human. An EDR console nobody looks at is barely better than no EDR. That's why small businesses usually pair the agent with a managed detection service (Huntress, or an MSP's SOC) where actual people triage the alerts around the clock. If nobody at your company will watch the console, buy the version where someone else does.

How to know you're covered

Run through this list:

If you can't answer those five, that's the gap to close. It's one of the cheaper fixes in security, and it's the one insurers, and attackers, check first.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Okta vs Microsoft Entra: picking an identity provider Explainer
Ransomware defense: the five layers that matter Explainer
Dark web monitoring: useful signal or scare tactic? Explainer
Do you still need a VPN? Explainer
The first 24 hours after a breach: what to do, in order Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston