The category boundaries
The naming is messy because vendors blur the lines for marketing. The honest taxonomy:
- Legacy antivirus (AV). Signature-based detection. File scanning. Match an inbound file against a database of known-bad hashes. Quarantine matches. The 1990s baseline.
- Next-generation antivirus (NGAV). Adds machine-learning detection on file behaviour, exploit prevention (DEP, ASLR-style memory protections), and basic behavioural rules. Better at unknown and fileless attacks than legacy AV. The 2015-era successor.
- Endpoint detection and response (EDR). Adds continuous endpoint telemetry collection (process, registry, network, command-line), behavioural detection mapped to MITRE ATT&CK techniques, threat hunting, and response actions like isolate-host and kill-process. The 2020-era category.
- Extended detection and response (XDR). Adds telemetry from identity, email, cloud workloads, and network, with cross-layer correlation. A different category, not the same thing; see EDR vs XDR for that comparison.
Capability matrix
| Capability | Legacy AV | NGAV | EDR |
|---|---|---|---|
| Signature detection | Yes | Yes | Yes |
| Behavioural ML detection | No | Yes | Yes |
| Exploit prevention | Limited | Yes | Yes |
| Continuous telemetry collection | No | No | Yes |
| Threat hunting tooling | No | No | Yes |
| MITRE ATT&CK technique mapping | No | Partial | Yes |
| Response: kill process | No | Limited | Yes |
| Response: isolate host | No | No | Yes |
| Response: shell-level remediation | No | No | Yes |
| 30 to 365 day telemetry retention | No | No | Yes |
| Typical $/endpoint/month | $0 to $3 | $2 to $5 | $3 to $15 |
Detection on commodity malware is similar between modern NGAV and EDR. The qualitative difference is what you have after a detection: with EDR you have the telemetry to investigate; with NGAV or AV you have the alert and nothing else.
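To make that distinction concrete, here is an added example in Python (not from the original page): constructed process-creation telemetry of the kind an EDR sensor collects, one behavioural rule mapped to an ATT&CK technique, and the process-tree reconstruction that is only possible when that telemetry was collected and is still within retention. The image names, PIDs, paths and sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class ProcEvent:
    """One process-creation record as an EDR sensor would store it (constructed fields)."""
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed telemetry from one workstation: a document opened in Word spawns a
# script interpreter, which in turn launches an executable from a temp folder.
T0 = datetime(2026, 1, 15, 9, 0, 0)
EVENTS = [
    ProcEvent(T0, 400, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T0 + timedelta(seconds=30), 812, 400, "winword.exe", 'winword.exe "invoice.docm"'),
    ProcEvent(T0 + timedelta(seconds=42), 913, 812, "powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1"),
    ProcEvent(T0 + timedelta(seconds=45), 1020, 913, "updater.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and the ATT&CK sub-technique a behavioural rule would tag them with.
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003",
                "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}

def detect(events: list[ProcEvent]) -> list[dict]:
    """Behavioural rule shared by NGAV and EDR: an Office application spawning a script host."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            alerts.append({"pid": e.pid, "technique": SCRIPT_HOSTS[e.image],
                           "rule": f"{parent.image} spawned {e.image}"})
    return alerts

def investigate(events: list[ProcEvent], pid: int, now: datetime, retention_days: int):
    """EDR-only step: rebuild the process tree around an alert; None if the record aged out."""
    by_pid = {e.pid: e for e in events}
    if pid not in by_pid or now - by_pid[pid].ts > timedelta(days=retention_days):
        return None                       # nothing to pivot on: the AV-alert-only situation
    chain, p = [], pid                    # walk ppid links back to the root process
    while p in by_pid:
        chain.append(by_pid[p].image)
        p = by_pid[p].ppid
    children = [e.cmdline for e in events if e.ppid == pid]   # what the alerted process launched
    return {"ancestry": chain[::-1], "children": children}
```

With the telemetry present, the alert on PID 913 expands into the full chain explorer.exe, winword.exe, powershell.exe plus what PowerShell launched next; with only an alert, or once retention has expired, `investigate` has nothing to return.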
The cost gap
- Legacy AV: often $0 if Windows Defender Antivirus is used or it is bundled into a Microsoft 365 plan; $1 to $3 per endpoint per month for paid enterprise AV products.
- NGAV: $2 to $5 per endpoint per month for purpose-built NGAV products; sometimes bundled with EDR.
- EDR: $3 to $15 per endpoint per month for cloud-managed platforms; mid-market typically $5 to $8.
For a 200-endpoint SMB the annual licence gap between Windows Defender Antivirus (free) and mid-tier EDR ($6 per endpoint per month) is $14,400 per year. The premium buys telemetry, response, threat hunting, and longer retention.
The premium does not buy better detection of commodity malware: modern NGAV and EDR detect similar percentages of common attacks. It pays for the 5 percent of incidents where you need to investigate, not the 95 percent where you need to block. If your incident probability is low and your ability to investigate is also low (no analyst, no SOC), the premium is wasted; AV with strong patching and outsourced incident response is sometimes the better posture.
When AV or NGAV is sufficient
Honest acknowledgment: not every organisation needs EDR. The cases where NGAV or AV is genuinely sufficient:
- No regulatory or insurance requirement for EDR. Genuinely rare in 2026 because most cyber-insurance carriers now require EDR or equivalent, but there are unregulated industries where it remains optional.
- Homogeneous Windows-only environment with disciplined patching. Patch latency under one week reduces the dependency on advanced detection because the attack surface for unpatched-vulnerability-driven intrusions is small.
- No remote workforce. Desktop-only on-premises environments behind a strong perimeter have lower risk than remote-first.
- No internal team capable of using EDR data. The capability has to be matched to the analyst capacity. Buying EDR with no analyst is buying a black box: the alerts arrive, no one triages them, and the value is unrealised.
- No high-value target profile. Manufacturing or services that are not credit-card-rich, healthcare-regulated, or specifically targeted by ransomware crews.
For these organisations, NGAV ($2 to $5 per endpoint per month) plus an outsourced IR retainer for the occasional incident is sometimes the better posture than EDR-with-no-analyst. The retainer covers the actual incident workload; the NGAV covers the prevention layer; nothing pretends to do investigation you cannot consume.
When EDR is necessary
The cases where EDR is genuinely necessary in 2026:
- Cyber-insurance underwriter requires it. Most carriers do as of 2026. Coalition, Corvus, Beazley, Embroker and Cowbell list EDR or equivalent endpoint detection in their underwriting questionnaires. Without it, the premium is materially higher or coverage is excluded. The full cyber-insurance interplay is covered separately.
- Compliance framework requires logged endpoint detection. PCI DSS, SOC 2, HIPAA, and ISO 27001 increasingly require evidence of behavioural detection with retained logs. Standalone AV does not satisfy these requirements.
- Recent breach in your industry. A peer-organisation incident shifts your risk profile; EDR investment is often justified post-event even if it was not pre-event.
- Internal team has analyst capacity. If you have someone who can use EDR data, the capability is realised. If not, consider MDR (managed) instead.
- Remote workforce. Endpoints leave the network, so perimeter controls are insufficient and endpoint-side detection becomes the primary line of defence.
- Ransomware-targeted industry. Healthcare, manufacturing, municipal government, education. Ransomware affiliates target these sectors disproportionately, and EDR is the most effective specific defence.
Do you still need separate AV with EDR?
For most modern EDR products: no. EDR includes NGAV as its prevention layer. Running both legacy AV and EDR is duplication and is generally a wasted licence. The exceptions are rare compliance regimes that mandate a specifically named AV product, and EDR products that genuinely do not include NGAV (verify this on the SKU sheet during evaluation).
For Microsoft Defender for Endpoint specifically, the prevention layer is Microsoft Defender Antivirus running on the endpoint. They are integrated; you do not pay for AV separately. This is the dominant deployment pattern in Microsoft 365 environments.