EDR Features Explained
Updated 26 March 2026
Endpoint detection and response platforms provide four layers of capability: prevention, detection, investigation, and response. Understanding each layer helps you evaluate which features justify higher pricing tiers.
Prevention
Next-generation antivirus (NGAV)
Machine learning-based file scanning that replaces signature databases. Detects known malware variants and novel threats without requiring a signature update.
Exploit prevention
Blocks memory-based attacks including process injection, heap spraying, and return-oriented programming (ROP) chains that traditional AV cannot detect.
Application control
Allows or blocks specific applications from running based on an allowlist or blocklist. Prevents unauthorised software execution, including unsigned scripts and macros.
USB and device control
Restricts or monitors removable media to prevent data exfiltration or malware introduction via physical devices.
Detection
Behavioural analytics
Monitors process trees, registry changes, network connections, and file system activity in real time. Detects attack patterns even when individual events appear benign.
Indicator of Attack (IoA)
Pattern-based detection of attacker techniques mapped to the MITRE ATT&CK framework. Flags anomalous sequences such as credential dumping followed by lateral movement, even when each step on its own would not trigger an alert.
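As an added example (not code from the original page or any EDR vendor), a minimal IoA sequence correlator in Python: it only alerts when credential dumping (T1003) is followed by lateral movement via remote services (T1021) on the same host inside a time window, so neither event alone fires. The technique IDs are real ATT&CK IDs; the host names, timestamps, 30-minute window and event layout are assumptions constructed for the demo.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One sensor event: timestamp, endpoint, ATT&CK technique ID it was tagged with, summary.
Event = namedtuple("Event", "ts host technique detail")

# The IoA is an ordered sequence of techniques on one host inside a time window:
# T1003 (OS Credential Dumping) followed by T1021 (Remote Services). Window is an assumption.
CRED_DUMP_THEN_LATERAL = ["T1003", "T1021"]
WINDOW = timedelta(minutes=30)

def detect_sequence(events, sequence=CRED_DUMP_THEN_LATERAL, window=WINDOW):
    """Return (host, matched_events) for each host where `sequence` occurs in order
    within `window` of its first event. Single events never raise an alert."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            if first.technique != sequence[0]:
                continue
            matched, k = [first], 1
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break  # window closed; the partial match is discarded
                if later.technique == sequence[k]:
                    matched.append(later)
                    k += 1
                    if k == len(sequence):
                        alerts.append((host, matched))
                        break
    return alerts

# Constructed sample telemetry for four hosts (not real data).
at = lambda h, m: datetime(2026, 3, 26, h, m)
SAMPLE_EVENTS = [
    Event(at(10, 0), "ws-17", "T1003", "credential dump from process memory"),
    Event(at(10, 12), "ws-17", "T1021", "remote service session to srv-02"),
    Event(at(11, 0), "ws-22", "T1021", "admin remote session"),       # benign on its own
    Event(at(9, 0), "ws-31", "T1003", "credential dump from process memory"),
    Event(at(10, 30), "ws-31", "T1021", "remote service session"),    # outside the window
    Event(at(12, 0), "ws-40", "T1021", "remote service session"),
    Event(at(12, 5), "ws-40", "T1003", "credential dump"),            # wrong order
]

if __name__ == "__main__":
    for host, matched in detect_sequence(SAMPLE_EVENTS):
        print(host, [(e.ts.strftime("%H:%M"), e.technique) for e in matched])
```

Only ws-17 is flagged: the same two techniques out of order (ws-40), too far apart (ws-31), or alone (ws-22) stay silent, which is the trade-off the window length controls.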
Fileless attack detection
Identifies attacks that live entirely in memory or abuse legitimate system tools (LOLBins) like PowerShell, WMI, and certutil without writing to disk.
Threat intelligence integration
Correlates observed events against external threat feeds to identify known attacker infrastructure, malware families, and campaign indicators.
Investigation
Attack timeline and process tree
Visual reconstruction of the full attack chain from initial access through execution, persistence, lateral movement, and impact. Critical for root cause analysis.
Telemetry storage and search
Raw endpoint telemetry stored for 30, 90, or 365 days depending on tier. Enables retroactive threat hunting and investigation weeks after an incident.
MITRE ATT&CK mapping
Automatically tags detections to ATT&CK technique IDs, helping analysts understand attacker intent and search for related activity across the environment.
Integrated threat hunting
Query interface for proactively searching telemetry for indicators of compromise (IOCs) or hunting for specific attacker behaviours across all protected endpoints.
Response
Remote isolation
Disconnect a compromised endpoint from the network with one click while maintaining the EDR management channel, allowing continued investigation without spreading the threat.
Process kill and file quarantine
Terminate malicious processes and quarantine files remotely without needing physical access or a separate remote access tool.
Automated response playbooks
Pre-configured response actions triggered automatically by specific detection rules. Reduces mean time to respond (MTTR) from hours to minutes.
Live response shell
Connect to a remote endpoint session for real-time forensic investigation, file retrieval, and manual remediation commands without deploying additional agents.
Feature to price tier mapping
| Feature | $3-5 per endpoint | $6-9 per endpoint | $10-15 per endpoint |
|---|---|---|---|
| NGAV | ✓ | ✓ | ✓ |
| Behavioural detection | – | ✓ | ✓ |
| Fileless attack detection | – | ✓ | ✓ |
| 30-day telemetry retention | – | ✓ | ✓ |
| 90-day telemetry retention | – | – | ✓ |
| Managed threat hunting | – | – | ✓ |
| Automated response playbooks | – | – | ✓ |
| Live response shell | – | ✓ | ✓ |
| MITRE ATT&CK mapping | – | ✓ | ✓ |
| USB device control | – | – | ✓ |