Glossary · Endpoint Detection and Response
EDR
A tool that monitors endpoints — laptops, desktops, servers — for malicious behaviour and contains threats automatically, going beyond signature-based antivirus.
EDR (Endpoint Detection and Response) is the modern replacement for traditional antivirus. Rather than relying on signatures of known malware, EDR watches what processes are actually doing on each endpoint — file access, registry changes, network connections, command-line arguments — and flags or blocks behaviour patterns associated with attacks.
What EDR does that antivirus doesn’t
- Behavioural detection — catches novel threats and fileless attacks (PowerShell abuse, living-off-the-land techniques) that have no signature to match.
- Telemetry retention — keeps a forensic record of process activity so an analyst can reconstruct what happened after the fact.
- Automated containment — isolates a compromised endpoint from the network within seconds of high-confidence detection.
- Remote response — analysts can run commands, collect artefacts, and remediate without physical access to the device.
How Symsafe deploys EDR
Symsafe deploys SentinelOne EDR on every endpoint included in the Secure MSA plan — laptops, desktops, and servers. The agent’s behavioural detection feeds into the MDR service for analyst review: when SentinelOne identifies suspicious behaviour, the MDR platform’s analyst pool triages the alert and escalates confirmed threats to Symsafe engineers, who investigate and take the containment actions. EDR alone produces alerts; EDR plus MDR produces decisions.