Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" (e.g. a client device such as a mobile phone, laptop or Internet of Things device) to mitigate malicious cyber threats. [1] [2] [3]
In 2013, Anton Chuvakin of Gartner coined the term endpoint threat detection and response to describe "tools primarily focused on detecting and investigating suspicious activities (and traces of such) and other problems on hosts/endpoints." Today, the concept is more commonly known as endpoint detection and response (EDR) and is often managed through endpoint protection platforms. [4]
According to the Endpoint Detection and Response - Global Market Outlook (2017-2026) report, the market for cloud-based and on-premises EDR solutions is valued at USD 6.5 billion in 2025 and is expected to grow to USD 50.5 billion by 2034. [5]
Endpoint detection and response technology is used to identify suspicious behavior and advanced persistent threats on endpoints in an environment, and to alert administrators accordingly. It does this by collecting and aggregating data from endpoints and other sources. That data may or may not be enriched by additional cloud analysis. EDR solutions are primarily an alerting tool rather than a protection layer, although some vendors combine the two functions in one product. The data may be stored in a centralized database or forwarded to a SIEM tool for cyber monitoring. [6] [7]
Every EDR platform has its own set of capabilities. However, some common capabilities include monitoring endpoints in both online and offline modes, responding to threats in real time, increasing visibility and transparency of user data, detecting stored endpoint events and malware injections, creating blocklists and allowlists, and integrating with other technologies. [1] [6] Some EDR vendors use the freely available MITRE ATT&CK framework to classify threats. [8]
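The collect-evaluate-alert-forward loop described in the two preceding paragraphs, reduced to a few dozen lines of Python as an added illustration (this is not code from the article or from any EDR vendor). The process-creation events, the allowlist and blocklist entries, the asset-inventory lookup standing in for cloud enrichment, and the rule names are all constructed for the example; the ATT&CK technique identifiers attached to the alerts are real MITRE ATT&CK IDs (T1059 Command and Scripting Interpreter, T1059.001 PowerShell). A real agent would stream events from the kernel or OS audit subsystem rather than a list, and a real product's rule set is far larger; the shape of the pipeline is what the example is meant to show.

```python
"""Minimal EDR-style detection pipeline over constructed endpoint telemetry.

Added example; not part of the original article. Every event, policy entry
and host name below is constructed for illustration.
"""
import json
import re

# Constructed process-creation events, in the shape an EDR agent might report
# after collecting them from the host's process-tracking facility.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "alice", "parent": "explorer.exe",
     "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws-01", "user": "alice", "parent": "winword.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-02", "user": "bob", "parent": "services.exe",
     "image": "backupagent.exe", "cmdline": "backupagent.exe --run"},
    {"host": "ws-02", "user": "bob", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"host": "ws-03", "user": "svc", "parent": "explorer.exe",
     "image": "unapproved-tool.exe", "cmdline": "unapproved-tool.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed policy: (parent, image) pairs the operator has vetted as benign,
# and image names the policy forbids outright.
ALLOWLIST = {("services.exe", "backupagent.exe")}
BLOCKLIST = {"unapproved-tool.exe"}

# Constructed asset inventory, standing in for the cloud/threat-intel
# enrichment step; a real deployment would query an external service.
ASSET_TAGS = {"ws-03": "finance"}


def rule_blocklisted_image(ev):
    """Image name appears on the operator's blocklist."""
    if ev["image"].lower() in BLOCKLIST:
        return {"rule": "blocklisted_image", "attack": None, "severity": "high"}
    return None


def rule_office_spawns_interpreter(ev):
    """An Office application launching a command interpreter."""
    if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in INTERPRETERS:
        return {"rule": "office_spawns_interpreter", "attack": "T1059", "severity": "high"}
    return None


def rule_encoded_powershell(ev):
    """PowerShell started with an encoded-command switch (-e, -ec, -enc, -encodedcommand)."""
    if ev["image"].lower() == "powershell.exe" and re.search(
            r"(?i)\s-e(c|nc|ncodedcommand)?\b", ev["cmdline"]):
        return {"rule": "encoded_powershell", "attack": "T1059.001", "severity": "medium"}
    return None


RULES = [rule_blocklisted_image, rule_office_spawns_interpreter, rule_encoded_powershell]


def is_allowlisted(ev):
    """Allowlist entries suppress all rules for that parent/child pair."""
    return (ev["parent"].lower(), ev["image"].lower()) in ALLOWLIST


def enrich(alert):
    """Attach asset context; unknown hosts get the tag 'unclassified'."""
    alert["asset_tag"] = ASSET_TAGS.get(alert["host"], "unclassified")
    return alert


def evaluate(events):
    """Run every rule over every non-allowlisted event; one alert per rule hit."""
    alerts = []
    for ev in events:
        if is_allowlisted(ev):
            continue
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(enrich({**hit, "host": ev["host"], "user": ev["user"],
                                      "image": ev["image"], "cmdline": ev["cmdline"]}))
    return alerts


def to_siem_ndjson(alerts):
    """Serialize alerts as newline-delimited JSON, the usual shape for SIEM forwarding."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_siem_ndjson(evaluate(SAMPLE_EVENTS)))
```

Running the script prints three alerts: the Word-spawned cmd.exe, the encoded PowerShell launch, and the blocklisted image; the backup agent on ws-02 is suppressed by the allowlist and the plain Outlook start matches nothing. The allowlist is checked before any rule, so an allowlisted pair is never alerted on even if it later appears on the blocklist; whether allowlist or blocklist should win is a policy decision each deployment has to make deliberately.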