The answers given by Presh and Akhil are all spot on so I won't touch on those aspects. The questions I would ask are:
1. What are the financials over the next 5 years (CAPEX and OPEX)? I found a lot of vendors will cut their margins to the bone for the sale and then make that discount up through their annual renewals etc.
2. How sure are they on the timelines to implement?
3. What level of demonstrated and certified skill do they have readily available for the duration of the project / contract?
4. Are those skills available everywhere you operate or located only in one location?
5. What is the time and financial investment required to train internal staff to operate the toolset?
SOC Analyst (Information Security Analyst) at a tech services company with 5,001-10,000 employees
Jun 24, 2020
It's true that there are many EDR solutions out there. According to me, the most important features that an EDR should have are:
1. Behavioral Based Detection: EDR should not just have signature-based or file-based detection but should also have behavioral-based detection.
2. Detection at Rest: This is a topic of discussion and based on the requirements. Most EDR solutions detect and prevent an activity at execution, but it's good to have a detection-at-rest capability. If a user downloads a malicious file and doesn't click on it, it's good for an EDR solution to detect the file at rest.
3. Threat Intelligence: This is important for all kinds of activities. If the EDR vendor is incorporating a threat intelligence database and is comparing all the endpoint activities with the IOCs from the database, this provides good value to the company and you can detect many malicious activities within the environment.
4. Provide access to Endpoint: The EDR sensor should provide a remote shell to the machine. Sometimes security analysts need to get access to the machine to mitigate a malicious activity; this includes network isolation, remote access, etc.
5. Custom Alerts: Most EDRs provide their inbuilt alerts and detection policies, but it's good to have the capability of writing custom alerts for endpoints. Sometimes some of the alerts or policies are not general and are important for a particular business, so writing custom alerts gives the freedom to write policies and alerts specific to that business.
Good questions to ask vendors are:
1. About the sensor of their product: how much CPU power and other resources the sensor needs.
2. How frequently the sensor sends the data to the central location (heartbeat of the sensor).
3. Do they have the capability of sending all the endpoint logs to a third-party tool or not: Sometimes companies need to ingest all the endpoint data into their SIEM for correlation purposes.
4. Retention period of the data: For how long they store the data.
5. Data transfer and storing technique: How they are storing and processing the data, is it safe or not, and are they using SSL for sending data from the endpoint or not.
6. Can you create separate groups of machines in their platform: Companies need to have separate groups like HR, Finance, IT, etc. because they want to apply separate policies to separate groups.
7. Do they have a feature for manually banning the hash of a file: For zero-day vulnerabilities or known bad files it's always good to collect IOCs and manually ban them in the environment.
I hope this will help you with your question. Let me know if you have any other questions or if you have any feedback for me.
Excellent points from all contributors. I would add the following.
EDR can generate a lot of alerts and events. If you have a small team and limited cyber analysts then you should consider outsourcing to a SOC or even a NOC, i.e. MDR.
The benefit of an outsourced SOC is that they will monitor your entire organisation 24/7 and investigate 100% of your events and alerts. They will only contact you out of hours when they detect a critical issue.
Jason Stevens mentioned Bitdefender, who can provide a complete MDR solution including SOC; however, some MDR providers will monitor everything on your network rather than just the endpoints.
According to Gartner, "By 2025, 50% of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment capabilities."
The most important feature of an EDR solution is that it is an XDR (eXtended Detection and Response) solution. EDR is slowly migrating into XDR to take into analysis and AI processing more capture and analysis of network and other traffic such as email, logs and user behavior. Bitdefender is in the process of merging their NTSA product into their cloud security EDR and Gravity Zone solution. Trend Micro already has an XDR solution. Cynet 360 is an XDR solution built from the ground up. Endpoint protection is good and needed, but traditional EPP does not detect bad actors who have breached internally or internal network threats and horizontal / lateral attacks and malicious activity. XDR is the future for a fully secure and protected network.
An important question to ask or feature to review is remediation capabilities. Most EDR/XDR solutions can only isolate an endpoint. However, more advanced XDR solutions like Cynet 360 have far more advanced remediation capabilities such as disabling local and AD user accounts and a host of other actions and playbooks.
Most EDRs can trace and plot out the start-to-finish activity of an event; however, many are just looking at the local endpoint. XDR forensic analysis also tracks and plots out endpoint-to-endpoint activity and can map out an attack across the entire network. This is invaluable when trying to locate and track down the point of entry of the intrusion or infection.
Clearly the best features should be around detection and remediation but beyond that, key is how the information is displayed, depth of the forensic information, retention etc.
Endpoint Detection and Response (EDR) solutions are designed to monitor endpoint and network events while recording and storing this information in a centralized database. EDR solutions are especially crucial for organizations with endpoints like desktops, laptops, and mobile devices.
Most Important feature is Prevention – First, this means Effectiveness, Simplicity and Performance.
Additional question to be asked to EDR solution provider.