EDR (Endpoint Detection and Response) is a technical control that continuously monitors a single device (an endpoint) for suspicious behavior, alerts on threats, and can respond by isolating or stopping them. It's a more active layer of device security than basic anti-malware.
EDR stands for Endpoint Detection and Response. An "endpoint" is any device that connects to a network, like a laptop, phone, or server. EDR is software that lives on that device, watches what's happening on it, and steps in when something looks wrong.
Think of regular anti-malware as a guard checking IDs against a list of known criminals (signatures). EDR is more like a security camera plus a guard who notices when behavior looks shady, even if the person isn't on any list. It records activity, flags suspicious patterns, alerts a security team, and can automatically respond by quarantining files or cutting the device off from the network. That detection-plus-response combo is exactly what the name describes, and it builds on the device-protection tools you study in topic 4.3.
EDR lives in Unit 4: Securing Devices, specifically topic 4.3 Protecting Devices. It connects directly to AP Cybersecurity 4.3.B, which asks you to explain how anti-malware software makes a device more secure. EDR is the next step up from the signature-scanning model in EK 4.3.B.1 and EK 4.3.B.2, because it watches behavior in real time instead of only matching files against a database. It also overlaps with the host-based firewall idea in AP Cybersecurity 4.3.D, since both are software defenses running on one device to add a layer of protection if the network gets compromised.
Anti-malware / antivirus software (Unit 4)
Anti-malware catches threats by matching files to a database of known signatures. EDR adds the part signature scanning misses, watching live behavior and responding to threats that don't match any known signature yet.
Host-based firewalls (Unit 4)
Both EDR and a host-based firewall run on a single device to add protection even when the network around it is compromised. The firewall controls which traffic gets in or out; EDR watches what's actually happening inside the device.
Patches and updates (Unit 4)
Patching fixes known vulnerabilities before attackers use them (EK 4.3.C.1). EDR is the backup for when patching isn't enough, because it can catch an attacker exploiting a vulnerability you haven't patched yet.
EDR shows up in the device-security material of Unit 4, where you may be asked to compare technical controls that protect a single device. On multiple-choice questions, expect to distinguish EDR's behavior-monitoring-and-response role from plain anti-malware's signature matching, or to pick which control adds protection when a network is already compromised. For free-response, you'd more likely explain why a device needs layered defenses (anti-malware, host-based firewall, updates, and active monitoring together) rather than define EDR by itself. The move that earns points is connecting the tool to the threat it stops, not just naming it.
Anti-malware scans files against a database of known signatures and quarantines matches (EK 4.3.B.2). EDR goes further: it continuously monitors device behavior, detects suspicious activity even without a known signature, and can respond automatically. Anti-malware is mostly detect-and-remove; EDR is detect-monitor-and-respond.
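The contrast in this paragraph worked through in code, as an added example that is not part of the original study guide: a hash-based signature check (the anti-malware model) beside a simple behavioral rule run over constructed endpoint telemetry (the EDR model), followed by the automated response EDR would take. The hash database, file names, process names and the rename-rate threshold are all constructed assumptions.

```python
import hashlib
from collections import namedtuple

# Constructed signature database: hash of one "known-bad" file (illustrative only).
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"constructed-known-malware-sample").hexdigest(),
}

Event = namedtuple("Event", "seconds process action target")

# Constructed endpoint telemetry. "updater.exe" is a binary whose hash is NOT in
# the database, yet it renames many user files to a new extension within seconds.
TELEMETRY = [
    Event(0, "winword.exe", "file_write", "quarterly.docx"),
    Event(2, "updater.exe", "file_rename", "quarterly.docx -> quarterly.docx.locked"),
    Event(2, "updater.exe", "file_rename", "budget.xlsx -> budget.xlsx.locked"),
    Event(3, "updater.exe", "file_rename", "notes.txt -> notes.txt.locked"),
    Event(3, "updater.exe", "file_rename", "photo.jpg -> photo.jpg.locked"),
    Event(4, "updater.exe", "file_rename", "plan.pdf -> plan.pdf.locked"),
    Event(9, "explorer.exe", "file_rename", "old.txt -> old.bak"),  # benign noise
]

def signature_scan(file_bytes: bytes) -> bool:
    """Anti-malware model (EK 4.3.B.2): flag a file only if its hash is already known-bad."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES

def behavior_detect(events, window=5, threshold=4):
    """EDR model: flag any process that renames >= threshold files within `window` seconds,
    regardless of whether its hash is known. Returns [(process, renames_in_window), ...]."""
    alerts = []
    for proc in sorted({e.process for e in events}):
        times = sorted(e.seconds for e in events
                       if e.process == proc and e.action == "file_rename")
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                alerts.append((proc, in_window))
                break  # one alert per process is enough
    return alerts

def respond(alerts):
    """EDR response step: stop the offending process, then isolate the endpoint."""
    actions = [("terminate", proc) for proc, _ in alerts]
    if alerts:
        actions.append(("isolate_host",))
    return actions

if __name__ == "__main__":
    unknown_binary = b"constructed-never-seen-before-binary"
    print("signature hit:", signature_scan(unknown_binary))   # False: no known signature
    alerts = behavior_detect(TELEMETRY)
    print("behavior alerts:", alerts)                          # [('updater.exe', 5)]
    print("response:", respond(alerts))
```

Running it shows the page's point directly: the signature check returns nothing for a never-seen binary, while the behavioral rule raises an alert from the same telemetry and the response step acts on it.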
EDR stands for Endpoint Detection and Response, software that monitors one device for threats and reacts to them.
An endpoint is any device on a network, like a laptop, phone, or server.
EDR goes beyond signature-based anti-malware because it watches live behavior, not just known malware signatures.
EDR fits under topic 4.3 (Protecting Devices) and supports AP Cybersecurity 4.3.B on making a device more secure.
Good device security layers EDR with anti-malware, host-based firewalls, and regular updates instead of relying on any one tool.
EDR (Endpoint Detection and Response) is software that runs on a single device to continuously monitor it for suspicious behavior, alert on threats, and respond by isolating or stopping them. It's a more active form of device protection than basic anti-malware, and it lives in Unit 4, topic 4.3.
No. Antivirus (anti-malware) mainly scans files against a database of known signatures and removes matches, while EDR continuously monitors device behavior and can detect and respond to threats even when there's no known signature. EDR is broader and more active.
A host-based firewall controls which network traffic gets into or out of a device using rules (an ACL), as described in EK 4.3.D.2. EDR doesn't filter traffic by rules; it watches what's happening inside the device and responds to threats. They're complementary layers, not the same thing.
Patching closes known vulnerabilities before attackers exploit them (EK 4.3.C.1), but it can't stop a threat that uses an unknown or unpatched flaw. EDR is the safety net that can catch and respond to that kind of attack in real time.
It maps to topic 4.3 Protecting Devices in Unit 4: Securing Devices, and it connects most directly to learning objective AP Cybersecurity 4.3.B about how anti-malware software makes a device more secure.