Endpoint detection and response (EDR) is a technical, device-layer security control that continuously monitors endpoints like laptops and phones for malicious activity, then detects, alerts on, and automatically responds to threats by isolating the device or stopping the malware.
Endpoint detection and response (EDR) is a security control that watches over your devices, the "endpoints" of a network, things like laptops, desktops, and phones. Instead of just scanning files once and walking away, EDR keeps watching. It looks for suspicious behavior, flags it, and can act on its own to shut the problem down.
Think of antivirus as a security guard who checks IDs at the door, and EDR as a guard who keeps patrolling the building, notices someone acting weird, and locks them in a room before they can do damage. When malware starts running on an employee's laptop, EDR can detect it and automatically cut that device off from the rest of the network so the attack can't spread. That makes it a technical control operating at the device layer, two ways the CED classifies security controls in topic 2.1.
EDR lives in Unit 2: Securing Spaces, under topic 2.1 Cyber Foundations. It supports [AP Cybersecurity 2.1.F] (identifying types of security controls) and [AP Cybersecurity 2.1.G] (explaining why defense in depth is necessary). EDR is one layer in a layered defense. It protects availability and integrity by stopping malware from corrupting data or knocking systems offline, and it directly counters the taking action, persistence, and lateral movement phases of a cyberattack from [AP Cybersecurity 2.1.C]. Knowing EDR matters because the exam loves asking you to match a specific threat to the most appropriate control, and EDR is the go-to answer when the scenario involves detecting malware on a device and responding automatically.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryDefense in Depth / Layered Defense (Unit 2)
EDR is one layer, not the whole wall. Defense in depth means stacking controls so that if a firewall or a network filter gets bypassed, EDR on the device still catches the malware. EDR is what "resilience" looks like at the device level.
Phases of a Cyberattack (Unit 2)
EDR fights back during the later attack phases. When an adversary has initial access and tries persistence, lateral movement, or taking action, EDR detects the malicious behavior and isolates the device to stop the spread.
CIA Triad: Availability and Integrity (Unit 2)
Every control protects at least one CIA principle. By stopping malware before it corrupts files or crashes a system, EDR defends both data integrity and system availability, the same framework you use to justify any control choice on the exam.
Risk Mitigation (Unit 2)
Deploying EDR is a textbook example of risk mitigation from [AP Cybersecurity 2.1.E]. You can't avoid using laptops, so instead you add a control that reduces the likelihood and impact of a malware infection.
EDR shows up in multiple-choice questions that describe a problem and ask for the most appropriate or most direct security control. A classic stem: a team needs to detect when malware is executing on an employee's laptop and automatically isolate the device from the network, which control fits best? The answer is EDR, because the key signals are "detect malware on a device" plus "automatically respond/isolate." Watch for the trap where a question gives a device-layer control that only detects and removes malware (that points toward antivirus or anti-malware) versus one that also responds and isolates (that's EDR). On free response, you'd use EDR as a concrete example when explaining a defense-in-depth strategy or recommending a mitigation for a specific threat.
Both are technical, device-layer controls, so they're easy to mix up. Antivirus is mostly about detecting and removing known malicious software. EDR goes further: it continuously monitors behavior, detects threats, AND automatically responds, like isolating the infected device from the network. If a question emphasizes automatic response or isolation, pick EDR. If it only mentions detecting and removing malware, antivirus is the safer answer.
Endpoint detection and response (EDR) is a technical, device-layer security control that monitors endpoints, detects threats, and automatically responds.
EDR's signature feature is automatic response, such as isolating an infected device from the network to stop malware from spreading.
EDR is one layer in a defense-in-depth strategy, so it backs up other controls if they get bypassed.
On the exam, EDR is the right answer when a scenario combines detecting malware on a device with automatically isolating or responding to it.
EDR mainly protects the availability and integrity of systems and data, and it counters the later phases of a cyberattack like lateral movement.
It's a technical, device-layer security control that continuously monitors endpoints like laptops and phones, detects malicious activity such as malware, and automatically responds, often by isolating the device from the network. It maps to topic 2.1 and supports the learning objectives on security controls and defense in depth.
Antivirus mainly detects and removes known malicious software. EDR adds continuous behavior monitoring and automatic response, like cutting an infected device off the network. On the exam, the word "isolate" or "automatically respond" points to EDR, not antivirus.
EDR is a technical control that operates at the device layer. It's software-based protection running on endpoints, not a physical control like a locked server room or a security guard.
Mainly availability and integrity. By stopping malware before it crashes systems or corrupts data, EDR keeps systems usable and keeps data trustworthy, which is the same CIA framework you use to justify any control choice.
Pick EDR when the scenario describes detecting malicious software running on a device AND automatically responding, such as isolating the laptop from the network. If the stem only says detect and remove malware with no automatic response, antivirus is the better fit.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.