This chapter covers the critical distinctions between Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Managed Detection and Response (MDR) platforms. Understanding these differences is essential for the CS0-003 exam, as Security Operations (Domain 1) objective 1.4 explicitly requires you to compare and contrast these technologies. Approximately 10-15% of exam questions in the Security Operations domain will test your ability to identify the correct platform for a given scenario, recognize their capabilities, and understand how they integrate into a broader security architecture. By the end of this chapter, you will be able to differentiate EDR, XDR, and MDR with technical precision and apply this knowledge to exam scenarios.
Think of EDR as a security camera inside a single office room. It records everything that happens in that room—who enters, what they do, and when they leave. The footage is stored locally, and if something suspicious occurs, the camera can alert you. However, it cannot see what happens in the hallway or outside the building. XDR is like a building-wide security system that integrates cameras in every room, access logs at every door, and motion sensors in the parking lot. All feeds are correlated by a central AI that can track a person's movement across the entire building. If someone enters a restricted area, the system cross-references badge swipes and camera feeds to detect anomalies. MDR is like hiring a professional security team to monitor the cameras and respond to incidents. The team actively watches the feeds, investigates alerts, and can dispatch guards to stop a break-in. They also tune the system to reduce false alarms. In this analogy, EDR gives you a camera in one room, XDR gives you the whole building's integrated sensors, and MDR gives you a dedicated security team that uses either EDR or XDR to protect you. For the exam, remember that EDR is endpoint-focused, XDR is cross-platform and cross-layered, and MDR is a managed service that leverages these tools.
What is EDR?
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint devices (laptops, desktops, servers, mobile devices) for suspicious activity and provides automated response capabilities. EDR emerged to address the limitations of traditional antivirus (AV), which relies on signature-based detection and cannot detect novel or polymorphic malware. EDR solutions collect telemetry from endpoints—process creation, network connections, file system changes, registry modifications—and analyze it using behavioral analytics, machine learning, and threat intelligence to detect indicators of compromise (IOCs) and indicators of attack (IOAs).
How EDR Works Internally
An EDR agent is installed on each endpoint. The agent captures system events at the kernel level (e.g., via ETW on Windows, auditd on Linux) and sends them to a central server or cloud platform. The platform correlates events across endpoints, applies detection rules, and generates alerts. Key components include:
Telemetry Collection: The agent hooks into system calls, monitors process creation (e.g., via CreateProcess), file operations (ReadFile, WriteFile), registry changes (RegSetValue), and network connections (socket, connect). On Windows, it uses Event Tracing for Windows (ETW) providers like Microsoft-Windows-Kernel-Process and Microsoft-Windows-TCPIP. On Linux, it uses eBPF (extended Berkeley Packet Filter) or auditd.
Detection Engine: The cloud or on-prem server ingests telemetry and applies rule-based detection (e.g., Sigma rules), machine learning models (e.g., random forest for anomaly detection), and threat intelligence feeds (e.g., STIX/TAXII for IOCs). Alerts are generated when a threshold is exceeded (e.g., 5 failed logins in 10 minutes).
Response Capabilities: EDR can automatically isolate an endpoint from the network, kill malicious processes, delete files, or roll back registry changes. These actions can be preconfigured or initiated manually by an analyst.
Forensics and Investigation: EDR provides a timeline of events, process trees, and file reputation data to help analysts understand the attack chain.
Key EDR Values and Defaults
Telemetry retention: Typically 30-90 days for endpoints, depending on licensing.
Alert threshold: Default may be 3-5 suspicious events within 5 minutes to trigger a medium-severity alert.
Response actions: Common defaults include automatic isolation for critical severity alerts, manual approval for high severity.
Agent heartbeat: Agents check in every 30-60 seconds to report status.
What is XDR?
Extended Detection and Response (XDR) is a unified security incident detection and response platform that automatically collects and correlates data from multiple security layers—endpoints, network, email, cloud workloads, and identity—to detect and respond to threats more effectively than siloed tools. XDR is the evolution of EDR, expanding visibility beyond endpoints.
How XDR Works Internally
XDR integrates data from various sources via native connectors or APIs. It ingests telemetry from:
Endpoint: EDR agent telemetry (process, file, network, registry).
Network: Firewall logs, DNS logs, proxy logs, network traffic flows (NetFlow, IPFIX).
Email: Mail gateway logs, phishing detection, URL click tracking.
Cloud: Cloud API logs (AWS CloudTrail, Azure Activity Log), workload telemetry.
Identity: Active Directory logs, authentication events, Azure AD sign-ins.
The XDR platform normalizes this data into a common schema (e.g., OCSF - Open Cybersecurity Schema Framework) and performs cross-layer correlation. For example, a suspicious email attachment (email layer) that downloads a file (endpoint layer) that communicates with a known malicious IP (network layer) is correlated into a single incident. Detection uses a combination of signature-based, behavioral, and machine learning models. Response actions can be orchestrated across layers: isolate the endpoint, block the IP at the firewall, and disable the user account.
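The normalization and cross-layer correlation just described (also restated in the FAQ answer near the end of the chapter), as an added example that is not code from the chapter or any XDR vendor: three constructed records from the email, endpoint and network layers are mapped onto one minimal schema, chained into a single incident by shared user and host inside a 24-hour window, and turned into the three-layer response the chapter lists. The schema field names (loosely modelled on OCSF), the sample records, the identity lookup table and the IOC list are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)              # chapter: 24-48 h correlation window; 24 h assumed here
KNOWN_BAD_IPS = {"203.0.113.7"}           # constructed threat-intel entry (TEST-NET-3 address)

# Constructed raw records, one per source layer, in the shape each source might emit.
RAW = [
    {"src": "email", "ts": "2024-05-01T08:55:00Z", "recipient": "alice@example.com",
     "attachment": "invoice.docm", "verdict": "suspicious"},
    {"src": "endpoint", "ts": "2024-05-01T09:02:00Z", "host": "WS-001", "user": "alice",
     "process": "winword.exe", "child": "powershell.exe"},
    {"src": "network", "ts": "2024-05-01T09:03:00Z", "src_host": "WS-001",
     "dst_ip": "203.0.113.7", "dst_port": 443, "action": "allow"},
    {"src": "endpoint", "ts": "2024-05-03T09:02:00Z", "host": "WS-002", "user": "bob",
     "process": "explorer.exe", "child": "powershell.exe"},   # unrelated user/host, two days later
]
# Identity layer (constructed): which user last signed in on each host.
USER_HOSTS = {"WS-001": "alice", "WS-002": "bob"}

def normalize(r):
    """Map each source's own fields onto the common schema: layer, time, user, host, indicator."""
    t = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    if r["src"] == "email":
        return {"layer": "email", "time": t, "user": r["recipient"].split("@")[0],
                "host": None, "indicator": r["attachment"]}
    if r["src"] == "endpoint":
        return {"layer": "endpoint", "time": t, "user": r["user"], "host": r["host"],
                "indicator": f"{r['process']}->{r['child']}"}
    return {"layer": "network", "time": t, "user": USER_HOSTS.get(r["src_host"]),
            "host": r["src_host"], "indicator": r["dst_ip"]}

def response_plan(inc):
    """Orchestrate across layers only when the chain actually spans more than one layer."""
    if len(inc["layers"]) < 2:
        return []
    actions = [f"isolate_endpoint:{h}" for h in inc["hosts"]]
    bad_ips = {e["indicator"] for e in inc["events"] if e["layer"] == "network"} & KNOWN_BAD_IPS
    actions += [f"firewall_block:{ip}" for ip in bad_ips]
    actions += [f"disable_account:{u}" for u in inc["users"]]
    return sorted(actions)

def correlate(records):
    """Group normalized events that share a user or host within WINDOW into incidents."""
    incidents = []
    for ev in sorted((normalize(r) for r in records), key=lambda e: e["time"]):
        for inc in incidents:
            shares_key = (ev["user"] in inc["users"]) or (ev["host"] in inc["hosts"])
            if shares_key and ev["time"] - inc["start"] <= WINDOW:
                inc["events"].append(ev)
                inc["users"] |= {ev["user"]} - {None}
                inc["hosts"] |= {ev["host"]} - {None}
                break
        else:   # no open incident matched: start a new one
            incidents.append({"start": ev["time"], "events": [ev],
                              "users": {ev["user"]} - {None}, "hosts": {ev["host"]} - {None}})
    for inc in incidents:
        inc["layers"] = sorted({e["layer"] for e in inc["events"]})
        inc["response"] = response_plan(inc)
    return incidents
```

`correlate(RAW)` yields two incidents: the phishing chain with email, endpoint and network events and a three-action response, and a single-layer endpoint event for bob with no orchestrated response.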
Key XDR Values and Defaults
Data retention: Varies by source; endpoints 30-90 days, network logs 7-30 days, email logs 30 days.
Correlation window: Typically 24-48 hours for events to be correlated into an incident.
Response orchestration: Playbooks can trigger across multiple layers (e.g., endpoint isolation + firewall block + user disable).
API rate limits: Typically 100-1000 requests per minute for third-party integrations.
What is MDR?
Managed Detection and Response (MDR) is a service that provides organizations with a dedicated team of security analysts who monitor, detect, and respond to threats using EDR, XDR, or other security tools. MDR is not a technology but a service model. The provider manages the technology stack, triages alerts, conducts investigations, and performs incident response on behalf of the customer.
How MDR Works Internally
MDR providers deploy their own EDR/XDR agents or integrate with existing tools (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint). The provider's Security Operations Center (SOC) analysts monitor alerts 24/7. The process includes:
Alert Triage: Analysts review alerts, filter false positives, and prioritize based on severity and context.
Investigation: Using the platform, analysts perform deep dives—process tree analysis, memory analysis, timeline reconstruction.
Response: Analysts execute response actions (e.g., isolate endpoint, terminate process, block IP) within agreed-upon response times (e.g., 15 minutes for critical incidents).
Hunting: Proactive threat hunting using hypothesis-driven queries (e.g., searching for suspicious PowerShell executions).
Reporting: Daily/weekly reports with metrics (mean time to detect, mean time to respond).
Key MDR Values and Defaults
Response time SLAs: Typically 15-30 minutes for critical incidents, 1-4 hours for high, 24 hours for medium.
Coverage hours: 24/7/365 is standard.
Technology stack: Often includes EDR (e.g., CrowdStrike), SIEM (e.g., Splunk), and threat intelligence feeds.
Customer responsibilities: Provide logs, approve response actions (if semi-managed), and patch vulnerabilities.
Interaction Between EDR, XDR, and MDR
EDR is a component of XDR. XDR extends EDR with cross-layer visibility.
MDR can be layered on top of EDR or XDR. Many MDR providers use EDR as their primary detection source.
Organizations may use EDR alone (small organizations), XDR alone (larger organizations with in-house SOC), or MDR (outsourced SOC).
Configuration and Verification Commands
While EDR/XDR are GUI-heavy, some platforms offer CLI tools. For example, CrowdStrike Falcon:
# Check agent status on Linux
sudo falconctl status
# Check agent version
sudo falconctl -g --version
# Trigger a test detection (simulate malware)
curl -s http://test-crowdstrike.com/trigger
For Microsoft Defender for Endpoint:
# Check service status
Get-Service -Name WinDefend
# Start a quick scan
Start-MpScan -ScanType QuickScan
# View detection history
Get-MpThreatDetection
For XDR, verification often involves checking integration status in the console. For example, Palo Alto Cortex XDR:
# Check agent connectivity
sudo /etc/init.d/cortex-xdr-agent status
# View agent logs
tail -f /var/log/cortex-xdr-agent.log
Exam Relevance
On the CS0-003 exam, you will be asked to:
Identify which platform to use in a given scenario (e.g., "You need cross-layer visibility. Which do you choose?" -> XDR).
Understand that MDR is a service, not a technology.
Know that EDR focuses on endpoints, XDR expands to network, email, cloud, identity.
Recognize that MDR providers may use EDR or XDR as their underlying technology.
EDR Agent Installation
The EDR agent is deployed to endpoints via group policy, SCCM, or manual installation. The agent registers with the EDR cloud or on-prem server using a unique tenant ID and generates a heartbeat every 30-60 seconds. During installation, the agent may disable conflicting security software. It creates a kernel-mode driver to hook system calls. On Windows, it registers an ETW consumer. On Linux, it loads an eBPF program. The agent begins collecting telemetry immediately after installation, but detection rules may take 5-10 minutes to sync.
Telemetry Collection and Ingestion
The agent captures events such as process creation (PID, parent PID, command line), file writes (path, size, hash), network connections (source IP, destination IP, port), and registry changes (key, value, old data, new data). Events are batched and sent to the server every 1-5 seconds via HTTPS (TLS 1.2+). Each event is formatted in JSON and includes a timestamp, endpoint ID, and event type. The server normalizes events into a common schema and indexes them for search.
Detection and Alert Generation
The detection engine applies rules and ML models to the event stream. For example, a rule might trigger if a process named 'powershell.exe' executes with a command line containing '-enc' (base64 encoded command). The rule has a severity (e.g., high) and a MITRE ATT&CK technique ID (e.g., T1059.001). If the rule fires, an alert is created with a unique ID, timestamp, and list of related events. Alerts are deduplicated within a 1-hour window. The alert is then scored using a priority algorithm that considers severity, asset criticality, and threat intelligence matches.
Automated Response Execution
Based on the alert severity and preconfigured response policies, the platform may automatically execute a response action. For critical severity alerts, common actions include isolating the endpoint (blocking all network traffic except to the EDR server), killing the malicious process, and deleting the associated file. The response is logged with a timestamp and result. The analyst can override or roll back the action. For high severity alerts, the platform may require manual approval before executing the response.
Investigation and Remediation
An analyst reviews the alert in the console, examining the event timeline, process tree, and file reputation. They may run a live response command (e.g., gather a memory dump) or query the endpoint for additional IOCs. The analyst then determines the root cause and scope. Remediation may involve reimaging the endpoint, resetting user credentials, or blocking an IP at the firewall. The incident is closed with a summary and lessons learned. The platform may also create a new detection rule based on the IOCs found.
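The telemetry ingestion, detection, deduplication, scoring and response-policy steps described above, as an added example that is not code from the chapter or any EDR product: JSON process-creation events are parsed in time order, the chapter's encoded-PowerShell rule (T1059.001) is applied, repeat hits on the same endpoint within the 1-hour window join the open alert, each alert is scored on severity, asset criticality and threat-intel matches, and the score selects automatic isolation or manual approval. The event field names, weights, the 60-point threshold, the sample hashes and the asset tiers are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

def _ev(ts, host, cmd, parent, sha):
    """Build one constructed process_create event in the JSON shape the chapter describes."""
    return json.dumps({"timestamp": ts, "endpoint_id": host, "event_type": "process_create",
                       "pid": 0, "ppid": 0, "image": "powershell.exe", "parent_image": parent,
                       "cmdline": cmd, "sha256": sha})

# Constructed telemetry batch (hashes are made-up sample values, not real IOCs).
TELEMETRY = [
    _ev("2024-05-01T10:00:00Z", "WS-001", "powershell.exe -nop -w hidden -enc SQBFAFgA", "winword.exe", "aa11"),
    _ev("2024-05-01T10:20:00Z", "WS-001", "powershell.exe -enc SQBFAFgA", "winword.exe", "aa11"),   # <1 h: same alert
    _ev("2024-05-01T12:00:00Z", "WS-001", "powershell.exe -enc SQBFAFgA", "explorer.exe", "cc33"),  # >1 h: new alert
    _ev("2024-05-01T10:05:00Z", "SRV-DC1", "powershell.exe -File C:\\ops\\backup.ps1", "services.exe", "bb22"),  # benign
]
IOC_HASHES = {"aa11"}                                  # constructed threat-intel match
ASSET_CRITICALITY = {"SRV-DC1": 3, "WS-001": 1}        # assumed tiers: 3 = domain controller
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}
DEDUP_WINDOW = timedelta(hours=1)                      # chapter: alerts deduplicated within 1 hour

def encoded_powershell(e):
    """Chapter rule: powershell.exe executed with an -enc (base64-encoded command) switch."""
    tokens = e.get("cmdline", "").lower().split()
    return (e["event_type"] == "process_create" and e["image"].lower() == "powershell.exe"
            and any(t.startswith("-enc") for t in tokens))

RULES = [{"name": "Encoded PowerShell", "severity": "high",
          "technique": "T1059.001", "match": encoded_powershell}]

def score(alert):
    """Priority = severity weight + 10 per asset-criticality tier + 20 on a threat-intel match."""
    s = SEVERITY_WEIGHT[alert["severity"]] + 10 * ASSET_CRITICALITY.get(alert["endpoint_id"], 1)
    return s + (20 if any(ev["sha256"] in IOC_HASHES for ev in alert["events"]) else 0)

def response_for(alert):
    """Assumed policy: score >= 60 is treated as critical and isolates automatically;
    a high-severity rule below that threshold queues isolation for manual approval."""
    if alert["score"] >= 60:
        return {"action": "isolate_endpoint+kill_process", "mode": "automatic"}
    if alert["severity"] == "high":
        return {"action": "isolate_endpoint", "mode": "pending_manual_approval"}
    return {"action": "none", "mode": "log_only"}

def run_detection(raw_events):
    """Parse JSON events in time order, apply rules, dedupe per endpoint, then score and decide."""
    alerts = []
    for ev in sorted((json.loads(r) for r in raw_events), key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        for rule in RULES:
            if not rule["match"](ev):
                continue
            # Same rule on the same endpoint inside DEDUP_WINDOW joins the open alert.
            open_alert = next((a for a in alerts if a["rule"] == rule["name"]
                               and a["endpoint_id"] == ev["endpoint_id"]
                               and ts - a["last_seen"] <= DEDUP_WINDOW), None)
            if open_alert:
                open_alert["events"].append(ev)
                open_alert["last_seen"] = ts
            else:
                alerts.append({"id": f"ALR-{len(alerts) + 1:04d}", "rule": rule["name"],
                               "severity": rule["severity"], "technique": rule["technique"],
                               "endpoint_id": ev["endpoint_id"], "first_seen": ts,
                               "last_seen": ts, "events": [ev]})
    for a in alerts:
        a["score"] = score(a)
        a["response"] = response_for(a)
    return alerts
```

`run_detection(TELEMETRY)` returns two alerts for WS-001: the first holds both events from the 10:00-10:20 burst and scores 60 (automatic isolation), the second holds the 12:00 event alone and scores 40 (isolation pending approval); the backup script on SRV-DC1 never matches.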
Scenario 1: Mid-Size Company with EDR
A mid-size company with 500 endpoints deploys CrowdStrike Falcon EDR to meet compliance requirements. The IT team of three manages alerts. They configure automatic isolation for any endpoint that triggers a 'Ransomware' detection. One day, an employee clicks a phishing link that downloads a trojan. Falcon detects the process executing with suspicious parent-child relationships and isolates the endpoint within 10 seconds. The IT team investigates, finds no lateral movement, and reimages the endpoint. The key pain point is alert fatigue: the team spends 2 hours daily triaging false positives (e.g., legitimate software updates flagged as suspicious). They tune detection rules by excluding known-good processes and adjusting sensitivity. Performance impact is minimal—agent CPU usage averages 2-5%.
Scenario 2: Large Enterprise with XDR
A large enterprise with 10,000 endpoints, 500 servers, and cloud workloads deploys Palo Alto Cortex XDR. They integrate firewall logs from Palo Alto NGFWs, email logs from Office 365, and cloud logs from AWS CloudTrail. A cross-layer correlation rule detects a user who received a phishing email, clicked a link, and then their endpoint made an outbound connection to a known C2 server. The XDR platform creates a single incident with all related alerts. The SOC team uses a playbook that automatically blocks the C2 IP at the firewall, isolates the endpoint, and disables the user's account. The mean time to detect drops from 24 hours to 10 minutes. However, integration complexity is high—ingesting cloud logs required custom API connectors and data normalization.
Scenario 3: Small Business with MDR
A small business with 200 endpoints has no in-house security team. They subscribe to an MDR service (e.g., Rapid7 MDR) that deploys its own EDR agent. The MDR provider's SOC monitors alerts 24/7. When a cryptominer is detected on a server, the SOC analyst calls the customer to confirm, then isolates the server and removes the malware. The customer receives a weekly report with metrics. The main challenge is response time: the SLA is 30 minutes for critical incidents, but the customer must approve actions, which can delay response. The business benefits from expert analysis without hiring staff. Cost is $5-10 per endpoint per month.
What CS0-003 Tests on This Topic
Objective 1.4: 'Given a scenario, apply the appropriate security solution to a given situation.' The exam specifically tests your ability to distinguish between EDR, XDR, and MDR. You must know that EDR is endpoint-only, XDR is cross-layer, and MDR is a managed service. The exam also tests integration points (e.g., which tools feed into XDR).
Common Wrong Answers and Why Candidates Choose Them
Confusing EDR with XDR: A question describes a scenario requiring cross-layer visibility (e.g., email + endpoint). Candidates choose EDR because they think 'detection and response' is enough. Wrong: EDR is endpoint-only. XDR is needed.
Thinking MDR is a technology: A question asks 'Which technology provides cross-layer detection?' Candidates choose MDR because it sounds advanced. Wrong: MDR is a service, not a technology. The correct answer is XDR.
Choosing SIEM over XDR: A question describes correlating logs from multiple sources. Candidates choose SIEM. While SIEM does correlation, XDR is purpose-built for detection and response with automated response. The exam expects XDR for this objective.
Assuming EDR replaces antivirus: Candidates think EDR alone is sufficient without AV. Wrong: EDR complements AV; many enterprises use both. The exam may test that EDR provides behavioral detection beyond signatures.
Specific Numbers and Terms
Telemetry retention: EDR typically 30-90 days; XDR may vary by source.
Agent heartbeat: 30-60 seconds.
Response SLAs for MDR: 15-30 minutes for critical incidents.
MITRE ATT&CK: Used for mapping detections in EDR/XDR.
OCSF: Open Cybersecurity Schema Framework for XDR normalization.
Edge Cases and Exceptions
EDR in cloud workloads: EDR agents can be installed on cloud VMs, but some providers offer agentless options (e.g., AWS GuardDuty is not EDR but can feed into XDR).
XDR without endpoints: Some XDR solutions focus on network and cloud, but the exam expects endpoints to be included.
MDR with SIEM: MDR providers may use SIEM as a component, but the core detection often comes from EDR/XDR.
How to Eliminate Wrong Answers
If the scenario mentions only endpoints, eliminate XDR and MDR (unless managed service is explicitly needed).
If the scenario mentions multiple layers (email, network, cloud), eliminate EDR.
If the scenario mentions a service provider or outsourced SOC, eliminate EDR and XDR (unless they are the technology used by the service).
If the scenario mentions automated cross-layer response, choose XDR over SIEM.
EDR is endpoint-only; XDR is cross-layer; MDR is a managed service.
On the exam, if a scenario mentions multiple data sources (email, network, cloud), choose XDR over EDR.
MDR is not a product but a service that uses EDR or XDR technology.
EDR telemetry includes process creation, file changes, network connections, and registry modifications.
XDR normalizes data using schemas like OCSF and correlates events across layers.
MDR response SLAs typically range from 15 minutes for critical incidents to 24 hours for low severity.
Common exam trap: confusing EDR with XDR when cross-layer visibility is needed.
These come up on the exam all the time. Here's how to tell them apart.
EDR
Monitors only endpoints (laptops, servers, mobile devices).
Telemetry sources: process, file, network, registry on endpoints.
Detection is endpoint-centric; may miss attacks that start in email or network.
Response actions limited to endpoints (isolate, kill process, delete file).
Easier to deploy and manage for small environments.
XDR
Monitors endpoints, network, email, cloud, identity.
Telemetry sources: EDR agents + network logs + email logs + cloud APIs + identity logs.
Cross-layer correlation detects multi-stage attacks (e.g., email -> endpoint -> network).
Response actions across layers (isolate endpoint, block IP, disable user, block email).
More complex deployment; requires integration with multiple data sources.
Mistake
EDR and XDR are the same thing.
Correct
EDR is endpoint-only; XDR extends to multiple layers (network, email, cloud, identity). XDR provides cross-layer correlation and response.
Mistake
MDR is a type of software you install.
Correct
MDR is a managed service provided by a third-party SOC. It uses EDR or XDR technology but is not a product itself.
Mistake
XDR replaces SIEM.
Correct
XDR and SIEM are complementary. XDR focuses on detection and response with automated actions, while SIEM provides long-term log storage and compliance reporting.
Mistake
EDR can detect threats across the network.
Correct
EDR only monitors endpoints. Network detection requires network-based tools (e.g., NDR) or XDR integration.
Mistake
MDR eliminates the need for an internal security team.
Correct
MDR augments or replaces a small team, but larger organizations often keep internal teams for strategy and oversight.
EDR (Endpoint Detection and Response) only monitors endpoints (laptops, servers). XDR (Extended Detection and Response) integrates data from endpoints, network, email, cloud, and identity. XDR provides cross-layer correlation and response, while EDR is limited to endpoint-layer detection. For example, if a phishing email leads to a malicious download, XDR can correlate the email and endpoint events into one incident; EDR would only see the download. On the exam, choose XDR when multiple layers are involved.
MDR (Managed Detection and Response) is a service. A third-party provider monitors your environment using EDR, XDR, or other tools. They triage alerts, investigate, and respond on your behalf. It is not a product you install. On the exam, if a scenario mentions outsourcing security monitoring, the answer is MDR.
Yes, EDR can detect ransomware by monitoring behavior such as mass file encryption, rapid file renames, and communication with known C2 servers. EDR uses behavioral analytics and machine learning to identify ransomware even if it is not signatured. It can also automatically isolate the infected endpoint to prevent spread.
Threat intelligence provides IOCs (e.g., malicious IPs, domains, file hashes) that EDR/XDR use to detect known threats. It also provides context (e.g., threat actor TTPs) to prioritize alerts. XDR may integrate multiple intelligence feeds and correlate them across layers. On the exam, threat intelligence enhances detection but is not exclusive to any one platform.
XDR normalizes telemetry from different sources into a common schema (e.g., OCSF). It then uses correlation rules or machine learning to link events that share common attributes like user ID, IP address, or timestamp. For example, an email with a malicious attachment sent to a user, followed by a process creation on that user's endpoint, and then a network connection to a suspicious IP, are correlated into a single incident based on the user's email address and endpoint hostname.
Typical retention is 30 to 90 days for endpoint telemetry. Some vendors offer longer retention at additional cost. For XDR, retention varies by data source: endpoints 30-90 days, network logs 7-30 days, email logs 30 days. On the exam, you may be asked to choose a solution based on compliance requirements for log retention.
Yes, many MDR providers integrate with your existing EDR (e.g., CrowdStrike, Microsoft Defender). They may also deploy their own agents. The provider's SOC uses your EDR console to monitor and respond. This is common for organizations that want to keep their current EDR investment but lack in-house SOC expertise.