If you have done any procurement in the past five years you have run into the EDR, XDR, MDR triangle and the increasingly familiar feeling that vendors are using the letters interchangeably. They are not interchangeable. Each tier solves a different defensive problem, costs differently, and fails differently. Knowing which is which is the first step to spending money on the right one.
What EDR is, precisely
Endpoint Detection and Response is the descendant of antivirus. It runs an agent on every endpoint (Windows laptops, macOS workstations, Linux servers, and increasingly mobile devices and cloud workloads) and continuously records process executions, file modifications, registry changes, network connections, and parent-child process relationships. That telemetry is shipped to a cloud console where detection logic, both signature-based and behavioural, raises alerts.
Three things distinguish EDR from legacy antivirus:
Behavioural detection rather than file-hash matching. EDR catches what processes do, not just what files are. A signed, legitimately installed binary that spawns rundll32 to inject into LSASS is suspicious regardless of whether either binary is "known bad"; the file hash is irrelevant to the rule.
Forensic recall. The agent buffers historical telemetry so that when an alert fires you can ask "what did that process do an hour before this?" and get an answer. This is what makes EDR useful for incident response, not just prevention. The buffer is finite and its retention is tied to the licence tier, so confirm how far back you can actually query before you assume you can reconstruct an intrusion that started weeks ago.
Active response. EDR consoles let you isolate an endpoint from the network, kill processes, delete files, and run live remediation, remotely, at scale.
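The three properties above are easier to see in code than in prose. What follows is an added example, not any vendor's agent or console: a toy pipeline over constructed endpoint telemetry that runs one behavioural rule (a non-allowlisted process opening LSASS with read access), walks the parent chain, and answers the forensic "what did this process do earlier" question from the buffered events. The event schema, field names, and the allowlist are assumptions.

```python
"""Toy EDR pipeline: ingest endpoint telemetry, run one behavioural rule
(non-allowlisted process reading LSASS memory), walk the process ancestry,
and answer the forensic "what did this process do earlier" question.
Added example, not any vendor's code; the event schema and field names
are assumptions."""
from datetime import datetime, timedelta

# Windows process access right (Win32 API). 0x1010 in the sample below is the classic
# credential-dumping request: PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read LSASS on a typical host. Assumption: tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# Constructed telemetry for one host, in chronological order.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "process_start", "pid": 400, "ppid": 4,
     "image": r"C:\Windows\System32\lsass.exe", "cmdline": "lsass.exe", "signed": True},
    {"ts": "2025-03-01T09:01:00", "type": "process_start", "pid": 1200, "ppid": 900,
     "image": r"C:\Program Files\Vendor\updater.exe", "cmdline": "updater.exe /check", "signed": True},
    {"ts": "2025-03-01T09:40:00", "type": "process_start", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Start", "signed": True},
    {"ts": "2025-03-01T09:40:05", "type": "network_connect", "pid": 1300, "dst": "203.0.113.7:443"},
    {"ts": "2025-03-01T09:41:00", "type": "process_access", "pid": 1300, "target_pid": 400,
     "target_image": r"C:\Windows\System32\lsass.exe", "access": 0x1010},
    {"ts": "2025-03-01T09:42:00", "type": "process_start", "pid": 1400, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "signed": True},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """pid -> its process_start event (the first one seen wins)."""
    procs = {}
    for e in events:
        if e["type"] == "process_start":
            procs.setdefault(e["pid"], e)
    return procs


def detect_lsass_read(events, procs):
    """Behavioural rule: any non-allowlisted process opening LSASS with VM_READ.
    Whether the source binary is signed does not matter here; its behaviour does."""
    alerts = []
    for e in events:
        if e["type"] != "process_access" or basename(e["target_image"]) != "lsass.exe":
            continue
        if not (e["access"] & PROCESS_VM_READ):
            continue
        src = procs.get(e["pid"])
        name = basename(src["image"]) if src else "<unknown>"
        if name in LSASS_ALLOWLIST:
            continue
        alerts.append({"rule": "lsass_memory_read", "ts": e["ts"], "pid": e["pid"],
                       "image": name, "signed": bool(src and src.get("signed"))})
    return alerts


def ancestry(procs, pid):
    """Parent chain from pid upwards, e.g. ['rundll32.exe', 'updater.exe']."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def recall(events, procs, pid, at, lookback_minutes=60):
    """Forensic recall: every buffered event for pid and its direct children in the
    window before `at`. A real agent bounds this by its retention window."""
    end = datetime.fromisoformat(at)
    start = end - timedelta(minutes=lookback_minutes)
    family = {pid} | {p for p, e in procs.items() if e["ppid"] == pid}
    return [e for e in events
            if e["pid"] in family and start <= datetime.fromisoformat(e["ts"]) <= end]


def triage(events):
    """Run detection, then enrich each alert the way an analyst would on first look."""
    procs = build_index(events)
    out = []
    for a in detect_lsass_read(events, procs):
        a["ancestry"] = ancestry(procs, a["pid"])
        a["timeline"] = recall(events, procs, a["pid"], a["ts"])
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["rule"], alert["image"], "<-", " <- ".join(alert["ancestry"][1:]))
        for e in alert["timeline"]:
            print("  ", e["ts"], e["type"], e.get("cmdline") or e.get("dst") or e.get("target_image"))
```

Note what the rule does not look at: the hash of updater.exe or rundll32.exe. Both are signed and both would pass a file-based scanner; the alert comes from the LSASS handle, and the ancestry and timeline are what turn it from "something touched LSASS" into "a vendor updater spawned rundll32 with a DLL from a user's Temp directory, which beaconed out and then read LSASS".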
The credible vendors in 2026 are CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, Sophos Intercept X, and a small set of others. They are not equivalent in detection quality. The best comparative reference is the public, independent MITRE Engenuity ATT&CK Evaluations (attackevals.mitre-engenuity.org). Two caveats when reading them: the evaluations report per-technique detection categories rather than a single ranked score, and each vendor configures its own product for the test, so read the raw results rather than the press release each vendor writes about them.
What XDR adds
Extended Detection and Response is what happens when the same vendor extends its detection logic across the rest of your stack: email, identity, cloud workloads, SaaS, network. The "extension" is the value. A phishing email that drops a beacon on a laptop becomes a single correlated incident in XDR rather than three uncorrelated alerts (mail gateway, identity provider, endpoint agent) in three different consoles.
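The correlation the paragraph above describes is mostly entity resolution plus a time window. The block below is an added example, not any XDR product's code: it takes constructed alerts from an email gateway, an identity provider and an endpoint agent, each in its own schema, maps them onto shared entity keys (user, host, source IP) and stitches alerts that share an entity within two hours into one incident. The alert schemas, the adapters and the window are assumptions. Because the incident is built only from what is fed in, dropping one feed shows what a missing integration looks like, which is the failure mode discussed later under "Where every tier stops working".

```python
"""Toy XDR correlator: normalise alerts from three sources with different
schemas onto shared entity keys (user, host, ip) and stitch them into
incidents by entity overlap within a time window. Added example, not any
vendor's code; the alert schemas below are assumptions."""
from datetime import datetime, timedelta

# Constructed alerts, each in its source's native shape.
EMAIL_ALERTS = [
    {"received": "2025-03-01T08:55:00", "recipient": "alice@example.com",
     "verdict": "malicious_attachment"},
]
IDENTITY_ALERTS = [
    {"time": "2025-03-01T09:05:00", "upn": "alice@example.com",
     "event": "new_device_signin", "ip": "198.51.100.23"},
]
ENDPOINT_ALERTS = [
    {"ts": "2025-03-01T09:41:00", "hostname": "LAPTOP-ALICE", "user": "EXAMPLE\\alice",
     "rule": "lsass_memory_read"},
    {"ts": "2025-03-01T14:00:00", "hostname": "SRV-DB01", "user": "EXAMPLE\\svc_backup",
     "rule": "suspicious_powershell"},
]


def user_key(raw):
    """Map 'alice@example.com' and 'EXAMPLE\\alice' to the same entity key."""
    raw = raw.lower()
    if "@" in raw:
        raw = raw.split("@", 1)[0]
    elif "\\" in raw:
        raw = raw.split("\\", 1)[1]
    return "user:" + raw


def normalize(source, a):
    """One adapter per source. This is the 'correlation engineering' open XDR leaves to you."""
    if source == "email":
        return {"ts": a["received"], "source": source, "summary": a["verdict"],
                "entities": {user_key(a["recipient"])}}
    if source == "identity":
        return {"ts": a["time"], "source": source, "summary": a["event"],
                "entities": {user_key(a["upn"]), "ip:" + a["ip"]}}
    if source == "endpoint":
        return {"ts": a["ts"], "source": source, "summary": a["rule"],
                "entities": {user_key(a["user"]), "host:" + a["hostname"].lower()}}
    raise ValueError(f"no adapter for source {source!r}")


def correlate(alerts, window_minutes=120):
    """Sweep alerts in time order; an alert joins the first incident that shares an
    entity and was active within the window, otherwise it opens a new one.
    Entities accumulate, so user -> host -> ip links chain transitively."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(a["ts"])
        home = next((i for i in incidents
                     if i["entities"] & a["entities"]
                     and t - i["last"] <= timedelta(minutes=window_minutes)), None)
        if home is None:
            home = {"entities": set(), "alerts": [], "sources": set(), "last": t}
            incidents.append(home)
        home["entities"] |= a["entities"]
        home["alerts"].append(a)
        home["sources"].add(a["source"])
        home["last"] = t
    return incidents


def build_incidents(email=EMAIL_ALERTS, identity=IDENTITY_ALERTS, endpoint=ENDPOINT_ALERTS):
    """Normalise every feed that is integrated, then correlate. A feed that is not
    integrated simply never appears here; nothing warns you about it."""
    alerts = ([normalize("email", a) for a in email]
              + [normalize("identity", a) for a in identity]
              + [normalize("endpoint", a) for a in endpoint])
    return correlate(alerts)


if __name__ == "__main__":
    for n, inc in enumerate(build_incidents(), 1):
        print(f"incident {n}: sources={sorted(inc['sources'])} entities={sorted(inc['entities'])}")
        for a in inc["alerts"]:
            print("  ", a["ts"], a["source"], a["summary"])
    # Drop the identity feed: the incident survives but loses the sign-in and the source IP,
    # which is what a missing integration looks like in practice.
    print(len(build_incidents(identity=[])[0]["alerts"]), "alerts when identity telemetry is absent")
```

With all three feeds the first incident carries the email, the sign-in and the LSASS read as one story about one user; the unrelated service-account alert on the database server stays a separate incident. Run it with the identity feed removed and the same incident still forms, but with no sign-in and no source IP, which is exactly the kind of silent gap a SaaS or identity system that is not integrated produces.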
XDR is sold in two flavours, native and open. Native XDR is one vendor’s complete stack ingesting only its own telemetry. Open XDR is a detection layer that ingests other vendors’ telemetry. Native is more polished. Open is more honest about the heterogeneous reality of most enterprise environments.
The skeptical view, which is correct: XDR is the endpoint vendor’s attempt to upsell into the SIEM and SOAR market. The hopeful view, also correct: SIEMs failed at correlation in practice and XDR is what correlation looks like when it is built around a single high-fidelity telemetry source rather than a swamp of low-quality logs.
What MDR adds
Managed Detection and Response is, fundamentally, "we will run your EDR or XDR for you." A specialist provider (Red Canary, Arctic Wolf, Expel, Sophos MDR, Mandiant, Kroll) embeds analysts who triage alerts twenty-four hours a day, escalate confirmed incidents, and execute initial containment. For organisations without a 24/7 security team this is the only realistic way to operate detection technology that produces alerts at three a.m. on a Sunday.
MDR is the right answer for most mid-market and many large enterprises. The gap between owning EDR and operating it well is enormous. CISA has documented this pattern repeatedly in incident summaries: organisations were running EDR; the EDR generated the alert; nobody saw it for a week. Independent reporting from Sophos’s annual "State of Ransomware" survey (sophos.com/state-of-ransomware) shows the same.
Where every tier stops working
EDR fails when an attacker disables the agent: by tampering with its kernel driver, by abusing valid administrative credentials to uninstall it, or by bring-your-own-vulnerable-driver (BYOVD) attacks that load a signed but exploitable third-party driver and use it to blind or kill the agent from kernel mode. The Lazarus and Scattered Spider groups have used these techniques repeatedly in 2024–2025, and the response from EDR vendors has been tamper protection that a local administrator cannot switch off without an out-of-band token issued from the console. Two checks worth making in any deployment: that tamper protection is actually enabled on every agent, not merely available in the licence, and that Microsoft's vulnerable driver blocklist is enforced on Windows hosts so that known-bad drivers cannot load in the first place.
XDR fails when telemetry is missing. If a SaaS application is not integrated, attacks that live entirely inside that application are invisible. The Microsoft 365 / Entra ID identity-only attacks documented by Mandiant in 2024 are the clearest example.
MDR fails when the analysts are working from playbooks rather than judgement. The good providers know the difference; the median provider is closer to a managed inbox than a security operation. The way to test this during procurement is to ask for the analyst-to-customer ratio, the median time-to-investigate (alert raised to an analyst actually looking at it, not to an automated acknowledgement), and which containment actions they are pre-authorised to take without waking you up. At credible providers the ratio is usually between 1:50 and 1:100 and time-to-investigate is under fifteen minutes.
How to choose
Three rough rules of thumb apply.
If you have a working SOC and an analyst team that knows your environment, buy the best independent EDR you can and feed its telemetry into a SIEM you already trust. XDR from the same vendor is upsell unless you are ready to commit to that vendor’s whole platform.
If you have a small or no security team, buy MDR. It is more expensive than EDR alone but the alternative is paying for a tool that nobody answers. The MDR provider’s choice of underlying EDR matters more than the brand of MDR.
If you are running heterogeneous tooling and cannot consolidate, evaluate open XDR offerings, and accept that you will be doing more correlation engineering than the brochure suggests.
The deeper truth, visible in every round of the MITRE ATT&CK Evaluations: no detection technology fully replaces a competent analyst who knows your environment. EDR, XDR and MDR move the bar; they do not eliminate the work. Plan accordingly.
