Sophos offers a more expensive version of both Intercept X Advanced and Intercept X Advanced for Server with the addition of “EDR”. Since we are very often asked during purchase consultations what this “EDR” means exactly and whether the extra charge is worth it at all, I would like to go into more detail about the range of functions of EDR and the benefits in this article.
The EDR functionality, as an add-on to Intercept X Advanced, has been available for workstations for quite some time; since May 9 the product has also been available for servers.
What EDR can help with
Put simply, Intercept X Advanced with EDR lets you get to the bottom of two essential questions: what exactly happened after an attack, and is there a risk that something else will happen in the near future?
1. What happened?
At first glance, to find out what happened after an attack, you don’t necessarily need to pay the extra price for EDR. Sophos has been offering you the Root Cause Analysis (RCA) function for some time now, which is included in the Intercept X feature set. However, the possibilities for analyzing an attack are significantly expanded by upgrading to Intercept X Advanced with EDR.
With EDR you can find out
- what really happened after an attack
- whether a threat has spread
- what insights SophosLabs has gathered about a specific program from all Sophos customers
- whether there is still dormant malware in your company
- whether you can give your boss the all-clear that no data has been stolen
With EDR, you get access to artificial intelligence methods to analyze a process or files even more accurately with machine learning. You can also temporarily isolate the affected computer during an analysis to buy yourself enough time.
2. Will anything else happen?
A common attacker tactic is to place a small program somewhere on your computer that does nothing malicious at first and therefore does not look suspicious. Because it behaves harmlessly, it can initially slip past certain security mechanisms. At some point, however, this program wakes up and does damage.
With the search capabilities of Intercept X Advanced with EDR, such “dormant threats” can be searched for across the enterprise. Often, such programs have already spread to quite a few systems and hide behind fake file names. With EDR, Sophos offers the helpful function of searching all devices in the company for a hash value. This lets you quickly find out on which devices in the company a program has already been seen and with whom it has communicated. In this way you can, for example, detect command-and-control servers or locate servers to which data may have been leaked.
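To make the hash search described above concrete, here is an added example of the same hunt carried out by hand over endpoint telemetry. It is not Sophos code and does not use the Sophos Central API; the records are constructed sample data and the field names (host, event, sha256, path, remote) are assumptions. It answers the three questions from the paragraph: on which hosts a hash has run, under which file names it hid, and which remote endpoints it contacted from more than one host.

```python
"""
Hash-based hunt across endpoint telemetry (added example, not Sophos code).

Given the SHA-256 of a suspected dormant implant, find every host on which a
process with that hash ran, the file names it used, and the remote addresses it
talked to. The telemetry below is constructed sample data; the field names are
assumptions, not a real product schema.
"""
from collections import defaultdict
from typing import Dict, List

IMPLANT = "aa11" * 16   # constructed hash of the program being hunted
BENIGN = "bb22" * 16    # constructed hash of an unrelated, legitimate program

# Constructed telemetry: one record per process start or outbound connection.
TELEMETRY: List[dict] = [
    {"host": "ws-01",  "event": "process", "sha256": IMPLANT, "path": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"host": "ws-01",  "event": "connect", "sha256": IMPLANT, "remote": "203.0.113.7:443"},
    {"host": "ws-02",  "event": "process", "sha256": IMPLANT, "path": r"C:\Windows\Temp\svchost.exe"},
    {"host": "ws-02",  "event": "connect", "sha256": IMPLANT, "remote": "203.0.113.7:443"},
    {"host": "srv-db", "event": "process", "sha256": IMPLANT, "path": r"C:\ProgramData\helper.exe"},
    {"host": "srv-db", "event": "connect", "sha256": IMPLANT, "remote": "198.51.100.20:8443"},
    {"host": "ws-03",  "event": "process", "sha256": BENIGN,  "path": r"C:\Program Files\Office\winword.exe"},
    {"host": "ws-03",  "event": "connect", "sha256": BENIGN,  "remote": "192.0.2.10:443"},
]


def hunt_hash(records: List[dict], sha256: str) -> Dict[str, dict]:
    """Return {host: {"names": set of file names, "remotes": set of endpoints}}
    for every host where the given hash appeared."""
    hits: Dict[str, dict] = defaultdict(lambda: {"names": set(), "remotes": set()})
    for rec in records:
        if rec["sha256"].lower() != sha256.lower():
            continue
        entry = hits[rec["host"]]
        if rec["event"] == "process":
            # keep only the file name; the same hash under several names is itself a signal
            entry["names"].add(rec["path"].rsplit("\\", 1)[-1])
        elif rec["event"] == "connect":
            entry["remotes"].add(rec["remote"])
    return dict(hits)


def aliases(hits: Dict[str, dict]) -> List[str]:
    """All file names the hash was seen under, fleet-wide (fake names show up here)."""
    return sorted({name for entry in hits.values() for name in entry["names"]})


def shared_remotes(hits: Dict[str, dict], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Remote endpoints contacted by the hash from at least min_hosts hosts.
    These are command-and-control candidates to verify, not a verdict: a
    legitimate update server would be reported the same way."""
    hosts_by_remote: Dict[str, set] = defaultdict(set)
    for host, entry in hits.items():
        for remote in entry["remotes"]:
            hosts_by_remote[remote].add(host)
    return {remote: sorted(hosts) for remote, hosts in hosts_by_remote.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = hunt_hash(TELEMETRY, IMPLANT)
    print("hosts:", sorted(found))
    print("file names used:", aliases(found))
    print("remotes seen from several hosts:", shared_remotes(found))
```

Run as-is it reports the three hosts, the three different file names the one hash hid behind, and the single remote endpoint that two of the hosts both contacted; the server-only remote is listed per host but not flagged as shared, which is the kind of lead you would then check against known-good infrastructure before calling it a command-and-control server.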
Where is the added value with EDR?
When an attack occurs in a company, the first thing to do is to rely on the protection mechanisms of Sophos Intercept X Advanced. Afterwards, however, you should take a closer look at the data collected from the attack and find out whether any data has been stolen or whether the threat has spread to other systems, for example. This would normally require a horde of forensic experts who do nothing but sift through logs all day to draw any conclusions. Sophos, on the other hand, relies on artificial intelligence methods for its EDR solution. So processes on the network are analyzed with machine learning and the help of SophosLabs, rather than by humans. As a result, this job can now theoretically be performed by a person who doesn’t have to be an IT forensics expert. 😎
Do I need EDR or not?
The answer to the question of whether you should pay the surcharge for EDR or not depends on two factors:
Factor 1: Interest
Are you one of those people for whom it is enough if Intercept X Advanced writes in the log after an attack that the threat could be stopped and all data was cleaned? Then you don’t need EDR.
However, would you like to take a closer look at the attack and analyze the process in more detail? Want to know if there are more malicious programs lying around on computers or servers in the company that just haven’t shown up yet? Then I would say you should consider the extra charge for EDR.
Factor 2: Compliance requirements
EDR tools are needed at the latest when a company has to prove after an attack that no data was stolen. We are talking here about compliance requirements that must be met in certain areas, such as PCI (Payment Card Industry) or healthcare. Also in this area is the DSGVO (the German name for the GDPR, General Data Protection Regulation), which states that you have to protect the data entrusted to you according to the state of the art.
Such a law naturally makes a company vulnerable. Instead of demanding a ransom to decrypt the company’s data, as in a ransomware attack, companies can now be blackmailed with even larger sums for a breach of the GDPR or compliance requirements.
Sophos’s EDR capabilities help you meet compliance requirements and prove whether or not data has been lost in an emergency. If you find such a tool useful for your business, then investing in Sophos Intercept X Advanced with EDR would definitely not be out of place here.
Try Sophos Intercept X Advanced with EDR
If you don’t already have a Sophos Central account, you can create one on the Sophos website and try all the features, including “Sophos Intercept X Advanced with EDR” for computers and servers, for free for 30 days.
If you already have a Sophos Central account and the 30-day trial period has expired, you can order a license for “Sophos Intercept X Advanced with EDR” in our store: