Cyber ProKnow AI Practice Test

EDR focuses on detecting and responding to threats on endpoints, and it does so by gathering rich telemetry from the devices themselves. This means it monitors things like how processes start, what files get created or modified, registry changes, script activity, and unusual network connections from the host. When something looks suspicious, it doesn’t just raise an alert; it can automatically contain the threat by actions such as quarantining a file, stopping a malicious process, or isolating the affected device from the network. After containment, it guides remediation—removing artifacts, rolling back changes, and restoring the device to a clean state—while providing detailed context to help security teams investigate and learn from the incident.

This is different from simply watching network traffic, which would be more in the realm of network security tools. It’s not primarily about managing user authentication tokens, which belongs to identity and access management. And while EDR often complements or even replaces traditional antivirus capabilities, it’s best understood as a broader approach that combines continuous visibility, advanced detection, and rapid response at the endpoint.