The short version
Antivirus was built for a world where malware was a file on disk with a known signature. That world ended around 2018. Today's attacks hide inside legitimate tools like PowerShell, Remote Desktop, TeamViewer and signed Microsoft binaries. A signature scanner never sees a "bad file" because there isn't one — there's a bad sequence of actions.
EDR watches those actions. Every process start, every registry write, every outbound connection, every PowerShell command gets recorded. When the behaviour matches a known attack pattern — for example, Office launching a PowerShell script that contacts a new domain and starts encrypting files — EDR isolates the machine from the network and flags it for review.
Antivirus vs EDR vs MDR — what's the difference?
Here's the plain distinction:
- Antivirus (AV) — signature and basic heuristic scanning. Stops known malware. Passive.
- EDR — AV plus continuous telemetry, behaviour analytics, investigation timelines and response actions (isolate, kill process, roll back). Active.
- MDR (managed detection and response) — EDR plus a 24/7 human team watching the alerts. You pay for the eyeballs.
- XDR (extended detection and response) — EDR data plus email, identity and cloud signals correlated in one place. The direction most vendors are moving.
For a 10-person accountancy in Horsham, EDR bundled into Microsoft 365 Business Premium covers the control properly. For a 50-person clinic storing patient data, MDR on top starts to make sense.
What EDR actually does on the day of an attack
A typical ransomware attempt in 2026 looks like this. A phishing email lands at 09:14. Someone clicks. A malicious document launches PowerShell at 09:15. PowerShell downloads a payload from an unknown domain at 09:16. The payload starts enumerating network shares.
Traditional antivirus sees none of this — the document is signed, PowerShell is a legitimate Microsoft tool, and the payload hasn't been seen before. EDR flags the behaviour chain at step two, isolates the laptop from the network at step three, and gives you a timeline showing exactly what ran, what was written and what was contacted. If files were encrypted, some products (Defender for Business, SentinelOne) can roll them back from shadow copies.
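As an added illustration (not code from any EDR vendor or from this article), the following replays constructed process and network telemetry for the 09:15 to 09:16 chain and applies the flag-then-isolate logic described above; the host names, event shapes and domain allowlist are assumptions.

```python
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
SHARE_ENUM = {"net.exe", "net1.exe"}
KNOWN_DOMAINS = {"login.microsoftonline.com", "update.microsoft.com"}  # constructed allowlist of domains seen before
SEVERITY = {"clean": 0, "flag": 1, "isolate": 2}

# Constructed telemetry mirroring the 09:15/09:16 timeline above (not real product output).
EVENTS = [
    {"time": "09:15", "host": "LAPTOP-07", "type": "process_create", "pid": 4120, "ppid": 3001,
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"time": "09:16", "host": "LAPTOP-07", "type": "network_connect", "pid": 4120,
     "domain": "cdn-files-update.example"},
    {"time": "09:16", "host": "LAPTOP-07", "type": "process_create", "pid": 4188, "ppid": 4120,
     "parent": "powershell.exe", "image": "net.exe"},
    {"time": "09:20", "host": "DESKTOP-02", "type": "process_create", "pid": 5010, "ppid": 2200,
     "parent": "explorer.exe", "image": "powershell.exe"},  # benign admin session: no Office parent
    {"time": "09:21", "host": "DESKTOP-02", "type": "network_connect", "pid": 5010,
     "domain": "update.microsoft.com"},
]

@dataclass
class HostState:
    tainted: dict = field(default_factory=dict)   # pid -> why the process is under suspicion
    verdict: str = "clean"                        # clean | flag | isolate
    timeline: list = field(default_factory=list)  # what the analyst would be shown
    def raise_to(self, level, note):
        if SEVERITY[level] > SEVERITY[self.verdict]:
            self.verdict = level
        self.timeline.append(f"{note} -> {level}")

def evaluate(events):
    """Replay telemetry per host and decide clean / flag / isolate for each device."""
    hosts = {}
    for e in events:
        st = hosts.setdefault(e["host"], HostState())
        if e["type"] == "process_create":
            parent, child = e["parent"].lower(), e["image"].lower()
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                st.tainted[e["pid"]] = "office-spawned-powershell"      # step two: flag the chain
                st.raise_to("flag", f"{e['time']} {parent} launched {child}")
            elif e["ppid"] in st.tainted:
                st.tainted[e["pid"]] = st.tainted[e["ppid"]]           # children inherit suspicion
                if child in SHARE_ENUM:
                    st.raise_to("isolate", f"{e['time']} {child} enumerating shares from suspicious chain")
        elif e["type"] == "network_connect" and e["pid"] in st.tainted and e["domain"] not in KNOWN_DOMAINS:
            st.raise_to("isolate", f"{e['time']} suspicious process contacted unknown domain {e['domain']}")  # step three
    return hosts
```

Run `evaluate(EVENTS)` and inspect each host's `verdict` and `timeline`; the Explorer-launched PowerShell on DESKTOP-02 stays clean because it has no Office parent and only reaches a known domain.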
Does EDR meet Cyber Essentials?
Yes — when it's configured and monitored. Cyber Essentials v3.3 (the Danzell update, in force from 27 April 2026) requires malware protection on every in-scope device. A properly enabled EDR product with tamper protection switched on, definitions auto-updating and automated remediation enabled satisfies that control. The NCSC Cyber Essentials overview sets out the full requirements. What you cannot do is install it, never look at it, and tick the box. Auditors and insurers increasingly ask for evidence that alerts are being reviewed.
How much does EDR cost in the UK?
Three realistic price points for a UK SME in 2026:
- Included with M365 Business Premium — Defender for Business sits inside the £18.10/user/month Business Premium licence. No extra charge.
- Standalone EDR from a major vendor — SentinelOne, CrowdStrike Falcon Go, Bitdefender GravityZone: £3–£9 per device per month, billed annually.
- MDR (monitored EDR) — £8–£20 per user per month on top, for 24/7 eyes on the alerts.
For most of our clients, we deploy Defender for Business with a managed configuration — attack-surface-reduction rules, Conditional Access, automated investigation — as part of our cyber security service. The licence they already pay for does the job.
What to look for when buying EDR
- Centralised console for every device, not per-site logins
- Tamper protection on by default — ransomware will try to switch EDR off first
- Automated rollback of encrypted files (shadow-copy restore)
- Network isolation with one click — quarantine the machine, keep remote management
- 30+ days of telemetry retention for investigations
- Integration with your identity provider (Entra ID, Google Workspace)
Common mistakes we fix on day one
When we onboard a new client we usually find one of these: EDR licensed but not deployed to every device; Defender disabled because a third-party AV was installed and then uninstalled without cleanup; alerts landing in a shared inbox nobody reads; tamper protection off because "it was blocking something". All four are cheap to fix and all four turn a decorative security control into an actual one.
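As an added example, not a product script, the following audits a constructed device export against the four day-one mistakes above and the Cyber Essentials criteria from the earlier section (agent actually deployed, tamper protection on, definitions updating, alerts reviewed); the column names and thresholds are assumptions.

```python
import csv
import io

# Constructed per-device export in the shape of a console inventory or a collected
# Get-MpComputerStatus summary (column names are assumptions, not real product output).
INVENTORY_CSV = """device,agent_installed,am_running_mode,tamper_protected,signature_age_days,alert_sink
LAPTOP-01,yes,Normal,yes,0,soc-queue
LAPTOP-02,no,,,,
LAPTOP-03,yes,Passive Mode,yes,1,soc-queue
LAPTOP-04,yes,Normal,no,0,soc-queue
LAPTOP-05,yes,Normal,yes,9,shared-mailbox
"""

MAX_SIGNATURE_AGE_DAYS = 3       # assumption: older definitions mean auto-update is not working
REVIEWED_SINKS = {"soc-queue"}   # assumption: queues where someone actually triages alerts

def audit(csv_text):
    """Map each device to the day-one mistakes it exhibits (empty list = compliant)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["agent_installed"] != "yes":
            issues.append("licensed-not-deployed")          # EDR bought but never rolled out
        else:
            if row["am_running_mode"] != "Normal":            # e.g. left passive by an old third-party AV
                issues.append(f"defender-not-active ({row['am_running_mode']})")
            if row["tamper_protected"] != "yes":
                issues.append("tamper-protection-off")
            if int(row["signature_age_days"]) > MAX_SIGNATURE_AGE_DAYS:
                issues.append("definitions-stale")
            if row["alert_sink"] not in REVIEWED_SINKS:
                issues.append("alerts-not-reviewed")          # shared inbox nobody reads
        findings[row["device"]] = issues
    return findings

def cyber_essentials_ready(findings):
    """True only when every in-scope device is deployed, active, protected, updated and watched."""
    return all(not issues for issues in findings.values())

def worst_first(findings):
    """Order devices so the ones with the most gaps come first, then by name."""
    return sorted(findings, key=lambda d: (-len(findings[d]), d))
```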
FAQ
Is EDR the same as antivirus?
No. Antivirus blocks known malware using signatures. EDR records what happens on the device, spots suspicious behaviour and lets a human investigate and roll back. Modern products bundle both under one agent.
Do small businesses actually need EDR?
Yes, if you handle client data, accept card payments, or want Cyber Essentials. Signature antivirus alone no longer stops the bulk of ransomware and phishing-led attacks — the NCSC has been explicit on this point since 2022.
How much does EDR cost per user?
Defender for Business is included with Microsoft 365 Business Premium at around £18.10 per user per month. Standalone EDR ranges from £3 to £9 per device per month depending on the vendor and volume.
Does EDR satisfy Cyber Essentials?
Cyber Essentials v3.3 requires malware protection on every in-scope device. A properly configured EDR product meets that control, provided it is enabled, updated and monitored. See our Cyber Essentials guide for the full list.
Can EDR stop ransomware completely?
Nothing stops ransomware completely. EDR dramatically shortens dwell time, isolates infected devices before the damage spreads, and — with rollback enabled — can undo file encryption on single machines. Pair it with tested backups.