EDR/XDR Fundamentals: CrowdStrike vs SentinelOne vs Defender

MDM tells you a device is configured correctly. EDR tells you whether something bad is happening on it right now. The two are complementary halves of endpoint security: configuration management hardens the device, while endpoint detection and response watches the device for the attacks that get through anyway. As a GRC Engineer, you need to understand EDR well enough to evaluate whether an organization's detection coverage is real — deployed everywhere, monitored, and tied to a response process — or whether it is a logo on a contract with blind spots no one is watching.

This lesson explains what EDR does that antivirus does not, untangles the EDR / XDR / MDR acronyms, and compares the three platforms you will see most: CrowdStrike Falcon, SentinelOne, and Microsoft Defender for Endpoint.

When EDR isolates your laptop mid-demo

From antivirus to EDR

Traditional antivirus was signature-based: it compared files against a database of known-bad hashes and patterns. If the malware was in the database, AV caught it. If it was new, repacked, or fileless, AV missed it. Attackers learned to evade signatures trivially — change a byte, the hash changes, the signature no longer matches.

Endpoint Detection and Response is behavior-based. Instead of asking "is this file on my bad list?", EDR asks "is this process doing something an attacker does?" It continuously records endpoint telemetry — process creation, command-line arguments, network connections, file and registry changes, parent-child process relationships — and looks for malicious behavior: a Word document spawning PowerShell, PowerShell reaching out to an unknown IP and downloading a payload, a process trying to dump credentials from memory, mass file encryption in seconds.

That behavioral lens is why EDR catches things AV cannot:

Fileless attacks that live in memory and abuse legitimate tools (PowerShell, WMI, living-off-the-land binaries) leave no file to signature, but their behavior is anomalous.
Novel malware with no known signature still has to act — and the actions trip behavioral detections.
Hands-on-keyboard intrusions where a human attacker moves laterally show up as a chain of suspicious behaviors even when no single step is obviously malware.

Crucially, EDR adds the R — response. When something is detected, EDR can act: kill the process, quarantine the file, isolate the host from the network (so it can talk only to the EDR console), and on some platforms roll the device back to a pre-attack state. And every bit of telemetry is retained, so responders can reconstruct exactly what happened — the forensic timeline.

Why GRC cares about the recording

The continuous telemetry EDR captures is not just for the SOC — it is evidence. When SOC 2 CC7.2 (the system is monitored to detect anomalies) or an incident-response control is tested, the EDR's detection logs, alert timeline, and response actions are the proof that monitoring and response actually function. "We have EDR" is not the control; "EDR is deployed on 99% of endpoints, alerts route to an on-call queue, and here is the response timeline for the last incident" is the control.

EDR vs XDR vs MDR

These three letters cause endless confusion. They are not competing products so much as different scopes and operating models.

EDR — Endpoint Detection and Response. Scope is the endpoint: laptops, servers, sometimes mobile. It detects and responds to threats on the device.
XDR — Extended Detection and Response. Scope is broader than the endpoint: it correlates endpoint signals with identity, email, cloud, and network telemetry into a single detection surface. The value is correlation — a suspicious login (identity) plus a malicious process (endpoint) plus an odd outbound connection (network) become one linked incident instead of three disconnected alerts.
MDR — Managed Detection and Response. Not a different technology but a different operating model: a vendor's security team monitors and responds on your behalf, 24/7. Organizations without a round-the-clock SOC buy MDR so that a 3 a.m. alert gets a human response instead of sitting in a queue until morning.

The decision logic is about who watches and how broadly:

SCOPE  ───────────────────────────────────────────────►  broader

 EDR                         XDR
 ┌─────────────────┐         ┌──────────────────────────────┐
 │ Endpoint only   │         │ Endpoint + identity + email  │
 │ detect/respond  │         │ + cloud + network, correlated│
 └─────────────────┘         └──────────────────────────────┘

 WHO OPERATES IT  ─────────────────────────────────────►

 Self-managed                 MDR (vendor-operated)
 ┌─────────────────┐         ┌──────────────────────────────┐
 │ Your team gets  │         │ Vendor SOC monitors 24/7 and │
 │ the alerts      │         │ responds on your behalf      │
 └─────────────────┘         └──────────────────────────────┘

 A small company often = XDR delivered as MDR (broad scope, someone else watches).

EDR vs XDR vs MDR — scope and who operates it

Quick check

A 120-person company has no 24/7 security team. They deploy a strong EDR agent on every laptop, but alerts only flow into a Slack channel that nobody monitors overnight or on weekends. From a controls perspective, what is the primary gap?

No gap — deploying EDR on every endpoint fully satisfies the monitoring control

The detection capability exists but there is no response coverage outside business hours; detection without timely response is an incomplete control, and MDR (or an on-call rotation) is needed to close the 24/7 gap

The gap is that they chose EDR instead of XDR; only XDR satisfies any compliance framework

The gap is that Slack is not an approved security tool

The three platforms

You will most often encounter CrowdStrike, SentinelOne, and Microsoft Defender. All three are credible, modern EDR/XDR platforms; the differences are about ecosystem fit, operating model, and cost.

Platform	Model	Strengths	Watch-outs
CrowdStrike Falcon	Lightweight cloud-native agent; threat-intel-heavy; strong MDR (Falcon Complete)	Market-leading detection and threat hunting; excellent telemetry and incident reconstruction; broad OS coverage	Premium pricing; modular SKUs mean "CrowdStrike" can mean very different coverage depending on what was bought
SentinelOne	Autonomous on-agent AI; strong automated response including one-click rollback	Fast automated containment; ransomware rollback on Windows; works well where on-device autonomy matters (intermittent connectivity)	Heavier reliance on tuning to control false positives; ecosystem younger than CrowdStrike's
Microsoft Defender for Endpoint	Built into Windows; deep Microsoft 365 / Entra integration; part of the Defender XDR suite	Strong value if you already own the right M365 license; native XDR correlation across identity/email/endpoint; no extra agent on Windows	Best-in-class mainly inside the Microsoft ecosystem; licensing tiers (E3 vs E5 vs add-ons) are confusing and determine what you actually get

For a GRC Engineer, the product name on the contract matters far less than three operational questions, which apply to all three:

Coverage — what percentage of endpoints actually run the agent, and which are missing? Servers? Contractors' machines? The forgotten build server? Gaps in coverage are gaps in the control.
Operating model — self-managed or MDR? Who responds at 3 a.m.?
SKU/license reality — "we have CrowdStrike" or "we have Defender" can mean wildly different capabilities depending on the module or license tier. Confirm which features are actually licensed and enabled.

Coverage is the control

The most common real-world finding is not "the EDR is bad" — it is "the EDR is not everywhere." An endpoint without the agent is invisible to detection. Servers get forgotten. A contractor's laptop never gets enrolled. A new VM image ships without the agent baked in. Each one is a hole an attacker can operate inside without tripping a single alert.

So the headline metric is deployment coverage: agents installed and reporting, as a percentage of the known asset inventory. This is why endpoint security depends on having an accurate asset inventory in the first place — you cannot measure coverage against a fleet you have not fully enumerated. When you evaluate an EDR program, the first question is not "which vendor?" but "show me the coverage report against the asset inventory, and explain every gap."

Quick check

During an evidence review, the security lead reports '100% EDR coverage.' Pulling the data, you find the agent is on every employee laptop, but the production Linux servers and the CI/CD build hosts have no agent. How should you characterize this?

Accurate — laptops are where users are, so 100% laptop coverage is 100% coverage

A coverage gap on high-value assets: servers and build hosts are prime targets (data, lateral movement, supply-chain injection) and their absence from EDR is a material blind spot, even if laptop coverage is complete

Not a concern, because Linux servers do not get malware

Acceptable, since EDR is only meant for end-user devices

What an auditor wants to see

When detection-and-response controls are tested (SOC 2 CC7.1–CC7.4 on monitoring and incident handling; ISO 27001 controls on logging, monitoring, and response), the EDR program should be able to produce:

Coverage report — agents deployed vs asset inventory, with gaps explained.
Alerting and routing — where alerts go and who owns them, including off-hours.
Response evidence — for real detections, the timeline: detected at, triaged at, contained at, resolved at.
Tuning and review — that someone reviews detections and tunes noisy rules, so the system is actually watched rather than drowning in ignored alerts.

These artifacts are reusable across frameworks and feed directly into the incident-response work in later phases. The EDR is both a security control and an evidence generator — which is why understanding it pays off twice.

What to carry forward

EDR moved endpoint defense from "match known-bad files" to "detect malicious behavior and respond." XDR widens the lens to correlate across identity, email, cloud, and network; MDR adds a human team to operate it around the clock. CrowdStrike, SentinelOne, and Defender are all strong — what determines whether the control is real is coverage against the asset inventory, a response model that covers off-hours, and clarity about which features are actually licensed.

Next, you will look at the other half of endpoint hardening: configuring the operating system itself against CIS Benchmarks, so there is less for the EDR to catch in the first place.