Every laptop, phone, and desktop on your network is a door. Some are propped open. The question isn't whether attackers will try the handles — they will, automatically, thousands of times a day — it's whether the door does anything when they do.

The endpoint security market is crowded and the labels blur together. Here's what the categories actually mean, and where each one stops.

Antivirus (AV) — the floor, not the ceiling

Traditional antivirus matches files against a database of known-bad signatures. It's cheap, it's everywhere, and it catches commodity malware. But signatures only recognize threats someone has already seen and catalogued. Modern attacks are frequently fileless — they live in memory, abuse legitimate tools like PowerShell, and never drop a file for AV to scan. If antivirus is your whole endpoint strategy, you are defending against last year's attacks.

Endpoint Detection & Response (EDR)

EDR watches behavior instead of just files. It records what processes do — what they spawn, what they touch, where they reach on the network — and flags the patterns that signal an attack even when the payload is brand new. Crucially, the "R" is response: a good EDR can kill a malicious process, quarantine the machine, and roll back changes automatically, in the seconds that matter, without waiting for a human.

This is the layer most small and mid-sized organizations are missing, and it's the one that turns a breach from a company-ending event into a single reimaged laptop.

Managed Detection & Response (MDR / SOC)

EDR generates alerts. Someone has to read them. MDR is EDR plus a team of analysts — a Security Operations Center — watching the console around the clock so your staff doesn't have to. For most businesses without a dedicated night shift, this is the difference between a threat caught at 3 AM and one discovered on Monday morning after the damage is done.

How to actually choose

Skip the feature-checklist trap. Three questions cut through it:

Does it respond autonomously, or just alert? At 3 AM, an alert nobody reads is worthless. Autonomous response — kill, quarantine, roll back — is the whole point.

Who is watching it? If the answer is "we'll get to the dashboard eventually," you don't have detection, you have a log. Budget for MDR or accept that alerts will sit unread.

Does it fit the rest of your architecture? Endpoint protection is one layer. It stops what runs on the device. It does nothing about an attacker moving laterally across a flat network they reached through a stolen VPN credential. That's why we pair EDR with Zero Trust Network Access — the endpoint layer kills the payload, the network layer denies the movement.

The short version

Antivirus is table stakes and no longer sufficient on its own. EDR is the layer that actually stops modern attacks, and it's the one most organizations lack. MDR makes that EDR real by putting eyes on it 24/7. And none of it substitutes for controlling access in the first place.

We built the neverTrust bundle around exactly this pairing — SentinelOne's autonomous EDR for the endpoint, ZTNA for the network, one managed service, priced below buying either alone. If you want to see how the two layers cover each other, watch the breach walkthrough or price a bundle.