A while back I was helping a fintech team look into a machine that was behaving oddly. Their antivirus was green across the board. Every endpoint reported clean, the dashboard was calm, and on paper nothing was wrong. The problem was real though. Someone had been on that machine for the better part of a week, quietly, and the antivirus never had a thing to say about it.
That gap is the whole story. Antivirus did exactly what it was built to do. It just was not built for what actually happened.
What antivirus was built to do
Traditional antivirus works on signatures. A vendor sees a piece of malware, takes a fingerprint of it, and ships that fingerprint to every machine running their product. Your endpoint scans files, compares them to the list, and blocks anything that matches. Newer products dress this up with some machine learning and call themselves EPP, endpoint protection platforms, but the core idea is the same. Recognise the bad thing, stop the bad thing.
For a long time that was enough, because attacks looked like files. You downloaded something, it ran, and either the scanner caught it or it did not. Signatures are fast, cheap, and they still catch a lot of commodity junk. I am not going to tell you to throw antivirus away. It does a real job.
The trouble is that the job it does keeps getting smaller.
Where it stops working
Attackers worked out years ago that the easiest way past a signature scanner is to not have a signature. So they stopped relying on files.
A modern intrusion often never drops a malicious file on disk at all. The attacker uses tools that are already on the machine. PowerShell, the Windows scripting host, scheduled tasks, the same admin utilities your IT team uses every day. This is what people mean by fileless or living-off-the-land. There is nothing for antivirus to scan, because nothing new ever lands. The malicious part is the behaviour, not the file.
Then there are stolen credentials. If an attacker logs in with a real username and password, no scanner is going to flag that. It looks like a normal login because it is one. The account just happens to be in the wrong hands.
Here is the same idea laid out plainly. These are the things that matter once someone is actually trying to get in.
None of this is exotic. It is the default playbook now, not the advanced one.
Watch how it actually plays out
Let me walk through a fairly ordinary intrusion, the kind that does not make the news but happens constantly. Watch where the antivirus is paying attention and where it is asleep.
Notice the pattern. The antivirus is quiet for the entire part of the attack where you could still have done something cheap about it. By the time it finally lights up, the ransomware is already running and the attacker has been inside for days. A win that late is not really a win.
What EDR actually adds
EDR stands for endpoint detection and response, and the useful word in there is detection. Instead of only checking files against a list, an EDR agent records what the endpoint is doing. Which process started which other process. What connected to the network. When someone touched a sensitive part of the system.
That recording changes what you can see. The fileless PowerShell from earlier does not look like a file, but it does look like a browser quietly spawning a scripting engine that then reaches out to the internet. That chain is suspicious on its own, and an EDR can flag it without ever needing a signature for the payload.
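As an added illustration, not code from this post or from any EDR product, here is a toy version of that lineage check run over constructed process-start and network-connect events: it alerts when a script engine reaches the internet with a browser somewhere in its parent chain, and stays quiet for a shell opened from the desktop. The event shape and the image-name sets are assumptions.

```python
# Toy EDR-style detection: flag a script engine reaching the network
# when a browser sits somewhere in its parent chain. Assumed name sets.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_ENGINES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry in the shape an EDR agent records:
# process starts carry pid/ppid/image, network events carry pid/dst.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 1001, "ppid": 900, "image": "explorer.exe"},
    {"type": "process_start", "pid": 1100, "ppid": 1001, "image": "chrome.exe"},
    {"type": "process_start", "pid": 1210, "ppid": 1100, "image": "powershell.exe"},
    {"type": "network_connect", "pid": 1210, "dst": "198.51.100.7:443"},
    # Benign: an admin opens a shell from the desktop and it pulls a module.
    {"type": "process_start", "pid": 1300, "ppid": 1001, "image": "powershell.exe"},
    {"type": "network_connect", "pid": 1300, "dst": "203.0.113.9:443"},
    # Benign: ordinary browser traffic.
    {"type": "network_connect", "pid": 1100, "dst": "203.0.113.5:443"},
]

def lineage(procs, pid):
    """Return image names from pid upward to the last parent we know about."""
    chain = []
    while pid in procs:
        ppid, image = procs[pid]
        chain.append(image)
        pid = ppid
    return chain

def detect(events):
    """Replay telemetry in order, keep a process table, return alerts."""
    procs = {}   # pid -> (ppid, image): the recorded parent/child relationships
    alerts = []
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = (ev["ppid"], ev["image"])
        elif ev["type"] == "network_connect":
            chain = lineage(procs, ev["pid"])
            # The connecting process must be a script engine; any browser
            # ancestor makes the chain suspicious without a payload signature.
            if chain and chain[0] in SCRIPT_ENGINES and BROWSERS & set(chain[1:]):
                alerts.append({
                    "pid": ev["pid"],
                    "chain": " -> ".join(reversed(chain)),
                    "dst": ev["dst"],
                })
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['chain']} connected to {a['dst']}")
```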
The response half matters too. When something does go wrong, you are not stuck. You can isolate the machine from the network with one action, see exactly what the attacker touched, and go check whether they reached anywhere else. With plain antivirus, your answer to "what did they do" is usually a shrug and a reinstall.
Why the delay is so expensive
The reason any of this is worth paying for comes down to time. The longer an intruder sits undetected, the more it costs you, and the curve is not gentle.
Signature antivirus does nothing to shorten that window, because it is not watching for the behaviour that fills it. EDR is built for exactly that window. It is the difference between finding out you have a problem on day two versus finding out on day forty when the data is already gone.
EDR is not a magic box
Now the honest part. EDR is not something you install and forget. It produces alerts, and alerts need a human who knows what normal looks like in your environment and can tell a real problem from a noisy one. I have seen EDR rolled out, left unwatched, and turned into one more dashboard nobody opens. That is worse than useless, because now you are paying for visibility you are not using.
This is why most companies do not run it alone. They either build a team to watch it around the clock or hand that part to a managed detection service that does the watching for them. The tool gives you the signal. Someone still has to be listening.
If you are weighing this up, the practical question is not really antivirus or EDR. It is whether anyone would notice an intruder on your network before they finished the job. If you want the longer comparison, we wrote one up on antivirus versus EDR, and our managed SOC is where the watching part lives.