Why “we already have EDR” is not a risk management strategy
January 20, 2026
6 minute read
A reflection on detection, posture, and the illusion of security.
For years, enterprise cybersecurity has advanced by accelerating detection and response capabilities. Each new generation of tools promised earlier visibility, better alerting, and faster reaction.
However, this progress has given rise to a persistent myth: assuming that strong detection capability equals an effective security strategy.
Today, that assumption deserves to be revisited.
The context changed, but many assumptions did not
The way we understand technology—and, by extension, cybersecurity—has changed rapidly. Technological accessibility, shorter innovation cycles, and the constant evolution of attack techniques have shifted the context for which many current security controls were designed.
In this scenario, many controls do not become ineffective because they are poorly designed, but because they continue to operate under assumptions that no longer reflect operational reality.
Cybersecurity is not immune to this dynamic: models that worked well in the past now need to be reevaluated within a broader, continuous risk management approach.
What EDR solves—and what it never promised to solve
EDR emerged to address a specific need: improving detection and response at the endpoint. Its core value proposition was always clear:
When suspicious activity occurs, we can detect it and respond more quickly.
For years, this represented a significant advance over traditional antivirus. Endpoint visibility and response capability remain valuable components of any modern security program.
But here lies the critical point: quickly detecting an event is not the same as sustainably reducing risk.
The operational illusion of “we’re already covered”
In many organizations, EDR adoption has been accompanied by an implicit perception of sufficient coverage.
However, post-event detection alone does not address structural factors such as:
- insecure configurations that remain uncorrected for long periods,
- exposed attack surfaces that are not systematically assessed,
- and the progressive degradation of controls over time.
In practice, EDR operates as an alerting and response mechanism, not as a system for structural risk reduction. This is not a failure of EDR. It represents a mismatch between its original purpose and the strategic role it has been assigned.
The problem arises when it is expected to replace a comprehensive security strategy.
EDR and XDR have evolved—but the approach remains reactive
It is important to recognize that modern EDR and XDR solutions have evolved significantly, incorporating capabilities such as behavioral analysis, response automation, event correlation, and integrations with identity, cloud, and network environments.
This evolution has improved the operational efficiency of security teams.
But it has not eliminated a structural limitation of focus: they still operate primarily within the domains of detection and response.
They are not designed to continuously manage security posture or to prioritize exposures before they materialize into incidents.
Reacting better to events is not the same as managing risk continuously.
EDR without NDR: partial visibility in a distributed environment
Another implicit assumption that often goes unnoticed is the belief that endpoint visibility is sufficient to understand the real risk of the environment. In practice, EDR observes what happens on the asset, but not necessarily between assets.
In hybrid and distributed environments, a significant portion of malicious behavior—lateral movement, credential misuse, anomalous communications, gradual exfiltration—first manifests at the network level. Without Network Detection and Response (NDR) capabilities, EDR operates with incomplete context: it detects local effects but misses behavioral patterns that are only visible when traffic and relationships between systems are observed.
This does not make EDR an insufficient technology, but it does highlight a structural limitation: without NDR, detection becomes fragmented. The organization may react to isolated events on individual endpoints without fully understanding the attack dynamics or its true scope. From a risk management perspective, this translates into a false sense of control: isolated signals without a systemic view of exposure.
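The fragmentation described above can be made concrete. The following Python script is an added illustration, not code from the original article or from any EDR or NDR vendor: it takes two constructed endpoint alerts and a handful of constructed network flow records (the host names, times and ports are invented), shows the endpoint-only view (a list of isolated hosts), and then walks outward along flows observed after each alert to recover the scope an analyst would only see with network context. The time window and the flow record layout are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (invented hosts and times): two endpoint alerts
# and five network flow records of the kind NDR would provide.
ENDPOINT_ALERTS = [
    {"host": "ws-014", "time": "2026-01-20T09:02:00", "detail": "suspicious credential access"},
    {"host": "ws-027", "time": "2026-01-20T09:40:00", "detail": "unsigned binary executed"},
]

NETWORK_FLOWS = [
    # (source host, destination host, destination port, time)
    ("ws-014", "fs-01", 445, "2026-01-20T09:05:00"),
    ("ws-014", "ws-027", 445, "2026-01-20T09:31:00"),
    ("ws-027", "db-02", 1433, "2026-01-20T09:42:00"),
    ("ws-027", "10.9.8.7", 443, "2026-01-20T09:55:00"),
    ("ws-003", "fs-01", 445, "2026-01-20T09:10:00"),  # unrelated host, no alert
]


def _t(value):
    return datetime.fromisoformat(value)


def endpoint_only_view(alerts):
    """What EDR alone reports: a list of isolated hosts with alerts."""
    return sorted({a["host"] for a in alerts})


def correlate_scope(alerts, flows, window_minutes=60):
    """For each alerted host, follow flows observed within `window_minutes`
    after its first alert, hop by hop, and return every host reached.
    This is the systemic view the text says endpoint-only detection lacks."""
    window = timedelta(minutes=window_minutes)
    first_alert = {}
    for a in alerts:
        t = _t(a["time"])
        if a["host"] not in first_alert or t < first_alert[a["host"]]:
            first_alert[a["host"]] = t

    scope = {}
    for host, t0 in first_alert.items():
        seen, frontier = {host}, [(host, t0)]
        while frontier:
            src, since = frontier.pop()
            for flow_src, flow_dst, _port, ts in flows:
                t = _t(ts)
                # Only flows leaving the current hop, after we reached it,
                # and inside the window after the originating alert count.
                if flow_src == src and since <= t <= t0 + window and flow_dst not in seen:
                    seen.add(flow_dst)
                    frontier.append((flow_dst, t))
        scope[host] = sorted(seen - {host})
    return scope


def link_alerts(scope):
    """Merge alerted hosts into one incident when one host's scope reaches
    another alerted host, instead of treating them as separate events."""
    groups = []
    for host, reached in scope.items():
        members = {host} | {h for h in reached if h in scope}
        for g in [g for g in groups if g & members]:
            groups.remove(g)
            members |= g
        groups.append(members)
    return [sorted(g) for g in groups]


if __name__ == "__main__":
    print("EDR view:", endpoint_only_view(ENDPOINT_ALERTS))
    reach = correlate_scope(ENDPOINT_ALERTS, NETWORK_FLOWS)
    print("Scope with network context:", reach)
    print("Linked incidents:", link_alerts(reach))
```

With these constructed records the endpoint view yields two unrelated alerts, while the correlated view shows that the second alerted workstation was reached from the first and that the chain continued to a database host and an external address, so both alerts belong to one incident.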
Why EDR—even with a SOC—cannot be the pillar of risk management
EDR remains a relevant component of the security stack. However, it has clear limits when used as the main axis of defense. Its value is activated, in most cases, after anomalous activity has already occurred; it does not autonomously correct persistent insecure configurations, it does not continuously prioritize risks based on impact, nor does it systematically reduce exposure without a complementary posture management framework.
A common counterargument is that EDR does not operate in isolation, but as part of a Security Operations Center (SOC) that continuously monitors, investigates, and responds to incidents. This is a valid observation: a mature SOC improves the speed and quality of response, optimizes triage, and reduces the operational impact of incidents.
However, even with a 24/7 SOC, most security operations remain reactive by design. The SOC operates on events and alerts; it responds when a signal has already been generated. Posture management, by contrast, focuses on conditions and exposures that exist before an event occurs and that, in many cases, do not generate immediate alerts.
In this sense, the SOC does not invalidate the need to manage posture; it complements it. While the SOC optimizes response to what happens, continuous posture management reduces the likelihood that those events occur in the first place. This helps explain why organizations with mature EDR, XDR, and SOC deployments continue to face incidents derived from known exposures or uncorrected configurations.
What frameworks indicate
Reference frameworks reinforce this point from a formal perspective.
The NIST Cybersecurity Framework 2.0 emphasizes that effective cybersecurity is not based on a single tool, but on continuous risk management across integrated functions: Govern, Identify, Protect, Detect, Respond, and Recover.
The emphasis is not solely on detecting better, but on evaluating, adjusting, and improving security posture on a recurring basis, recognizing that risk constantly changes and must be aligned with business context.
From this perspective, no technology—no matter how advanced—replaces a posture-based approach.
From reacting faster to reducing exposure
For years, much of the industry attempted to improve security by accelerating reaction.
Sustained risk reduction, however, occurs when:
- exposures are identified before they are exploited,
- insecure configurations are continuously corrected,
- real posture is measured, not just detected incidents,
- and actions are prioritized based on impact and likelihood.
This is why models such as CTEM (Gartner, 2022) have emerged, which treat security not as a static state, but as a constant and measurable practice.
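The four conditions listed above can be turned into a small, repeatable calculation. The Python below is an added example, not part of the original article and not Gartner's or any vendor's CTEM implementation: it scores a set of constructed exposure findings (invented assets and issues) by impact, likelihood, internet exposure and how long the condition has persisted, orders them for remediation, and derives a few posture metrics that measure open exposure rather than detected incidents. The weighting scheme, the 90-day age cap and the criticality threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    issue: str
    impact: int            # 1..5, business impact if exploited
    likelihood: int        # 1..5, ease or probability of exploitation
    internet_facing: bool  # exposed attack surface
    days_open: int         # how long the condition has persisted uncorrected


# Constructed sample findings (invented assets, not real systems).
FINDINGS = [
    Finding("vpn-gw-01", "MFA disabled on admin portal", 5, 4, True, 45),
    Finding("ws-014", "local admin password reuse", 3, 3, False, 120),
    Finding("db-02", "TLS 1.0 enabled", 2, 2, False, 300),
    Finding("web-03", "unauthenticated debug endpoint", 4, 5, True, 7),
]


def score(f):
    """Assumed scoring: impact x likelihood, doubled for internet exposure,
    scaled up to 2x as the finding ages toward 90 days unaddressed."""
    base = f.impact * f.likelihood                 # 1..25
    exposure = 2.0 if f.internet_facing else 1.0
    age = 1.0 + min(f.days_open, 90) / 90.0        # 1.0 .. 2.0
    return round(base * exposure * age, 1)


def prioritize(findings):
    """Return (asset, issue, score) tuples, highest score first."""
    return sorted(
        ((f.asset, f.issue, score(f)) for f in findings),
        key=lambda row: row[2],
        reverse=True,
    )


def posture_metrics(findings, critical_threshold=30.0, stale_days=30):
    """Measure exposure, not incidents: how much is open, how much of it is
    critical, and how long conditions are being allowed to persist."""
    open_count = len(findings)
    critical_open = sum(1 for f in findings if score(f) >= critical_threshold)
    mean_days_open = sum(f.days_open for f in findings) / open_count
    stale_share = sum(1 for f in findings if f.days_open > stale_days) / open_count
    return {
        "open": open_count,
        "critical_open": critical_open,
        "mean_days_open": round(mean_days_open, 1),
        "share_open_over_30d": round(stale_share, 2),
    }


if __name__ == "__main__":
    for asset, issue, s in prioritize(FINDINGS):
        print(f"{s:6.1f}  {asset:10}  {issue}")
    print(posture_metrics(FINDINGS))
```

Run repeatedly (say, after each configuration scan), the metrics give a trend line for exposure reduced over time, which is the quantity the text argues should be managed; the ranking answers the "what first" question that raw alert volume does not.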
Conclusion — From detection to business continuity
- Reducing risk today is not only about reacting faster, but about operating with greater predictability and lower exposure over time.
- In hybrid and distributed environments, business continuity depends on treating security as a continuous practice, integrated into operations, rather than as a fragmented flow of alerts or isolated tools.
- Signals from EDR, XDR, and NDR provide critical visibility. Their true value emerges when they are contextualized, prioritized, and translated into decisions that impact risk posture.
To enable this approach, Batuta allows security posture to be managed in a living and continuous way, facilitating risk assessment and measurement to focus efforts where they truly matter to the business. When security stops being measured only by what is detected and begins to be managed by the exposure that is reduced, the organization gains operational clarity, strategic focus, and a stronger foundation to sustain business continuity.