29 June 2026

Antivirus, EDR, XDR, MDR: what they are, which one you need

Security's alphabet soup, explained: what each level adds and when you need it. How we apply it across more than 250 endpoints and some 50 servers.

If you’ve asked for cybersecurity quotes recently, you’ll have seen the alphabet soup: EDR, XDR, MDR… every proposal with more acronyms than the last, and all of them promising “total protection”. It isn’t just marketing: they are different levels of one and the same ladder. And the easiest way to understand it is to think about how a building is protected.

Antivirus: the lock. A modern antivirus — the industry calls it EPP, an endpoint protection platform, endpoint being the name for each of the company’s machines: laptops, desktops, servers — prevents and blocks what’s known: malware identified by signatures, reputation or heuristics. It’s indispensable, like a good lock. But on its own it’s no longer enough: today’s attacks steal credentials, hop from one machine to the next and abuse legitimate tools that belong to the system itself. The equivalent of an intruder coming in with a copy of the key — the lock doesn’t even notice.

EDR: the alarm that records. An EDR (endpoint detection and response) also watches behaviour: it continuously records what happens on each machine and spots the anomalous. And when something is triggered, it lets you investigate and act: which process started the activity? Which user? From which machine? Which others are affected? Do we isolate the machine? It’s the difference between knowing that “someone got in” and knowing where they got in, what they touched — and being able to shut the door on them remotely.

XDR: cameras across the whole building. XDR (extended detection and response) widens that surveillance by correlating several layers: endpoints, servers, email, cloud, identities. A real attack almost never touches a single piece — it comes in through an email, runs something on a laptop and goes after the server. Watching each camera separately doesn’t tell the story; XDR reconstructs it whole.

MDR: the alarm receiving centre. And here’s what almost nobody explains: everything above is a tool. An alarm nobody is listening to just makes noise. MDR (managed detection and response) adds the service: specialists monitoring 24/7, filtering out false positives, prioritising what’s serious and helping to contain the incident — on a Saturday at four in the morning too. The tool, with nobody watching it, doesn’t respond on its own.

Which one does your business need? That depends on your risk and your obligations. Modern, well-managed endpoint protection — advanced antivirus, sandboxing (suspicious files are detonated in an isolated environment before they reach the user) and a central console — is already a huge leap from a standalone antivirus on each PC. But if you work with the public sector, carry cyber insurance, go through audits or the Esquema Nacional de Seguridad (ENS, Spain’s national security framework) applies to you, the conversation starts at EDR and usually ends at MDR: increasingly, it’s the insurers and the auditors themselves who ask what detection and response capability you have.

Our model, demonstrable: at elstir we manage today more than 250 endpoints and some 50 servers from a central ESET PROTECT console, with SonicWall firewalls at the perimeter and specific protection for email, which remains one of the most common ways in for attacks. We work at three levels, depending on each client’s requirements: ESET PROTECT Advanced as the entry standard, Complete when vulnerability and patch management is also needed, and MDR with the vendor’s 24/7 monitoring for the environments with the highest requirements. With this layered architecture, one of our clients passed the audits to get certified in ISO 27001 and the ENS.

What you take away from this article is simple: you’ll read the next acronym-filled proposal knowing what each rung adds — the diagram below sums it up. And if you’d like us to translate it into your specific case, with no alphabet soup, that’s what we do every day in managed cybersecurity.

ANTIVIRUS blocks EDR investigates, responds XDR correlates layers MDR experts 24/7
Each step includes the ones below it. The real difference isn't the tool: it's how much it sees and who is watching it.

An alarm nobody is listening to just makes noise.

← Back to the blog

Shall we talk about your infrastructure?

An initial audit with no obligation. Tailored solutions, with a single point of contact who knows your business.