EDR versus traditional antivirus
Traditional antivirus matches files against known-bad signatures. EDR continuously monitors process behaviour, network connections, file activity and user actions to detect malicious patterns even when the malware itself is novel or fileless. Modern EDR includes automated investigation (the platform investigates the alert before a human sees it), threat hunting (analysts query the security graph for indicators), and response actions (isolate the device, kill processes, quarantine files).
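To make the signature-versus-behaviour gap concrete, here is an added Python illustration (not code from the page or from any EDR product) that runs a hash deny-list and two hypothetical behavioural rules over constructed process telemetry; the hashes, rule names, process names and address are all made up for the example.

```python
"""Constructed comparison of hash-based signatures with behavioural rules.

Everything below (hashes, telemetry events, rule names) is invented for this
illustration and stands in for an EDR's real analytics."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    pid: int
    image: str            # executable name of the new process
    parent_image: str     # executable name of the parent process
    cmdline: str
    file_sha256: str      # empty string for script/fileless activity
    outbound_hosts: list = field(default_factory=list)


# Signature approach: a static deny-list of known-bad file hashes (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(b"sample-v1").hexdigest()}


def signature_verdict(ev: ProcessEvent) -> bool:
    """True only if the executable's hash is already on the deny-list."""
    return ev.file_sha256 in KNOWN_BAD_HASHES


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}


def behaviour_verdict(ev: ProcessEvent) -> list[str]:
    """Return the hypothetical behavioural rules the event trips (empty = clean).
    Lineage and network context are visible even when no file is on disk."""
    hits = []
    if ev.parent_image in OFFICE_APPS and ev.image not in OFFICE_APPS:
        hits.append("office-spawns-child-process")
    if ev.image in SCRIPT_HOSTS and ev.outbound_hosts:
        hits.append("script-host-network-egress")
    return hits


# Constructed events: a repacked binary whose hash has never been seen, and a
# fileless chain where no malicious file ever touches disk.
EVENTS = [
    ProcessEvent(101, "update.exe", "winword.exe", "update.exe /silent",
                 hashlib.sha256(b"sample-v2").hexdigest()),   # novel variant
    ProcessEvent(102, "powershell.exe", "winword.exe",
                 "powershell.exe -File macro.ps1", "", ["203.0.113.10"]),
]


def triage(events):
    """Run both approaches; returns {pid: (signature_hit, behaviour_hits)}."""
    return {e.pid: (signature_verdict(e), behaviour_verdict(e)) for e in events}


if __name__ == "__main__":
    for pid, (sig, beh) in triage(EVENTS).items():
        print(pid, "signature:", sig, "behaviour:", beh)
```

Neither constructed event matches the deny-list, while both trip the lineage rule and the fileless one also trips the egress rule, which is the monitoring gap the paragraph describes.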
Where Defender for Endpoint sits
Microsoft Defender for Endpoint P2 is competitive with the leading EDR platforms — CrowdStrike Falcon, SentinelOne, Carbon Black. Its differentiation for Microsoft 365 tenants is integration: signals feed Defender XDR alongside Defender for Office, Identity, Cloud Apps; Conditional Access can block sign-in from non-compliant devices; the same Entra identities drive the security graph. For tenants outside Microsoft 365 the integration value drops sharply.