Why a traditional antivirus is no longer enough

A classic antivirus is good at catching known malicious files — things already in signature databases or that look like typical malware. But real workplace incidents often unfold differently. An attacker doesn’t have to drop an "obvious" malicious file onto a PC. It’s more important for them to get access, persist, and move quietly.

Most problems start with simple things: an email "from accounting" with a phishing link, a document with macros, or launching a legitimate utility (PowerShell, remote admin tools, archivers). At the antivirus level this often looks like normal user activity. The consequences appear later: stolen passwords, mailbox access, changed settings, data leaks.

When your estate grows to 500+ PCs and you have branches, it becomes harder to quickly build a picture. Different OS versions, different software, remote users — IT may not see what happened on a particular machine before or after an incident. Investigations then turn into guesswork: logs are sparse, there’s no context, and time is wasted.

"Quiet" attacks without an obvious malicious file (fileless attacks) are especially dangerous. An antivirus might find nothing because the threat is a chain of actions:

a user enters credentials on a fake page;
the attacker logs in under a legitimate account;
built-in Windows tools are run;
the attacker moves laterally to more valuable systems.

That’s why EDR often becomes a practical necessity: it’s not just about file checks, but visibility into endpoint actions and fast response before an incident grows.

EDR in simple terms: what it is and what it does

Think of EDR as a "black box" for endpoints. It doesn’t just look for known viruses; it records what happens on a workstation and helps quickly understand where an attack started and where it went. EDR and a traditional antivirus often work together: AV remains a baseline layer, while EDR provides context and controlled response.

EDR collects chains of events: which processes ran, which files were created or changed, what commands were executed, where network connections went, which accounts were used. The key difference is a linked history instead of isolated "signals." For example: email > document opened > PowerShell appears > file downloaded > attempt to persist in startup.

In practice, "detection" means EDR flags suspicious behavior even if a file is new and signatureless. "Response" means actions taken from the console: isolate a host from the network, stop a process, quarantine a file, collect artifacts for investigation, run a scan.

EDR helps find hidden incidents, analyze attack chains faster, remediate the same threats across the fleet, and spot recurring misconfigurations.

But EDR has limits. It does not replace patching, backups, or access control. It doesn’t "fix" systems by itself and may produce false positives if policies are coarse. With 500+ endpoints, success often depends not on installing agents but on who and how daily triages the alerts.

Project goals and scope: what exactly do you want to improve

Before choosing a vendor, start by answering: what result do you want in 2–3 months? Without that, a pilot becomes an accumulation of random alerts and debates about settings.

A good practice is to fix 5–8 measurable goals that IT and the business understand. Examples: reduce time to detect (MTTD) and time to respond (MTTR), increase visibility of process launches and executable sources, be able to isolate a host without disconnecting the whole network, tidy up script and utility usage, and get a single investigation context per user and device.

Next, define scope and risk zones. These usually depend on data and privileges, not on department size: accounting (payments), procurement (vendors and documents), admins (privileges), server groups, terminal farms. In organizations with large numbers of workstations and servers — for example, in the public sector or healthcare — it’s useful to immediately select critical segments and agree on priorities.

Agree in advance what level of blocking is acceptable at the start: monitoring mode, soft alerts, or strict blocks. Strict mode on day one almost always breaks normal processes and increases resistance.

Also agree on pilot success criteria and a decision timeline:

coverage: what percentage of PCs and which roles are included;
quality: share of false positives and time to triage;
effectiveness: how many incidents are detected and how quickly closed;
decision: product choice date and scaling plan.

Criteria for choosing EDR for a 500+ device estate

When you pass 500 devices, choose EDR based on how it behaves in production: on desktops, laptops, branches, and under limited network conditions.

First, check coverage. The agent must reliably work on your Windows versions (and other OSes, if present). For laptops, offline mode is important: events must be cached locally and uploaded when a connection appears. This is critical for traveling and field staff.

Next — investigation convenience. A good EDR provides a clear incident card: what happened, on which host, the chain of events leading to the alert, and fast search across devices. If one alert takes 30–40 minutes to triage, at scale you will run into a backlog.

Practical minimum criteria:

fast response actions: host isolation, process termination, quarantine, artifact collection;
integrations with AD, mail, SIEM and ticketing systems (at least via ready connectors);
clear licensing and predictable costs as the fleet grows;
low endpoint load and transparent network/upgrade requirements;
reporting for management: incident metrics, response times, coverage and exceptions.

A useful pre-purchase test: take 10–20 typical PCs (office desktops and some laptops) and check that business applications don’t break and support requests don’t spike. If your fleet uses identical models (e.g., corporate desktops and all-in-ones from one lineup), it’s easier to evaluate load and compatibility.

Preparation before the pilot: data, access, communications

Pilots often fail not because of the product but due to an unprepared environment. Before deployment collect basic information: what you protect, who manages it, and how changes reach users.

Start with an inventory, but not just "for the record." You need a real picture: PC and laptop models, Windows versions, user roles (office, accounting, engineers, doctors, cashiers), critical applications and their patch status. Separately note "special" endpoints: terminal servers, shared workstations, lab PCs, devices with legacy software.

Next — permissions and access. Decide who installs the agent and who can change policies. A common issue is local admins among users. During a pilot this can lead to agent removal, driver conflicts, and blame games. Better to fix in advance: who has admin rights, how they are controlled, and what to do if installation needs temporary privilege elevation.

Network also affects results. Branches, VPNs, proxies and narrow links can disrupt deployment and updates. Check whether proxies block necessary domains and ports, how telemetry will flow, and what happens if connectivity is lost.

To avoid surprises, prepare a short communication and schedule: who is included, when agents are installed, what may change, where to report issues, who’s on duty, how to roll back, and how feedback is collected.

Example: a company in Kazakhstan has a head office and six branches over VPN. The pilot includes 50 PCs from accounting and the contact center plus 5 "complex" machines with rare software. IT and security agree on the installation window and rules for local admins. This saves weeks of debate by week two.

EDR pilot: a step-by-step 4–6 week plan

Request a proposal for deployment

We will prepare an estimate and work plan so scaling is predictable.

Get a quote

A pilot should test EDR in real life: not on an "ideal" bench but on typical PCs with regular software and people. For a 500+ fleet, a good pilot saves weeks of arguments and reduces the risk of breaking processes during scaling.

Start with a group of 30–80 PCs. Ensure it includes different roles (accounting, sales, IT, managers), device types (laptops and desktops), and a few branches if available. This lets you quickly see where policies "catch" environment specifics.

Week by week

Week 1: agree test scenarios and success criteria, assign responsibilities, prepare accesses and an installation window.
Week 2: deploy agents, enable telemetry collection, and set basic alerts without hard blocking.
Week 3: run controlled tests by scenario (suspicious attachments, PowerShell, USB connection, RDP attempts), record what triggered and where it interferes with work.
Week 4: analyze events from the first 1–2 weeks, separate "noise" from real risk, compile exceptions and rule clarifications.
Week 5–6 (if needed): adjust policies, repeat checks, document improvements and remaining issues.

Keep a short cadence between weeks: 2–3 meetings of 30 minutes so you don’t accumulate disputed alerts.

What should be delivered at the end

agreed policies and exceptions with owners;
assessment of false positives and IT triage time;
a decision on scaling and a wave-based rollout plan.

Policy configuration: how not to break workflows

Policy issues, not agent installation, often cause trouble. Best approach: start in monitoring mode — minimal blocking, maximum visibility. In the first 1–2 weeks gather facts: which processes run, which scripts and drivers are genuinely needed, and what admin actions occur daily.

Then introduce deployment "rings" so mistakes don’t spread fleet-wide:

pilot: IT and a few power users ready to give feedback;
expanded group: 10–20% of PCs across departments and branches;
full fleet: only after fixes from the previous rings.

Create policies by roles rather than "one size fits all." Usually 4–5 profiles suffice: office desktops, development, administrators, kiosks/terminals, and traveling employees’ laptops. For each profile decide what is detect-only and what is blocked immediately (for example, unknown executables starting from temp folders).

Manage exceptions as a controlled process. Simple rule: an exception is granted only by request, has an application owner and an expiry. If everything is simply put on a whitelist, EDR’s effect disappears.

Change control is mandatory. Assign who approves edits (typically InfoSec plus the service owner), where reasons and risks are recorded, and how to roll back. That way you can change policies during the pilot without causing outages.

How to reduce false positives without losing protection

After launch it often feels like there are too many signals. That’s normal: EDR sees more than an antivirus, and in the first weeks it needs help distinguishing attacks from your environment specifics. Otherwise the team will tire and start ignoring important alerts.

Start with a simple classification of alerts by meaning and response:

critical: signs of compromise (persistence, malicious code, contact with suspicious hosts);
important: likely misuse (admin tools, scripts, suspicious process chains);
informational: useful for investigations but not urgent;
noise: repeated events with no significant risk.

Work carefully with exceptions. A whitelist should be precise: better to allow a specific file by hash or by publisher signature than to disable a whole class of detections. Path-based exceptions are convenient but risky if regular users can write to that folder. Publisher-based exceptions are safer if you trust the supply chain and updates.

Reducing duplicates and grouping similar events helps a lot. If the same agent reports the same action every 5 minutes on 200 workstations, operators need a single incident showing scale and a clear summary, not thousands of alerts.

A short feedback loop also works: IT > app owner > security. Example: EDR flags a custom accounting script. The owner confirms it’s legitimate, IT shows where it’s stored and how it’s updated, and security applies the narrowest exception and records the decision.

Review exceptions monthly: what’s unused, what has grown, what can be replaced with a more precise rule. This is crucial to keep visibility and avoid turning EDR into a list of allowances.

Operating model: roles, playbooks and metrics

EDR deployment as a project

We will run deployment from pilot to phased rollout with rollback windows.

Request

EDR only delivers value when it’s clear who responds and how. Otherwise alerts pile up, users get upset about blocks, and IT starts disabling protection to "keep things working."

Roles: who is responsible for what

In small teams roles may overlap, but responsibilities should be defined:

IT administrators: agent installation, updates, exceptions by agreement, fixing root causes (patches, rights, settings).
InfoSec: detection rules, incident prioritization, decision on isolation, approval of exceptions.
SOC (internal or external): 24/7 monitoring, initial triage, artifact collection and recommendations.
Service desk: user communication, ticketing, restoring access.
Business system owners: confirm criticality of nodes and acceptable downtime windows.

After assigning roles, create a short 1–2 page playbook. Example: what to do if a PC is isolated. Who notifies the user, how to provide temporary mailbox access, who removes isolation and under what conditions (clean scan, passwords reset, vulnerability patched).

Response templates and metrics

Prepare simple scenarios: phishing (password reset and search for similar mails), suspicious script (check source and signature), miner (clean and find entry point), credential leak (force password change, enable MFA, audit tokens).

To know the system works, 3–4 metrics are enough:

time to confirm an incident and time to contain;
share of false positives for critical rules;
incident repeatability (same cause recurring);
share of devices with up-to-date agent and policies.

If you work with an integrator (common when building a secured infrastructure), ask them to deliver roles, playbooks and metrics as part of the pilot, not "sometime later."

Training IT and users: so EDR actually works

EDR helps only when people understand what they see in the console and what to do next. Otherwise teams drown in alerts and users see blocks for no clear reason. Plan training as part of the pilot.

Short training for IT

For second-line and admins a 2–3 hour practical session is enough. Goal: confidently perform initial triage and decide: ignore, contain, investigate, or escalate.

Useful minimum:

console layout: devices, incidents, policies, exceptions;
triage an alert in 5 minutes: process, parent, user, time, network contacts;
basic investigations: process chain, artifacts, what to collect for InfoSec;
escalation: when SOC/InfoSec is needed and what data to provide;
safe handling of exceptions: who approves and for how long.

First line and employees

First line should be able to take a ticket without panic or "turn off the EDR." Give them scripts: what questions to ask, how to explain a block, how to quickly tell if it’s a business app or a threat.

For users, a one-page memo is enough: what may change on the PC (pop-ups, possible file blocks), what to do if they suspect an issue (don’t close the notification, don’t reboot until told, report to Service Desk), and which situations are critical (email with attachments, unexpected prompts for passwords).

Reinforce training with exercises on a test group: 2–3 prepared incidents (suspicious PowerShell, unknown exe, phishing attachment). After each drill update instructions and alert thresholds so production noise is lower.

Example deployment scenario for 500+ PCs: how it looks in practice

EDR policies without disruptions

We will set up profiles and exceptions so protection doesn’t break workflows.

Get the plan

A typical company: about 700 workstations, 6 branches, some staff use laptops and occasionally work offsite. An antivirus is long in place, but incidents still happen and it’s hard to understand what occurred on a PC. The team decides on a cautious EDR rollout that doesn’t stop work.

They run a representative pilot: 60 PCs from finance, HR, admins and one branch. The first 2 weeks are monitoring-only. The goal is simple: map behavior, spot what will “noise,” and avoid breaking processes.

Common findings repeat: undocumented admin scripts and utilities surface. Some PCs have old autostart entries and leftover contractor software. A few detections on suspicious mail attachments turn out to be legitimate messages with aggressive macros.

They tune policies: about 10–15 exceptions are added, each with an owner (who is responsible and why). For accounting and admins they tighten controls: more restrictions on running utilities and scripts.

Rollout continues in waves — 150 PCs per week. Each wave is evaluated by metrics:

alerts per 100 PCs;
share of false positives;
IT response time;
number of support tickets.

If metrics worsen, they pause the next wave and adjust policies instead of adding broad exceptions.

Short checklist before start and after launch

A short checklist helps the team remember owners, metrics and rollback plans.

Before start (before purchase and pilot)

Spend 1–2 meetings aligning basics. It’s less time than cleaning up chaos after the first blocks.

Define 2–3 measurable goals (e.g., response time, covered PCs, noise reduction) and assign owners from InfoSec and IT.
Choose a pilot group: 50–150 PCs, mixed roles (accounting, dev, contact center, managers) and 1–2 tricky apps.
Gather inventory: OS, versions, critical apps, VPN, VDI, admin tools. Mark machines and servers that cannot be rebooted during work hours.
Prepare accesses and boundaries: who installs agents, who sees the console, who approves exceptions, who can isolate a host.
Make a rollback plan: how to quickly disable policies or remove an agent, and how to instruct users if a block occurs.

After launch (and during scaling)

When the pilot gives clear results, turn settings into repeatable processes rather than relying on individual heroes.

Hold weekly tuning: review top alerts, add rules, close coverage gaps, check performance on typical PCs.
Maintain an exceptions log: who requested, reason, expiry, and what was checked before approval. Review and prune monthly.
Agree short playbooks: how to escalate, when to isolate, how to return a device to the network, and response SLAs.
Train IT and first-line support: common symptoms, what counts as an incident, what data to collect before handing to InfoSec.
Set up management reporting: 3–5 metrics (coverage, MTTD/MTTR, false positive share, number of critical incidents) and a fixed reporting day.

If your environment is mixed (e.g., office PCs and workstations with locally built devices), run pilots on different configurations to catch incompatibilities before scaling.

Next steps: moving from pilot to steady operations

After a pilot it’s easy to stay in "it seems to work but deployment is scary." To make EDR a normal operational practice you need a short transition plan and clear owners.

Document exactly what the pilot covered: which departments and device types, which attack scenarios, and which integrations (mail, AD, tickets). List critical apps and processes that must not be broken: accounting, medical systems, government services, special drivers, remote work tools. Assign an owner (IT, security, or business) and a deadline for each item.

A simple five-step route helps:

approve readiness criteria: which metric levels are acceptable (response time, false positive rate, device coverage);
plan resources for event triage: at least 1–2 people for daily initial review in early weeks;
make a wave-based rollout plan (e.g., 10%, then 30%, then the rest) with rollback windows;
define exception rules: who can request, who approves, duration and review policy;
update playbooks: what to do on blocks, how to escalate, and how to record decisions.

A sign of maturity is when exceptions don’t accumulate for years but are reviewed on schedule and each has a reason and an expiry.

If you need help designing, deploying and supporting the project, GSE.kz (gse.kz) can join as a system integrator: they can prepare infrastructure, run the deployment and provide 24/7 support to ensure the transition from pilot to operations doesn’t rely on a single overloaded specialist.