Service · Endpoint Protection

Endpoint protection — EDR with a SOC behind it.

EDR on every workstation and server, with our 24/7 SOC monitoring the alerts. Real-time response, isolation on detection, forensics on demand. Mac, Windows, Linux.

Endpoint program scope

EDR deployment + tuning

Microsoft Defender for Endpoint, SentinelOne, or CrowdStrike — selected based on your existing licenses and platform mix. Default-deny baseline tuned over the first 30 days.

24/7 MDR coverage

Our SOC triages alerts in real time. Isolation actions taken under documented runbooks. Median time-to-contain measured monthly.

Forensic readiness

Endpoint timeline preservation, memory captures on demand, chain-of-custody documentation. Ready for legal proceedings if needed.

Patch + vulnerability management

OS, browser, and third-party application patching on a measured cadence. Critical CVEs (CISA KEV list) prioritized.

Application allowlisting (where appropriate)

AppLocker, WDAC, or third-party allowlisting for high-risk roles (finance, executives, service accounts). Audit-mode first, then enforce.

Mobile device management

Intune, Jamf, or Google Workspace MDM — depending on your platform. Conditional Access integration with M365 / Google Workspace identity.

Visible proof

What incident response looks like in practice

A real ransomware-detection-to-recovery sequence with per-phase time windows and owner roles. Anonymized.

Incident Response · Ransomware · Sample · Anonymized

Time to triage: 3 min
Time to client notify: 15 min
Time to restore: 10 hr

  1. T+0 · Detection · SOC analyst · automated
     EDR isolates first compromised endpoint

     Defender for Endpoint blocks file-encryption pattern, isolates host from network. Initial alert fires in SOC console.

  2. T+3 min · Detection · SOC tier-2
     SOC analyst opens incident, runs scope query

     Identity, lateral-movement, and persistence indicators pulled from SIEM. Two additional endpoints flagged with matching IOCs.

  3. T+8 min · Containment · SOC tier-2 · IR lead
     Containment: identity + endpoint quarantine

     Compromised user revoked, sign-in sessions terminated. All three endpoints isolated. Lateral targets pre-emptively isolated.

  4. T+15 min · Containment · IR lead → Client CISO / Owner
     Client notification + IR call bridge opened

     Notification per pre-agreed SLA. Bridge opened with client lead, EFROS IR lead, and SOC on the line. Initial scope and impact statement delivered.

  5. T+45 min · Investigation · DFIR engineer
     Forensic acquisition + threat-actor identification

     Memory image, disk snapshot, and log preservation. TTPs matched against known affiliate. Initial-access vector identified (phished M365 account, no MFA).

  6. T+4 hr · Recovery · Senior engineer + DFIR
     Eradication + clean-rebuild starts on isolated VLAN

     Confirmed-clean baseline images deployed to a quarantine VLAN. Patient-zero credential rotated, app passwords reset across affected services.

  7. T+10 hr · Recovery · Backup engineer
     Restore from immutable backup, verified clean

     3-2-1 backup restored to clean infrastructure. Hash integrity verified, AV scan clean. User-facing systems back online on a watched VLAN.

  8. T+48 hr · Review · IR lead + Client
     Post-incident review + hardening plan

     Written report delivered: TTPs, IOCs, what worked, what didn't, mandatory hardening (MFA, Conditional Access, log retention). Lessons documented for tabletop.

Real-world sequence from a logistics-sector engagement. Customer details anonymized. EFROS retainer clients receive a written post-incident report with TTPs, IOCs, and a mandatory hardening roadmap within 72 hours of resolution.
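Step 7 above says the restored backup was "hash integrity verified" before systems went back online. The following is an added example (not EFROS tooling, and not part of the original page) of what that check looks like in practice: a sha256sum-style manifest recorded at backup time is compared against the restored tree, and any file that is mismatched, missing, or unexpected blocks the restore from being called clean. The manifest format, file names, and the tampered byte are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large restores don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse a sha256sum-style manifest: '<hex digest>  <relative path>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_restore(restore_root, manifest_text):
    """Compare a restored directory tree against the backup-time manifest.

    Returns a dict with four sorted lists: ok, mismatched, missing, unexpected.
    A restore is only clean when the last three are all empty.
    """
    root = Path(restore_root)
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatched": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(expected.items()):
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == digest:
            result["ok"].append(rel)
        else:
            result["mismatched"].append(rel)
    # Files present on disk but absent from the manifest are suspicious too:
    # a restore should not contain anything the backup did not.
    present = {
        str(p.relative_to(root)).replace(os.sep, "/")
        for p in root.rglob("*") if p.is_file()
    }
    result["unexpected"] = sorted(present - set(expected))
    return result


def restore_is_clean(result):
    """True only when every manifest entry matched and nothing extra is present."""
    return not (result["mismatched"] or result["missing"] or result["unexpected"])


def demo():
    """Constructed restore tree: one good file, one tampered file, one missing, one extra."""
    config = b"db_host: 10.0.0.5\n"
    original_bin = b"\x7fELF" + b"\x00" * 60
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.yaml").write_bytes(config)
        # Restored binary differs from the manifest by its last byte (constructed tampering)
        (root / "app" / "service.bin").write_bytes(original_bin[:-1] + b"\x01")
        # Extra file that was never in the backup
        (root / "app" / "notes.txt").write_bytes(b"not in manifest")
        manifest = (
            "# constructed manifest recorded at backup time\n"
            + hashlib.sha256(config).hexdigest() + "  app/config.yaml\n"
            + hashlib.sha256(original_bin).hexdigest() + "  app/service.bin\n"
            + hashlib.sha256(b"gone").hexdigest() + "  app/missing.dat\n"
        )
        return verify_restore(root, manifest)


if __name__ == "__main__":
    r = demo()
    print(r)
    print("clean" if restore_is_clean(r) else "NOT clean: do not bring online")
```

The manifest must come from the immutable copy, not from the restored tree itself; a manifest that travels with the data it describes can be rewritten by whoever rewrote the data.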

Standards and frameworks referenced

NIST SP 800-83 Rev. 1
CIS Controls v8.1
MITRE ATT&CK Enterprise

Standard versions should be verified from the official source before contractual reliance.

Frequently asked

Questions before we start.

We already have antivirus — what changes?

Antivirus catches known signatures. EDR catches behavior — process injection, credential dumping, lateral movement. Without 24/7 monitoring behind the EDR, alerts pile up. Our SOC is the monitoring layer that turns EDR from a tool into a control.
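To make the signature-versus-behaviour distinction concrete, here is an added example (not vendor detection content, and not part of the original page) of three behavioural rules run over constructed endpoint telemetry: a non-allowlisted process opening a handle to lsass.exe, a remote thread created in another process, and a service created on a remote host. The event schema, host names, and the short LSASS-reader allowlist are assumptions for the demo; the technique IDs are the MITRE ATT&CK Enterprise identifiers for credential dumping (T1003.001), process injection (T1055), and SMB/admin-share lateral movement (T1021.002).

```python
from collections import Counter
from dataclasses import dataclass

# Processes that legitimately open LSASS on a Windows host (constructed, deliberately short;
# a real deployment tunes this per environment during the tuning window).
LSASS_READERS_ALLOWED = {"MsMpEng.exe", "csrss.exe", "wininit.exe", "services.exe"}


@dataclass(frozen=True)
class Alert:
    host: str
    technique: str
    title: str
    process: str


def detect(events):
    """Apply behavioural rules to a list of telemetry events (dicts) and return alerts."""
    alerts = []
    for e in events:
        action = e.get("action")
        proc = e.get("process", "")
        host = e.get("host", "?")
        if (action == "open_process" and e.get("target") == "lsass.exe"
                and proc not in LSASS_READERS_ALLOWED):
            alerts.append(Alert(host, "T1003.001",
                                "Credential dumping: unexpected handle to lsass.exe", proc))
        elif action == "remote_thread" and e.get("target") and e.get("target") != proc:
            alerts.append(Alert(host, "T1055",
                                "Process injection: thread created in another process", proc))
        elif action == "remote_service_create" and e.get("remote_host"):
            alerts.append(Alert(host, "T1021.002",
                                f"Lateral movement: service created on {e['remote_host']}", proc))
    return alerts


def summarize(alerts):
    """Count alerts per (host, technique): the 'pile' a SOC has to triage."""
    return Counter((a.host, a.technique) for a in alerts)


# Constructed telemetry: two benign events and three that match the rules above.
SAMPLE_EVENTS = [
    {"host": "WS-007", "process": "MsMpEng.exe", "action": "open_process", "target": "lsass.exe"},
    {"host": "WS-007", "process": "explorer.exe", "action": "create_process", "target": "notepad.exe"},
    {"host": "WS-014", "process": "rundll32.exe", "action": "open_process", "target": "lsass.exe"},
    {"host": "WS-014", "process": "wscript.exe", "action": "remote_thread", "target": "explorer.exe"},
    {"host": "WS-014", "process": "cmd.exe", "action": "remote_service_create", "remote_host": "SRV-02"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host} {a.technique} {a.process}: {a.title}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

None of the three flagged events carries a file signature; each is a relationship between processes or hosts, which is exactly what a signature-only antivirus has no view of. The allowlist is also where the tuning work lives: every legitimate LSASS reader left off it becomes a false positive the SOC has to absorb.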

Will EDR slow down our endpoints?

Modern EDR (Defender for Endpoint, SentinelOne, CrowdStrike) typically uses 1-3% CPU at idle. We benchmark before deployment and tune exclusions for high-CPU line-of-business apps.

What happens when a real incident hits?

Our SOC isolates the affected endpoint, captures forensic artifacts, notifies your designated incident contact within 15 minutes (Severity 1), and follows the runbook documented in your incident response plan.

Start with your domain.

Free passive external assessment. 60 seconds. No signup to start.