This is an attempt to collect the most relevant information about existing EndPoint solutions focused on Incident

Response. The only information that is NOT collected is price. Sorry, this is not going to work.

If you think we are missing some columns, let me know!

It is by no means an exhaustive or even fair coverage at this early stage - I took many efforts to make it as objective as
possible, but since comparison is extremely difficult, there are definitely flaws here; use at your own risk. Do not sue
me :-)

But seriously, if you are a dilligent researcher, IRer, or perhaps even vendor and find mistakes or misrepresentation,
please do let me know and I will fix it.

An Objective and fair assessment is the key here ! Legend

Many features described here are looked at as a 'superset'. In many cases you may be dealing with a subset of all features
offered by the vendor/product. There is a huge difference if you buy MSS, or in-house managed solution, or a hybrid
(solutions managed by your vendor). Also, some solutions 'package' other solutions or have other 'heavy' dependencies
that may make it hard to work with.

DO NOT make any purchasing decisions based on this sheet!

Probably the most reasonable way to use this matrix is to see what features are being described, and use them to ask
more specific, technical questions to your vendors !!! X
Note that EDR is not a forensic solution; typically, it contaminates the evidence a lot
Use with a caution if you want to do L3 investigations !!! P

In the original version I listed a number of people who contributed to this document

Let me emphasize: this list was created with help from MANY people !!!

I want to thank all of them and I hope I didn't cross the line by making the matrix available to more people.

In order to prevent any accusations of any kind and to protect the innocent etc. I simply removed this part where I list all
the contirbutors, but I want to emphasize and make it crystal clear that this is a crowd-sourced information and not my
work at all; my main contribution was coming up with the idea, adding a list of features from a techie perspective,
describing it the sheets + putting it all together in a (hopefully) easy way to digest L

As an excuse for publishing it I can only say that I have received a really lot of questions and requests related to it and it
occurred to me that the best way to use this sheet better is to make it... more available. Okay, quite a few people actually
suggested to make it public, so there is obviously an interest....

Feel free to share; this is in a public domain *

Last, but not least - the companies and products are listed in an alphabetical way Organization

If you are a vendor and have a product that is not on the list, just give me a shout!

btw. don't ask me to read materials and brochures; honestly, I won't... please, better fill-in your copy of sheet and
pass it to me so I can merge it; thank you! The Matrix

Comments

There is no compliance/regulatory support listed here. The reason for it is simple - the focus of the matrix
is on the technical (often advanced) capabilities of EDR solutions for IR folk; if you need compliance/regulatory
information talk to your IR people; they can provide the evidence you need External Links
Yes, supported/active; typically advanced/full support
Partial support; may work, but not in all cases; may be implemented, but more a quick&dirty solution than actually
well-designed piece of functionality

Limited support - most likely doesn't work, but sometimes it may (ask the vendor)

Planned
empty cell = no support/no information

the Matrix of features

'loose' comments I received via email or in the sheets and could not convert them into a matrix, but wanted to
include them as they add a lot of value
Anton Chuvakin is god of EDR and has done a lot of research in this technology category (which Gartner calls Endpoint
Detection and Response or, EDR - the term I used in this sheet as well)

http://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/
http://blogs.gartner.com/anton-chuvakin/2015/07/23/reality-check-on-edr-etdr/
http://blogs.gartner.com/anton-chuvakin/2016/06/20/our-comparison-of-endpoint-detection-and-response-
technologies-and-solutions-paper-publishes/
 Management
General Info SUPPORTS system

Web Manager
On Premises
Windows

Android
Solaris

Cloud
Linux

OS/X

AIX
Company Product

iOS
Carbon Black (Formerly Cb Response X X X X X X
Bit9)

SandBlast Agent
Check Point X * X
(w/ Complete Security)

Cisco AMP for Endpoints

Cisco X X X X X X X
(old product FireAmp)

Carbon Black (Formerly Cb Defense (formerly X X X X

Confer.net) Confer)

Endpoint Threat Platform

CounterTack X X X X X X
(ETP)

CrowdStrike Falcon X X X X X

Cynet Cynet 360 X X X X X

Cybereason Cybereason Platform X X X X X X

CyberSponse Security
CyberSponse X
Operations Platform

CyFIR LLC CyFIR Enterprise X X X X X

Cylance CylancePROTECT X X

Dell SecureWorks Red Cloak X X

Facebook osquery X X X
Fidelis Endpoint X X X X X X X

Google GRR X X X

Endpoint Security
(Formerly EnCase
Guidance X X X X X X X
CyberSecurity); currently
integrated with Analytics

Hipara Threat Detection Services x

MIR -> rebranded to

Mandiant/FireEye FireEye HX (see X X X X X
comment!!)
MANTech/HBGary ActiveDefense X
Microsoft Sysmon X
Defender ATP
Microsoft (Advanced Threat X X
Protection)

Morphick Endpoint
Morphick Inc X X X
Security

NexThink NexThink X X

Nuix NIAS and NIAI X X X X X

Outlier Security, Inc Outlier X

osquery Extension for

PolyLogyx X
Windows

ReaQta ReaQta-Core X X X L L X X X

refractionPOINT LimaCharlie X X X L L X X X

Cyber Security Threat

Reversing Labs X X X X X X X X
Analysis Platform
 RSA Netwitness Endpoint
- formerly RSA Enterprise
RSA Compromise Assement X X X X
Tool (ECAT)

Automated Endpoint
Secdo Security & Incident X X X X X
Response

Endpoint Detection and

Response + Endpoint
SentinelOne X X* X X X* X X
Protection (as AV
replacment or as add on)

Percipient Networks LLC Strongarm - Intelligent X

Malware Protection

Tanium Tanium Endpoint Platform X X X X X x x

ThreatStack
Deep Discovery
TrendMIcro Inspector+Analyser+Endp X X
oint Sensor

Triumfant - Endpoint
Triumfant X X
Security

* planned feature
 Agent Visibility across environment

Volatile Data
Intercept Snapshots
Host Events (VDS)

X
lightweight kernel mode & user-space agent that Full visibility. Deploy on all endpoints to see status of all activity
captures all activity that has security value and syncs across the environment and highlight occurrence of any bad
the data real-time to a celtralized server files or behavior.

Kernel mode user agent to perform analysis of files, Sandboxing for files, analysis of malicious communication and X
communication patterns and behavioral anomalies. identification and automated remediation for ransomware.

Solid for behavioral based on its own, really shines when tied in
end point user context, looking for behavioral with network based components and additional addons X
anomolies (threatgrid)

End point agent, low profile has blocking capabilities on X

multiple indicator types End point agent reporting up to cloud for global views

agent is injected into the lowest level of the kernel which

allows to intercept operating system functions like network and X
file access without the need to decode or reconstruct the file
system or network
Kernel mode objects.

can deploy on all endpoints, records ~250 events across 25 X P

kernel mode. Designed to provide full endpoint security categories providing full account of execution, file system,
suite . network, and registry activities on the system

Process execution, network communication, user logins, file X

activities (open, close, create, execute), installed softwar,
1 agent with optional kernel driver that collects versions, windows patches and more.
process, files, users and network data, including static All the collected data is analyzed and corelated into our
and dynamic data. centrelized sensor fusion.

can deploy on all endpoints. Automated hunting engine

compares against aggregated threat intel and hunts for X
evidence of malicious use across various attacker behavior
models; full visibility into data set for manual hunting in
user mode / system context. No kernel component Investigation section of console

Can deploy on all endpoints. Allows searching across entire X X

enterprise simultaneously for files, strings, Registry, and hash
User-mode, service process, but leverages kernel mode values. Deeper inspection available on files on disk and live
driver. Has watcher process to ensure agent driver isn't RAM through remote live view of individual endpoints or
unloaded by user/bad actor. search results from across enterprise.
End point agent focused on blocking malicious content End point agent reporting up to cloud or internal host for X
from executing global views
Collects endpint telemetry and forensic artifacts on all X X
Both user and kernel mode components Windows endpoints in one federated console

Converts the endpoint data and activity in to SQL styled tables. X (on
Collects real-time event data only on Mac and Linux wit Mac/Linux)
User mode agent on Windows & thus limited support from kernel extensions. Has an extensible model for
functionality; Kernel support for Linux/MacOS adding more functionality via extensions.
 Black box flight recorder, forensic acquisition of disk and
memory, live memory analysis, threat hunting, advanced X X
monitoring, retrospective detection, auto-harvesting for
information on endpoints and correlate against TI, IR
agent runs as SYSTEM/NT AUTHORITY Workflows
Python based w/ bundled interpreter. X

Conditional endpoint analsys, Forensic-Garde remediation (no L X

wipe or re-imageing needed), IOC-Search, creates a
baseline of endpoint activity used to
detect anomalous behavior, validate, triage, and assess the
Kernel mode (Unified Agent), small footprint (<1MB) impact of malicious activity
Kernel & user mode, leveraging Yara and custom threat- Host-centric software doing for the host what Snort did for the x
centric modules network

user-mode, service process, but leverages kernel mode

driver. X X
OSX & Linux have limited features
X
None; just an .exe loading a driver X

None

end point agent watches large number of statistical great for statistical trending of changes, communication paths, X
points for comparison and highlighting changes changes to typical communications between machines

Captures behaviours on the machine as well as netflow data.

Intelligent agent that protects endpoints even if they Allows you to apply groupings to the endpoints for user group X X
are offline specific analysis
None X

Provides the real time event captures for Windows

integrated with osquer agent. So far the only extension X
in osquery ecosystem to deliver real time events An extension into osquery that provides more visibility into
capturing on Windows system events backed by real time collection

X
- Full visibility. Deploy on all endpoints, sitting outside of the
OS to gathers ALL logs and gain complete visibility.
- Collects endpiont's telemetry and forensic artifects on all
kernel mode Windows endpoints, repot back to management console.

Lots of base events (network, file, process etc). Many roll-up

events (de-duplication). Some detection events for common X
Cross platform, open source, realtime agent. Mostly injection techniques. Yara constant scanning (mem+file). All
user mode with kernel mode data acquisition events buffered in agent, fully customizable filter to send to
(optional). backend.

Network file flow sensors for capturing payloads for inbound,

Lighweight file assesment engine works against storage, outbound and laterally moving traffic across HTTP, SMTP and
file shares, cloud apps to recursively analyze and classify FTP. Lightweight engine or endpoints, storage and web app
file based content. content analysis.
 X X

Yes, can see volume with each process/file and list of

user-mode, service process, but leverages kernel mode machines, highlights interesting things by process, files or
driver anomolies

Lightweight Kernel (kernel driver)and User Mode X

(service process) agent that captures all data at the
thread-level giving it the ability to follow the branch of
an individual task/instruction within a process. Records Recommended distribution to all endpoints for full visibility of
all process, user, file and behavioral activity and sends all process, user, file and behavioral activity. Centrally stored
to central server. Approx. 5-7mb per endpoint and data is available in real-time and is capable of 100+ days of
limited to 1% of CPU. retention for over 100,000 endpoints.

Fully autonomous agent protects endpoints outside the X X

corporate network regardless if they are on or offline Full visibility. Deploy on all endpoints to see status of all activity
without the need to offload data for centralized analysis across the environment. Supports search and threat hunting 3
or decision making. month back across Windows, macOS and Linux.

X X

user mode/system level context for full system scanning

Can deploy on all endpoints to highlight abnormalities or low
user-mode, service process occurances of objects

deloly the Deep Discovery Full suite, to gain visibility on

endpoint, network

end point agent watches large number of statistical

points for comparison and highlighting changes, low X
occuring files or changes to known files in the Deploy on all endpoints for complete understanding of files in
environment your network and to highlight outliers
 On-host DFIR capabilities

VDS based on Physical Mem $MFT dump Supports Supports IR capabilities

Supports
acq or Full Packet Kernel Mode Custom Supports more Does it send when
Physical RAM Dump acq Sweeps
metadata capture coverage Sweeps queries complex alerts? endpoint off
analysis (IOCs)
extract (IOCs) queries premises

X P X X X X X X X

X
X X X X (via Smart X
Event)

X X X X X X X

X P X X X X X P

X X L X X X X

P X X X X X X X

X X X X X X P X X

X X X X X X

X X X X L X X

L X

X X X X X X X

X (on X X X X
Mac/Linux)
X X X X X X X X X X

X X X P X* X* X* X* X X

X X X X X

x x x x

X X X X X X X X X X

X X X
X

X X X

X X

P X

X X X X

X X

X* X X X X X X

X X X X X X X

X X X X X

X X X X
X X X P X X X

X X * X X X X X X X

X X X X X X X X X

X X

X x P X x X x x x

X X X X

X
bilities Cov

Self-
Supports Historical Forensically Protection/D Whitelisting,
Insider Threat Asset data (f.ex. etection of Remediation capabilities f.ex. isolation, live console Reputation,
Detection sound?
Inventory snapshots) Sensor Data Stacking
tampering

Allows to isolate the system (cut it off the network)

Block executable by hash
X X X Y X X (+ bit9)
Live Console for any other remediation activity - including
halting processes and removing malicious files and code

P X Allows for full automated remediation of infected endpoints. X

P X X see Comments X

L (can kill known bad or processess scoring above a certain

X X X X
threshhold)

endpoint quarantine/network isolation

live console-remote endpoint command
X X X X X
manual kill process
acquire file/sample, del file

Allows to isolate the system (cut it off the network), block by

X X X X X
hash

X X X X X X X

kill process, quarantine file, remove autorun, network

X X X P X X
isolation, prevent execution anywhere else in environment

GUI provides functionality to interact with host with full

access to disk and RAM contents. Live remote console allows
command-line access to endpoints at System permission
X P X X
level. Automated analysis of running processes on endpoints
to determine potential threats in environment (optional
module).

L (Focus is on killing process before it can execute if known X

bad. Also has a quarantine mode)

X N

X
X X (Mac &
Linux)
 Custom semi-automated taskt (alert response), File-collection
P (only & delete, Network Isolation, Process Kill, Windows Features
X X P X X
Windows) Enable/Disable, Windows Firewall Enable/Disable, Windows
Update Install and other more plattform depended tasks

X X X P P

Kill running processes and surgically contain and remediate

malicious files, processes, and registry keys without the need
X X X X
to
conduct a full wipe-and-reimage.

x x

X P X see Comments X

X X

X X N X X

X X X*

endpoint quarantine/network isolation

live console-remote endpoint command (with restricted
X X X X
command- due to privacy concern and to avoid the feature
being misused)

Stop execution, delete file etc.From rule in sensor, from

X X X P Python API in backend, or interactively from command line P
interface in realtime.

X X
 L (can pull stats from point in time and limited blocking of X (+ bit9
processes) limited)

Isolation (cut from network), Live Terminal and PowerShell,

File Live File Manager, Live Task Manager, Process Kill and
Freeze (stop process in memory then kill or revert), Blacklist
of IP/Hash/Path across all endpoints, Replace Registry Key,
X X P X X
run custom scripts.
Responses can be automated on Detection of TTP or IOC
event

Supports quarantine of the entire malicious group (not just

the malware artifact), remediate (cleaning up any registry
X X X X X X
attempts, schedule tasks and any leftovers the malicious
attempt created), support network isolation

X X P X

Folder
protected Allows to deploy packages to remove most common
X X x N from normal X
artifacts. Can also isolate endpoints.
users from
viewing

X
 Coverage of the threat landscape + backend support (extensibility/plugins/yara)

non-malware
Financially Feeds
Known APT attacks VT Yara
BlackListing motivated Web Shells Ransomware (Owasp top API support integration Plug-ins
groups integration (not
malware only VT!) integration
10)

P (on X X X X X X X X X
executables)

X X X X X

X X X X X L X X

X X X X X X X

X X X X X X X X

X X X X X X X X X P P

X X X X X X X

X X X X X X X X X

X (VT,
OPSWAT,
X X and Joe
Sandbox)

X X X L X X

X X X X X X X X

X X
(Mac/Linux)
X P X P X X X X X P

X X X X

X X L L L X X

x x x x x x

X X X X X X P X

X X X X N

python-
X X X X X based

X X X X

X* X*

X X X X L L

P X++ X X X X

X X X X X X X
 can add in
additional
limited to limited to RSA features
RSA live such as
X (both blacklist feeds, yara live feeds, yara,
& block yara rules, X X X
rules, metasploit
cpabilities) custom
custom for
content
content additional
scanning
capabilities

X X X X X X X X X (Plugin) X

X (offering ReversingLa
X X X X X X X
guarantee) bs

X X X X X X X

only if
coded in
(custom x X X x Yes
builds
offered to
customers)

X X

X L L L
Company Product

Carbon Black (Formerly

Bit9) Carbon Black Enterprise Response
SandBlast Agent
Checkpoint (w/ Complete Security)

Cisco AMP for Endpoints

Cisco Old name: FireAmp

Confer.net Confer

CounterTack Active Defense

CounterTack ctf

CrowdStrike Falcon
CyberSponse Security Operations
CyberSponse Platform

CyFIR Cyfir

Cylance CylancePROTECT
Cynet Cynet 360

Dell SecureWorks Red Cloak

Facebook OSQuery

Fidelis Endpoint

Google GRR

Guidance EnCase CyberSecurity

Hipara Hipara
Mandiant/FireEye MIR -> rebranded to FireEye HX
MANTech/HBGary ActiveDefense
Microsoft SysMon

Microsoft Threat Detection Services

Defender ATP
Microsoft (Advanced Threat Protection)
Morphick Inc Morphick Endpoint Security

NexThink NexThink
Outlier Security, Inc Outlier
Strongarm - Intelligent Malware
Percipient Networks LLC Protection
PolyLogyx

ReaQta ReaQta-Core

refractionPOINT LimaCharlie

ReversingLabs Cyber Security Threat Analysis Platform

RSA Netwitness Endpoint - formerly RSA

Enterprise Compromise Assement Tool
RSA (ECAT)
Automated Endpoint Security &
Secdo Incident Response
SentinelOne Endpoint Detection and Response
Tanium Tanium Endpoint Platform
ThreatStack

Deep Discovery
TrendMIcro Inspector+Analyser+Endpoint Sensor

Triumfant Triumfant - Endpoint Security

Comments

Primarily focuses on white/blacklisting executable content and highlights rare finds [data stacking]

Executable-focused with whitelisting/blacklisting capabilities

Carbon Black is a tool, not a service

Would benefit a lot from a support of regexes, and less noise in alliance feeds + actually working ban by hash (doesn't seem to work all the time)
Answers focused specifically on the SandBlast/Forensics component, which can be included as part of a larger suite of Endpoint protections (like Application Control) that
would also check off more boxes.

Ties into the full cisco FireAmp & sourcefire suite to enhance both network layer and endpoint visibility. Same base agent for both network & endpoint

next gen behavioral endpoint agent looking for IOC's and tie in's to network anomolies as well as file scanning

End point agent looks for behavior indicators and tags behaviors highlighting suspicious processes

Agent constantly runs to catalog all activity on a machine, highlights interesting and deviant behaviors and files. Full process tree of event trajectory.

Cloud manager, web management. Also have on premises solution as well

- feb 2012 Mantech acquired HBGary

'-july2015 Countertack acquired Mantech

Backend run by Hadoop -big data analytics

Digital DNA is in-memory malware behavioral detection and analysis engine featuring well over 2,200 traits and its ultra-advanced Malware Genome library.

Part of https://www.mwrinfosecurity.com/

Endpoint agent has good coverage of oddities and lifecycle of the process

Agent constantly runs to catalog all activity on a machine, highlights interesting and deviant behaviors and files. Full process tree of event trajectory.

Both service+tool
It has been suggested to remove this item from the list; this is as per the email: <<I would suggest removing CyberSponse from the list because they are an Incident
Management & Workflow platform not an EDR tool.>>

More of a deep forensic tool - you have to know what machine to start looking at but provides a full view into the machine remotely (similar to encase)

Deep forensic level end point analysis from registry hives to currently running processes

Focused on blocking malicious files from executing on endpoint. Previously focused on executables, has been expanding capabilities

agent constantly scanning files and looking up in databases for matches of white or blacklist. Additional behavioral triggers also cataloged

Focus on detecting targeted threat actor behavior during actions on objective with the goal of reduce time to detect and effort to respond. Built for and used by the
Counter Threat Unit research team to conduct Targeted Threat Hunting engagements.

Fidelis Endpoint identifies compromised endpoints and automates your investigation and response by eliminating time-consuming manual steps so you triage and validat
suspected incidents faster.

GRR Rapid Response: remote live forensics for incident response

Apparently used by Google, so must be good ;)

You can collect full ram image or just process list, network connections
Open Source project
MIR was recently rebranded to the Fireeye HX name but retains the functionality of MIR

This would be the new HX product as MIR as we know it is been redeveloped into Fireye's HX product

Fireye's HX
* Agent allows for Sec Team to "contain" a host by cutting off all network communication except to the HX appliance and whitelisted IP's.
* The HX appliance can be placed in the DMZ so that hosts can be monitored, contained, investigated, etc even off the corporate network.
* The HX is loaded with FireEye/Mandiant IOCs but also receives new IOC's based on threats seen by the NX appliance

The product is not VDI aware and hence is not able to determine when requests (aka. enterprise searches) are being executed across all of the hosts in the environment.
In an oversubscribed environment the Mandiant MIR solution has the capability of starving the VDI environment its storage layer and hence bringing the entire
environment down. The new version of HX 3.1+ allows you to group together hosts into host groups to limit the impact however the agent itself should be a little more
aware about the VDI environment and schedule/manage enterprise searches more effectively.
web browser / UI poorly implemented in older versions
SysMon utility from Sysinternals

https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp
sold as service not as standalone tool

More of a sys admin compliance tool also has security uses for compliance and behavioral oddities starting to branch into security focused themes

Statistical anomoly highlighting with tie ins to various other tools for lookup capabilities
claims to have zero impact on endpoint (no agent)

Claims to log all unfiltered data. (except FileOperations and RegistryOperations-may change in future)
ReaQta's list of collected event&forensic info is comprehensive
Sensor constantly runs and in realtime connection with the cloud (Cloud hosted or on premise, Apache v2 License). Backend detection APIs designed to operate as an
extension of the sensor.

Technology based on recursive file decomposition that classifies files based on code similarity to known malware and goodware. Because of its speed it can identify over
3K files formats and process payloads over 40GB in size. It can be used as an on premise VirusTotal alternative (has portable file reputatio database), and a network file
flow sensor that keeps history of payload activity for every IP address on the network (great for root cause identification). YARA hunting APIs are available for search
against 3x more net new malware daily.

Unique features are: retrospective alerting on file disposition changes (unknown to good/bad; good to bad, and bad to good); static extraction of configurations for RATs,
Downloaders and Ransomware; non-WinVerifyTrust certificate validation; hunting searches based on tag & code similarity over 2.5B files (this is not related to VirusTotal)
on-premises private Cloud appliances and portable devices

Ties into other RSA products, newer acquisition

Highlights abnormalities across environment from processes to files to memory analysis. Allegedly signature-less approach

Management is windows server based

It is not enterprise ready. The solution requires all agents to basically connect back to the one central unit which doesn’t scale in large environments. There are no real
RBAC controls in the solution and in two simple commands: “CTRL-A” and “CTRL-R” you reboot all the workstation in your environment with no secondary authorisation
prompts for reboot.
Endpoint agent able to pull information from anywhere on machine. More of a query level tool with limited remediation options

Scales well to large networks

Good for visibility across endpoints, very granular

It can be interactive or require sweeps, more commonly sweeps are used at present. However it is much much faster at these sweeps for most common tasks than say
MIR, it can scan an entire enterprise for the presence of a given file and report the results back to you 'live' in about four or five seconds for example.

You can schedule sweeps at a regular intervals to create streams of events (such as running processes) in order to generate historical data.

Tanium does not have any (or has very little) inbuilt functionality to detect anomalies - however you can build some yourself through periodic sweeps and then simple SQ
queries etc.

The real advantage to Tanium from a detection point of view is that you can build your own functionality through developing your own PowerShell/VBS scripts to do wha
you want and grab data that you want.

Tanium heavly relies on Visual basic Script and bash scripts for its sensors; it also relies on external tools to deliver some of its capabilities f.ex. Rekall for memory dumps,
RawCopy for copying file out of the NTFS file systems

Tanium does not rely on a centralized server; it passes the messages via P2P-like network; this has pros (it's fast), but also cons (snowball effect is easy to come across; it's
easy to run queries that may be dangerous)

Its architecture is a subject to DoS when an incorrect query is ran / sensor is deployed; this may affect productivity

it's noisy; it deploys a large number of tools that are placed on each client, including dual-purpose tools like nmap.exe, sysinternal tools, etc. the 'Trace' module wraps
sysmon; uses rekall and rawcopy for memdumps and $MFT access/native file copy

Its M.O. is polling as opposed to see-it-all approach and it may miss events (race condition)
not sure if it fits here

It appears that Trend Micro (TM) EDR built on the existing Deep Discovery series, by introducting Enpoint Sensor for additional context- endpoint visibility.
Deep Discovery series fall under the Network Defense category which was a sandbox approach, focus on network.

Take note that the Endpoint Sensor is a separate agent to its EPP-OfficeScan solution.

broad range scanning of files for malicious/abnormal activity. Not a lot of detection on kernel/processes

Primarily file based - looking for statistical outliers, not limited to just executables
Online Online2

https://www.bit9.com/solutions/carbon-black/

https://www.checkpoint.com/products/endpoint-sandblast-agent/

http://www.cisco.com/c/en/us/products/security/fireamp-endpoints/

http://www.confer.net/

http://www.countertack.com/ https://www.mwrinfosecurity.com/

http://www.crowdstrike.com/products/falcon-host/

https://cybersponse.com/

http://www.cyfir.com/

http://www.cylance.com/products/protect/

https://www.cynet.com/

https://www.secureworks.com/capabilities/managed-security/endpoint-security/red-cloak

https://github.com/facebook/osquery

https://www.fidelissecurity.com/fidelis-endpoint

https://github.com/google/grr

https://www.guidancesoftware.com/products/Pages/encase-cybersecurity/overview.aspx

https://www.hipara.org
https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-hx-series.pdf

https://support.hbgary.com/products/activedefense/
https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx

http://download.microsoft.com/download/6/3/0/6309C906-0125-4694-B1C9-EFE49D990048/Microsoft_Threat_Detection_Services.pdf

http://www.morphick.com/

https://www.nexthink.com/

http://www.outliersecurity.com/

https://strongarm.io/

https://polylogyx.com/

https://reaqta.com

https://github.com/refractionPOINT/limacharlie

https://www.reversinglabs.com/products/malware-analysis-appliance.htmlhttps://www.reversinglabs.com/products/file-reputation-appliance.htmlhttps://www.reversin

http://hk.emc.com/security/rsa-ecat.htm

http://secdo.com/

http://www.sentinelone.com/
https://www.tanium.com/

https://www.threatstack.com/

http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/

http://www.triumfant.com/