
February 24, 2026

Cyber myth buster: EDR and backups aren’t a security strategy

Endpoint detection and response (EDR) and data backups are essential tools in any cybersecurity program. They help detect threats on endpoints and recover data when things go wrong. But relying on them alone leaves critical gaps.

The truth? EDR and backups are only two layers in a much larger defensive stack. Without visibility across your environment and the ability to respond fast, you’re still vulnerable, and attackers know it.

As threat actors scale their efforts with automation and AI, the cost of delay grows. EDR and backups are a good foundation, but they’re not a strategy.

Why EDR alone doesn’t equal “protected”

EDR is designed to detect and respond to suspicious activity on laptops, servers, and workstations where an agent is installed and reporting. It provides:

  • Visibility into endpoint behavior
  • Detection of suspicious activity
  • Real-time blocking of threats like ransomware

But there are major limitations.

Threats don’t always start on the endpoint

EDR solutions see what happens on the endpoints where they are deployed. But many modern attacks start where EDR wasn’t designed to cover end-to-end, such as:

  • Identity (accounts and access): When attackers gain control of legitimate accounts, through stolen credentials, MFA fatigue, token theft, or privilege escalation, they can bypass endpoint protections entirely and operate as a trusted user.
  • Email: Phishing, credential harvesting, malicious attachments, business email compromise (BEC), and hidden inbox rules are used to steal credentials, redirect payments, or establish persistence before endpoint defenses are involved.
  • Cloud and SaaS: Attackers target Microsoft 365, Google Workspace, and other SaaS platforms by abusing OAuth permissions, making suspicious admin changes, or downloading sensitive data. Because this activity happens within legitimate cloud services, it may never be flagged by EDR.
  • Network and remote access: Exposed RDP or VPN services, misconfigured firewall rules, insecure remote management tools, and reconnaissance activity give attackers a way in. Once connected through legitimate remote access, they can operate without deploying obvious malware.
  • Unmanaged and shadow IT: BYOD devices, contractor systems, rogue applications, endpoints missing agents, and off-network devices create blind spots. If security tools aren’t deployed, or can’t be enforced, attackers can use these gaps to gain footholds undetected.

Detection without response is not protection

EDR produces alerts and telemetry. Turning that into protection takes people and process:

  • Triaging noise versus real threats
  • Connecting activity across endpoints, identity, email, cloud, and network
  • Containing quickly and confidently
  • Threat hunting for persistence and lateral movement
  • Remediating thoroughly (not just "close the alert")

Without a response layer, EDR is just signals. And signals don’t reduce risk. Alerts get missed or triaged too slowly, early indicators don’t get connected, and attackers gain time to escalate, move laterally, and expand impact.

The result is simple: delayed response turns “suspicious activity” into a full incident. When that happens, containment is harder, recovery takes longer, and the business impact is significantly higher.

Reactive security leads to disruption

Relying on reactive detection makes disruption more likely because you’re responding after an attack is already underway. And as attackers move faster and at higher volume, often accelerated by AI, the cost of delay compounds quickly.

  • Alerts sit too long, giving attackers time to escalate and expand impact
  • Early signals don’t connect, so small warning signs become a broader incident
  • Containment happens late, leading to operational or customer disruption
  • Remediation gets rushed, increasing mistakes and repeat risk
  • Recovery drags on, driving higher downtime and cost

Why "we have backups" isn't the safety net some think it is

Backups are critical for recovery but they don’t prevent disruption. Think of them as a last resort, not a defense strategy.

Attackers often target backups deliberately

Modern ransomware groups don’t treat backups as a footnote. They treat them as an objective. If they can weaken recovery, they increase pressure and payout.

Typically, that means attempts to:

  • Find backup infrastructure early by enumerating storage locations, backup servers, consoles, and admin accounts
  • Sabotage backup operations by disabling schedules, deleting jobs, corrupting repositories, or changing retention settings
  • Encrypt or delete backups so recovery becomes slow, incomplete, or impossible
  • Steal or reuse backup credentials (often highly privileged) to access repositories directly and wipe restore points

This isn’t an edge case; it’s a common step in the playbook. So “we can restore” isn’t a guarantee. It’s only true when backups are protected, isolated, and regularly tested, and when access to them is hardened against the same identity-compromise attacks used elsewhere.
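The four conditions above (protected, isolated, regularly tested, hardened access) can be checked rather than assumed. The following is an added example, not code from the original post or any backup vendor: it walks a constructed backup inventory and a list of backup admin accounts and reports every way the “we can restore” claim would fail. The inventory shape, the 90-day restore-test threshold, and the account attributes are assumptions for the illustration.

```python
"""Assess whether "we can restore" actually holds for a backup estate.

Added illustration (not the post's own code).  It checks the four
properties named in the text: an immutable copy exists (protected), an
offline/out-of-band copy exists (isolated), a restore was tested recently
(regularly tested), and backup admin identities are not the same ones an
attacker gets by compromising the production directory (hardened access).
"""
from datetime import date, timedelta

# Constructed inventory: for each protected system, a list of backup copies.
# Field names and values are assumptions, not a real product's schema.
INVENTORY = {
    "file-server": [
        {"location": "onsite-nas", "immutable": False, "offline": False,
         "last_restore_test": "2025-12-15"},
        {"location": "cloud-bucket", "immutable": True, "offline": False,
         "last_restore_test": "2026-01-20"},
    ],
    "erp-db": [
        {"location": "onsite-nas", "immutable": False, "offline": False,
         "last_restore_test": "2025-09-01"},
    ],
}

# Constructed backup administrator accounts.  "domain_joined" means the
# account lives in the same directory as production users, so a domain
# compromise hands the attacker the backup console as well.
ADMINS = [
    {"name": "bkadmin", "mfa": False, "domain_joined": True},
    {"name": "bk-break-glass", "mfa": True, "domain_joined": False},
]

MAX_TEST_AGE_DAYS = 90   # assumed policy value


def assess_backups(inventory, admins, today, max_test_age_days=MAX_TEST_AGE_DAYS):
    """Return a list of (subject, problem) findings.  An empty list means
    every system has an immutable copy, an isolated copy, a recent restore
    test, and every backup admin is MFA-protected and separate from the
    production directory."""
    findings = []
    for system, copies in inventory.items():
        if not any(c["immutable"] for c in copies):
            findings.append((system, "no immutable copy: a compromised backup "
                                     "admin can delete every restore point"))
        if not any(c["offline"] for c in copies):
            findings.append((system, "no isolated/offline copy: repository is "
                                     "reachable from the production network"))
        tested = [date.fromisoformat(c["last_restore_test"])
                  for c in copies if c.get("last_restore_test")]
        if not tested or today - max(tested) > timedelta(days=max_test_age_days):
            findings.append((system, "restore not tested within %d days"
                             % max_test_age_days))
    for acct in admins:
        if not acct["mfa"]:
            findings.append((acct["name"], "backup admin without MFA"))
        if acct["domain_joined"]:
            findings.append((acct["name"], "backup admin shares the production "
                                           "directory: one identity compromise "
                                           "reaches the backups"))
    return findings


def restore_claim_holds(inventory, admins, today):
    """True only when no finding remains."""
    return not assess_backups(inventory, admins, today)


if __name__ == "__main__":
    for subject, problem in assess_backups(INVENTORY, ADMINS, date(2026, 2, 24)):
        print(f"{subject}: {problem}")
```

Run as a script it lists six gaps for the constructed estate; the ERP database has no protected or isolated copy and an untested restore, and the shared, non-MFA `bkadmin` account means the identity compromise that reaches production also reaches the backups.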

Restoration doesn't solve data theft (double extortion)

Even if your restoration is flawless, backups don’t address a major part of how ransomware operates today: data theft and extortion. Organizations can still be dealing with:

  • Stolen data used as leverage, with threats to publish, auction, or leak information unless a payment is made.
  • Customer notifications and contractual obligations, depending on what data was accessed and what your agreements require.
  • Reputational fallout and churn, especially if customers lose confidence in how their data is handled.
  • A long tail of trust repair, because restoring systems doesn’t automatically restore confidence.

Backups help you rebuild systems. They don’t “un-steal” sensitive data or undo the downstream consequences of exposure.

The real cost is operational disruption

Even with strong backups and a successful recovery, the organization still pays a price. This price often creeps up in ways leaders don’t anticipate when they say, “We can just restore.”

Successful recovery often still includes:

  • Downtime and delayed operations, which can mean lost revenue, missed SLAs, and disrupted service delivery.
  • Productivity drags for days or weeks, as teams re-image devices, reset credentials, validate systems, and rebuild confidence in what’s safe.
  • IT and leadership bandwidth consumed by incident work, pulling focus from strategic priorities and customer-facing initiatives.
  • Complex communication decisions, including internal messaging, customer updates, legal guidance, and stakeholder management.

And yes, cyber insurance can still become painful: more scrutiny, requirements, and friction at renewal. The incident may be “handled,” but the business impact and follow-on work can linger well beyond the restore.

The shift from “reactive” to “resilient”

EDR and backups are part of resilience. Security requires multiple layers of protection, encompassing people, processes, and technology across your environment, designed to reduce the chance of compromise and limit the disruption when something gets through.

Beyond that, a defensible security posture is about more than recovery. It’s about reducing the likelihood of compromise, catching threats early, and responding fast enough to prevent disruption when something does happen.

A practical way to think about it is through four connected capabilities:

1. You can't protect what you can't see

Resilience starts with having visibility into what you’re defending and where risk is showing up:

  • Full asset coverage across endpoints, identities, email, cloud/SaaS, and network access paths
  • Clarity on unmanaged devices, shadow IT, and external exposure
  • Telemetry that’s connected enough to see patterns, not isolated alerts in separate dashboards
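The “connect activity across endpoints, identity, email, cloud, and network” point from the response section above and the “connected telemetry, not isolated alerts” point here are the same requirement, so one added example serves both. It is not code from the original post: it correlates constructed events from four sources by user inside a time window and escalates only when the combined chain crosses a threshold that no single signal reaches. The event layout, the per-signal weights, the 4-hour window and the threshold are assumptions for the illustration.

```python
"""Cross-source correlation of low-signal events.

Added illustration, not the post's own code.  Each event alone is the
kind of thing that sits in one console at low severity; grouped by user
and time they describe a chain (identity -> email -> cloud -> endpoint)
that an endpoint-only view cannot see.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).  In practice these would
# be normalised records from the identity provider, mail platform, cloud
# audit log and EDR; here they are embedded inline so the example runs offline.
EVENTS = [
    {"ts": "2026-02-20T08:02:00", "source": "identity", "user": "j.doe",
     "action": "signin_new_country", "detail": "country not seen in 90 days"},
    {"ts": "2026-02-20T08:05:00", "source": "email", "user": "j.doe",
     "action": "inbox_rule_created", "detail": "forward externally, mark read"},
    {"ts": "2026-02-20T08:09:00", "source": "cloud", "user": "j.doe",
     "action": "oauth_consent_granted", "detail": "mail read/write to unverified app"},
    {"ts": "2026-02-20T09:30:00", "source": "edr", "user": "j.doe",
     "action": "lolbin_execution", "detail": "built-in tool used to fetch a file"},
    {"ts": "2026-02-20T11:00:00", "source": "identity", "user": "a.smith",
     "action": "signin_new_country", "detail": "travel pre-registered"},
    {"ts": "2026-02-21T14:00:00", "source": "edr", "user": "a.smith",
     "action": "lolbin_execution", "detail": "admin maintenance script"},
]

# Assumed per-signal weights.  None reaches ESCALATE_AT on its own.
WEIGHTS = {
    "signin_new_country": 2,
    "inbox_rule_created": 3,
    "oauth_consent_granted": 3,
    "lolbin_execution": 3,
}
ESCALATE_AT = 6                 # assumed threshold
WINDOW = timedelta(hours=4)     # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW, threshold=ESCALATE_AT):
    """Group events by user, slide a window over each user's timeline,
    and return one finding per user whose best window scores >= threshold.
    Distinct sources add a bonus because breadth across identity, email,
    cloud and endpoint is itself a signal."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        best = None
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if _ts(e) - _ts(start) <= window]
            sources = {e["source"] for e in chain}
            score = sum(WEIGHTS.get(e["action"], 1) for e in chain)
            score += max(0, len(sources) - 1)          # cross-source bonus
            if best is None or score > best["score"]:
                best = {"user": user, "score": score, "sources": sorted(sources),
                        "chain": [f'{e["ts"]} {e["source"]}:{e["action"]}'
                                  for e in chain]}
        if best and best["score"] >= threshold:
            findings.append(best)
    return findings


def endpoint_only_view(events):
    """What a team that only looks at EDR alerts would see."""
    return correlate([e for e in events if e["source"] == "edr"])


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f'{f["user"]} score={f["score"]} sources={f["sources"]}')
        for step in f["chain"]:
            print("   ", step)
    print("EDR-only findings:", endpoint_only_view(EVENTS))
```

With the constructed data, `j.doe` escalates (score 14 across four sources within 90 minutes) while `a.smith`, whose two events are a day apart, does not; the EDR-only view returns nothing for either user, which is the gap the text describes.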

2. Reduce the chance a threat becomes an incident

This capability is about prevention, closing the pathways attackers rely on most:

  • Identity hardening: MFA, least privilege, conditional access, admin controls
  • Exposure management: patching, misconfiguration fixes, secure defaults
  • Controls that limit blast radius: segmentation basics, restricted admin pathways, secure remote access

3. Minimize disruption when something slips through

Even strong prevention won't stop everything. That's where rapid detection and response comes into play, because the difference between a security event and a business incident is speed:

  • 24/7 triage (or a clear on-call model) so alerts don’t sit unattended
  • Fast containment actions across systems: isolate hosts, disable accounts, revoke sessions and/or tokens, block malicious activity
  • Skilled threat hunting to confirm scope and stop lateral movement early

4. Fix root cause, remove persistence, prevent repeats

Containing an alert isn’t the same as ending the threat. Remediation makes resilience real:

  • Root cause analysis (how they got in, what control failed, what to change)
  • Removal of persistence, credential resets where needed, and validation that access is clean
  • Hardening and lessons learned applied back into prevention so the same play isn’t repeated

Backups help you recover, but resilience comes from visibility, prevention, rapid detection and response, and thorough remediation. This way, attacks are less likely to succeed and less likely to disrupt the business even when they’re attempted.

The bottom line

EDR and backups are necessary. But neither prevents attacks across your entire environment, and neither guarantees a clean outcome when the incident involves identity compromise, cloud abuse, data theft, or slow-burn intrusion.

A resilient cybersecurity strategy adds layers of visibility, prevention, and response, so you’re not betting your business (or your clients’ businesses) on two tools and a best-case scenario.

The key is building resilience to minimize the opportunity for attacks and having enough depth that when something slips through, it can’t turn into a business-level incident.