Cynet converges endpoint protection, EDR and all other essential security technologies into the first autonomous security platform to provide total environment visibility and protection

Endpoint Detection and Response: The Ultimate RFP Template

Endpoint Detection and Response (EDR) is a key part of your endpoint protection strategy and can help your analysts investigate and respond to attacks as they happen. If you’re evaluating EDR security solutions, it is valuable to have a well-organized list of capabilities and to ask each vendor exactly what their solution provides.

Extended Detection and Response (XDR) is an emerging, related solution category; it is covered in a separate article.

This Request for Proposal (RFP) template provides just that: a list of capabilities you can submit to your vendors to get a detailed, side-by-side comparison of their offerings.

Our RFP template consists of five sections:

  • Monitoring & Control – routine activities to gain visibility and proactively discover and reduce attack surfaces.
  • Prevention & Detection – mechanisms to mitigate a wide array of commodity and advanced attack vectors.
  • Investigation & Response – overall toolset for rapid reaction to a live attack.
  • Infrastructure (EDR only) – architecture, deployment, data collection and communication.
  • Operation – ongoing management of the solution.


How to Use the Endpoint Detection and Response RFP

Submit this RFP to the vendors of your favorite EDR tools to ensure their EDR solution has a robust offering in each of our five target areas. The solution should provide complete visibility over endpoint threats, be able to prevent them on the device, offer the tools to investigate and respond to attacks as they occur, and provide practical deployment and administration options.

Scope of template

Our template covers EDR solutions for:

  • Desktop-based endpoints
  • Laptops
  • Servers

The template does not cover EDR for:

  • Mobile devices
  • Internet of Things (IoT) devices
  • Medical devices or industrial control systems

How to use the template:

  • Submit sections 1-5 below to your vendor
  • Ask them to fill in the “solution” columns with “Yes”, “No”, or a verbal description of their offering
  • Compare offerings between vendors and select the solution that provides the most comprehensive capabilities within your budget

Throughout the template:

  • Basic EDR capabilities are marked in YELLOW.
  • Advanced EDR capabilities are marked in BLUE.

1. Prevention and Detection

An EDR solution should offer comprehensive protection against common and advanced attack vectors. It should offer a combination of signature-based malware protection, behavioral analysis and machine-learning static analysis to detect unknown threats and compromised accounts, dynamic analysis of threats using a sandbox, and monitoring of memory access, running processes and network traffic.

Attack Type | Implementation | Solution (vendor to fill in)

The solution must identify malicious files and prevent them from executing, including viruses, trojans, ransomware, spyware and cryptominers.
  • Signature-based malware protection
  • Machine-learning static analysis
  • Dynamic analysis (real-time sandbox)
  • Threat intelligence (VirusTotal)
  • Threat intelligence (non-VirusTotal feeds)

The solution must identify malicious behavior of executed files, running processes, registry modifications or memory access, and terminate them at runtime or raise an alert (exploits, fileless attacks, macros, PowerShell, WMI, etc.).
  • Memory access monitoring
  • Process behavioral analysis (heuristics)
  • High similarity (a.k.a. fuzzy hashing)
  • Threat intelligence

The solution must support the creation of rules to exclude specific addresses/IP ranges.
  • Blacklisting malicious IPs and domains

The solution must identify and block privilege escalation attacks.
  • Process monitoring

The solution must identify and block reconnaissance attacks (scanning).
  • Network traffic monitoring

The solution must identify and block credential theft attempts occurring in memory (credential dumping, brute force) or in network traffic (ARP spoofing, DNS Responder).
  • Memory monitoring
  • User account monitoring (login attempts)
  • Network traffic behavioral analysis

The solution must identify and block/alert on lateral movement (SMB relay, pass the hash).
  • Network traffic monitoring
  • Deception via fake nodes
  • Deception via fake user accounts
  • Deception via fake network connections

The solution must identify malicious user account behavior indicative of prior compromise.
  • Configurable user activity policies (policy violation)
  • Profiling of the user account baseline (anomaly detection)

The solution must identify malicious interaction with data files.
  • Deception via decoy files

The solution must identify data exfiltration via legitimate protocols (DNS tunneling, ICMP tunneling).
  • Network traffic monitoring
  • File access monitoring

The solution must identify and block usage of common attack tools (Metasploit, Empire, Cobalt, etc.).
  • Process monitoring

The solution must have an internal protection mechanism against access and manipulation by unauthorized users.
  • Alert and block upon any tampering or disabling attempt

2. Investigation and Remediation

EDR tools should collect highly granular data about what is happening on the endpoint, at the file system, operating system, authentication and network level, and also allow security staff to easily view this data, search it, define security rules based on the data, and launch forensic investigations, whether on a single endpoint or across the organization. They should also allow automated response via incident response playbooks.

Capability | Implementation | Solution (vendor to fill in)

The solution must continuously collect data on all the entities and their activities within the environment.
  • File interaction – create, open, rename, delete, execute
  • Process execution (including process tree)
  • User login
  • Network traffic
  • Registry changes
  • Installed software

The solution must support the display of entity and activity data.
  • Search on behavioral patterns in all fields of coverage (users, files, machines, network traffic)
  • Ability to set rules and/or raise warnings and/or determine a risk level based on a match of the search pattern, in real time
  • Enabling multiple EDR users to carry out activities in parallel, based on user permissions

The solution must support dynamic analysis (sandbox).
  • Manually submit files for sandbox analysis

The solution must support cross-organization queries.
  • Search for the occurrence of process, file, network or user activities across all endpoints
The solution must support the means to execute forensic investigation.
  • Investigation of running processes or files
  • Machine-level investigation
  • Memory activity investigation
  • Obtain a memory dump

The solution must support isolation and mitigation of malicious presence and activity on the endpoint, via remote operations.
  • Ability to run remote commands (such as through a CMD interface)
  • Running scripts or files from a network location, or mapping a drive
  • Shutting down an endpoint or server
  • Isolating an endpoint or server from the network
  • Deleting a file (including files currently running or in use)
  • Quarantining a file (including files currently running or in use)
  • Killing a process
  • Removing or deleting a service or scheduled task
  • Locking a local user account or domain user
  • Resetting a user password
  • Blocking communications based on destination (domain name or IP address)
  • Disabling network interface cards
  • Changing the IP address
  • Editing the HOSTS file
  • Restarting an endpoint and/or a server

The solution must support isolation and mitigation of malicious presence and activity globally across the entire environment.
  • Active Directory: disable user, reset password
  • Firewall or proxy: block IP, block domain, block port

The solution must support incident response automation.
  • Incident response playbooks for common scenarios, available off-the-shelf as part of the solution
  • Ability to define customized response playbooks
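To make the behavioral-detection rows of section 1 and the collect/search/rule requirements of section 2 concrete, the following Python script is an added example written for this page; it is not Cynet's code and not any vendor's implementation. It models a central telemetry store that ingests process, file and login events from several agents, keeps the process tree, answers cross-organization queries, and evaluates three detection rules as each event arrives: an Office application spawning a script host (macro/PowerShell behavior), repeated logon failures against one account (brute force), and a non-SYSTEM user deleting or renaming the agent's own files (tamper protection). The host names, users, paths and the agent install directory `C:\Program Files\ExampleEDR\` are constructed assumptions, as is the whole event schema.

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

@dataclass(frozen=True)
class Event:
    """One telemetry record from an endpoint agent (constructed schema)."""
    ts: float          # event time in seconds (constructed values below)
    host: str
    kind: str          # "process" | "file" | "login" | "registry" | "network"
    user: str
    pid: int = 0
    ppid: int = 0
    image: str = ""    # executable path for process events
    target: str = ""   # file path, registry key, remote address or logon account
    action: str = ""   # execute | create | rename | delete | logon_failure | ...

def basename(path: str) -> str:
    return ntpath.basename(path).lower()   # ntpath handles both \ and / separators

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
AGENT_DIR = "c:\\program files\\exampleedr\\"   # hypothetical agent install path, lower case

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    match: Callable[[Event, "Telemetry"], bool]

class Telemetry:
    """Central store: ingests events from every agent, keeps the process tree,
    answers cross-organization queries and evaluates rules in real time."""
    def __init__(self, rules: List[Rule]):
        self.rules, self.events, self.alerts = rules, [], []
        self._procs: Dict[tuple, Event] = {}   # (host, pid) -> execute event

    def ingest(self, ev: Event) -> None:
        self.events.append(ev)
        if ev.kind == "process" and ev.action == "execute":
            self._procs[(ev.host, ev.pid)] = ev
        for rule in self.rules:                 # evaluate as the event arrives
            if rule.match(ev, self):
                self.alerts.append({"rule": rule.name, "severity": rule.severity,
                                    "host": ev.host, "user": ev.user, "ts": ev.ts})

    def parent(self, ev: Event) -> Optional[Event]:
        return self._procs.get((ev.host, ev.ppid))

    def process_tree(self, ev: Event) -> List[Event]:
        """The process and its ancestors, child first (cycle-safe)."""
        chain, seen, p = [ev], {ev.pid}, self.parent(ev)
        while p is not None and p.pid not in seen:
            chain.append(p); seen.add(p.pid); p = self.parent(p)
        return chain

    def search(self, **criteria) -> List[Event]:
        """Cross-organization query over every endpoint: `image` matches on
        basename, `target` on substring, every other field on equality."""
        def matches(ev: Event) -> bool:
            for field, wanted in criteria.items():
                have = getattr(ev, field)
                if field == "image":
                    if basename(have) != wanted.lower(): return False
                elif field == "target":
                    if wanted.lower() not in have.lower(): return False
                elif have != wanted: return False
            return True
        return [ev for ev in self.events if matches(ev)]

    def hosts_with(self, **criteria) -> Set[str]:
        return {ev.host for ev in self.search(**criteria)}

# --- detection rules evaluated over the collected telemetry ---
def office_spawns_script_host(ev: Event, store: Telemetry) -> bool:
    if ev.kind != "process" or ev.action != "execute": return False
    parent = store.parent(ev)
    return parent is not None and basename(parent.image) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS

def logon_brute_force(ev: Event, store: Telemetry, window: float = 60.0, threshold: int = 5) -> bool:
    if ev.kind != "login" or ev.action != "logon_failure": return False
    recent = [e for e in store.events if e.host == ev.host and e.kind == "login"
              and e.action == "logon_failure" and e.target == ev.target
              and ev.ts - window <= e.ts <= ev.ts]
    return len(recent) == threshold     # fire exactly once, when the threshold is crossed

def agent_file_tampering(ev: Event, store: Telemetry) -> bool:
    return (ev.kind == "file" and ev.action in ("delete", "rename")
            and ev.target.lower().startswith(AGENT_DIR)
            and ev.user.lower() != "nt authority\\system")

RULES = [Rule("Office application spawned script host", "high", office_spawns_script_host),
         Rule("Logon brute force", "medium", logon_brute_force),
         Rule("EDR agent file tampering", "critical", agent_file_tampering)]

def sample_events() -> List[Event]:
    """Constructed telemetry from three endpoints; not real data."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    agent = r"C:\Program Files\ExampleEDR\agent.exe"
    return [
        Event(100.0, "WS-01", "process", r"acme\alice", pid=400, image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", action="execute"),
        Event(101.0, "WS-01", "process", r"acme\alice", pid=412, ppid=400, image=ps, action="execute"),
        Event(102.0, "WS-02", "process", r"acme\bob", pid=520, image=r"C:\Windows\explorer.exe", action="execute"),
        Event(103.0, "WS-02", "process", r"acme\bob", pid=533, ppid=520, image=ps, action="execute"),
        *[Event(200.0 + i, "SRV-01", "login", "-", target=r"acme\svc_backup", action="logon_failure") for i in range(6)],
        Event(300.0, "WS-02", "file", r"acme\bob", pid=533, target=agent, action="delete"),
        Event(301.0, "SRV-01", "file", r"NT AUTHORITY\SYSTEM", target=agent, action="rename"),  # legitimate agent update
    ]

def run(events: Optional[List[Event]] = None) -> Telemetry:
    store = Telemetry(RULES)
    for ev in sorted(events or sample_events(), key=lambda e: e.ts):
        store.ingest(ev)
    return store

if __name__ == "__main__":
    store = run()
    for a in store.alerts:
        print(f"[{a['severity']}] {a['rule']} on {a['host']} (user {a['user']})")
    print("hosts that ran powershell.exe:", sorted(store.hosts_with(kind="process", image="powershell.exe")))
```

Running it raises three alerts (the WINWORD-to-powershell chain on WS-01, the fifth failed logon to `acme\svc_backup` on SRV-01, and the agent binary deletion on WS-02) while the explorer-launched PowerShell on WS-02 and the SYSTEM-performed agent rename stay silent; `hosts_with()` is the cross-organization query from section 2 and `process_tree()` is the process-tree context an analyst would pivot on during investigation.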

3. Monitoring and Control

Beyond attack prevention and response to live attacks, an EDR solution should allow security staff to manage security concerns on endpoints, and proactively reduce the attack surface. This should include vulnerability assessments, endpoint inventory management, a mechanism to retain and access logs on devices, threat hunting, and the ability to search for files, processes, passwords or other aspects of an endpoint which may be susceptible to attack.

Capability | Implementation | Solution (vendor to fill in)

The solution must support File Integrity Monitoring (FIM).
  • Enforce policy on fixed environments to alert on any file change

The solution must have built-in vulnerability assessment.
  • Discover missing security updates within systems and applications

The solution must provide the means to conduct inventory management.
  • Map and correlate all assets within the environment (endpoints, servers, installed apps, user accounts) and generate inventory reports

The solution must provide log collection and retention.
  • Collect authentication and activity logs on endpoints and enable central access to log data

The solution must retain logs for a sufficient period.
  • Retain logs for the period of time required by compliance standards, regulations or organizational policies. Log retention supported: _________

The solution must include threat hunting.
  • Search for malicious presence by known Indicators of Compromise (IoC)

The solution must support the discovery of unattended attack surfaces.
  • Search for risk-susceptible files, processes or network connections
  • Identify user accounts with unchanged passwords
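As an added example for the FIM and threat-hunting rows above (written for this page, not Cynet's or any vendor's code), the Python script below takes a SHA-256 baseline of a directory tree, reports added, removed and modified files on a later scan, and checks the current hashes against a set of known-bad indicators. The directory contents, the simulated changes and the IoC hash are all constructed inside `demo()` in a temporary directory, so the script runs offline; in a real deployment the baseline would be stored centrally and the IoC set would come from the threat-intelligence feeds named in section 1.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> Dict[str, str]:
    """FIM baseline: relative POSIX-style path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; any change in a fixed environment is alert-worthy."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def hunt(current: Dict[str, str], ioc_hashes: Set[str]) -> List[str]:
    """Threat hunting by known IoC: files whose hash matches a known-bad indicator."""
    return sorted(p for p, h in current.items() if h in ioc_hashes)

def demo():
    """Build a constructed directory, baseline it, simulate changes, rescan and hunt."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-constructed-sample")
        baseline = snapshot(root)

        # Simulated changes since the baseline: a config edit, a removed binary, a new file.
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "dropped.bin").write_bytes(b"constructed suspicious payload")
        current = snapshot(root)

        # Constructed IoC set: the hash of the dropped file stands in for a feed entry.
        ioc = {hashlib.sha256(b"constructed suspicious payload").hexdigest()}
        return diff(baseline, current), hunt(current, ioc)

if __name__ == "__main__":
    changes, hits = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    print("IoC matches:", hits)
```

The snapshot is keyed by relative path so the same baseline can be compared across many endpoints with identical images, which is what makes the `diff()` output a per-host change report and the `hunt()` output a fleet-wide IoC search when run over every host's snapshot.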

4. EDR Infrastructure

Ease of deployment is a critical part of EDR effectiveness. An EDR platform should offer flexible deployment options, should be rapidly deployable on all operating systems used by the organization, and should consume minimal system resources on endpoints to avoid negatively affecting the user experience.

Capability | Implementation | Solution (vendor to fill in)

The solution must have flexible server deployment options to match various types of environments.
  • On-prem

The solution must support rapid and seamless installation across all endpoints and servers in the environment.
  • Specify the required time for deployment across 5000 endpoints. Time for deployment: _________

The solution must support automated distribution to endpoints or servers added to the environment after the initial deployment.
  • Autonomously discover newly added machines and install the agent on them without manual configuration

The solution must have a light footprint for minimal impact on endpoint/server performance.
  • Minimal system memory (RAM) consumed on each endpoint/server. Up to 25 MB is advised. RAM used on each endpoint: ___ MB
  • Minimal CPU processing capacity consumed on each endpoint platform. Up to 2-5% is advised. CPU used on endpoints: ___ %

The solution must provide encrypted communication between the central EDR server and the agents on the endpoints or servers.

The solution must support all commonly used operating systems.
  • EOL systems: Windows XP, Vista, Server 2003
  • Windows 7 and above
  • Windows Server 2008 R2 and above
  • Main Linux distributions: Fedora, Ubuntu, Debian, CentOS, Red Hat, SUSE
  • Mac OS X Mavericks and above
  Supported operating systems:
  1. _______________
  2. _______________
  3. _______________
  4. _______________
  5. _______________
  6. _______________

The solution must support connection to Active Directory.
  • Granular authentication to the UI
  • Granular deployment by Organizational Unit (OU) groups with AD

The solution must co-exist with all commodity and proprietary software on the endpoints or servers.
  • Seamless operation of the protected endpoint or server without blue screens or process crashes

The solution must provide full protection for endpoints and servers that are offline (not connected to the organization’s network).
  • Threat protection mechanisms that do not rely on connectivity to the EDR management server

The solution must collect endpoint, file, process, user activity and network traffic data in a fully self-sustained manner.
  • Eliminate the need for manual configuration of rules or policies, or reliance on additional devices

5. EDR Operations

Below we list management and operations functions that are important for convenient daily operations of an EDR solution by your security staff.

Capability | Solution (vendor to fill in)

  • Specify a list of alert exclusion rules for selected objects.
  • Enable deployment on multiple sites that report into a single management console.
  • Export the current configuration and import it later to the same or another computer.
  • Enable/disable certain types of notifications.
  • Rate the severity of security alerts.
  • Centrally collect and process alerts in real time.
  • Block access to the program settings for end users.
  • Central distribution of updates with no user intervention and no need to restart the endpoint or server.
  • Specify a schedule for downloading updates, with the ability to disable automatic updates.
  • Automatically assign a risk score to all objects in the protected environment.
  • Support the logging of events, alerts and updates.
  • Support integration with email infrastructure to notify security personnel in case of alerts.
  • Support integration with common SIEM products.
  • Support standardized and customizable reports.