Frequently Asked Questions

Common questions about the EDR Telemetry Project and their answers.

EDR telemetry refers to the data collected and transmitted by Endpoint Detection and Response (EDR) products and tools. These products are designed to monitor, detect, and respond to potential threats and suspicious activities on endpoints such as computers, servers, and other devices within a network.

The EDR Telemetry Project aims to:

  • Compare and evaluate telemetry capabilities across different EDR products
  • Help security practitioners make informed decisions about EDR tools
  • Encourage EDR vendors to be more transparent about their telemetry features
  • Provide a comprehensive reference for EDR telemetry capabilities

The data is collected through:

  • Direct testing in controlled environments
  • Documentation review from vendors
  • Community contributions and verification
  • Continuous updates and validation

You can contribute by:

  • Submitting telemetry data for EDR products
  • Verifying existing data
  • Reporting discrepancies or updates
  • Joining our Discord community

Visit our Contribution page for more details.

The data is updated regularly as new information becomes available, and we encourage the community to help keep it current. To find the last update date for a specific EDR, search the project's GitHub pull requests and commits for that product.

We use the following symbols in our telemetry tables:

  • ✅ - Feature is fully implemented
  • ❌ - Feature is not implemented
  • ⚠️ - Feature is partially implemented
  • ❓ - Information is pending or unverified
  • 🪵 - Collected via Windows Event Logs
  • 🎚️ - Available through additional telemetry settings

Transparency indicators show how we validated the telemetry data for each vendor. These icons appear next to vendor names in the telemetry tables and scores page:

Direct Access

Validation was performed with direct, independent access to the product. The vendor granted us access to their platform without an NDA and with full permission to publish our findings.

Community Verified

Validation was performed by a verified, independent community member with direct product access. These contributors have confirmed access to the EDR and submitted evidence of telemetry capabilities.

Evidence Only

Validation was based on evidence provided by the vendor (such as documentation, screenshots, raw logs, or a combination of these), without direct access to the product for independent verification.

Conditional Access

Validation was performed under an NDA or other terms that may limit what can be disclosed. While we had access to the product, certain restrictions apply to our findings.

Engaged Vendor

We have contacted the vendor (or are about to) and are awaiting a response regarding access to their platform for independent validation.

Still have questions? We're here to help!