EDR Telemetry Scores

Compare the telemetry capabilities of different EDR solutions based on our scoring methodology.

Understanding the Scores

Our scoring system evaluates EDR solutions based on telemetry capabilities across various categories. Each telemetry feature is weighted based on its importance in endpoint detection and response.

Status Values

| Status | Value |
|---|---|
| Yes | 1.0 |
| Via EnablingTelemetry | 1.0 |
| Partially | 0.5 |
| Via EventLogs | 0.5 |
| No | 0 |
| Pending Response | 0 |

Feature Weights

Each telemetry feature category is weighted based on its importance in the overall assessment. Some key examples include:

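| Feature | Weight |
|---|---|
| Process Creation | 1.0 |
| Process Access | 1.0 |
| File Creation | 1.0 |
| File Modification | 1.0 |
| File Deletion | 1.0 |
| DNS Query | 1.0 |
| TCP Connection | 1.0 |
| Remote Thread | 1.0 |
| File Renaming | 0.7 |
| Account Login | 0.7 |
| Process Termination | 0.5 |
| Account Logoff | 0.4 |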
View complete weight distribution on GitHub

Optional Telemetry & Fair Scoring

To maintain fair and consistent scoring across all EDR vendors, new Sub-Categories are initially marked as "optional" and do not count against the final scoring until they reach sufficient adoption across the vendor ecosystem.

75% Coverage Rule: New Sub-Categories only contribute to vendor scores once they achieve at least 75% implementation coverage across all currently supported EDR vendors.
Why This Matters: This approach prevents unfair advantages for vendors who propose new telemetry additions, ensuring that scores reflect mature, widely-adopted telemetry capabilities rather than cutting-edge features that may not be universally supported.
Visual Indicator: Optional telemetry features are marked with a New badge in the telemetry tables and will be promoted to scored telemetry once the coverage threshold is met.

Final Score Calculation

Total Score = Σ (Status Value × Feature Weight) for non-optional features
The final score represents the weighted sum of all non-optional features, providing a comprehensive evaluation of each EDR solution's telemetry capabilities.

To calculate the score:

  1. Optional telemetry features are excluded from the scoring calculation
  2. For each remaining telemetry feature (sub-category), we determine the implementation status (Yes, Partially, Via EventLogs, etc.)
  3. The status is converted to a numerical value according to the status table
  4. This value is multiplied by the weight assigned to that feature category
  5. All weighted values are summed to produce the final score

This methodology ensures that more critical telemetry capabilities have a greater impact on the overall score, providing a fair and accurate comparison between different EDR solutions.
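The calculation above, including the 75% coverage rule, as an added Python example (not the project's own code). The status values and the first three weights come from the tables on this page. The vendor names, their statuses, and the two "New Feature" sub-categories with their weights are constructed, and treating a vendor as covering a feature when its status value is above zero is an assumption.

```python
# Status values and the first three weights are taken from the tables on this page.
STATUS_VALUE = {
    "Yes": 1.0, "Via EnablingTelemetry": 1.0,
    "Partially": 0.5, "Via EventLogs": 0.5,
    "No": 0.0, "Pending Response": 0.0,
}
FEATURE_WEIGHT = {
    "Process Creation": 1.0, "File Renaming": 0.7, "Account Logoff": 0.4,
    "New Feature X": 1.0, "New Feature Y": 0.5,  # hypothetical sub-categories and weights
}
NEW_FEATURES = {"New Feature X", "New Feature Y"}  # start out as optional
COVERAGE_THRESHOLD = 0.75

# Constructed sample data: feature statuses in FEATURE_WEIGHT order.
VENDORS = {
    "VendorA": ["Yes", "Partially", "Via EventLogs", "Yes", "Yes"],
    "VendorB": ["Yes", "Yes", "No", "Via EventLogs", "No"],
    "VendorC": ["Via EnablingTelemetry", "No", "Yes", "Partially", "Pending Response"],
    "VendorD": ["Partially", "Yes", "Yes", "No", "Yes"],
}
VENDORS = {v: dict(zip(FEATURE_WEIGHT, s)) for v, s in VENDORS.items()}

def coverage(feature, vendors):
    """Fraction of vendors with a non-zero status value for `feature`.
    Assumption: that is what 'implementation coverage' means."""
    hits = sum(1 for s in vendors.values() if STATUS_VALUE[s[feature]] > 0)
    return hits / len(vendors)

def scored_features(vendors, new_features):
    """Step 1: drop optional features, i.e. new ones still below the threshold."""
    return {f for f in FEATURE_WEIGHT
            if f not in new_features
            or coverage(f, vendors) >= COVERAGE_THRESHOLD}

def total_score(statuses, features):
    """Steps 2-5: status -> value, multiply by weight, sum over scored features.
    An unknown status string raises KeyError rather than silently scoring 0."""
    total = sum(STATUS_VALUE[statuses[f]] * FEATURE_WEIGHT[f] for f in features)
    return round(total, 2)

def score_all(vendors, new_features):
    features = scored_features(vendors, new_features)
    return {v: total_score(s, features) for v, s in vendors.items()}

if __name__ == "__main__":
    ranked = sorted(score_all(VENDORS, NEW_FEATURES).items(), key=lambda kv: -kv[1])
    for vendor, score in ranked:
        print(f"{vendor}: {score}")
```

With this data, New Feature X reaches exactly 75% coverage and is scored, while New Feature Y sits at 50% and is ignored, so VendorA and VendorD get no credit for supporting it.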