Transparent Scoring Methodology

EDR Telemetry Scores

Compare the telemetry capabilities of different EDR solutions based on our transparent, weighted scoring methodology.


Understanding the Scores

Our scoring system evaluates exposed telemetry visibility across categories. Each telemetry feature is weighted based on its importance for investigation, hunting, and response.

Scores reflect telemetry availability and exposed visibility. They do not measure prevention, detection efficacy, product quality, SOC maturity, managed service quality, or full incident-response capability. See the methodology page for the evidence standard.

Status Values

| Status | Value | Meaning |
|---|---|---|
| Yes | 1.0 | Required telemetry is implemented and exposed directly. |
| Via EnablingTelemetry | 1.0 | Available only after enabling a built-in setting or feature. Same numeric value as Yes, but not equivalent to out-of-the-box Yes. |
| Partially | 0.5 | Related telemetry exists, but full-credit validity fails because it is incomplete, conditional, subset-only, inconsistent, missing required fields, or related-but-not-direct. |
| Via EventLogs | 0.5 | Surfaced through platform-native OS logs rather than independent native sensor collection. |
| No | 0 | Telemetry is not implemented or is not exposed in a qualifying way. |
| Pending Response | 0 | Unresolved at scoring time. It cannot be upgraded without qualifying evidence. |

Feature Weights

Each telemetry feature category is weighted based on its importance in the overall assessment. Some key examples include:

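| Feature | Weight |
|---|---|
| Process Creation | 1.0 |
| Process Access | 1.0 |
| File Creation | 1.0 |
| File Modification | 1.0 |
| File Deletion | 1.0 |
| DNS Query | 1.0 |
| TCP Connection | 1.0 |
| Remote Thread | 1.0 |
| File Renaming | 0.7 |
| Account Login | 0.7 |
| Process Termination | 0.5 |
| Account Logoff | 0.4 |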
View complete weight distribution on GitHub

Optional Telemetry & Fair Scoring

To maintain fair and consistent scoring across all EDR vendors, new Sub-Categories are initially marked as "optional" and do not count against the final scoring until they reach sufficient adoption across the vendor ecosystem.

75% Coverage Rule:

New Sub-Categories only contribute to vendor scores once they achieve at least 75% implementation coverage across the supported vendor set for the scoped platform.

What Counts Toward Coverage:

Only Yes and Via EnablingTelemetry count as implementation coverage. Partially, Via EventLogs, No, and Pending Response do not count toward the threshold unless a future methodology version changes the rule.

Visual Indicator:

Optional telemetry features are marked with a New badge in the telemetry tables and will be promoted to scored telemetry once the coverage threshold is met.

Final Score Calculation

Total Score = Σ (Status Value × Feature Weight)
for non-optional features

The final score represents the weighted sum of all non-optional features, providing a comprehensive evaluation of each EDR solution's telemetry capabilities.

To calculate the score:

  1. Optional telemetry features are excluded from the scoring calculation
  2. For each remaining telemetry feature (sub-category), we determine the implementation status (Yes, Partially, Via EventLogs, etc.)
  3. The status is converted to a numerical value according to the status table
  4. This value is multiplied by the weight assigned to that feature category
  5. All weighted values are summed to produce the final score

This methodology ensures that higher-weight telemetry capabilities have greater score impact while preserving evidence-backed status labels. See the full status taxonomy for directness and evidence rules.
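
The calculation steps and the 75% coverage rule above, worked through as an added example (not the project's own scoring code). The four vendors and the two "New Feature" sub-categories with their weights are constructed placeholders; the status values and the other weights are taken from the tables on this page.

```python
# Status values and the four real weights are copied from this page.
STATUS_VALUE = {"Yes": 1.0, "Via EnablingTelemetry": 1.0, "Partially": 0.5,
                "Via EventLogs": 0.5, "No": 0.0, "Pending Response": 0.0}
# "New Feature A"/"New Feature B" and their weights are hypothetical placeholders.
WEIGHTS = {"Process Creation": 1.0, "DNS Query": 1.0, "File Renaming": 0.7,
           "Account Logoff": 0.4, "New Feature A": 1.0, "New Feature B": 1.0}
NEW_FEATURES = {"New Feature A", "New Feature B"}      # start out optional
COVERAGE_STATUSES = {"Yes", "Via EnablingTelemetry"}   # only these count toward 75%
COVERAGE_THRESHOLD = 0.75

def row(*statuses):
    """Map one vendor's statuses onto the features, in WEIGHTS order."""
    return dict(zip(WEIGHTS, statuses))

# Constructed sample data: four hypothetical vendors on one platform.
VENDORS = {
    "Vendor1": row("Yes", "Yes", "Partially", "No", "Yes", "Yes"),
    "Vendor2": row("Yes", "Via EventLogs", "Yes", "Via EnablingTelemetry",
                   "Via EnablingTelemetry", "Partially"),
    "Vendor3": row("Partially", "Yes", "No", "Pending Response",
                   "Yes", "Via EventLogs"),
    "Vendor4": row("Yes", "Yes", "Yes", "Yes", "Partially", "Yes"),
}

def coverage(feature, vendors):
    """Fraction of vendors whose status counts as implementation coverage."""
    hits = sum(s[feature] in COVERAGE_STATUSES for s in vendors.values())
    return hits / len(vendors)

def scored_features(vendors):
    """Established features, plus new ones that reached the coverage threshold."""
    return [f for f in WEIGHTS
            if f not in NEW_FEATURES or coverage(f, vendors) >= COVERAGE_THRESHOLD]

def total_score(statuses, features):
    """Sum of status value x feature weight over the scored features."""
    # An unknown status label raises KeyError instead of silently scoring 0.
    return round(sum(STATUS_VALUE[statuses[f]] * WEIGHTS[f] for f in features), 2)

def score_all(vendors):
    features = scored_features(vendors)
    return {name: total_score(s, features) for name, s in vendors.items()}

if __name__ == "__main__":
    for name, score in score_all(VENDORS).items():
        print(f"{name}: {score}")
```

In this data "New Feature A" reaches exactly 75% coverage (the Partially entry does not count) and is scored, while "New Feature B" sits at 50% and stays optional, so Vendor1 and Vendor4 get no credit for their Yes on it.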