EDR vs Antivirus: What Your Cyber Insurance Actually Wants

A cyber insurance renewal application landed on a client’s desk last fall. Page four of the application asked: “Does your organization deploy endpoint detection and response (EDR) on all endpoints?” The client had antivirus and called us to ask if they could check yes.

The honest answer was no, and the renewal premium reflected it.

If you are a small business in West Texas getting through your first or second cyber insurance renewal, this is the post you need.

What antivirus actually does

Traditional antivirus scans files on your computer, compares them to a database of known-bad signatures, and quarantines anything that matches. It works against threats that already have a public signature.

The fundamental limitation: antivirus is reactive and signature-based. It catches the malware that has already been seen in the wild and reported. It misses anything novel — by definition, every novel attack starts as something it does not yet recognize.

Modern attackers know this. They generate fresh malware variants automatically. They use legitimate tools that no signature would catch (PowerShell, the Windows print spooler, RDP). They steal credentials and log in normally instead of breaking in.

Antivirus was a 2005 control. It is necessary and not sufficient.

What EDR actually does

EDR — endpoint detection and response — watches behavior, not files. It runs as an agent on every endpoint and continuously logs what processes are doing: what files they touch, what network connections they make, what registry keys they modify. It compares that activity to known attack patterns and to baseline normal behavior for that machine. When something looks off, it can isolate the endpoint from the network in under a minute.

Three concrete capabilities matter:

1. Behavioral detection. Catches an attack even when the executable is brand new and has never been seen before, because the behavior (encrypting many files quickly, exfiltrating large data volumes, escalating privilege) is the same regardless of the malware.
2. Network isolation. When EDR detects something, it can pull the endpoint off the network instantly. Ransomware that can’t reach the file server can’t encrypt the file server.
3. Forensic recall. Every action gets logged. After an incident, you can reconstruct exactly what happened — which is critical for breach notification, insurance, and not making the same mistake twice.

MDR — managed detection and response — is EDR plus a 24/7 human team watching the alerts. EDR without humans behind it is software with a worse pager. Most small businesses cannot staff a 24/7 SOC; that is what MDR exists for.

Why insurance carriers care

Cyber insurance got expensive between 2020 and 2023 because ransomware claims got expensive. Carriers responded by raising the bar on prerequisites. The 2024-2026 application questionnaires now consistently include:

• Multi-factor authentication on all admin accounts and remote access. (Required.)
• Endpoint detection and response on all endpoints. (Required or heavily favored.)
• Backup that is offline or immutable. (Required.)
• Email security and security awareness training. (Required.)
• Vulnerability management and patching cadence. (Required.)

The pattern is the same one OCR uses for HIPAA, the FTC uses for the Safeguards Rule, and the IRS uses for Pub 4557. The serious frameworks have converged on the same controls.

If your application says you have antivirus and the carrier asks for EDR, you have three choices: lie (don’t), pay a higher premium, or upgrade.

What we deploy

We bundle EDR into Titanium and Carbon by default. The agents we use are commercially licensed enterprise products with real behavioral models, and the response side runs out of our shop with documented playbooks. We don’t advertise the specific vendor on this site because that information is more useful to attackers than customers; clients in the relationship know what they have.

What we won’t do is sell you “endpoint protection” that is repackaged consumer antivirus. There are vendors who do this. Their margin is good. Their renewals are bad.

What you can do this week

If you have a renewal coming up:

1. Pull last year’s application. Read every checkbox carefully.
2. Run our free Cyber Score. It hits the same control areas your carrier will.
3. If you don’t currently have EDR, get a quote on it. Even bought standalone, it’s typically $7-15 per endpoint per month. Bundled in a managed plan, it’s lower.
4. Document what you have. Carriers ask for evidence. A screenshot of the EDR console showing every endpoint enrolled is worth more than your answer to a checkbox.

If your insurance broker is steering you toward a “cybersecurity assessment” that costs $5,000 and produces a PDF nobody reads, save the $5,000 and have a real conversation with an IT provider who installs the controls instead. The Cyber Score above is free and tells you the same things.

The carriers are going to keep raising the bar. The businesses that get ahead of the questions pay less. The ones that don’t keep getting surprised by their renewal letter.