How to Choose the Right Endpoint Sensor

Sensors are the workhorse of Endpoint Detection and Response (EDR) solutions. An endpoint sensor is a lightweight software component on devices that collects data and provides a firsthand account of what is taking place on the endpoint.

Sensors are primarily responsible for visibility, aggregating data from endpoints, taking response actions, and transmitting information back to analysts and investigators. In general, endpoint sensors provide on-device visibility that is crucial to threat detection and response.

Given their importance, as much thought should be put into the EDR sensor itself as the EDR capabilities and features of the overall solution when evaluating endpoint tools.

Remember, the endpoint is involved in every breach or serious security event, making visibility on the endpoint critical. A good sensor provides the sweeping visibility and control needed to mitigate risk and kick out adversaries while having a negligible impact on endpoint performance.

Sensor Considerations when Evaluating EDR Solutions

How burdensome is the sensor?

Agents that are resource hogs are common among today’s EDR tools. Sensors that consume too much CPU and memory on the endpoints they monitor, or that impose a heavy network load when transmitting endpoint data up the chain for analysis, can do more harm than good and lead to business disruption, frustrated users, and a difficult-to-manage deployment.

Equally frustrating, legacy EDR vendors often require multiple sensors for access to the full suite of EDR features. Multiple sensors mean a fragmented architecture that makes the overall deployment unwieldy. This is obviously not ideal for CISOs and security teams to manage and should be a red flag. Avoid an EDR that requires multiple heavy agents for full functionality of the security suite.

An ideal endpoint security solution will have a single sensor architecture to streamline deployment and day-to-day management and have a minimal impact on both the endpoint and the network when collecting and transmitting endpoint data.

What does the sensor view/collect?

Not all EDR solutions are built to the same standards, and vendors have different approaches on what data should be collected from the endpoint and different architectural limitations on what can be submitted up the chain for analysis.

Many EDR solutions are overly simplistic in what they collect and analyze to discover threats. Some commonly used tools are limited to a few primary telemetry sources, such as processes and network connections, and skip less common data sources, leaving attackers ample room to hide from security analysts and escalate their operations.

Other commonly used tools, constrained by their collection architecture, filter endpoint data before it is streamed to a graph or threat detection server. No amount of chicanery in messaging can change the fact that any data filtering that takes place by default means visibility is less than 100%.

Data filtering should be avoided if security teams want a full, accurate picture of endpoint activity. When evaluating an EDR solution, understand what a given sensor collects, what it misses, and whether any data is filtered on the endpoint before it is transmitted.

How compatible is the sensor with your environment?

Any system or endpoint not monitored cannot be protected against cyber intrusion, so a sensor that is flexible and extensible to match a given IT environment’s systems is critical for success. Most endpoint security solutions can be deployed to Windows, Mac, and Linux environments, with Windows being the focus and varying levels of efficacy for Mac and Linux endpoints.

A worthwhile EDR tool should have feature parity across those platforms, be deployable to air-gapped configurations, and cover legacy versions of operating systems still in use.

How secure is the sensor from outside tampering?

Cyber attackers are well aware of the capabilities and weaknesses of endpoint security solutions and look to disable vulnerable sensors during an intrusion, making sensor tampering a real concern. Vendors of an ideal endpoint solution should go to great lengths to secure their sensors.

Some commonly used endpoint sensors are even installed unencrypted on the endpoint, so adversaries can easily understand the ins and outs of how the agent is programmed, meaning the work of bypassing or disabling that agent is assisted by the endpoint vendor themselves.
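The defender-side counterpart to the tampering concern above is a routine health check that notices when a sensor has been stopped or altered. The following is an added example written for this article, not Cybereason code: it compares an observed sensor state against a deployment-time baseline (process present, on-disk binary matching its recorded SHA-256, binary not writable by group or world). The process name, path and "binary" bytes are constructed placeholders; the `observe_linux` helper shows how the same observation would be gathered from `/proc` on a live Linux host.

```python
"""Sensor tamper health check: compare the observed state of an endpoint sensor
with a recorded baseline and report anything that looks like tampering.

Added example, not Cybereason code. The process name, path and 'binary' content
are constructed placeholders; the checks are the generic ones a defender would
script: sensor process present, on-disk binary unchanged (SHA-256), binary not
writable by group or world."""
import hashlib
import os
import stat
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Baseline:
    process_name: str     # comm name the sensor runs under
    binary_path: str      # where the sensor binary lives on disk
    binary_sha256: str    # hex digest recorded at deployment time


@dataclass(frozen=True)
class Observation:
    running: frozenset             # process names seen in the process table
    binary_bytes: Optional[bytes]  # current binary content, None if the file is gone
    binary_mode: int               # st_mode of the binary (permission bits)


def check_sensor(baseline: Baseline, obs: Observation) -> list:
    """Return a list of findings; an empty list means the sensor looks healthy."""
    findings = []
    if baseline.process_name not in obs.running:
        findings.append(f"process '{baseline.process_name}' is not running")
    if obs.binary_bytes is None:
        findings.append(f"binary {baseline.binary_path} is missing")
    else:
        digest = hashlib.sha256(obs.binary_bytes).hexdigest()
        if digest != baseline.binary_sha256:
            findings.append(f"binary {baseline.binary_path} does not match baseline hash")
    if obs.binary_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"binary {baseline.binary_path} is writable by group or other")
    return findings


def observe_linux(baseline: Baseline) -> Observation:
    """Gather a live Observation on Linux by reading /proc/<pid>/comm and the binary.
    Not exercised by the constructed demo below."""
    running = set()
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    running.add(f.read().strip())
            except OSError:
                continue  # process exited between listdir and open
    try:
        with open(baseline.binary_path, "rb") as f:
            data = f.read()
        mode = os.stat(baseline.binary_path).st_mode
    except FileNotFoundError:
        data, mode = None, 0
    return Observation(frozenset(running), data, mode)


# Constructed stand-in for a sensor binary and its deployment-time baseline.
GOOD_BINARY = b"\x7fELF constructed placeholder sensor binary\n"
BASELINE = Baseline(
    process_name="example-sensord",             # hypothetical name
    binary_path="/opt/example-sensor/sensord",  # hypothetical path
    binary_sha256=hashlib.sha256(GOOD_BINARY).hexdigest(),
)

HEALTHY = Observation(frozenset({"systemd", "example-sensord", "sshd"}), GOOD_BINARY, 0o100755)
TAMPERED = Observation(
    frozenset({"systemd", "sshd"}),  # sensor process gone
    GOOD_BINARY + b"\x90",           # binary modified on disk
    0o100777,                        # and left world-writable
)


def demo():
    """Run the check against the healthy and tampered constructed observations."""
    return check_sensor(BASELINE, HEALTHY), check_sensor(BASELINE, TAMPERED)


if __name__ == "__main__":
    healthy, tampered = demo()
    print("healthy:", healthy or "no findings")
    for finding in tampered:
        print("tampered:", finding)
```

Run the check from a scheduled job or a configuration-management agent and forward a non-empty findings list to the SIEM; a sensor that silently disappears is exactly the event the page warns about, and it is far cheaper to detect from outside the sensor than to rely on the sensor reporting its own demise.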

The Cybereason Sensor

The Cybereason Sensor is lightweight, low impact, universally deployable, and offers the deepest visibility of any sensor in the endpoint market.

Do no harm

Our R&D mantra is to do no harm with our endpoint sensor, avoiding blue screens and costly business disruption related to the everyday use of the EDR solution.

The Cybereason Sensor generally does not exceed 5% CPU usage, averaging 1-3% during scans and heavy security workloads on the endpoint, which is negligible and dramatically lower than competing solutions. Memory utilization stays between 70 and 100 MB per endpoint and user, with a hard cap of 5% of total memory usage.
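The "how burdensome is the sensor?" question earlier on this page, and the CPU and memory figures just quoted, are only useful if you can measure a candidate sensor the same way during a bake-off. The script below is an added example written for this article, not Cybereason code. It samples a process's cumulative CPU ticks and resident memory over time, converts them to "percent of total machine" figures, and judges the run against a budget. The budget values (5% CPU ceiling, 5% of physical memory) mirror the figures on this page; the sample series is constructed, not measured from any product. The `read_sample` helper reads the real Linux `/proc/<pid>/stat` and `/proc/<pid>/status` files for live use.

```python
"""Sensor footprint evaluation: sample an endpoint sensor process over time and
judge it against a CPU and memory budget.

Added example, not Cybereason code. The budget values mirror the figures quoted
on this page (5% CPU ceiling, 5% of total memory); the sample series below is
constructed, not measured from any real product."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    wall_s: float    # wall-clock time when the sample was taken (seconds)
    cpu_ticks: int   # utime + stime of the process (clock ticks, from /proc/<pid>/stat)
    rss_kb: int      # resident set size (kB, from /proc/<pid>/status VmRSS)


@dataclass(frozen=True)
class Budget:
    cpu_pct_max: float   # ceiling for any single sampling interval
    cpu_pct_avg: float   # acceptable mean over the whole run
    rss_pct_max: float   # ceiling on RSS as a share of physical memory


def cpu_percent(a: Sample, b: Sample, clk_tck: int, ncpu: int) -> float:
    """CPU share of the whole machine between two samples, in percent.

    ticks / clk_tck converts to CPU-seconds; dividing by elapsed wall-clock time
    gives the fraction of one core, and dividing by the core count normalises to
    'percent of total machine capacity' (how a sizing claim is usually read,
    unlike top's per-core figure, which can exceed 100%)."""
    elapsed = b.wall_s - a.wall_s
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    cpu_seconds = (b.cpu_ticks - a.cpu_ticks) / clk_tck
    return 100.0 * cpu_seconds / elapsed / ncpu


def rss_percent(s: Sample, mem_total_kb: int) -> float:
    """Resident set size as a percentage of physical memory."""
    return 100.0 * s.rss_kb / mem_total_kb


def evaluate(samples, budget: Budget, clk_tck: int, ncpu: int, mem_total_kb: int) -> dict:
    """Summarise a sample series and say whether it stayed inside the budget."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to compute a CPU rate")
    cpu = [cpu_percent(a, b, clk_tck, ncpu) for a, b in zip(samples, samples[1:])]
    rss = [rss_percent(s, mem_total_kb) for s in samples]
    report = {
        "cpu_peak_pct": max(cpu),
        "cpu_mean_pct": sum(cpu) / len(cpu),
        "rss_peak_pct": max(rss),
    }
    report["within_budget"] = (
        report["cpu_peak_pct"] <= budget.cpu_pct_max
        and report["cpu_mean_pct"] <= budget.cpu_pct_avg
        and report["rss_peak_pct"] <= budget.rss_pct_max
    )
    return report


def read_sample(pid: int) -> Sample:
    """Live sampler for Linux: parse /proc/<pid>/stat and /proc/<pid>/status.
    Not exercised by the constructed demo below, which needs no running sensor."""
    with open(f"/proc/{pid}/stat") as f:
        # Split after the ')' that closes the comm field, which may itself contain spaces.
        fields = f.read().rsplit(")", 1)[1].split()
    utime, stime = int(fields[11]), int(fields[12])  # fields 14 and 15 in proc(5) numbering
    rss_kb = 0
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("VmRSS:"):
                rss_kb = int(line.split()[1])
    return Sample(time.monotonic(), utime + stime, rss_kb)


# Constructed run: 4 cores, CLK_TCK 100, 8,000,000 kB of RAM, one sample every 10 s.
CLK_TCK, NCPU, MEM_TOTAL_KB = 100, 4, 8_000_000
BUDGET = Budget(cpu_pct_max=5.0, cpu_pct_avg=3.0, rss_pct_max=5.0)

QUIET_RUN = [
    Sample(0.0, 0, 81_920),     # idle baseline, 80 MB resident
    Sample(10.0, 80, 86_016),   # 0.8 CPU-s over 10 s on 4 cores -> 2.0%
    Sample(20.0, 260, 96_000),  # scan burst: 1.8 CPU-s -> 4.5%; RSS 96,000 kB -> 1.2%
    Sample(30.0, 300, 90_112),  # back to 1.0%
]
# Same run, but the second interval burns 24 CPU-s (a 60% spike) -> budget fails.
RUNAWAY_RUN = QUIET_RUN[:2] + [Sample(20.0, 2480, 96_000), Sample(30.0, 2520, 90_112)]


def demo():
    """Evaluate both constructed runs against the budget."""
    quiet = evaluate(QUIET_RUN, BUDGET, CLK_TCK, NCPU, MEM_TOTAL_KB)
    runaway = evaluate(RUNAWAY_RUN, BUDGET, CLK_TCK, NCPU, MEM_TOTAL_KB)
    return quiet, runaway


if __name__ == "__main__":
    for name, report in zip(("quiet", "runaway"), demo()):
        print(name, report)
```

For a real evaluation, call `read_sample(pid)` on a timer (every few seconds, for at least as long as a full scan takes) while driving the endpoint with representative workloads, then pass the list to `evaluate` with the host's `os.sysconf("SC_CLK_TCK")`, `os.cpu_count()` and the `MemTotal` line from `/proc/meminfo`. Measuring peak as well as mean matters: a sensor that averages 2% but spikes to 60% during scans is the kind that generates the user complaints described above.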

Maximum visibility

Visibility is everything for an EDR solution, and without visibility, adversaries can move undetected. The Cybereason sensor provides maximum visibility into data on the endpoint, with no data filtering for a complete picture of all endpoint activity. We examine userspace, but also have kernel-level access to see beneath the Operating System to view and collect unobstructed data and present true detections to security analysts.

The Cybereason Sensor leaves no stone unturned and collects more telemetry than any other solution on the market, including:

  • Process activity
  • Network connections 
  • File events
  • Device information
  • User information and activity
  • Automatic execution configuration
  • Interprocess communication
  • and much more

Flexible and extensible

The Cybereason Sensor meets the needs of teams with complicated environments and can be easily extended across the breadth of the enterprise. Teams can fully deploy hundreds of thousands of sensors within 30 days of first becoming a Cybereason customer for near immediate time-to-value. Our coverage includes standard IT configurations and air-gapped systems, offline endpoints, cloud and hybrid environments, and on-premises data centers. 

Sensors can operate independently of our Graph (the MalOp™ Detection Engine) for prevention actions and data collection, making it possible for meaningful security actions to occur without the need for a constant pinging and an uninterrupted connection to detection servers. Full detection and response require a touchpoint with the graph and detection servers, but many threats can be blocked directly from the sensor, even in isolated configurations. 

Cybereason also boasts the widest range of supported operating systems of any endpoint vendor in today’s market: standard Windows, Mac, and Linux versions, plus legacy coverage extending back decades for niche operating systems still in use by teams today.

Security

The Cybereason Sensor is protected against tampering efforts from bad actors. In addition to our own internal audits and penetration testing, we engage third parties to pen test our sensor for potential vulnerabilities and work with R&D to close any issues found.

As many security practitioners will recall, in December of 2020, IT infrastructure management provider SolarWinds issued a Security Advisory after experiencing a “highly sophisticated” supply chain attack that began as early as Spring 2020 and ultimately impacted tens of thousands of organizations worldwide.

The malicious actors had leveraged the SolarWinds product update process to gain access to SolarWinds’ client environments, establish persistence, and execute malicious code. The attackers disabled many security solutions and their sensors that were in place before moving laterally within the target networks—all while remaining undetected.

Fortunately for Cybereason customers, the attackers immediately disengaged in any infiltration attempts at the reconnaissance stage if the Cybereason Defense Platform was detected on the network. Our sensor is secure to the point that adversaries intentionally avoid Cybereason and prematurely pull the ripcord in order to stay under the radar.

Automated and Orchestrated response

The Cybereason Sensor plays a critical role in detection by aggregating data from the endpoint but has a dual role in facilitating response actions on the endpoint whenever a threat is encountered.

Security teams can kill processes, remove registry keys, search for and collect files during a DFIR investigation, restore encrypted files to their previous uncorrupted state, and take a host of other response actions. The Cybereason Sensor also enables endpoint controls and works in tandem with components such as a firewall to block known malicious activity.

Response with Cybereason is automated and orchestrated. Because the MalOp understands the full attack story, we automatically populate tailored response playbooks for every detection and orchestrate a response to all impacted users and devices with a single click.

Consolidation

CISOs and CIOs can appreciate any opportunity to consolidate their IT stack and do more security work through a single vendor or solution. The Cybereason Sensor is a single sensor that transmits data to a single console and offers many opportunities for consolidation, including:

  • Replacement of aging or ineffective AV technologies
  • Replacement of a newer EDR solution that requires multiple agents
  • Extension of detection and response to cloud sources, productivity applications, SaaS applications, and identity sources (XDR) through a single sensor architecture


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise to everywhere the battle is taking place. Learn more about the Cybereason Sensor and its capabilities here or schedule a demo to see more.

About the Author

JJ Cranford

JJ Cranford is a Senior Product Marketing Manager at Cybereason. He was previously with OpenText after the acquisition of Guidance Software, where he was responsible for the go-to-market strategy for endpoint security products. JJ provides insight into market trends, industry challenges, and solutions in the areas of incident response, endpoint security, risk management, and compliance.
