Below are some reasons to justify the WHY and WHAT around EDR:

- Provides the ability to isolate a machine while the team investigates.
- Deeper insights into what is happening, allowing the team to respond and ultimately remediate quickly.
- Additional reporting on the state of our security/compliance posture.
- Helps determine the scope and impact of an incident.
- Ability to search across all devices and help identify indicators of similar compromise.
- Ability to clean and block files across all machines.
- Conduct malware analysis; we are not currently able to do this with our current Sophos deployment.

Agree?