TEHTRIS EDR automatically detect and neutralize known and unknown threats in real time

Endpoint Detection Response

For about thirty years, security was limited to a few elementary axes, relatively simple but effective in the fight against standard everyday threats. From a symbolic point of view, after the summer of 2003 and the MSBlast worm that contaminated millions of Microsoft operating systems, we will remember the arrival in Windows of three security options that were really highlighted: update your system, get a firewall, and get an running antivirus.

This model has emerged as the “dominant design” of cyber security: a firewall and a few tools for the periphery, an antivirus and a few options on the inside. The Internet has become populated with networks in “crunchy” mode, i.e. “hard” on the shell (perimeter security) and “soft” inside, not to mention the interconnection of all systems: telephones, connected objects, etc. The Internet has also become a “crunchy” network. A technological debt of cybersecurity exists, and all TEHTRIS technologies are there precisely to be able to fight and help at protecting assets efficiently.

TEHTRIS EDR is one of the pioneers and creators of the EDR wave of the future, the one that aims to be able to install thousands of EDR agents in less than 24 hours, the one that is able to detect stealthy espionage operations without weapons or malware, the one that knows the techniques used by hackers and that builds the answers in advance.

TEHTRIS EDR is a solution provided in SaaS mode, via the Cloud, with a desire to anticipate, prevent, detect and react at the cybersecurity level. We believe in the convergence of these technologies, EDR and EPP, for a common and calculated mission of endpoint protection, with technical functions that combine. TEHTRIS EDR is also part of a logical transformation, by also proposing a TEHTRIS EPP agent, recognizing the interest in not multiplying the technological layers: installation, configuration, maintenance, consistency in the logs, etc.

Latest Updates

  • Added new dashboard features on alerts
  • Added Data Science features on alerts
  • Updated internal engines for security audits: more than 11.000 CVE entries verified
  • Added hunting tools thanks to a new IoC Scanner engine: process, registry, network, files, etc.
  • New Cyber Threat Intelligence capabilities to cover several million endpoints at the same time in different parts of the world.
  • Updates of the compatibility with MITRE ATT&CK Matrix and TEHTRIS EDR alerts

WHY tehtris EDR?


In Machine Learning or Deep Learning mode, low-level surveillance provides knowledge of normal behavior to better distinguish attackers, their tools and methods, offering a strong competitive advantage over traditional or stealthy attackers.


TEHTRIS goes further than other solutions, even without human operators, through active defense systems that can be configured to act autonomously by responding to an attack 24/7, following predetermined criteria and policies.


Direct sanctions are imposed on all attackers, who must take the risk of losing their tools and having their offensive methods stolen, which will then be recognized worldwide.


TEHTRIS EDR takes into account as a priority the numerous attacks that continue to arrive, with increasingly stealthy and sophisticated attacks, always giving priority to ground efficiency.


A trademark of TEHTRIS, we also work with our customers and partners, in processes oriented Open Innovation, where we are enriched by some technical and organizational feedback, to always provide the best possible service.


In 2013, TEHTRIS created a cybersecurity engine called “DAS”, in reference to more than fifteen years of research work on active digital security, giving birth to a disruptive HIPS-type agent, an Endpoint Detection and Response long before the arrival of these products and their official names on the market.


Less than 999 day

to deploy

+ 0 countries

global deployment

+ 1 EDR

deployed in the cloud in less than 24 hours

Supported platforms

Here is the current list of supported platforms. Changes may occur in the future.

Operating System 32bits 64bits
Windows XP Compatible Untested but designed for compatibility
Windows Server 2003 Compatible Untested but designed for compatibility
Windows Server 2008 Compatible Compatible
Windows Server 2008 R2 Compatible Compatible
Windows Server 2012 N/A Compatible
Windows Server 2012 R2 N/A Compatible
Windows Server 2016 N/A Compatible
Windows Server 2019 N/A Compatible
Windows 7 Compatible Compatible
Windows 8 Untested but designed for compatibility Compatible
Windows 10 Untested but designed for compatibility Compatible
macOS Sierra Compatible
macOS High Sierra Compatible
macOS Mojave Compatible
macOS Catalina Compatible
CentOS Linux 5.3 Compatible
CentOS Linux 5.11 Compatible
CentOS Linux 6.9 Compatible
CentOS Linux 7.5 Compatible
Ubuntu Linux 8.04 Hardy Compatible
Ubuntu Linux 14.04 Trusty Compatible
Ubuntu Linux 16.04 Xenial Compatible
Ubuntu Linux 18.04 Bionic Compatible

Mitre Att&ck compliance

MITRE ATT&CK is a knowledge base with a modeling of the behavior of a cyber attacker, illustrating all phases of a cyber attack’s life cycle in relation to targeted platforms: Windows, Mac, Linux, mobile, etc.

Discover the compatibility of TEHTRIS XDR with MITRE ATT&CK

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.


TEHTRIS EDR has several functions to perform automated remediation, based on predefined parameters, which allows to fight effectively 24/7 against unknown threats, without the risk of having to depend on a human team that might be missing elements.

TEHTRIS EDR proposes to search for more than 11,000 CVE vulnerabilities, which can sometimes uncover totally invisible things, such as machines that are vulnerable because of an old Java, Adobe Reader, or Flash engine, forgotten or installed in “legacy” mode. You can thus deploy TEHTRIS EDR to audit your IT assets, without consuming excessive resources, and thus have the ability to ensure the compliance of your IT assets: patch management policy, risk aversion criteria, etc.

TEHTRIS EDR has a kernel driver that allows it to modify the behavior of the operating system, so as not to leave the possibility of unwanted execution. Even ransomware that is unknown, signed, stealthy, malicious, could not execute if you decide to configure these policies.

TEHTRIS EDR has several protections against ransomware: blacklists in our CTI database that enrich the choices of EDRs, application security policies to authorize only what you want, Honeytokens type concepts with fake files that a ransomware will want to destroy while being detected (file type decoy), and many mechanisms based on behavioral: attack of certain points of the hard drive, etc…

TEHTRIS EDR has several means to combat lateral attacks, including the ability to process local logs in the operating system to detect if activity is being attempted remotely. It is a true tactical SIEM, local, capable of knowing whether a session is interactive or not, remote or not, in order to be able to track such attacks.

TEHTRIS EDR embeds a highly sophisticated analysis engine capable of differentiating between an illegitimate product and an illegitimate one, in PowerShell terms, by analyzing the code executed on the fly so as not to miss one of the many modern, stealthy attacks associated with it.

TEHTRIS EDR provides its own protection through layers that are directly in the Windows kernel, via a low-level driver, so that it cannot be uninstalled outside of an authorized centralized decision. It is not possible to remove the agent.

The analysis of malicious URL links with C&C lists, etc. is mainly conducted by the TEHTRIS EPP product. In Hunting mode, we can nevertheless do targeted searches for these threats with TEHTRIS EDR.

TEHTRIS EDR continues to operate with its security policy already loaded, when it goes offline. It then stores the events that it will report upon reconnection to its Endpoint appliance. Of course, throughout this phase, the risk of intrusion, without a network connection, seems to be reduced, since TEHTRIS EDR can also contain USB attacks for example.

TEHTRIS EDR may request the TEHTRIS Cyber Threat Intelligence module of TEHTRIS XDR Platform, to perform sandbox scans, offline antivirus scans, neural network engine scans, or malware knowledge base searches.

TEHTRIS has many elements related to artificial intelligence and automatisms associated with the Cyber world. In Machine Learning mode, TEHTRIS EDR learns all the executions in your infrastructure, in order to detect anomalies, including also the persistence points used by hackers to survive a reboot or reconnection. In Deep Learning mode, TEHTRIS EDR has a compact neural network-based engine that can tell if software is malicious or not. This engine is also used in TEHTRIS Cyber Threat Intelligence. The latter is the first French product accepted by Google on its free service VirusTotal, where a public and non-commercial version is constantly running in search of unknown malware.

TEHTRIS EDR natively uploads at-risk files back to its infrastructure so that the payload can be detonated in a Sandbox environment. Robots plan and control the execution, analyze the results, and return the right information back to the EDRs on their own, so they can make a decision.

To put it simply, EPPs are the official tools, being antivirus next-generation and protecting the OS against known attacks. That’s the real system shield. EDRs are the tools used to detect unknown threats and handling security issues remotely with a range of incident response functions. TEHTRIS believes that the difference will become blurred and that EDR and EPP products will become one tool, through a necessary technological convergence. The existence of an EDR market was only possible because they filled technical gaps on the EPP side. In a future that is already beginning, companies will choose one product, an Endpoint protection solution, combining EDR and EPP logic of the same brand, to avoid agents issues. TEHTRIS EPP and TEHTRIS EDR are already available for this purpose.

We must choose the criteria that allow neutralization by software robots. It’s a risky action, that some EDR products don’t want to offer, for fear of breaking everything. But the day an unknown ransomware comes in, these EDRs which are only used for response and analysis, will be able to say that they have understood why the company is being destroyed. No safety at all. This is not our philosophy and we prefer to offer automatic neutralization, carefully and properly configured. Depending on the aspect of the unknown software, you will be able to decide whether to let it go or not: behavior, sandbox results, antivirus results, antivirus databases results, etc.

For mobiles, we offer another range of products, called Mobile Threat Defense, different from TEHTRIS EDR. This is TEHTRIS MTD.

We collect metadata in a way that is compatible with the GDPR, and we will be able to exchange on these elements if you wish.

If your EPP agent plays at killing security software protecting your infrastructure, there might be a problem with the EPP settings or even the product. Currently, for all customers who do not have TEHTRIS EPP, and who have been using TEHTRIS EDR since 2014, we have encountered a total of zero conflict issues with other EPP brands.

A TEHTRIS EDR agent can be instructed that its host might only accept outbound network flow to its management appliances, so that a SOC can quietly study its host, without taking the risk of lateral movement or internal exploration.

TEHTRIS EDR runs on Linux, Apple MacOS, and Windows.

TEHTRIS EDR collects and analyzes security logs from workstations, providing a so-called tactical SIEM capability, in order to keep very interesting events for cybersecurity analysts.

TEHTRIS EDR uses less than 1% on average on the CPU, and less than 100Mo to 200Mo in RAM, depending on the settings you want to setup: loading the neural network in memory or not, etc….

TEHTRIS EDR supports obsolete Windows OSes, such as Windows XP and Windows 2003, which we very often encounter, especially in industrial computing environments (EO, ICS, SCADA) that sometimes need to keep these systems for decades, regarding the cost price of a plant and the related specific equipment.

TEHTRIS EDR has been tested and deployed by some of our customers in industrial environments on Windows boxes that were not advertised as supporting it, by the manufacturers. These customers could no longer imagine not having antivirus (not enough RAM, too old, etc) or no EDR (light and powerful but not officially supported by the OT manufacturer). So, they made agreements with the manufacturers, and they conducted some tests alone, with the help of TEHTRIS in background. For example, we are in factories with equipment from different brands, like Siemens (Simatic, Simotion, WinCC, TIA…), etc.

TEHTRIS EDR can prohibit the use of external storage, or even set it to read-only to prevent deliberate or inadvertent exfiltration. TEHTRIS logs all traces of connected USB devices to provide traceability regarding these threats.


Can we dream of a fully automated XDR Platform? Yes, we can!

Can we dream of a fully automated XDR Platform? Yes, we can! XDR platforms are our response to the increasing sophistication of the tools and tactics cyber attackers use, that render anti-virus programs and other traditional cybersecurity solutions helpless. XDR makes a case for a more holistic cybersecurity approach that

More information


EDR – COVID-19: TEHTRIS MAKES A COMMITMENT COVID-19: TEHTRIS EDR PROTECT HOSPITALS WORLWIDE Our country and our world are shaken by the current health and economic crisis. In response to the COVID-19 coronavirus pandemic, Cedric O, Secretary of State in charge of Digital Affairs within the French government, has launched

More information