TEHTRIS EDR automatically detects and neutralizes known and unknown threats in real time.

Endpoint Detection & Response

For about thirty years, security was limited to a few elementary axes, relatively simple but effective in the fight against standard everyday threats. After the summer of 2003 and the MSBlast worm that contaminated millions of Microsoft operating systems, three new Windows security options became essential: system updates, firewalls and a running antivirus.

This model emerged as the “dominant design” of cybersecurity: a firewall and a few tools for the periphery, an antivirus and some options for inside the infrastructure. The Internet has become populated with “crunchy” networks, i.e. with a “hard” shell (perimeter security) and “soft” inside, not to mention the interconnection of all systems: telephones, connected objects, etc. The Internet itself has also become a “crunchy” network. A technological debt of cybersecurity exists, and all TEHTRIS solutions are precisely there to be able to fight and help protecting assets efficiently.

TEHTRIS EDR is one of the pioneers and creators of the EDR wave of the future. That wave aims to install thousands of EDR agents in less than 24 hours, can detect stealthy espionage operations without weapons or malware, knows the techniques used by hackers and builds the answers in advance.

TEHTRIS EDR is a solution delivered in SaaS mode, through the cloud, with a desire to anticipate, prevent, detect and react at the cybersecurity level. We believe in the convergence of the EDR and EPP technologies, for a common and calculated mission of endpoint protection, with combined technical functions. TEHTRIS EDR is also part of a logical transformation, by proposing a TEHTRIS EPP agent as well, in order to streamline the technological layers: installation, configuration, maintenance, consistency in the logs and so on.

Latest Updates

WHY tehtris EDR?


In machine learning or deep learning mode, low-level surveillance builds a knowledge base of normal behavior to better distinguish attackers, their tools and methods, offering a strong competitive advantage over traditional or stealthy attackers.


TEHTRIS EDR prioritizes field efficiency in analyzing the numerous incoming attacks that are becoming increasingly stealthy and sophisticated.


Direct sanctions are imposed on all attackers, who must take the risk of losing their tools and having their offensive methods stolen, which will then be recognized worldwide.


TEHTRIS goes further than other solutions, since in the absence of human operators, its active defense systems can be configured to automatically respond 24/7 to any attack, even unknown, following predefined criteria and policies, from the raising of an alert to automated and immediate neutralization.


A trademark of TEHTRIS, we also work with our customers and partners, as part of our open innovation process. Their technological and organizational feedback feeds our innovation roadmap. Our goal? Always provide the best possible service.


In 2013, TEHTRIS created a cybersecurity engine called “ADS”, in reference to more than fifteen years of research work on active digital security, leading to a disruptive HIPS-type agent, an Endpoint Detection and Response solution long before the arrival of these products and their official names on the market.


Security Orchestration, Automation and Response

When it comes to  cybersecurity, the ability to orchestrate a quick and efficient response to cyber events is a fundamental issue. One of the best ways to achieve this is to use particularly powerful automation and artificial intelligence. This is what TEHTRIS offers you with its SOAR integrated to the TEHTRIS XDR Platform.

Discover our way to create hyper automation!

Supported platforms

Here is the current list of supported platforms. Changes may occur in the future.

Operating System 32bits 64bits
Windows XP Compatible Untested but designed for compatibility
Windows Server 2003 Compatible Untested but designed for compatibility
Windows Server 2008 Compatible Compatible
Windows Server 2008 R2 Compatible Compatible
Windows Server 2012 N/A Compatible
Windows Server 2012 R2 N/A Compatible
Windows Server 2016 N/A Compatible
Windows Server 2019 N/A Compatible
Windows 7 Compatible Compatible
Windows 8 Untested but designed for compatibility Compatible
Windows 10 Untested but designed for compatibility Compatible
macOS Sierra Compatible
macOS High Sierra Compatible
macOS Mojave Compatible
macOS Catalina Compatible
CentOS Linux 5.3 Compatible
CentOS Linux 5.11 Compatible
CentOS Linux 6.9 Compatible
CentOS Linux 7.5 Compatible
Ubuntu Linux 8.04 Hardy Compatible
Ubuntu Linux 14.04 Trusty Compatible
Ubuntu Linux 16.04 Xenial Compatible
Ubuntu Linux 18.04 Bionic Compatible


MITRE ATT&CK is a knowledge base with a modeling of the behavior of a cyberattacker, illustrating all phases of a cyberattack’s life cycle in relation to targeted platforms: Windows, macOS, Linux, mobile devices and so on.

Find out how TEHTRIS is compliant with MITRE ATT&CK

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.


999 day

to deploy

+ 0 countries

where our technologies have been deployed worldwide in detection and incident response mode

+ 1 EDR

deployed in the cloud in less than 24 hours


TEHTRIS EDR has several functions to perform automated remediation, based on predefined parameters, which allows to fight effectively 24/7 against unknown threats, without the risk of having to depend on a human team that might be missing elements.

TEHTRIS EDR searches for more than 11,000 CVE vulnerabilities, which can sometimes uncover elements that were entirely invisible, such as machines that are vulnerable because of an old Java, Adobe Reader, or Flash engine, forgotten or installed in “legacy” mode. You can thus deploy TEHTRIS EDR to audit your IT assets, without consuming excessive resources, and thus have the ability to ensure the compliance of your IT assets: patch management policy, risk aversion criteria and so on.

TEHTRIS EDR has a kernel driver that allows it to modify the behavior of the operating system, so that unwanted execution will not be possible. Even ransomware that is unknown, signed, stealthy or malicious could not execute if you decide to configure these policies.

TEHTRIS EDR has several protections against ransomware: blacklists in our CTI database that enrich the choices of EDR agents, application security policies to authorize only what you want, honeytoken-type concepts with fake files that a ransomware will want to destroy while being detected (file-type decoy), and many behavioral mechanisms, like the attack of certain points of the hard drive, for example.

TEHTRIS EDR has several means to combat lateral attacks, including the ability to process local logs in the operating system to detect if activity is being attempted remotely. It is a true tactical SIEM, that is local, capable of knowing whether a session is interactive or not and remote or not, in order to track such attacks.

TEHTRIS EDR embeds a highly sophisticated analysis engine capable of differentiating between a legitimate product and an illegitimate one, in PowerShell terms, by analyzing the code executed on the fly so as not to miss one of the many modern, stealthy attacks associated with it.

TEHTRIS EDR provides its own protection through layers that are directly installed in the Windows kernel, via a low-level driver, so that it cannot be uninstalled outside of an authorized centralized decision. It is not possible to remove the agent.

The analysis of malicious URL links with C&C lists, etc. is mainly conducted by the TEHTRIS EPP product. However, we can do targeted searches for these threats with TEHTRIS EDR in hunting mode.

TEHTRIS EDR continues to operate with its security policy already loaded when it goes offline. It then stores the events that it will report upon reconnection to its endpoint appliance. Of course, throughout this phase, the risk of intrusion without a network connection seems to be reduced, since TEHTRIS EDR can also contain USB attacks for example.

TEHTRIS EDR may request the TEHTRIS Cyber Threat Intelligence module of TEHTRIS XDR Platform, to perform sandbox scans, offline antivirus scans, neural network engine scans, or malware knowledge base searches.

TEHTRIS has many elements related to artificial intelligence and automatisms associated with the cyberworld. In machine learning mode, TEHTRIS EDR learns all the executions in your infrastructure in order to detect anomalies, as well as the persistence points used by hackers to survive a reboot or reconnection. In deep learning mode, TEHTRIS EDR has a compact neural network-based engine that can tell if software is malicious or not. This engine is also used in TEHTRIS Cyber Threat Intelligence. The latter is the first French product accepted by Google on its free service VirusTotal, where a public and non-commercial version is constantly running in search of unknown malware.

TEHTRIS EDR natively uploads at-risk files back to its infrastructure so that the payload can be detonated in a Sandbox environment. Robots plan and control the execution, analyze the results, and return the right information back to the EDRs on their own, so they can make a decision.

To put it simply, EPP is the next-generation antivirus tool that protects the OS against known attacks. It is the real system shield. EDR solutions are used to detect unknown threats and handle security issues remotely with a range of incident response functions. TEHTRIS believes that EDR and EPP products will soon merge and become one tool through a necessary technological convergence. The existence of an EDR market was only necessary because they filled technical gaps on the EPP side. In a future that is already beginning, companies will choose one product, an endpoint protection solution, combining EDR and EPP features, to avoid agent issues. TEHTRIS EPP and TEHTRIS EDR are already available for this purpose.

We must choose the criteria that allow neutralization by software robots. It’s a risky action, that some EDR solutions don’t want to offer for fear of breaking everything. Unfortunately, the day an unknown ransomware comes in, such products, which are only used for response and analysis, will only be able to say that they have understood why the company is being destroyed (not helpful at all). This is not our philosophy and we prefer to offer automatic neutralization, carefully and properly configured. Depending on the aspect of the unknown software, you will be able to decide whether to let it go or not: behavior, sandbox results, antivirus results, antivirus databases results, etc.

For mobile devices, we offer another range of products, called Mobile Threat Defense, different from TEHTRIS EDR. Check out our TEHTRIS MTD product page.

We collect metadata in a way that is compatible with the GDPR, and we will be able to exchange on these elements if you wish.

If your EPP agent plays at killing security software protecting your infrastructure, there might be a problem with the EPP settings or even the product. Currently, for all customers who do not have TEHTRIS EPP, and who have been using TEHTRIS EDR since 2014, we have encountered a total of zero conflict issues with other EPP brands.

A TEHTRIS EDR agent can be instructed so that its host might only accept outbound network flows to its management appliance, so that a SOC can quietly study its host, without taking the risk of lateral movement or internal exploration.

TEHTRIS EDR runs on Linux, Apple macOS and Windows.

TEHTRIS EDR collects and analyzes security logs from workstations, providing a so-called tactical SIEM capability, in order to keep very interesting events for cybersecurity analysts.

TEHTRIS EDR uses less than 1% on average on the CPU, and less than 100Mo to 200Mo in RAM, depending on the settings you want to setup: loading the neural network in memory or not, etc….

TEHTRIS EDR supports obsolete Windows operating systems, such as Windows XP and Windows Server 2003, which we encounter very often, especially in industrial computing environments (EO, ICS, SCADA) that sometimes need to keep these systems for decades, factoring in the plant operation costs and the related specific equipment.

TEHTRIS EDR has been tested and deployed by some of our customers in industrial environments on Windows boxes that were not advertised by the manufacturers as supporting it. These customers could no longer imagine not having antivirus (not enough RAM, too old, etc) or EDR (light and powerful but not officially supported by the OT manufacturer). So, they made agreements with the manufacturers, and they conducted some tests alone, with the help of TEHTRIS in background. For example, we are in factories with equipment from different brands, like Siemens (Simatic, Simotion, WinCC, TIA…), etc.

TEHTRIS EDR can prohibit the use of external storage, or even set it to read-only to prevent deliberate or inadvertent exfiltration. TEHTRIS logs all traces of connected USB devices to provide traceability regarding these threats.


Can we dream of a fully automated XDR Platform? Yes, we can!

Can we dream of a fully automated XDR Platform? Yes, we can! XDR platforms are our response to the increasing sophistication of the tools and tactics cyber attackers use, that render anti-virus programs and other traditional cybersecurity solutions helpless. XDR makes a case for a more holistic cybersecurity approach that

More information