EDR and XDR are often presented as a product-tier upgrade, but the difference is architectural and can be read off the security industry's own patents. Endpoint detection and response — EDR — is scoped to endpoints: it collects telemetry from laptops, servers, and other devices, analyzes that telemetry for signs of compromise, and supports response actions on the endpoint. Extended detection and response — XDR — is defined by reach and correlation: it ingests security data from many sources, including EDR itself, and relates events across them so a threat that touches an endpoint, then the network, then email is seen as one incident rather than three disconnected alerts.

A granted U.S. patent assigned to Cisco Technology, Inc. — US12531892B2, "Asynchronous data processing in extended detection and response systems," issued January 20, 2026 — states the architectural relationship between the two directly in its abstract. It is a granted patent, not a pending application, and it describes XDR as an umbrella that consumes EDR as one of several inputs.

"The techniques can be used in the context of an Extended Detection and Response (XDR) system architecture for advanced threat detection and response in a computer system. In some cases, the XDR system ingests security data from various monitoring components like Endpoint Detection and Response (EDR), Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs), firewall engines, and email security systems." — Asynchronous data processing in extended detection and response systems, US12531892B2

That sentence captures the whole distinction. EDR appears in the list as one monitoring component among several; the XDR system is the layer that ingests all of them. The patent's stated technical problem is also telling about why correlation is hard: different monitoring sources use different local identifiers for the same device, so the disclosed technique maps those local identifiers to a common global identifier to enable correlation of monitoring events related to the same device. In other words, the engineering work XDR adds on top of EDR is largely the work of stitching multi-source data into a single, correlatable view — which is exactly the capability EDR alone does not provide.

What each is built to see

The functional consequence follows from the scope. EDR is strongest at endpoint-resident threats: malicious processes, suspicious command-line behavior, persistence mechanisms, and on-host indicators. Because it lives on and around the endpoint, it can both detect those behaviors and take response actions there. What EDR does not natively do is reason across a threat's full path once that path leaves the endpoint. Consider a phishing email that delivers a payload: the payload executes on the host, beacons out through the network, and then moves laterally. Those stages generate signals in an email security system, an endpoint agent, and a firewall respectively, and EDR by itself sees only the on-host stage.

XDR is the architecture aimed at that gap. By ingesting EDR telemetry alongside intrusion detection and prevention systems, firewall engines, and email security data — the exact components the Cisco patent enumerates — an XDR system can relate the email signal, the network signal, and the endpoint signal to one device and one incident. The patent's contribution to making that practical at scale is on the data-processing side: asynchronous processing and a common global identifier so events arriving from heterogeneous sources, at different times and under different local IDs, can still be correlated to the same device. That is the defining capability that the "X" in XDR names.

The identifier problem the patent foregrounds is more than an implementation footnote; it is why cross-source correlation is genuinely hard. An email security gateway, a firewall, and an endpoint agent each have their own notion of what a "device" is and their own local identifier for it: a mailbox or recipient address, an IP address, an agent or host ID. Without a way to recognize that three different local IDs refer to the same machine, an XDR system would see three unrelated events rather than one threat traversing layers. The patent's described technique, mapping local device identifiers to a common global identifier, is the plumbing that makes correlation possible, and the asynchronous data-processing design addresses the reality that those events do not arrive neatly in order or at the same time. Reading the granted patent this way shows that the "extended" in XDR is earned by data-integration engineering, not just by adding more sensors.
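To make the identifier-mapping and out-of-order points concrete, here is a small correlator written for this article. It is an added illustration, not code from the patent, from Cisco, or from any product: the source names, identifier formats, field names, identity table and sample events are all constructed. It resolves each event's per-source local ID to a global device ID, groups events by that ID regardless of arrival order, and holds events whose mapping is not yet known until the mapping arrives, which is the asynchronous-arrival problem in miniature.

```python
"""Toy multi-source correlation for the EDR-vs-XDR discussion.

Each monitoring source (EDR agent, firewall, email gateway) names the same
laptop with a different local identifier. The correlator maps those local IDs
to one global device ID and groups events by it, even when events arrive out
of time order or before the identity mapping for a source is known.

Constructed example; identifiers, events and field names are invented here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed identity table: (source, local_id) -> global device ID.
# A real system would derive this from asset inventory, agent enrolment,
# DHCP leases, directory data, and so on; here it is hard-coded.
IDENTITY_MAP = {
    ("edr", "agent-7f3a"): "DEV-001",
    ("firewall", "10.20.30.44"): "DEV-001",
    ("email", "alice@example.test"): "DEV-001",
    ("edr", "agent-91c2"): "DEV-002",
    ("firewall", "10.20.30.45"): "DEV-002",
}


@dataclass(frozen=True)
class Event:
    source: str      # which monitoring component emitted it
    local_id: str    # that component's own name for the device
    ts: int          # event time in seconds (constructed)
    kind: str        # short description of what was observed


class Correlator:
    """Resolve events to a global device ID; park unresolvable ones for retry."""

    def __init__(self, identity_map):
        self.identity_map = identity_map
        self.by_device = defaultdict(list)   # global ID -> events
        self.pending = []                    # events with no known mapping yet

    def resolve(self, event):
        return self.identity_map.get((event.source, event.local_id))

    def ingest(self, event):
        """Attach the event to its device, or queue it if the ID is unknown."""
        gid = self.resolve(event)
        if gid is None:
            self.pending.append(event)
            return None
        self.by_device[gid].append(event)
        return gid

    def learn(self, source, local_id, gid):
        """Accept late-arriving identity knowledge and replay queued events."""
        self.identity_map[(source, local_id)] = gid
        queued, self.pending = self.pending, []
        for ev in queued:
            self.ingest(ev)   # re-queues itself if still unresolvable

    def incidents(self):
        """Time-ordered event chains for devices seen by more than one source.

        Single-source devices are left out: they are what EDR alone already
        shows; the cross-source chains are what the correlation layer adds.
        """
        out = {}
        for gid, evs in self.by_device.items():
            if len({e.source for e in evs}) > 1:
                out[gid] = sorted(evs, key=lambda e: e.ts)
        return out


# Constructed sample: one intrusion seen by three sources, arriving out of order.
SAMPLE_EVENTS = [
    Event("edr", "agent-7f3a", 300, "suspicious child process of mail client"),
    Event("firewall", "10.20.30.44", 200, "outbound connection to rare destination"),
    Event("firewall", "10.20.30.99", 320, "SMB connection to internal host"),  # IP not yet mapped
    Event("email", "alice@example.test", 100, "attachment with macro delivered"),
    Event("edr", "agent-91c2", 400, "signed installer executed"),  # unrelated device
]


def run_demo():
    """Ingest the sample, then supply the missing mapping and replay."""
    c = Correlator(dict(IDENTITY_MAP))
    for ev in SAMPLE_EVENTS:
        c.ingest(ev)
    queued_before_learn = len(c.pending)
    # Late identity data (constructed): 10.20.30.99 also belongs to DEV-001.
    c.learn("firewall", "10.20.30.99", "DEV-001")
    return c, queued_before_learn


if __name__ == "__main__":
    correlator, queued = run_demo()
    print(f"events queued before late mapping arrived: {queued}")
    for gid, chain in correlator.incidents().items():
        print(gid)
        for e in chain:
            print(f"  t={e.ts:>3} {e.source:<9} {e.local_id:<20} {e.kind}")
```

Two design points the toy makes visible. First, the email event has the earliest timestamp but arrives last, and the second firewall event cannot be placed at all until its mapping is learned; grouping by global ID rather than by arrival sequence is what lets the chain come out in causal order anyway. Second, the identity table here is static, which is a simplification: a local identifier such as an IP address changes hands over time, so a real mapping has to carry validity windows, a detail this example deliberately omits.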

It also clarifies a common point of confusion about whether XDR makes EDR obsolete. The patent's own framing answers that: EDR is listed as a monitoring component the XDR system ingests, which means the endpoint telemetry EDR produces remains an input the broader architecture depends on. An organization running XDR is not replacing its endpoint detection; it is feeding that detection, along with network and email signals, into a correlation layer. The endpoint data is still collected and still actionable on the host — XDR adds the ability to see how an endpoint event connects to events elsewhere.

Reading the distinction without the marketing

For a defender evaluating coverage, the document-grounded way to tell EDR from XDR is to ask what data the system correlates. If the system's detection and response logic operates on endpoint telemetry, it is doing EDR — regardless of branding. If the system ingests and correlates security data across endpoint, network, firewall, and email sources to detect cross-layer threats, it is doing XDR. The patent record makes the relationship explicit: XDR does not replace EDR, it consumes it. EDR remains one of the monitoring components; XDR is the correlation layer above it.

One caveat that the claims-first reading demands: a single patent describes one company's approach to the XDR correlation problem — here, identifier mapping and asynchronous processing — not an industry-wide definition. Different vendors implement the correlation layer differently, and a granted patent describes what was claimed and allowed, not a standard. But the architectural distinction the patent states in its abstract — endpoint-scoped detection versus multi-source ingestion and correlation — is the durable, citable difference between the two terms, and it is stated here in the granted record's own words rather than in a datasheet.