EDR and MDR for Vancouver Businesses
Hexafusion deploys, tunes, and operates managed endpoint detection and response for Vancouver and Lower Mainland businesses. Every endpoint instrumented, 24/7 security-operations-centre coverage on Enterprise plans, documented incident response, and the evidence package your cyber-insurance underwriter wants.
Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The patterns and recommendations on this page reflect what we deploy across BC dental, legal, accounting, manufacturing, and professional-services clients.
EDR vs MDR in plain terms
Two different things that get confused in vendor pitches:
EDR is the software
Endpoint detection and response is the agent that runs on every laptop, desktop, and server. It records process execution, network connections, file changes, registry events, and PowerShell activity. When it sees behaviour that matches a known attack pattern, it generates an alert and can isolate the device. You can buy EDR as a tool and run it yourself, but you need someone to look at the alerts.
MDR is the people
Managed detection and response wraps EDR with a 24/7 security operations centre. Trained analysts triage every alert, investigate the suspicious ones, contain compromised devices, rotate credentials, and write the incident report. MDR is EDR plus the staff to use it around the clock. For a Vancouver business without dedicated security headcount, MDR is the practical choice.
Hexafusion offers EDR-only on Professional plans (business-hours triage by our team) and full MDR on Enterprise plans (24/7 SOC coverage delivered with an external partner whose SOC holds a SOC 2 Type II attestation; SOC 2 attests to the partner's organisational controls, not to individual analysts, whose qualifications are itemised separately). Both deliver the evidence package underwriters want.
Why this matters for Vancouver businesses right now
Three converging trends make EDR or MDR a near-universal requirement for BC businesses by mid-2026:
- Cyber insurance renewals. Canadian underwriters have tightened. The 2026 renewal cycle treats documented EDR or MDR as a baseline. Businesses without it either pay materially higher premiums, accept reduced coverage limits, or get declined.
- PIPEDA and BC's Personal Information Protection Act (PIPA). Both frameworks require "reasonable" safeguards for personal information. The Office of the Privacy Commissioner of Canada has signalled in recent breach decisions that signature-based antivirus alone is no longer sufficient for businesses handling regulated data. EDR with behavioural detection is the new floor.
- Ransomware shift to small and mid-sized targets. Public-facing breach reports show 74 percent of ransomware victims now have fewer than 1,000 employees. Attackers automated their way down-market. EDR is the control best placed to break the most common modern attack chain (initial access via phishing or stolen credentials, then lateral movement) at step two, because lateral movement from a compromised endpoint produces process and network behaviour the agent can see and isolate.
What we deploy on every endpoint
Our standard EDR baseline, applied during onboarding and reviewed quarterly:
Agent on every device
Windows, macOS, Linux servers, and Linux workstations. Mobile via Microsoft Intune mobile threat defense. No agent gap.
Behavioural detection rules
Vendor-default rules plus our own ruleset tuned to Vancouver SMB patterns: PowerShell abuse, Office macro execution, credential dumping, lateral movement, ransomware staging.
Auto-containment policy
High-severity detections trigger automatic network isolation of the endpoint. The device is unreachable to the rest of the network, apart from the agent's own management channel back to the console, until an analyst clears it.
Log retention
90 days hot retention by default, 13 months cold retention available. Insurers and BC PIPA breach investigations typically need at least 12 months of telemetry, so the 90-day default on its own does not meet that expectation; a business with regulated data needs the 13-month tier.
Tamper protection
Agent uninstall requires a separate vendor-issued password held by our team. An attacker with local admin cannot remove the agent through the normal uninstall or service-control paths.
Integration with identity
Detections raise the device's risk level, which marks it non-compliant in Intune; a Microsoft Entra ID Conditional Access policy that requires a compliant device then blocks it from Microsoft 365 until cleared. Defence in depth, not perimeter-only.
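As an added illustration (example code written for this page, not Hexafusion's ruleset or any vendor's detection engine), here is what a few behavioural rules and the containment policy above look like when run over constructed process telemetry: an Office application spawning a script host, an encoded PowerShell command line, a handle opened to lsass.exe, and a remote wmic call from a service account that is treated as a known false-positive pattern. The event fields, rule names, the allow-listed lsass readers, and every host, user and command line below are assumptions.

```python
"""Added example, not Hexafusion's or any vendor's code: a miniature behavioural
detection pass over constructed endpoint process events, with the containment
decision the page describes (auto-isolate on high severity, analyst review on
medium, and a known false-positive pattern that is recorded for the analyst).
Field names, rule names and the sample events are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterator

@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str       # parent process image name
    image: str        # process image name
    cmdline: str
    target: str = ""  # process whose handle/memory was opened, if any

@dataclass
class Alert:
    host: str
    rule: str
    severity: str     # "high" or "medium"
    action: str       # "auto-isolate" or "analyst-review"
    known_fp: bool
    detail: str

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}  # assumed benign readers

def is_encoded_flag(token: str) -> bool:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    so a rule that only matches the literal '-EncodedCommand' misses most real abuse.
    Reject prefixes that could also mean -ExecutionPolicy, except bare -e, which
    PowerShell resolves to EncodedCommand."""
    t = token.lower()
    if not t.startswith("-"):
        return False
    t = t[1:]
    return bool(t) and "encodedcommand".startswith(t) and (t == "e" or not "executionpolicy".startswith(t))

# Known noisy-but-benign patterns, assumed for this example: the SCCM service account
# running wmic against other hosts is routine in this fictional tenant.
KNOWN_FP = [
    ("lateral_movement", lambda e: e.user.lower() == "svc_sccm" and e.image.lower() == "wmic.exe"),
]

def match_rules(e: ProcessEvent) -> Iterator[tuple[str, str, str]]:
    """Yield (rule, severity, detail) for every behaviour the event matches."""
    parent, image = e.parent.lower(), e.image.lower()
    tokens = e.cmdline.split()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        yield "office_spawns_script_host", "high", f"{e.parent} -> {e.image}"
    if image in {"powershell.exe", "pwsh.exe"} and any(is_encoded_flag(t) for t in tokens):
        yield "encoded_powershell", "high", "encoded command line"
    if e.target.lower() == "lsass.exe" and image not in LSASS_READERS_OK:
        yield "credential_dumping", "high", f"{e.image} opened a handle to lsass.exe"
    if image in {"psexec.exe", "psexesvc.exe"} or (
            image == "wmic.exe" and any(t.lower().startswith("/node:") for t in tokens)):
        yield "lateral_movement", "medium", f"remote execution via {e.image}"

def triage(e: ProcessEvent) -> list[Alert]:
    alerts = []
    for rule, severity, detail in match_rules(e):
        known_fp = any(r == rule and pred(e) for r, pred in KNOWN_FP)
        # Containment policy: high severity isolates without waiting for a human;
        # medium always waits for an analyst, and a known-FP match is recorded so
        # the analyst sees why it was not escalated.
        action = "auto-isolate" if severity == "high" else "analyst-review"
        alerts.append(Alert(e.host, rule, severity, action, known_fp, detail))
    return alerts

def run(events: list[ProcessEvent]) -> tuple[list[Alert], set[str]]:
    """Return every alert raised and the set of hosts the agent would isolate."""
    alerts = [a for e in events for a in triage(e)]
    isolated = {a.host for a in alerts if a.action == "auto-isolate"}
    return alerts, isolated

# Constructed telemetry for the example (not real client data).
SAMPLE_EVENTS = [
    ProcessEvent("WS-ACCT-07", "jdoe", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessEvent("SRV-MGMT-01", "svc_sccm", "svchost.exe", "wmic.exe",
                 "wmic.exe /node:WS-LEGAL-03 process call create cmd.exe"),
    ProcessEvent("WS-LEGAL-03", "administrator", "cmd.exe", "procdump.exe",
                 "procdump.exe -ma lsass.exe C:\\temp\\out.dmp", target="lsass.exe"),
    ProcessEvent("WS-DEV-02", "mchen", "explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File build.ps1"),
]

if __name__ == "__main__":
    alerts, isolated = run(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a.host:12} {a.severity:6} {a.rule:26} {a.action:14} known_fp={a.known_fp} {a.detail}")
    print("isolated:", sorted(isolated))
```

The ordering is the point: the rule decides severity, containment follows severity without waiting on a human, and the known-false-positive list only changes what the analyst sees in the queue, never whether a high-severity hit isolates. Note also that the rule on the developer workstation's `-ExecutionPolicy Bypass` line correctly raises nothing, because it matches on encoded execution rather than on the presence of PowerShell.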
Our 5-step incident response runbook
Every alert that reaches an analyst goes through the same sequence. We run quarterly tabletop exercises against this runbook and update it after every real incident.
1. Contain. The agent isolates the device from the network. The user can still receive a call from us. Containment happens automatically on high-severity detections and manually, after analyst review, on medium-severity ones where a known false-positive pattern makes automatic isolation too disruptive.
2. Investigate. Analyst reviews the alert chain, the process tree, network connections during the suspicious window, and any related alerts on other endpoints. Output: root cause, scope of compromise, dwell time.
3. Eradicate. Remove the malware, rotate all credentials used on the device in the suspicious window, kill any persistence (scheduled tasks, registry run keys, service installations), and patch the underlying vulnerability if one was used.
4. Recover. Restore the device to production after a final sweep. If the endpoint was significantly compromised, we rebuild from a clean baseline rather than clean in place. The user gets a written summary of what changed and what they need to do.
5. Lessons. Written incident report. Lessons learned are added to our internal rulebook, so if the same pattern shows up at a different client we know about it earlier. The report is also the evidence document for your insurer and for any regulatory notification.
Cyber insurance: what underwriters actually ask
The 2026 cyber insurance questionnaire is the practical test of whether your EDR or MDR deployment is real. The questions tend to cluster around the same eight areas. Our standard MDR statement of controls covers every one. If your current provider cannot answer all eight in writing, you do not have what your insurer thinks you have.
- EDR coverage percentage. What share of endpoints are running the agent. Underwriters expect 95 percent or higher.
- Mean time to detect (MTTD) and mean time to respond (MTTR). Both measured and reported monthly.
- Hours of coverage. Business hours only versus 24/7. Many policies now reduce coverage or exclude after-hours incidents if the response model does not match the threat window.
- Documented incident response procedures. Written runbook, version controlled, with named owners.
- Tabletop exercise cadence. Most policies expect at least annual exercises. Quarterly is becoming the new normal for higher-coverage policies.
- Log retention duration. Minimum 12 months for any business with regulated data.
- Tamper protection on the agent. Whether an attacker with local admin can disable detection.
- Analyst certifications and training. Insurers want to know that the humans triaging alerts are qualified.
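To show how the first two questions are answered from data rather than read off a vendor dashboard, here is an added example (written for this page, not Hexafusion's reporting code) that reconciles an asset inventory against EDR agent check-ins and computes MTTD and MTTR from incident timelines. The 24-hour heartbeat window, the decision to count a stale agent as a gap, and every host name, check-in time and incident below are constructed assumptions; the 95 percent target is the figure the page states.

```python
"""Added example, not Hexafusion's reporting code: the coverage-percentage and
MTTD/MTTR figures from the underwriter questionnaire, computed from constructed
data. A host counts as covered only if it is in the asset inventory AND its agent
has checked in within HEARTBEAT_MAX_AGE; hosts the console knows about but the
inventory does not are reported as unknown assets. All hosts, times and incidents
are constructed; the 24-hour window is this example's choice."""
from __future__ import annotations
from datetime import datetime, timedelta

HEARTBEAT_MAX_AGE = timedelta(hours=24)  # assumed: a check-in older than this is a gap
COVERAGE_TARGET = 0.95                   # underwriters expect 95 percent or higher

def coverage(inventory: list[str], checkins: dict[str, datetime], now: datetime
             ) -> tuple[float, list[str], list[str]]:
    """Return (covered_fraction, gap_hosts, unknown_hosts).
    gap_hosts: inventoried hosts with no agent or a stale agent.
    unknown_hosts: hosts reporting to the console that are not in the inventory."""
    gaps: list[str] = []
    for host in inventory:
        last = checkins.get(host.lower())
        if last is None or now - last > HEARTBEAT_MAX_AGE:
            gaps.append(host)
    unknown = sorted(set(checkins) - {h.lower() for h in inventory})
    fraction = (len(inventory) - len(gaps)) / len(inventory) if inventory else 0.0
    return fraction, sorted(gaps), unknown

def mean_times(incidents: list[tuple[datetime, datetime, datetime]]
               ) -> tuple[timedelta, timedelta]:
    """incidents: (first_malicious_activity, alert_raised, device_contained).
    MTTD averages alert - first activity; MTTR averages contained - alert.
    First activity comes from the timeline the investigation step reconstructs,
    not from the alert timestamp, or dwell time disappears from the number."""
    n = len(incidents)
    if n == 0:
        raise ValueError("no incidents in the reporting period")
    mttd = sum((alert - first for first, alert, _ in incidents), timedelta()) / n
    mttr = sum((contained - alert for _, alert, contained in incidents), timedelta()) / n
    return mttd, mttr

def underwriter_summary(inventory, checkins, now, incidents) -> dict:
    """The figures that go into the monthly statement of controls."""
    fraction, gaps, unknown = coverage(inventory, checkins, now)
    mttd, mttr = mean_times(incidents)
    return {
        "coverage_percent": round(fraction * 100, 1),
        "meets_coverage_target": fraction >= COVERAGE_TARGET,
        "gap_hosts": gaps,
        "unknown_hosts": unknown,
        "mttd_minutes": round(mttd.total_seconds() / 60, 1),
        "mttr_minutes": round(mttr.total_seconds() / 60, 1),
    }

# --- constructed data for the example (not real client data) ---
NOW = datetime(2026, 3, 2, 9, 0)
INVENTORY = [f"WS-ACCT-0{i}" for i in range(1, 6)] + [
    "WS-LEGAL-01", "WS-LEGAL-02", "WS-LEGAL-03",
    "SRV-FILE-01", "SRV-DC-01", "LT-MGMT-01", "LT-MGMT-02"]
CHECKINS = {h.lower(): NOW - timedelta(minutes=m) for h, m in [
    ("WS-ACCT-01", 12), ("WS-ACCT-02", 5), ("WS-ACCT-03", 41), ("WS-ACCT-04", 3), ("WS-ACCT-05", 8),
    ("WS-LEGAL-01", 7), ("WS-LEGAL-02", 19), ("SRV-FILE-01", 1), ("SRV-DC-01", 2), ("LT-MGMT-01", 90),
    ("WS-TEMP-99", 4),  # reports to the console but is not in the inventory
]}
CHECKINS["ws-legal-03"] = NOW - timedelta(days=5)  # agent stopped checking in: a gap
# LT-MGMT-02 never had the agent installed: also a gap
INCIDENTS = [
    (datetime(2026, 2, 3, 14, 2), datetime(2026, 2, 3, 14, 6), datetime(2026, 2, 3, 14, 21)),
    (datetime(2026, 2, 11, 2, 15), datetime(2026, 2, 11, 2, 35), datetime(2026, 2, 11, 3, 5)),
    (datetime(2026, 2, 20, 10, 0), datetime(2026, 2, 20, 10, 9), datetime(2026, 2, 20, 10, 24)),
]

if __name__ == "__main__":
    for key, value in underwriter_summary(INVENTORY, CHECKINS, NOW, INCIDENTS).items():
        print(f"{key:24} {value}")
```

Two things in this that a questionnaire answer usually glosses over: a host whose agent has gone quiet is counted against coverage, not for it, and the console-only host is surfaced as an unknown asset rather than silently inflating the denominator. On the constructed data the fleet lands at 83.3 percent, below the 95 percent line, with the two gap hosts named so the remediation is concrete.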
How we pick a platform
We are platform-agnostic and recommend based on fit. Most Vancouver deployments land on one of three:
SentinelOne
Strong autonomous response, mature for SMBs, single agent for endpoint and server. Our default for businesses with mixed Windows and macOS fleets and limited existing Microsoft licensing.
Microsoft Defender for Endpoint
Best fit for clients already on Microsoft 365 Business Premium or E5. Native integration with Entra ID Conditional Access, Sentinel, and Intune. Cost-effective when bundled.
CrowdStrike Falcon
Premium tier with the deepest threat-intelligence integration. Recommended for regulated environments (financial services, healthcare) and clients with the budget for it. Cloud-only console.
We also support ThreatDown (Malwarebytes) for clients with budget constraints who still need above-antivirus protection, and we will evaluate any platform you already have rather than insisting on a switch.
Onboarding timeline
A typical Vancouver business of 10 to 50 endpoints is fully covered inside 30 days.
- Week 1. Inventory, asset reconciliation, platform selection, licensing in place. Pilot agent on three to five low-risk endpoints.
- Week 2. Pilot review, exclusion tuning for line-of-business apps, full rollout to all endpoints. Initial baseline of detections established.
- Week 3. Tuning continues. False-positive rate drops. Containment policy moves from notify-only to auto-isolate on high-severity. SOC handoff documentation completed.
- Week 4. Full operations. First incident-response tabletop exercise. Insurer statement-of-controls document delivered.
Frequently asked questions
What is the difference between EDR and MDR?
EDR is the software platform. MDR is the software plus a 24/7 security operations centre that uses it on your behalf. EDR alone is a tool you still need to staff. MDR is the tool plus the people. Most Vancouver SMBs without dedicated security headcount land on MDR.
Do we need EDR if we already have antivirus?
Yes. Antivirus matches known threats by signature. EDR uses behaviour-based detection to catch novel malware, fileless attacks, and lateral movement. Most 2026 Canadian cyber-insurance underwriters either require EDR or treat it as a strongly recommended control.
Which EDR platforms do you support?
SentinelOne, Microsoft Defender for Endpoint, CrowdStrike Falcon, and ThreatDown. We pick based on existing licensing, Microsoft 365 integration, budget, and the level of managed response wanted. Platform-agnostic recommendations.
How quickly do you respond to a critical detection?
Enterprise MDR: an analyst acknowledges inside 15 minutes around the clock and confirms containment within 30 minutes in the typical case; high-severity detections are already auto-isolated by the agent before the analyst picks them up. Professional EDR: triage during business hours with the same containment target.
Will EDR slow down our computers?
Modern EDR agents are lightweight. On standard business hardware from the last five years the agent typically uses one to three percent CPU during normal operation. We measure impact during pilot and tune exclusions for dev tools, line-of-business apps, and other known-noisy software.
What happens during an incident?
Five steps. Contain (isolate the device). Investigate (root cause and scope). Eradicate (remove threat, rotate credentials, patch). Recover (restore or rebuild). Lessons (written report to your leadership and insurance carrier).
Does this satisfy cyber-insurance requirements?
Yes. Our MDR documentation answers the standard underwriter questionnaire fields. We provide the questionnaire-ready statement of controls each renewal. For PIPEDA and BC's Personal Information Protection Act (PIPA), the same documentation supports the safeguards requirement.
Can we deploy in a mixed Windows and Mac environment?
Yes. SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike Falcon all cover Windows, macOS, and Linux from a single console. Mobile coverage (iOS, Android) layers through Microsoft Intune or your existing mobile device management platform.
Get your EDR assessment
We will audit your current endpoint coverage, identify gaps against the 2026 cyber-insurance baseline, and quote a tailored MDR rollout. The assessment itself is free and takes about 30 minutes.