What is the difference between IDS/IPS, SIEM, and EDR?

Answer

These are complementary but different security technologies:

IDS/IPS (Intrusion Detection/Prevention System): network-focused; monitors network traffic for known attack signatures and anomalies. IDS alerts; IPS blocks. Operates at the network layer and inspects packets. Limited visibility into endpoint behavior.

SIEM (Security Information and Event Management): aggregates and correlates log data from across the environment (network, endpoints, cloud, applications). Provides a unified view for threat detection, investigation, and compliance reporting. Relies on data fed to it: visibility depends on the log sources connected.

EDR (Endpoint Detection and Response): agent-based; runs on endpoints (servers, workstations). Collects telemetry (process, file, network, registry activity), detects anomalous behavior, and enables investigation and remote response (isolate host, collect forensics, kill processes). Excellent at detecting fileless malware and living-off-the-land techniques that are invisible to network-only tools.

Modern architecture: IDS/IPS feeds into SIEM; EDR feeds into SIEM; SIEM correlates across all sources; the SOC uses all three. XDR (Extended Detection and Response) unifies EDR, network, and cloud telemetry into a single platform.
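To make the "SIEM correlates across all sources" point concrete, here is an added example (not from the original page, and not any vendor's code) of the kind of cross-source rule a SIEM runs: an IDS alert keyed by source IP is joined to EDR process telemetry keyed by hostname through an asset inventory, and the alert is escalated only when both sensors saw something suspicious on the same host within a short time window. All events, hostnames, IPs, signature names and the rule itself are constructed for illustration.

```python
"""
Added example: toy SIEM-style correlation of IDS alerts with EDR telemetry.
Every event, IP, hostname and rule below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory. The SIEM uses data like this to join
# network-keyed events (IP addresses) to endpoint-keyed events (hostnames).
ASSET_INVENTORY = {
    "10.0.0.5": "WS-FINANCE-07",
    "10.0.0.9": "WS-HR-02",
}

# Constructed IDS alerts: the network view (packets, IPs, signature names).
IDS_ALERTS = [
    {"ts": "2024-05-01T10:00:05Z", "src_ip": "10.0.0.5",
     "dst_ip": "203.0.113.10",
     "signature": "Suspicious periodic outbound HTTP beacon"},
    {"ts": "2024-05-01T11:30:00Z", "src_ip": "10.0.0.9",
     "dst_ip": "198.51.100.7",
     "signature": "Suspicious periodic outbound HTTP beacon"},
]

# Constructed EDR events: the endpoint view (process and parent on a host).
EDR_EVENTS = [
    {"ts": "2024-05-01T09:58:40Z", "host": "WS-FINANCE-07",
     "parent": "WINWORD.EXE", "process": "powershell.exe"},
    {"ts": "2024-05-01T09:15:00Z", "host": "WS-HR-02",
     "parent": "explorer.exe", "process": "notepad.exe"},
]

# Hypothetical rule content: an Office application spawning a script host
# is the endpoint-side behaviour the IDS alone cannot see.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_office_spawning_script(event):
    """EDR-side condition: Office parent process launching a script host."""
    return (event["parent"].upper() in OFFICE_APPS
            and event["process"].lower() in SCRIPT_HOSTS)


def correlate(ids_alerts, edr_events, inventory, window=timedelta(minutes=5)):
    """Turn each IDS alert into an incident record.

    Severity starts at 'medium' (single network-only source). It is raised
    to 'high' when EDR telemetry on the same host shows the Office-to-script
    process chain within +/- `window` of the network alert.
    """
    incidents = []
    for alert in ids_alerts:
        host = inventory.get(alert["src_ip"])      # IP -> hostname join
        alert_time = parse_ts(alert["ts"])
        incident = {
            "host": host,
            "src_ip": alert["src_ip"],
            "signature": alert["signature"],
            "severity": "medium",
            "evidence": ["ids"],
        }
        for event in edr_events:
            if event["host"] != host or not is_office_spawning_script(event):
                continue
            if abs(parse_ts(event["ts"]) - alert_time) <= window:
                incident["severity"] = "high"
                incident["evidence"].append("edr")
                incident["process_chain"] = f'{event["parent"]} -> {event["process"]}'
                break
        incidents.append(incident)
    return incidents


if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, EDR_EVENTS, ASSET_INVENTORY):
        print(inc)
```

Run stand-alone, the first alert is escalated to high because the beacon from 10.0.0.5 lines up with WINWORD.EXE launching powershell.exe on WS-FINANCE-07 85 seconds earlier; the second stays medium because the only EDR activity on WS-HR-02 is benign and hours away. Neither sensor alone produces the high-confidence verdict; the inventory join and the time window are what the SIEM contributes.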