Endpoint Detection and Response (EDR) in Cybersecurity - Time & Space Complexity
When analyzing Endpoint Detection and Response (EDR) systems, it is important to understand how the time to detect and respond grows as the number of endpoints or events increases.
We want to know how the system's work changes when more devices or alerts are involved.
Analyze the time complexity of the following simplified EDR event scanning process.
```python
for endpoint in endpoints:                         # outer loop: n endpoints
    for event in endpoint.events:                  # inner loop: m events per endpoint
        if matches_signature(event, threat_signature):   # one signature check per event ("event matches threat_signature")
            alert_security_team(event)
    update_endpoint_status(endpoint)               # once per endpoint, after its events are scanned
```
This code scans all events on each endpoint to find threats and then updates the endpoint status.
Identify the loops and repeated checks in the code.
- Primary operation: Checking each event on every endpoint against threat signatures.
- How many times: For each endpoint, it checks all its events once.
The time to scan grows as the number of endpoints and the number of events per endpoint increase.
| Input Size (n endpoints, m events each) | Approx. Operations |
|---|---|
| 10 endpoints, 100 events each | 1,000 event checks |
| 100 endpoints, 100 events each | 10,000 event checks |
| 1,000 endpoints, 100 events each | 100,000 event checks |
Pattern observation: The total work grows in proportion to the product of the number of endpoints and the number of events per endpoint; multiplying either factor by ten multiplies the event checks by ten.
Time Complexity: O(n * m)
This means the time grows in direct proportion to the number of endpoints (n) times the number of events per endpoint (m).
[X] Wrong: "The scanning time only depends on the number of endpoints, not the events."
[OK] Correct: Each endpoint can have many events, and the system must check each event, so events greatly affect the total time.
Understanding how EDR systems scale with more devices and data helps you explain system performance clearly and shows you grasp real-world cybersecurity challenges.
"What if the system only scanned new events instead of all events every time? How would the time complexity change?"
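As an added example (not part of the original page), the scan above implemented in Python with a counter for signature checks, which reproduces the rows of the table, plus an `only_new` mode that examines only events appended since the previous scan, the variant the closing question asks about. The `Endpoint` class, `matches_signature`, `build_fleet` and the signature strings are constructed for this example and do not come from any real EDR product.

```python
from dataclasses import dataclass, field

# Constructed sample signatures for this example; they are placeholders, not real detection content.
THREAT_SIGNATURES = ("suspicious_tool.exe", "encoded-command")

@dataclass
class Endpoint:
    name: str
    events: list = field(default_factory=list)
    scanned: int = 0          # events already examined by an earlier scan (for the incremental case)
    status: str = "clean"

def matches_signature(event: str, signatures=THREAT_SIGNATURES) -> bool:
    """Substring match standing in for the page's 'event matches threat_signature'."""
    return any(sig in event for sig in signatures)

def scan(endpoints, only_new=False):
    """Return (checks, alerts). A full scan costs n * m checks; only_new examines unseen events only."""
    checks, alerts = 0, []
    for ep in endpoints:
        start = ep.scanned if only_new else 0
        hit = False
        for ev in ep.events[start:]:
            checks += 1                       # one signature check per event examined
            if matches_signature(ev):
                alerts.append((ep.name, ev))  # stands in for alert_security_team(event)
                hit = True
        if hit:
            ep.status = "alert"               # stands in for update_endpoint_status(endpoint)
        ep.scanned = len(ep.events)
    return checks, alerts

def build_fleet(n_endpoints: int, events_per_endpoint: int):
    """Constructed fleet: m benign events per endpoint, with one matching event on the last host."""
    fleet = [Endpoint(f"host{i}", [f"benign-event-{j}" for j in range(events_per_endpoint)])
             for i in range(n_endpoints)]
    fleet[-1].events[-1] = "process start: suspicious_tool.exe"
    return fleet

if __name__ == "__main__":
    for n in (10, 100, 1000):                 # reproduces the rows of the table above
        checks, alerts = scan(build_fleet(n, 100))
        print(f"{n} endpoints x 100 events: {checks} checks, {len(alerts)} alert(s)")
    fleet = build_fleet(10, 100)
    scan(fleet)                               # initial full scan: 1,000 checks
    for ep in fleet:
        ep.events.extend(f"new-event-{k}" for k in range(5))
    print("incremental rescan checks:", scan(fleet, only_new=True)[0])   # 50, not 1,050
```

With `only_new`, each rescan costs only the number of events added since the last scan, so the per-scan work no longer depends on the full history m but on the arrival rate of new events.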