
Endpoint Protection
HarfangLab EDR/EPP Platform
Unified endpoint security platform combining EDR, EPP, and ASM with ANSSI certification.
HarfangLab EDR/EPP Platform Overview
What it does
HarfangLab EDR/EPP Platform is a European endpoint security platform that unifies Endpoint Detection and Response (EDR), Endpoint Protection Platform (EPP), and Attack Surface Management through the Scout module in one console. Its core differentiator is transparent, customizable detection built on standardized YARA and Sigma rules that security teams can inspect, tune, and extend instead of relying on opaque, vendor-only logic. The platform is designed for organizations that need sovereign endpoint coverage across workstations and servers, including government agencies and regulated enterprises in France and wider Europe.
How it works
The platform deploys lightweight endpoint agents that collect telemetry for behavioral analysis, threat hunting, and incident response managed from a central console. Proprietary models Ashley and Kio support on-endpoint malware prediction, PowerShell abuse detection, and natural-language investigation workflows in the console. Scout adds external attack surface visibility with continuous CVE monitoring and shadow IT discovery correlated against endpoint security events. A Ransomguard engine and file integrity monitoring extend prevention and change detection alongside the integrated EPP antivirus layer.
Credentials and traction
HarfangLab holds ANSSI CSPN certification, first obtained in 2020 and renewed and extended in 2024 to cover both the EDR agent and manager, and obtained an ANSSI Qualification for its EDR in December 2024. In 2025 it became the first EDR to obtain BSZ certification from the German BSI. HarfangLab participated in the 2023 MITRE ATT&CK Evaluation, its first participation, in which the Turla threat group was emulated. As of its 2023 Series A funding round, HarfangLab reported more than 250 customers, including government agencies, businesses, and international organizations operating in highly sensitive sectors across France and Europe.
Key Capabilities
mapped to solution categoriesCaptures and analyzes in-memory process state to detect fileless malware, injected shellcode, and credential material that leaves no disk artifacts. Requires kernel-level agent access.
Ingests events from non-endpoint sources (firewall, identity, email, cloud) into the EDR platform for cross-signal correlation, enabling XDR-style detection without a separate XDR product.
Detects threats by modeling process behavior, memory access patterns, and inter-process relationships rather than matching file signatures. Catches novel malware and LOLBin-based attacks that have no signature.
Maintains local detection and prevention capability when the endpoint cannot reach the management console, relevant for air-gapped, traveling, or connectivity-impaired devices.
Provides a query interface over telemetry (process tree, network connections, registry events, file events), for analyst-led investigation independent of alert workflows. Differentiation is query language expressiveness and historical data retention.
Delivers detection, behavioral analysis, and response across Windows, macOS, and Linux agents, with non-Windows coverage depth a common evaluation point.
Runs all detection and response logic locally on the endpoint without requiring a connection to the vendor cloud, preserving full detection capability in air-gapped networks, regulated environments, and high-latency conditions.
Executes isolation, process kill, or persistence removal actions automatically upon detection without waiting for analyst approval. Speed of automated response directly affects breakout time mitigation.
Maps detections and alerts to MITRE ATT&CK with severity ratings and a process tree to aid root cause analysis and remediation.
Executes endpoint response actions automatically upon confirmed detection (process termination, file quarantine, registry key removal, and ransomware rollback), without waiting for analyst approval. Scope of automated actions and rollback fidelity are the primary quality differentiators.
Centrally manages the endpoint host firewall, controlling inbound and outbound network connections per policy to reduce the endpoint's network attack surface alongside device and application controls.
Detects and blocks malware using behavioral analysis and ML models rather than signature matching. Prevents execution of known and novel malware including script-based and fileless attacks.
Enforces policies on USB storage, Bluetooth, and peripheral device connections, blocking, allowing, or auditing data transfer based on device type and user identity.
Scans endpoints for missing OS and application patches, surfacing vulnerability exposure without requiring a separate vulnerability management scanner.
Executes unknown files in an isolated VM before allowing them to run on the endpoint, enabling detection of zero-day and evasive malware through behavioral observation.
Detects and blocks endpoint threats using behavioral analysis of endpoint, application and user activity.
Provides an embedded AI assistant for alert summarization, investigation and response guidance.
Identifies cloud resources, SaaS applications, and exposed services deployed by business units without IT or security team visibility or approval.
Identifies software stacks, versions, and components running on discovered assets through passive banner analysis and active probing, mapping CVE exposure without authenticated scanning.
Continuously enumerates internet-exposed assets (domains, IPs, subdomains, certificates, cloud storage, APIs) using passive DNS, certificate transparency logs, and active probing, including assets outside the official inventory.
Ranks discovered exposures by combining exploitability signals, asset business context, and active threat intelligence to produce an actionable remediation queue.
Compliance
certificationsIntegrations
compatible toolsImplementation & support
Info last updated on June 13, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.