Endpoint detection and response lives or dies on telemetry. When an incident happens, the investigator can only reconstruct what the endpoint bothered to record. Record too little and you are blind; record everything and you drown in cost and noise. The leverage is in deciding, remotely and on demand, what to capture.
Sophos Limited's US12079757B2, “Endpoint with remotely programmable data recorder” (issued September 3, 2024; CPC G06F 21/554 — detecting malicious behavior, plus a broad machine-learning stack including G06N 20/00), describes an endpoint data recorder that can be reprogrammed remotely. Read it at US12079757B2.
Mechanically, the recorder captures endpoint activity and exposes controls so the security service can change what and how it records without redeploying — dialing telemetry up when a threat is suspected, down when it is not. The expansive CPC list (machine learning, analytics, behavior detection) shows the recorder is the data foundation an entire detection-and-response pipeline is built on top of.
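To make the "dial telemetry up on suspicion" idea concrete, here is an added illustration in Python (not Sophos's code and not the patent's implementation): an endpoint recorder whose capture policy (event classes and local buffer size) can be swapped by the service without redeploying. Policy names, event types and the sample event stream are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RecorderPolicy:
    """Capture settings the security service pushes to the endpoint (assumed shape)."""
    name: str
    event_types: frozenset   # which event classes are recorded at all
    buffer_size: int         # how many records the endpoint keeps locally


# Cheap default versus rich capture for a suspected host (assumed policy names).
BASELINE = RecorderPolicy("baseline", frozenset({"process", "auth"}), 8)
ELEVATED = RecorderPolicy(
    "elevated", frozenset({"process", "auth", "file", "network", "registry"}), 256)


class EndpointRecorder:
    def __init__(self, policy=BASELINE):
        self.policy = policy
        self.buffer = deque(maxlen=policy.buffer_size)
        self.dropped = 0  # events filtered out under the policy in force at the time

    def reprogram(self, policy):
        """Remote policy change: swap settings in place and keep what was already recorded."""
        kept = list(self.buffer)[-policy.buffer_size:]
        self.buffer = deque(kept, maxlen=policy.buffer_size)
        self.policy = policy

    def record(self, event):
        if event["type"] not in self.policy.event_types:
            self.dropped += 1
            return False
        self.buffer.append(event)
        return True

    def snapshot(self):
        return list(self.buffer)


# Constructed sample stream for one host; not taken from the patent.
STREAM = [
    {"type": "auth", "msg": "logon user=alice"},
    {"type": "file", "msg": "write C:\\Users\\alice\\doc.docx"},
    {"type": "process", "msg": "powershell.exe -EncodedCommand <redacted>"},
    {"type": "network", "msg": "connect 203.0.113.5:443"},
    {"type": "registry", "msg": "set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "file", "msg": "write C:\\Users\\alice\\x.dll"},
]


def run(stream, escalate_on="process"):
    """Replay events; the first <escalate_on> event makes the service push ELEVATED."""
    rec = EndpointRecorder()
    for ev in stream:
        rec.record(ev)
        if rec.policy is BASELINE and ev["type"] == escalate_on:
            rec.reprogram(ELEVATED)
    return rec
```

Under the baseline policy the file write before the suspicious process launch is never captured; everything after the escalation is, which is exactly the investigator's trade-off the patent's remote control is meant to manage.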
Why this is a business story: telemetry is the moat in EDR/XDR — the vendor with the richest, most tunable data stream builds the best models and the stickiest product. Sophos has spent heavily here, and its 2024 acquisition of Secureworks pairs this kind of data-capture IP with managed-detection delivery. The recorder is also a cost lever: programmable capture lets a vendor manage the ingest economics that, as in SIEM, decide whether the margins work.
The grounded read: a programmable endpoint recorder is the tunable telemetry foundation EDR is built on — capture what investigators need, when they need it. Sophos' 2024 grant names that recorder, the data engine and cost lever beneath its detection-and-response platform.