Secure every endpoint with one agent

Iru detects malware, behavioral anomalies, malicious processes, and command-line attacks in real time. Purpose-built ML models and an in-house threat research team keep detection current against emerging attacks.

No. All three run through Iru's single lightweight agent. One installation covers enrollment, app management, vulnerability detection, and EDR. Nothing extra to deploy.

No. Iru's agent uses 22% fewer resources than competitors under peak loads. It installs at enrollment and self-updates. Users won't notice it's running.

In Protect Mode, Iru automatically terminates the malicious process and quarantines the file. In Detect Mode, your team gets full visibility without automatic remediation.

Iru scans every 15 minutes, enriched with NVD and CVE data. When a vulnerable app is detected, Iru patches it automatically based on severity. No admin action required.

Yes. Every quarantined file shows up in the Detections table with the threat name, classification, severity, and MITRE mapping, so your team can review it and release it back to the device. If a tool like a dev utility keeps tripping detections, add it to the EDR allow list — by file path or SHA256 hash — so it stops getting flagged.

Yes. Behavioral detections split into eight rule groups — discovery, exploit detection, persistence, privilege escalation, and others — and each group can be set to Cautious, Moderate, or Aggressive independently. Cautious focuses on clear-cut malicious activity, Aggressive maximizes coverage. Pair the right detection level with a Blueprint targeted at your engineering org and you can run a quieter posture there without softening protection on the rest of the fleet.

Iru covers the EDR control most carriers list: continuous behavioral and file-based detection on managed Macs, automatic quarantine and process termination on malicious activity, MITRE ATT&CK mapping on every detection, and a complete audit trail through the Detections page and Library Item activity log. Pair it with Iru Vulnerability Management and Compliance Automation to cover adjacent controls that show up in the same questionnaires.

Yes. Partial Isolation severs the device's network access but keeps the Iru Agent connection alive so you can still push commands, isolate further, or release the isolation from the console. Complete Isolation cuts off all network communication — release from isolation is the only remaining remote action, also done from the console. Both run from the Detections side panel, individually or across all devices tied to a threat. Bulk isolation requires typing "ISOLATE" as a safety step.

Iru EDR runs on Mac today using Apple's Endpoint Security framework, with file-based and behavioral detection, allow/block lists, sensitivity tuning, and device isolation all shipped. Windows EDR is in development — there isn't yet a help doc covering Windows EDR capabilities. If Windows protection is a hard requirement now, your SE will walk through current scope and roadmap timing.

Yes. Iru EDR ships as a Library Item assigned per Blueprint, so you can deploy it to a pilot group while your incumbent EDR stays in place on the rest of the fleet. Most teams turn off file-based protection on one of the two during the overlap to avoid duplicate quarantines on the same file. Once Iru's coverage is validated against your environment, you cut over by widening the Blueprint assignment. 

Yes. EDR settings live in a Library Item assigned per Blueprint. Each Library Item can run its own posture mode for malware and PUPs (Detect or Protect), its own behavioral posture, its own user-alert toggle, and its own allow/block list. Pair that with rule-group sensitivity (set globally or per Blueprint via separate Library Items) and you can run aggressive Protect on the exec Blueprint and quieter Detect on the engineering Blueprint — same agent enforcing both.

The user gets a native notification on their Mac when a file is quarantined or a malicious process is blocked, and they can review the full list of quarantined files and blocked processes in Self Service under Security events. User alerts are toggled per Library Item, so you can stay loud on knowledge workers and stay quiet on shared or kiosk devices. The toggle is only available when posture is set to Protect.

Yes. The Slack integration posts Iru Agent and system event notifications into public or private Slack channels, and you can pick which event triggers each notification listens for, name each notification, send a test, and route different events to different channels. The help docs show a blocked-application notification as the example trigger.

A new EDR Library Item is created by default when EDR is added to a tenant, with behavioral detections turned on and posture running in Detect mode so you can see what it catches without it enforcing actions on devices. When you're ready, switch the Library Item to Protect mode — quarantine for file detections, process termination for malicious behavior — and assign it to the Blueprints you want covered.